From drfarina at acm.org Wed Feb 1 00:18:38 2012 From: drfarina at acm.org (Daniel Farina) Date: Tue, 31 Jan 2012 15:18:38 -0800 Subject: [META] The issue of the unwelcome CC (please email me if you receive a CC from me) In-Reply-To: <20120131143532.459370f5@scorpio> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F28242F.20700@comcast.net> <20120131143532.459370f5@scorpio> Message-ID: On Tue, Jan 31, 2012 at 11:35 AM, Jerry wrote: > On Tue, 31 Jan 2012 12:26:07 -0500 > Christopher J. Walters articulated: > >> It was my understanding that this bug had been fixed in Thunderbird, >> but I may be mistaken. I know that in a GNU/Linux user mailing list >> I have long been signed up for, I will occasionally receive CC's not >> for replies to my own messages, but for replies where the poster's >> To: line is to the person to whom they are replying and the message >> is CC'ed to the list. > > I have encountered two individuals, not on this list, who also think it > is cute to mail a response directly to the OP and then CC the list. > Honestly, some people are alive only because it seems cruel to kill a > retard. 
Okay, the harshness of language here has baited me to reply: There's a simple reason people do this, and it's because it is a common choice for large lists, including the Linux family of mailing lists, the Postgres family of mailing lists, and the FreeBSD family of mailing lists, and the GCC mailing lists -- and these are the first four projects I thought of, all of which use the "To: OP, CC: The List" convention. The common (and entirely valid) use case being that one can filter for mail that is "To:" them, and not necessarily read *all* mailing list traffic. gnupg-users has a Reply-To convention that is an outlier in that crowd of mailing lists. Were I someone who was expected to respond to mail on this list frequently and the list was of higher volume, I'd find it very frustrating. Nevertheless, it's fine that gnupg-users has its own way of dealing with this, but as long as it is an outlier in this respect, you are going to get the occasional email addressed in this way, from people who otherwise think that somehow the 'reply' fields were actually filled in in error. Also, Message-Id. Getting two copies should be a non-problem. -- fdr From expires2012 at rocketmail.com Wed Feb 1 00:23:25 2012 From: expires2012 at rocketmail.com (MFPA) Date: Tue, 31 Jan 2012 23:23:25 +0000 Subject: [META] please start To: with gnupg-users@gnupg.org, i.e.: In-Reply-To: <20120130190643.GB184889@crustytoothpaste.ath.cx> References: <20120130190643.GB184889@crustytoothpaste.ath.cx> Message-ID: <937838472.20120131232325@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 30 January 2012 at 7:06:43 PM, in , brian m. carlson wrote: > The problem is that unlike regular list messages, the > dupes don't come with the list headers, which makes > sorting them based on the list headers problematic. The group's email address gnupg-users at gnupg.org usually appears in the To: or CC: field of the duplicate message. Why not filter/sort on that and catch most of them? 
- -- Best regards MFPA mailto:expires2012 at rocketmail.com Dreams come true on this side of the Rainbow too! From expires2012 at rocketmail.com Wed Feb 1 00:48:53 2012 From: expires2012 at rocketmail.com (MFPA) Date: Tue, 31 Jan 2012 23:48:53 +0000 Subject: [META] The issue of the unwelcome CC (please email me if you receive a CC from me) In-Reply-To: References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F28242F.20700@comcast.net> <20120131143532.459370f5@scorpio> Message-ID: <12410614099.20120131234853@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 31 January 2012 at 9:48:03 PM, in , Richard wrote: > I've done this before (on this list), but only because > I had the impression "almost everyone else here" did > it, so I just wanted to go with what I assumed to be > expected. I don't think this makes me look like a > retard, but rather considerate, since I tried to figure > out what appeared to be the netiquette on this very > list before posting anything. For what it's worth, according to my MAU's search function 2146 of the 5803 messages I have stored locally for this list have a cc: header. 
If memory serves, I added the CC: to my reply template for this list because after my first few posts here I was criticised for not CCing. - -- Best regards MFPA mailto:expires2012 at rocketmail.com Don't ask me, I'm making this up as I go! From expires2012 at rocketmail.com Wed Feb 1 01:01:16 2012 From: expires2012 at rocketmail.com (MFPA) Date: Wed, 1 Feb 2012 00:01:16 +0000 Subject: Using the not-dash-escaped option In-Reply-To: References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> Message-ID: <1148399848.20120201000116@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 31 January 2012 at 10:29:53 PM, in , Paul Hartman wrote: > It's still missing the trailing space, assuming you put > one there in the first place... many people don't > realize it's supposed to be there. It's in my message templates with the space. Almost every line of my messages ends in a space. These are removed when I sign the message, as per the openPGP standard. I guess not-dash-escaped doesn't extend to keeping the space on the cut mark... - -- Best regards MFPA mailto:expires2012 at rocketmail.com I'll tell you what's the matter! This parrot is dead! From rjh at sixdemonbag.org Wed Feb 1 01:04:57 2012 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Tue, 31 Jan 2012 19:04:57 -0500 Subject: PGP/MIME use In-Reply-To: <201201312025.45335.mailinglisten@hauke-laging.de> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <946FFFC5-A191-4073-9D69-FC7FDC6950B7@gpgtools.org> <4F2836ED.5030705@sixdemonbag.org> <201201312025.45335.mailinglisten@hauke-laging.de> Message-ID: <4F2881A9.8040502@sixdemonbag.org> Warning: do not take *any* of the numbers here seriously. They may be completely divorced from reality. These numbers are like Monopoly money -- completely fake, but still useful to illuminate important lessons about the real thing. This email is also quite long, and I apologize for that. I haven't the time to make it shorter. On 1/31/2012 2:25 PM, Hauke Laging wrote: > Do you mean "hidden" installations (used unnoticedly by a > distribution's update tool in the background) or actively planned > installations ("I need GnuPG.")? Either/or. Enigmail's users are a small fraction of GnuPG's no matter how you slice it. > It is hard for me to believe that a serious user of GnuPG does not > use it for email. This sounds like a No True Scotsman fallacy. If someone uses GnuPG but not for email, does that disqualify them from being a serious user? Is your definition of 'serious user' structured in a way as to implicitly select for email users? > I admit that I do not use Thunderbird but is its share among GnuPG > users so much smaller than among all users altogether? Welcome to the world of Fermi problems, where your answers are as accurate as your prejudices. How many piano tuners are in Chicago? Well, there are about five million people in Chicago, an average household is somewhere between two and four people, maybe one in twenty has a piano that gets tuned once a year, one piano tuner can do maybe four in a day and doesn't like to work more than five days a week... uh, well, there are maybe between 125 and 250 piano tuners. More or less. Sorta. 
If our prejudices are accurate then our result will be. You can estimate GnuPG and Enigmail users in the same way. On average, each and every Linux installation has GnuPG installed. How many Linux users are there worldwide? Well, in the United States there are about 300,000,000 people, and probably 200,000,000 use computers on a regular basis. (Note that I'm not asking how many *computers* are in the United States, but how many *users*.) Linux might account for half a percent of mindshare, so ... my prejudice is that there are about a million GnuPG users in the United States. They might not even know it, but they're part of the userbase. Enigmail's 50,000 users is just a slender few percent of GnuPG's user base. (And believe it or not, this is an apples-to-apples comparison: all Enigmail users compared to all GnuPG users.) The knowing-users comparison is different. Essentially all of Enigmail's users are knowing users. You have to first download Thunderbird, then download Enigmail. (GnuPG is already on your system.) You've taken two deliberate steps to put Enigmail on your system: the odds are very good that you know Enigmail is there and you want the capability it provides. So of our 50,000 users, probably close to all of them know they're our users. GnuPG is a little different: of a million Linux users in the United States, how many of them actually think about how many times GnuPG is being used behind the scenes to validate their software downloads and sign packages and whatnot? Somewhere between one in ten and one in three? So against our 50,000 'knowing' users, GnuPG would still crush us with between 100,000 and 350,000 'knowing' users. >> I now see no utility to them for the vast majority of uses. > > But you admit that this depends on the current situation (described > by: hardly anyone uses it)? Of course not. Even if *everyone* used email crypto, signatures would still be largely, and maybe entirely, useless. 
I don't know where this myth began that messages are somehow trustworthy because they sport signatures. That's not how the world works. (Well, I suppose it *can* work, the same way you can choose to blindly trust anyone who speaks Occitan with a lisp and has a strange fascination with argyle. However, just as you might think someone who would trust completely based on such criteria to be foolish, I think people who believe signatures create trust are just as foolish.) Signatures extend trust's reach: they can't create it. My friend Raven used to live just up the highway from me. We regularly got together for tea. When we were sitting face to face, I trusted the integrity of what she was saying. Now that she's far away, if/when we need to guarantee the integrity of our message we use GnuPG to do so. The trust we had in a face-to-face communication has had its reach extended to cross thousands of miles. But if she and I hadn't met before, if we didn't have a shared experience upon which to build trust, then signatures would be meaningless. The reach of trust has been extended, sure, but that doesn't help much when there isn't trust. Let's have another example here. I woke up at about eight in the morning on 9/11. I was living in California and I was moving that day. All my belongings had already moved out: I had no television, no radio, nothing, just myself, a sleeping bag and a laptop. I woke up that morning, made myself a cup of coffee, studied the maps for the day's drive out East, and before I walked out to my car I figured I'd check my email one last time. I had one email from a friend of mine in the UK. It read exactly: Your country's at war. All of us are backing you. The message was not signed. I tried to hit CNN.com, but the site wouldn't load. Slashdot.org, same. In fact, *all* websites were pretty much down. I shrugged and figured the ISP must've turned off my account a little early. 
I walked outside -- it was a beautiful day, the birds were singing, clear skies. Nobody was screaming or wailing: it was a day just like any other. I shrugged off Roger's message. I figured someone was playing games with me. I dropped off my housekeys in my landlord's dropbox and began driving. It wasn't until I was leaving San Jose that I saw a bunch of flags flying, and between that and Roger's email, well -- I stopped at my favorite watering hole to check in with the morning crew and see if they'd heard anything, and that's when I discovered what had happened. Imagine what would've happened if Roger had sent me that as a *signed* email. I would've trusted it completely, right? I wouldn't have dropped off my housekeys, I would've called my landlord and asked for a few days extension, and not had to deal with the challenges of a cross-country move during 9/11 and the days immediately after. Now that you know the history (an unsigned message I disregarded) and you've imagined one alternate history (a signed message that I would've heeded), imagine a second alternate history. In this second alternate history, MFPA sends me a signed message telling me "Your country's at war, all of us are backing you." Would I trust that? Of course not. I don't know MFPA. He's never bought me a beer. We have no shared context of trust, so there's no way for a signature to extend the reach of that nonexistent trust. The signature on the message means exactly nothing. The best MFPA could hope for would be to say, "Your country's at war, all of us are backing you, nytimes.com is still up and responsive, check there for details" -- but even then I'm not trusting MFPA. He's giving me a way to independently verify his claim, which is pretty much the polar opposite of asking me to take things on trust. Finally, one last thought experiment: During my time percolating through graduate school I used a coffeeshop across the street from my building as my office. 
(My official office was literally a converted janitor's closet that now housed five TAs.) One semester I had to bounce a large number of students on academic honesty violations: some of them were extremely upset. My nightmare scenario then involved one of them visiting the coffeeshop at the same time as me and posting incredibly offensive things on University forums using my name. It would be easy to do and *very* hard to fight: after all, the IP address would track back to the same coffeeshop I frequented, and the timestamps would correlate to the time I was in there. For a while I considered signing everything, so I could then deny making those posts. "I didn't write that! I sign everything! That has a bad/missing signature!" And then I imagined my dean answering, "That proves nothing: after all, if I was posting this stuff I wouldn't sign it, either." ... Anyway. I apologize again for the length of this post. Too long by half, I know. The takeaway here is: * Signatures extend the reach of trust, they don't create new trust * Unless there's a pre-existing trust relationship signatures mean either nothing or so close to it I can't tell the difference * Signatures on mailing lists are mostly (and maybe entirely) useless because of how few members have pre-existing trust relationships with others * Don't ask people to trust what you say: give them a way to independently verify what you say and you can skip the headache of trying to establish trust Hope these thoughts help. Thanks for reading. From rjh at sixdemonbag.org Wed Feb 1 01:15:07 2012 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Tue, 31 Jan 2012 19:15:07 -0500 Subject: [META] The issue of the unwelcome CC (please email me if you receive a CC from me) In-Reply-To: References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F28242F.20700@comcast.net> <20120131143532.459370f5@scorpio> Message-ID: <4F28840B.2080708@sixdemonbag.org> On 1/31/2012 6:18 PM, Daniel Farina wrote: > Okay, the harshness of language here has baited me to reply: First, thank you for keeping your response civil. I appreciate it a lot. > There's a simple reason people do this, and it's because it is a > common choice for large lists, including the Linux family of mailing > lists, the Postgres family of mailing lists, and the FreeBSD family of > mailing lists, and the GCC mailing lists -- and these are the first > four projects I thought of, all of which use the "To: OP, CC: The > List" convention. The common (and entirely valid) use case being that > one can filter for mail that is "To:" them, and not necessarily read > *all* mailing list traffic. I agree with you. I thought this convention was sufficiently obvious as to not need pointing out. In 20+ years of being on the Net, this is the first time I've ever seen a flamewar erupt over something as ridiculous as whether it's a mark of mental retardation to have on-list and cc responses. With respect to GnuPG's "outlier" convention, I've never heard of it. I've received both on-list and cc's many, many times in the past. 
People are, of course, free to request what they want: but this trend of getting angry and furious at people who do not comply seems to me to be a social power-play and I want none of it. Dan Geer had the right approach, I think. He said, politely, that he prefers not to receive a separate cc. I plan on honoring this as far as my memory allows. He didn't tell me that I *must* not, or that I was a 'retard' or a 'moron' if I did so. I don't mind people being argumentative. (I've been accused of being brusque many, many times. Guilty as charged, and unrepentant.) But the level here has gone from good form straight into unsportsmanlike conduct. I'd like it if we could stop that and de-escalate back to our usual level of vigorous, impassioned argument. :) From jerry at seibercom.net Wed Feb 1 01:17:17 2012 From: jerry at seibercom.net (Jerry) Date: Tue, 31 Jan 2012 19:17:17 -0500 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...) In-Reply-To: <4F284E5D.4070901@dougbarton.us> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> Message-ID: <20120131191717.0662f2c5@scorpio> On Tue, 31 Jan 2012 12:26:05 -0800 Doug Barton articulated: > On 01/31/2012 05:05, Jerry wrote: > > This is an "OPT-IN"list. Some lists, like FreeBSD are open, but not > > this one. 
> > I don't understand the distinction you're trying to make. Both this > list and all of the FreeBSD lists require you to subscribe. In fact > FreeBSD lists also use mailman. OK, I thought it was self evident; however, I guess I need to explain the difference more clearly. I am not sure what terms mailman uses, so I will use "open-posting" and "closed-posting" The meanings will become self evident. The basic FreeBSD forum is "open-posting". A poster need not be subscribed to the forum. What that means is that anyone may post to the forum. To see a response, they will either have to convince every responder to the post to CC him/her or view the replies on the web interface. Now most, but not all, forums are "closed-posting". If a non-subscriber attempts to post to the forum, they will receive this response: ********************************************************************* Your mail to 'Gnupg-users' with the subject Testing Is being held until the list moderator can review it for approval. The reason it is being held: Post by non-member to a members-only list Either the message will get posted to the list, or you will receive notification of the moderator's decision. If you would like to cancel this posting, please visit the following URL: (URL removed by me) ******************************************************************** This is an actual reply from a test message I sent awhile ago. Now, unless the poster intended to wait an indefinite period of time, said time varying from a few hours to a few days, depending on the forum, there is virtually no likelihood that anyone would waste their time posting if they were not subscribed to the forum. Now, I am sure that someone will make the statement that they wouldn't mind waiting an indefinite period, hoping that their message will be approved and then hoping that the responders to said post actually do CC them. I have a term I use for people like that. 
It takes only 3 minutes or less (I once subscribed to a forum and responded to the email in less than 3 minutes) to subscribe one's self. If the poster cannot take the time involved to subscribe to a list, then they don't have the time to be posting to the list. Now, this is all very simple to me; however, I am sure that someone is going to tell me what a burden subscribing to a list is. I actually find that rather amusing since I wonder if they find wiping their ass after taking a crap a burden too. Now Doug, I hope I have explained it to your satisfaction. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ Q: What came after the "Big Bang"? A: The walk of shame. From jerry at seibercom.net Wed Feb 1 01:29:20 2012 From: jerry at seibercom.net (Jerry) Date: Tue, 31 Jan 2012 19:29:20 -0500 Subject: PGP/MIME use In-Reply-To: <4F2881A9.8040502@sixdemonbag.org> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <946FFFC5-A191-4073-9D69-FC7FDC6950B7@gpgtools.org> <4F2836ED.5030705@sixdemonbag.org> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> Message-ID: <20120131192920.65be1159@scorpio> On Tue, 31 Jan 2012 19:04:57 -0500 Robert J. Hansen articulated: > And then I imagined my dean answering, "That proves nothing: after > all, if I was posting this stuff I wouldn't sign it, either." Don't apologize, I loved your post. One of the better ones I have read in a while. It appears that your Dean was a sharp individual. Your analogy is interesting too. In the '50s in the USA, there was a movement to require individuals to take a "loyalty oath". It was at the height of the McCarthy era. The theory was that it would root out communists. 
Finally, it dawned upon these intellectually challenged jerks that a real communist would have no problem taking such an oath since it would be to their advantage to do so. Sometimes you just have to shout, WTF. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ What if there had been room at the inn? Linda Festa on the origins of Christianity -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From sandals at crustytoothpaste.net Wed Feb 1 02:20:44 2012 From: sandals at crustytoothpaste.net (brian m. carlson) Date: Wed, 1 Feb 2012 01:20:44 +0000 Subject: [META] please start To: with gnupg-users@gnupg.org, i.e.: In-Reply-To: <937838472.20120131232325@my_localhost> References: <20120130190643.GB184889@crustytoothpaste.ath.cx> <937838472.20120131232325@my_localhost> Message-ID: <20120201012043.GD184889@crustytoothpaste.ath.cx> On Tue, Jan 31, 2012 at 11:23:25PM +0000, MFPA wrote: > On Monday 30 January 2012 at 7:06:43 PM, in > , brian m. > carlson wrote: > > The problem is that unlike regular list messages, the > > dupes don't come with the list headers, which makes > > sorting them based on the list headers problematic. > > The group's email address gnupg-users at gnupg.org usually appears in the > To: or CC: field of the duplicate message. Why not filter/sort on > that and catch most of them? Because that means that instead of using one procmail rule to autosort all mailing lists I have to write one for every list I might subscribe to. This is error-prone and defeats the purpose of using a generic tool to do repetitive tasks easily. Most mailing lists have a List-ID header for this purpose. Majordomo lists use a different convention which is also easily sorted on. 
Also, when I'm subscribed to a mailing list, I expect people to post their replies to the list unless there's a personal reply that is not appropriate for the list. For lists that require subscriptions, that means that it's guaranteed that everybody will get a copy, which is the point of a mailing list. Why intentionally send me an extra? Who wants two copies of an email? -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From dougb at dougbarton.us Wed Feb 1 05:18:44 2012 From: dougb at dougbarton.us (Doug Barton) Date: Tue, 31 Jan 2012 20:18:44 -0800 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...) In-Reply-To: <20120131191717.0662f2c5@scorpio> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> <20120131191717.0662f2c5@scorpio> Message-ID: <4F28BD24.10301@dougbarton.us> On 01/31/2012 16:17, Jerry wrote: > On Tue, 31 Jan 2012 12:26:05 -0800 > Doug Barton articulated: > >> On 01/31/2012 05:05, Jerry wrote: >>> This is an "OPT-IN"list. 
Some lists, like FreeBSD are open, but not >>> this one. >> >> I don't understand the distinction you're trying to make. Both this >> list and all of the FreeBSD lists require you to subscribe. In fact >> FreeBSD lists also use mailman. > > OK, I thought it was self evident; however, I guess I need to explain > the difference more clearly. > > I am not sure what terms mailman uses, so I will use "open-posting" > and "closed-posting" The meanings will become self evident. > > The basic FreeBSD forum FYI, "forum" generally refers to something different than a mailing list. I point this out mostly because http://forums.freebsd.org/ exists. > is "open-posting". A poster need not be subscribed to the forum. Actually many of the FreeBSD lists moderate posts from non-members, but none of them outright block them. I realize that this isn't germane to your main point, but I wouldn't want the wrong information to live forever in the archives. :) Doug -- It's always a long day; 86400 doesn't fit into a short. Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ From remco at webconquest.com Wed Feb 1 05:57:46 2012 From: remco at webconquest.com (Remco Rijnders) Date: Wed, 1 Feb 2012 05:57:46 +0100 Subject: PGP/MIME use (was Re: META) In-Reply-To: <4F283C2A.6070102@verizon.net> References: <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F272A58.10708@sixdemonbag.org> <20120131065918.5cd15ffb@scorpio> <946FFFC5-A191-4073-9D69-FC7FDC6950B7@gpgtools.org> <4F283C2A.6070102@verizon.net> Message-ID: On Tue, Jan 31, 2012 at 02:08:26PM -0500, Jean-David wrote in <4F283C2A.6070102 at verizon.net>: >Remco Rijnders wrote: > >> I appreciate signed mails on this list (and any other lists). 
Most >> problems these days on the internet are, in my opinion, related to >> people being completely anonymous. If you stand behind your words, >> show so by signing your posts. >> >OK. I stand behind this post. But other than amusing myself, does it >really make any difference? To me it does some. Knowing that we know that you are really Jean-David Beyer and that it probably is not a made up name, makes it far more likely that you'll consider your words before posting them online and that it is also less likely that you'd be trolling just for the fun of it. Please note that I am in any way suggesting you'd be trolling otherwise, but a properly signed post for which a trust path from my key to yours exists does make a difference to me. A small one perhaps and you might not find it worth signing your posts for my convenience / peace of mind, but if you do sign it, I do appreciate it :-) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From remco at webconquest.com Wed Feb 1 06:20:46 2012 From: remco at webconquest.com (Remco Rijnders) Date: Wed, 1 Feb 2012 06:20:46 +0100 Subject: Using the not-dash-escaped option In-Reply-To: <516876184.20120131214116@my_localhost> References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> Message-ID: On Tue, Jan 31, 2012 at 09:41:16PM +0000, MFPA wrote in <516876184.20120131214116 at my_localhost>: > >> That's exactly what the --not-dash-escaped option is >> for. Granted, it's not portable to some other PGP >> implementations, but if there is any mailing list in >> world in which it would be acceptable, I would think >> it would be this one! :) > >I'm guessing that's what you did, and the cut mark was not munged. >Trying the same right back at ya. > >Are you sure this is what the option is for? 
The man page says it is >to enable cleartext signatures to be used with patch files. And for what it's worth... my client tells me the signature on this particular post you made is invalid. Your other posts to this list all pass the test ;-) Kind regards, Remco From wk at gnupg.org Wed Feb 1 09:43:13 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 09:43:13 +0100 Subject: Compiling GnuPG problem In-Reply-To: (Davi Barker's message of "Tue, 31 Jan 2012 22:23:42 -0800") References: <87obtk3u9f.fsf@vigenere.g10code.de> Message-ID: <87ipjr0wri.fsf@vigenere.g10code.de> On Wed, 1 Feb 2012 07:23, themuslimagorist at gmail.com said: > compress.c:34:18: fatal error: zlib.h: No such file or directory > compilation terminated. You need to install zlib development files. On a Debian system this is the package zlib1g-dev. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Feb 1 09:48:53 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 09:48:53 +0100 Subject: Using the not-dash-escaped option In-Reply-To: (Paul Hartman's message of "Tue, 31 Jan 2012 16:29:53 -0600") References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> Message-ID: <87ehuf0wi2.fsf@vigenere.g10code.de> On Tue, 31 Jan 2012 23:29, paul.hartman at gmail.com said: > It's still missing the trailing space, assuming you put one there in > the first place... many people don't realize it's supposed to be > there. The best way to make sure that it does not get removed is by using QP encoding. ("--=20\n"). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
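The two ways the signature cut mark gets damaged in this thread, as an added example that is not part of any poster's message: dash-escaping (applied to cleartext signatures unless --not-dash-escaped is given, rule per RFC 4880 section 7.1) turns "-- " into "- -- ", and a transport that trims trailing blanks turns it into "--", while the quoted-printable form "--=20" survives trimming. The sample body and all helper names are constructed for illustration.

```python
import quopri

SIG_DELIM = "-- "  # signature cut mark: dash, dash, space

# Constructed sample body (not taken from any message in the thread).
BODY = "Hello list,\n\nsee below.\n-- \nAlice Example\n"


def dash_escape(text):
    """Dash-escape as RFC 4880 section 7.1 requires for cleartext
    signatures: every line starting with '-' gets a '- ' prefix."""
    return "\n".join(
        "- " + line if line.startswith("-") else line
        for line in text.split("\n")
    )


def dash_unescape(text):
    """Reverse of dash_escape, as an OpenPGP-aware reader applies it."""
    return "\n".join(
        line[2:] if line.startswith("- ") else line
        for line in text.split("\n")
    )


def trim_trailing_ws(text):
    """Model of a relay or editor that strips trailing blanks per line."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


def has_cut_mark(text):
    """True if some line is exactly the delimiter '-- '."""
    return SIG_DELIM in text.split("\n")


def qp_encode(text):
    """Quoted-printable encode; a blank at end of line becomes =20."""
    return quopri.encodestring(text.encode("utf-8")).decode("ascii")


def qp_decode(text):
    return quopri.decodestring(text.encode("ascii")).decode("utf-8")


def survey():
    """Does a non-OpenPGP mail client still see the cut mark in each case?"""
    escaped = dash_escape(BODY)
    encoded = qp_encode(BODY)
    return {
        "plain": has_cut_mark(BODY),
        # Dash-escaped text as a client without OpenPGP support sees it.
        "dash_escaped": has_cut_mark(escaped),
        # The same text after an OpenPGP-aware client removes the escaping.
        "dash_unescaped": has_cut_mark(dash_unescape(escaped)),
        # Plain text after a whitespace-trimming hop.
        "trimmed": has_cut_mark(trim_trailing_ws(BODY)),
        # QP text after the same hop, then decoded by the recipient.
        "qp_trimmed_decoded": has_cut_mark(
            qp_decode(trim_trailing_ws(encoded))
        ),
    }


if __name__ == "__main__":
    for case, seen in survey().items():
        print(f"{case:20s} cut mark visible: {seen}")
```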
From wk at gnupg.org Wed Feb 1 10:15:01 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 10:15:01 +0100 Subject: [META] The issue of the unwelcome CC In-Reply-To: <4F28840B.2080708@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 31 Jan 2012 19:15:07 -0500") References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F28242F.20700@comcast.net> <20120131143532.459370f5@scorpio> <4F28840B.2080708@sixdemonbag.org> Message-ID: <8739au29uy.fsf_-_@vigenere.g10code.de> Hi, Let me quote from the Gnus manual, which explains how some think it should be handled. Sometimes while posting to mailing lists, the poster needs to direct followups to the post to specific places. The Mail-Followup-To (MFT) was created to enable just this. Three example scenarios where this is useful: * A mailing list poster can use MFT to express that responses should be sent to just the list, and not the poster as well. This will happen if the poster is already subscribed to the list. * A mailing list poster can use MFT to express that responses should be sent to the list and the poster as well. This will happen if the poster is not subscribed to the list. * If a message is posted to several mailing lists, MFT may also be used to direct the following discussion to one list only, because discussions that are spread over several lists tend to be fragmented and very difficult to follow. Gnus honors the MFT header in other's messages (i.e. 
while following up to someone else's post) and also provides support for generating sensible MFT headers for outgoing messages as well. The basic rule is that the first poster to a thread decides what to do, any later reply may change that - but only by adding CC headers. Without that rule some may miss a mail. Gnus considers a missed mail more serious than a duplicated mail. If you delay mail receiving for a few minutes, it is possible to use the message-id to filter out the duplicates. Well, this does not work always (e.g. due to greylisting) but it has the ability to remove duplicates in many cases. For many years I used Gnus internal mail splitting which handles duplicates suppression very well. Meanwhile I switched back to procmail and a local imapd. This does not have the full Gnus filtering and I also did not implement the above strategy. It doesn't harm - I check my general folder for important messages and then turn to the mailing lists. By reading the mailing lists the duplicates in the general mail folder will also be marked. Salam-Shalom, Werner ps. Things which annoy me much more than CCs are: top posting, not stripping long quotes, missing to insert a "was:" after changing the subject, and changing the name part of the address to include the list name. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From themuslimagorist at gmail.com Wed Feb 1 07:23:42 2012 From: themuslimagorist at gmail.com (Davi Barker) Date: Tue, 31 Jan 2012 22:23:42 -0800 Subject: Compiling GnuPG problem In-Reply-To: <87obtk3u9f.fsf@vigenere.g10code.de> References: <87obtk3u9f.fsf@vigenere.g10code.de> Message-ID: Werner, Thanks for your help. I discovered a list of libraries that needed to be installed prior to GnuPG. I got that figured out, but now I'm getting a new error message: compress.c:34:18: fatal error: zlib.h: No such file or directory compilation terminated. Any ideas? Thanks again for your help and patience.
Peace Davi On Tue, Jan 31, 2012 at 4:56 AM, Werner Koch wrote: > On Tue, 31 Jan 2012 06:03, themuslimagorist at gmail.com said: > > > I successfully downloaded a package named gnupg-2.0.18.tar.bz2 from > > gnupg.org. Following the instructions, I successfully configured the > > package using the "./configure" command, but when I attempted to compile > he > > Are you sure that the configure run was successfully? Read the error > messages closely. At the end of a successful run you should see a list > of configure options active for the build (platform: xxxx, etc.). Most > likely you missed to install or build a required dependency > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -- The San Francisco Muslim Examiner National Libertarian Examiner Graphic Artist at Eccentric Circle Propagandist at Vote 4 Nobody From jerry at seibercom.net Wed Feb 1 12:19:58 2012 From: jerry at seibercom.net (Jerry) Date: Wed, 1 Feb 2012 06:19:58 -0500 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
In-Reply-To: <4F28BD24.10301@dougbarton.us> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> <20120131191717.0662f2c5@scorpio> <4F28BD24.10301@dougbarton.us> Message-ID: <20120201061958.5ee3f1f5@scorpio> On Tue, 31 Jan 2012 20:18:44 -0800 Doug Barton articulated: > Actually many of the FreeBSD lists moderate posts from non-members, > but none of them outright block them. I realize that this isn't > germane to your main point, but I wouldn't want the wrong information > to live forever in the archives. :) Yes, many of them do; however, I was referring to only one of them, the "FreeBSD Questions " list. I probably should have been more specific. In any case, it more than amply demonstrates my point of the uselessness of "CCing" on a closed list such as this one which you interestingly enough did not address although you did send me a copy via CC of this message even though I specifically asked not to receive one and have configured Mailman to not send me a CC'd copy. I am not sure why this one got through. -- Jerry ? Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. 
__________________________________________________________________ From Dave.Smith at st.com Wed Feb 1 11:27:51 2012 From: Dave.Smith at st.com (David Smith) Date: Wed, 1 Feb 2012 10:27:51 +0000 Subject: Compiling GnuPG problem In-Reply-To: References: <87obtk3u9f.fsf@vigenere.g10code.de> Message-ID: <4F2913A7.3020701@st.com> Davi Barker wrote: > Werner, > > Thanks for your help. I discovered a list of libraries that needed to be > installed prior to GnuPG. I got that figured out, but now I'm getting a > new error message: > > compress.c:34:18: fatal error: zlib.h: No such file or directory > compilation terminated. It looks like you still need to install some more packages before you can start on GnuPG proper. On my system (RedHat Enterprise Server), zlib.h is in /usr/include, and has come from the "zlib-devel" package. Ubuntu might put it in a differently-named package, but I doubt it would be too tricky to find. My system also has a few other files called "zlib.h", one is from the "syslinux" package, and the other is in "kernel-devel". HTH&HAND From lists at chrispoole.com Wed Feb 1 15:41:27 2012 From: lists at chrispoole.com (Chris Poole) Date: Wed, 1 Feb 2012 14:41:27 +0000 Subject: 1024 key with 2048 subkey: how affected? In-Reply-To: <4F1DCC3C.9050002@enigmail.net> References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> Message-ID: On Mon, Jan 23, 2012 at 9:08 PM, John Clizbe wrote: > Larger and larger RSA keys aren't the solution, ECC is. The balance of power has > tipped away from RSA and toward ECC. > > Feel free to ignore everything I've said. There's no reason you should trust > me. But by all means, keep asking questions. But everything I've read agrees > larger and larger RSA keys are not the path forward. I agree with you entirely, I'm just waiting for the various standards to pick it up, and for more people to use it.
When many people (whose opinion I value) use and trust it, I will also. Cheers Chris Poole [PGP BAD246F9] From lists at chrispoole.com Wed Feb 1 15:43:53 2012 From: lists at chrispoole.com (Chris Poole) Date: Wed, 1 Feb 2012 14:43:53 +0000 Subject: 1024 key with 2048 subkey: how affected? In-Reply-To: <4F1DDB09.6040403@sixdemonbag.org> References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> <4F1DDB09.6040403@sixdemonbag.org> Message-ID: On Mon, Jan 23, 2012 at 10:11 PM, Robert J. Hansen wrote: > A lot of people like to refer to _Applied Cryptography_ or _The Handbook > of Applied Cryptography_ for information on algorithms, and for very > good reason: they've generally got excellent information. They are also > old books. _AC_ is coming up on twenty years old, for instance, and > _HoAC_ isn't much younger. At the time these books were written the > jury was still out on whether ECC had firm theoretical underpinnings. > Nowadays the jury is back, and ECC is generally recognized as being as > reputable as RSA, DSA or Elgamal. Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion? Cheers Chris Poole [PGP BAD246F9] From rjh at sixdemonbag.org Wed Feb 1 16:00:56 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 10:00:56 -0500 Subject: 1024 key with 2048 subkey: how affected? In-Reply-To: References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> <4F1DDB09.6040403@sixdemonbag.org> Message-ID: <4F2953A8.3010708@sixdemonbag.org> On 2/1/12 9:43 AM, Chris Poole wrote: > Are you able to recommend any particular resources or books that > cover ECC in a more complete and up to date fashion? Many. The real question is what level of depth you want. Googling for "nsa suite b" would be a pretty good starting place, probably.
The National Security Agency has approved the use of ECC for classified material as part of their "Suite B" cryptography package. As is the case with most government standards there is ample documentation about everything from the theoretical to the practical, although it isn't all collected in one place. From wk at gnupg.org Wed Feb 1 16:41:48 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 16:41:48 +0100 Subject: 1024 key with 2048 subkey: how affected? In-Reply-To: (Chris Poole's message of "Wed, 1 Feb 2012 14:43:53 +0000") References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> <4F1DDB09.6040403@sixdemonbag.org> Message-ID: <87pqdyzhkz.fsf@vigenere.g10code.de> On Wed, 1 Feb 2012 15:43, lists at chrispoole.com said: > Are you able to recommend any particular resources or books that cover ECC in a > more complete and up to date fashion? @book{Hankerson:2003:GEC:940321, author = {Hankerson, Darrel and Menezes, Alfred J. and Vanstone, Scott}, title = {Guide to Elliptic Curve Cryptography}, year = {2003}, isbn = {038795273X}, url = {http://www.cacr.math.uwaterloo.ca/ecc/}, publisher = {Springer-Verlag New York, Inc.}, address = {Secaucus, NJ, USA}, } It is similar to the already mentioned HAC. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mailinglisten at hauke-laging.de Wed Feb 1 16:47:12 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 1 Feb 2012 16:47:12 +0100 Subject: PGP/MIME use In-Reply-To: <4F2881A9.8040502@sixdemonbag.org> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> Message-ID: <201202011647.17817.mailinglisten@hauke-laging.de> Am Mittwoch, 1. Februar 2012, 01:04:57 schrieb Robert J. Hansen: > > It is hard for me to believe that a serious user of GnuPG does not > > use it for email. 
> > This sounds like a No True Scotsman fallacy. If someone uses GnuPG but > not for email, does that disqualify them from being a serious user? Of course not. I just don't believe that there are many examples of this type out there. To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me. > Linux might account for half a percent > of mindshare, so ... my prejudice is that there are about a million > GnuPG users in the United States. They might not even know it, but > they're part of the userbase. That's not what I would call a serious user. Counting that way some big distributors would just have to add Enigmail to their (graphical) default installation and to you the number of Enigmail "users" would get boosted by a factor of 100 without any real change. > (GnuPG is already on your system.) That's not true for a certain quite popular OS. How many Windows users install GnuPG without Enigmail? Given the huge difference in Linux and Windows users this affects the calculation a lot. > GnuPG would still crush us with between 100,000 and > 350,000 'knowing' users. Knowing is not the point to me. > That's not how the world works. > if/when we need to guarantee the integrity of our message The world (at least the part I am familiar with) relies (implicitly) even more on the integrity of a message than on trust. If you get an important information, question or order and have doubts about the integrity of the message then you will do some checks, no matter how much you trust. Of course, doubts are much lower today than they should be. That's how a part of online crime works. On the other hand is the proof of the integrity of a message often enough even if you do not know the person. Quite often people have to make manual signatures without being known to the person who demands for that.
Often the content is less important than the possibility to hold someone responsible for it. Another point: I get most of my (both private and professional) emails from people I know. > The reach of trust has been extended, sure, but > that doesn't help much when there isn't trust. Right. I would put it this way: A signature cannot raise the trust in a message content above the trust in the sender / signer. But a missing signature can (and usually will) lower the trust in the message content below the trust in the (non-proven) sender. > Imagine what would've happened if Roger had sent me that as a *signed* > email. > In this second alternate history, MFPA sends me a signed message And which of these scenarios is more probable? Who will after starting to sign emails start to send emails to people he is not familiar with? The first scenario is an improvement for you, the second does not make a difference (except for some wasted bandwidth). Leaving out the cost it would not make sense to do without signatures. > time as me and posting incredibly offensive things on University forums > using my name. > For a while I considered signing everything, Which is BTW not so easy. Many people use webmail. And there are reasons for not importing private keys onto work PCs. I am often too lazy to plug in the smartcard reader. But in the signature I apologize for not signing the mail. ;-) And if the content was important I would use the smartcard, of course. > so I could then deny making > those posts. "I didn't write that! I sign everything! That has a > bad/missing signature!" You probably wouldn't even have to because everyone who is in regular contact with you would know that. On the other hand: Signing in a web forum seems kind of extreme (and unsafe with respect to breaking the signature by automatic text formatting). :-) > And then I imagined my dean answering, "That proves nothing: after all, > if I was posting this stuff I wouldn't sign it, either."
Would not make much sense to use the name but not sign it, though. > * Signatures on mailing lists are mostly (and maybe > entirely) useless because of how few members have > pre-existing trust relationships with others The ability to hold someone responsible for his messages (which usually requires a signature but a signature is not enough to ensure that) is not the same as trust but an important point, too. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 From rjh at sixdemonbag.org Wed Feb 1 17:19:08 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 11:19:08 -0500 Subject: PGP/MIME use In-Reply-To: <201202011647.17817.mailinglisten@hauke-laging.de> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> Message-ID: <4F2965FC.8050705@sixdemonbag.org> On 2/1/12 10:47 AM, Hauke Laging wrote: > Of course not. I just don't believe that there are many examples of > this type out there. To me a serious user is one who actively signs, > encrypts, and/or verifies data and knows what he is doing. He has > created a key and verified at least one. Everything else seems like > special use to me. Then yes, you are selecting for email users. There are quite a lot of people who use GnuPG primarily for themselves -- for instance, a system administrator who signs each backup, a lawyer who encrypts files when in transit on a flash drive, etc. The overwhelming majority of the users you see are using email, yes, but only because email is the method by which you come to see them. Users who never announce their usage (the system administrator, the lawyer, etc.)
are completely invisible to you. I can't give an estimate on the number of 'invisible' users: they're invisible to me, too. But I'm not going to believe they don't exist, or that they don't exist in good numbers. > That's not what I would call a serious user. A 'serious user' is, to me, someone who will send angry emails if things break. If a program can fail and not have an immediate adverse effect on a user, the program is not important to the user and the user can be said to not be a "serious user." If GnuPG breaks, a whole lot of the Linux experience breaks. You get warnings left and right about installing packages with bad signatures, important updates don't happen, etc. This will result in a lot of angry people strangling whoever is responsible for breaking their PC. Yes, this definition means that you're a serious user of your OS kernel. And why wouldn't you be? You demand your PC make thousands of kernel calls each second. Is that not serious use? > Counting that way some big distributors would just have to add > Enigmail to their (graphical) default installation and to you the > number of Enigmail "users" would get boosted by a factor of 100 > without any real change. Think about what you're saying: (a) a major distro would have to ditch their email client for Thunderbird (b) a user would have to download and install Enigmail, since it's not a standard part of Thunderbird Ubuntu will be switching to Thunderbird in 12.04, apparently, so that takes care of (a). I doubt we will see a huge surge in Enigmail users as a result, though, since (b) is unchanged. As soon as both Thunderbird *and* Enigmail are part of a standard Linux installation, let me know. I'd love to know about it. Until then, I think Enigmail is going to remain a niche player. >> (GnuPG is already on your system.) > > That's not true for a certain quite popular OS. Quote in context, please. In context, that sentence obviously referred to Linux users.
Quoting people out-of-context to score points is a pet peeve of mine. >> GnuPG would still crush us with between 100,000 and 350,000 >> 'knowing' users. > > Knowing is not the point to me. Well, clearly the install base isn't the point, you've already said those aren't what you'd call 'serious users'. And if users who know of, are aware of, who pay attention to, how GnuPG works behind the scenes aren't relevant to you, then what is? Each benchmark I use to represent a class of users, you reject as being not what you're talking about, so please tell me precisely what you *are* talking about. > And which of these scenarios is more probable? Who will after > starting to sign emails start to send emails to people he is not > familiar with? Quite a lot, apparently. There are a whole lot of people on this mailing list. I'm sending a message to all of them, including people I don't even know. Your question: "Who will after starting to sign emails start to send emails to people he is not familiar with?" The answer is Facebook. Google+. eHarmony. Match.com. JDate. Bear411. ChristianSingles.com. The list goes on and on and on. (Note: my mention of any service is not an endorsement. If so, I'd be a weird mess of contradictions: a nice Jewish boy who happens to be a Pentecostal bear...) People love to talk and to meet new people. You can't stop people from talking to each other. It's part of the human experience. Something about creating social connections tickles something deep in our brains. It's like a drug. It's so much part of the human experience that we do it even when it's risky and dangerous, and for those who *don't* love to talk and meet new people we hang words like "misanthrope" or "hermit" off them -- words with powerful connotations of psychological dysfunction. > You probably wouldn't even have to because everyone who is in regular > contact with you would know that. Yes, but that's completely irrelevant. 
I don't mean to be callous, but you've missed a very important point. The people who would be complaining about my conduct would be people who don't know me from the wind. *They're* the ones who would have to be persuaded I was on the up-and-up. Persuading them would be an uphill road to hoe. What would the Dean say to them? "I've known Rob for three years and he's never once expressed any sentiments like this?" They'd point out that yes, I've never expressed sentiments like that openly around the Dean because those opinions are so offensive they'd get me canned. Best case scenario, the aggrieved parties would demand the Dean make a full investigation. The Dean would know there would be no investigation that could either clear me or condemn me: there's simply not enough evidence to draw conclusions either way. The Dean would know that I was on the up and up, but since trust isn't transitive, he couldn't convince the concerned college community I was on the up and up. So the Dean would quietly relieve me of teaching duties, give me a research job in some office somewhere that I didn't have to interact with anyone, keep me out of public view, and he'd tell the affected people "the investigation is underway, and until it's resolved we've relieved him of teaching duties." Then in a semester or two I'd be quietly reinstated as a TA. Welcome to politics. That's how it works. >> And then I imagined my dean answering, "That proves nothing: after >> all, if I was posting this stuff I wouldn't sign it, either." > > Would not make much sense to use the name but not sign it, though. Sure it would. Deniability. 
From wk at gnupg.org Wed Feb 1 17:31:28 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 17:31:28 +0100 Subject: PGP/MIME use In-Reply-To: <201202011647.17817.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Wed, 1 Feb 2012 16:47:12 +0100") References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> Message-ID: <87y5smv7kv.fsf@vigenere.g10code.de> On Wed, 1 Feb 2012 16:47, mailinglisten at hauke-laging.de said: > That's not true for a certain quite popular OS. How many Windows users install > GnuPG without Enigmail? Given the huge difference in Linux and Windows users > this affects the calculation a lot. A quick data point. From March to May, after the release of Gpg4win 2.1, we had an average of more than 600 downloads per day from the primary server. That is more than 50000 in 3 months. In June we even reached 800 per days. Unfortunately I don't have any newer numbers available. And there are also the users of gnupg 1.4 - I don't run statistics on ftp.gnupg.org, thus I can't tell you any numbers. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gnupg at lists.grepular.com Wed Feb 1 17:40:59 2012 From: gnupg at lists.grepular.com (gnupg at lists.grepular.com) Date: Wed, 01 Feb 2012 16:40:59 +0000 Subject: PGP/MIME use In-Reply-To: <4F2965FC.8050705@sixdemonbag.org> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> Message-ID: <4F296B1B.1080201@lists.grepular.com> On 01/02/12 16:19, Robert J. Hansen wrote: > As soon as both Thunderbird *and* Enigmail are part of a standard Linux > installation, let me know. I'd love to know about it. 
Until then, I > think Enigmail is going to remain a niche player. Has there been a concerted effort to make Enigmail an integral part of Thunderbird, distributed with it? If yes, what are the reasons that it has been rejected so far? If no, why not? -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 From wk at gnupg.org Wed Feb 1 17:55:05 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Feb 2012 17:55:05 +0100 Subject: PGP/MIME use In-Reply-To: <4F296B1B.1080201@lists.grepular.com> (gnupg@lists.grepular.com's message of "Wed, 01 Feb 2012 16:40:59 +0000") References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> Message-ID: <87ty3av6hi.fsf@vigenere.g10code.de> On Wed, 1 Feb 2012 17:40, gnupg at lists.grepular.com said: > Has there been a concerted effort to make Enigmail an integral part of > Thunderbird, distributed with it? If yes, what are the reasons that it > has been rejected so far? If no, why not? The Mozillas don't like OpenPGP. To them it is probably too much anarchy compared to S/SMIME. Ask the Mammon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From jerry at seibercom.net Wed Feb 1 18:19:41 2012 From: jerry at seibercom.net (Jerry) Date: Wed, 1 Feb 2012 12:19:41 -0500 Subject: PGP/MIME use In-Reply-To: <87ty3av6hi.fsf@vigenere.g10code.de> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> Message-ID: <20120201121941.5e100a23@scorpio> On Wed, 01 Feb 2012 17:55:05 +0100 Werner Koch articulated: > The Mozillas don't like OpenPGP. To them it is probably too much > anarchy compared to S/SMIME. Ask the Mammon. Windows users prefer S/MIME. I know I use it on my Windows machines because it does not require me to install more applications. It works seamlessly in Outlook, which is probably its biggest asset. Perhaps the Mozilla folks, realizing that Microsoft users are probably its largest base audience prefer to stick with what its main constituency want. Just a guess and my own 2¢. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ From rjh at sixdemonbag.org Wed Feb 1 19:37:54 2012 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Wed, 01 Feb 2012 13:37:54 -0500 Subject: PGP/MIME use In-Reply-To: <4F296B1B.1080201@lists.grepular.com> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> Message-ID: <4F298682.3030907@sixdemonbag.org> On 2/1/12 11:40 AM, gnupg at lists.grepular.com wrote: > Has there been a concerted effort to make Enigmail an integral part > of Thunderbird, distributed with it? I don't know what you mean by a "concerted effort." Maybe five Enigmail users count under your definition, maybe fifty: maybe two people within Mozilla, or maybe nobody has to be within Mozilla, etc. All I can say is that at various times people have tried to push for this, but so far without success. There seem to be two major reasons for this: * S/MIME is already irrelevant to the vast majority of Thunderbird users, and providing OpenPGP would just introduce a redundant irrelevant capability * Enigmail requires a binary that's not maintained by Mozilla, which is released on its own schedule, and is licensed under terms other than those Mozilla prefers From MichaelQuigley at TheWay.Org Wed Feb 1 19:37:56 2012 From: MichaelQuigley at TheWay.Org (MichaelQuigley at TheWay.Org) Date: Wed, 1 Feb 2012 13:37:56 -0500 Subject: PGP/MIME use In-Reply-To: Message-ID: gnupg-users-bounces at gnupg.org wrote on 02/01/2012 10:51:46 AM: > ----- Message from "Robert J. Hansen" on Wed, > 01 Feb 2012 11:19:08 -0500 ----- > > To: > > gnupg-users at gnupg.org > > Subject: > > Re: PGP/MIME use > > On 2/1/12 10:47 AM, Hauke Laging wrote: > > Of course not. I just don't believe that there are many examples of > > this type out there. To me a serious user is one who actively signs, > > encrypts, and/or verifies data and knows what he is doing. 
He has
> > created a key and verified at least one. Everything else seems like
> > special use to me.
>
> Then yes, you are selecting for email users. There are quite a lot of
> people who use GnuPG primarily for themselves -- for instance, a system
> administrator who signs each backup, a lawyer who encrypts files when in
> transit on a flash drive, etc.
>
> The overwhelming majority of the users you see are using email, yes, but
> only because email is the method by which you come to see them. Users
> who never announce their usage (the system administrator, the lawyer,
> etc.) are completely invisible to you.
>

I would be one who fits in the other case. I've never signed an
e-mail--no one at our organization does. (Not that I wouldn't like to,
but nearly all those with whom I communicate wouldn't have any use for
nor comprehension of the signature.) However, I've written scripts to
routinely sign files for transmission to our bank. I would definitely
count us as serious users. We would be very upset if the bank started
rejecting transmissions due to the lack of a valid signature. Seeing
that our bank is a very large one, I'm sure there are plenty of others
who also sign their business transmissions using GPG.

Michael

From wk at gnupg.org Wed Feb 1 19:38:52 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 01 Feb 2012 19:38:52 +0100
Subject: GnuPG asp net on web server
In-Reply-To: <918D83BFC95948C09FD14356374188F3@ZuziakPC> (Zenon Biedrzycki's message of "Tue, 31 Jan 2012 20:20:12 +0100")
References: <918D83BFC95948C09FD14356374188F3@ZuziakPC>
Message-ID: <87hazav1oj.fsf@vigenere.g10code.de>

On Tue, 31 Jan 2012 20:20, zenobiuszbiedrzycki at poczta.onet.pl said:
>
> szyfrowanie.StartInfo.Arguments() = "--recipient " & mail & " --armor --encrypt " & sciezka & nazwa_pliku

At least add "--batch" to the options.

Shalom-Salam,

Werner

--
Thoughts are free.
Exceptions are governed by federal law.

From wk at gnupg.org Wed Feb 1 19:37:29 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 01 Feb 2012 19:37:29 +0100
Subject: PGP/MIME use
In-Reply-To: <20120201121941.5e100a23@scorpio> (jerry@seibercom.net's message of "Wed, 1 Feb 2012 12:19:41 -0500")
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> <20120201121941.5e100a23@scorpio>
Message-ID: <87liomv1qu.fsf@vigenere.g10code.de>

On Wed, 1 Feb 2012 18:19, jerry at seibercom.net said:

> Windows users prefer S/MIME. I know I use it on my Windows machines
> because it does not require me to install more applications. It works

But users need to pay their Internet tax to Verislime et al. Or, tinker
with CAcert root certificates.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by federal law.

From jerry at seibercom.net Wed Feb 1 20:23:31 2012
From: jerry at seibercom.net (Jerry)
Date: Wed, 1 Feb 2012 14:23:31 -0500
Subject: PGP/MIME use
In-Reply-To:
References:
Message-ID: <20120201142331.0907c459@scorpio>

On Wed, 1 Feb 2012 13:37:56 -0500
MichaelQuigley at TheWay.Org articulated:

> However, I've written scripts to
> routinely sign files for transmission to our bank.

Does your bank actually verify those signed documents? I have sent
documents to various organizations, both signed and unsigned and never
heard a word spoken from any of them regarding it.

--
Jerry

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________

From rjh at sixdemonbag.org Wed Feb 1 20:40:23 2012
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Wed, 01 Feb 2012 14:40:23 -0500
Subject: PGP/MIME use
In-Reply-To: <20120201142331.0907c459@scorpio>
References: <20120201142331.0907c459@scorpio>
Message-ID: <4F299527.6040609@sixdemonbag.org>

On 2/1/12 2:23 PM, Jerry wrote:
> Does your bank actually verify those signed documents?

I can't vouch for financial institutions. I can tell you that when I
was working in electronic voting, whenever I asked questions about "do
you verify signatures?" I was always assured that yes, yes they did.

Whenever I asked, "when was the last time you had a bad signature?" I
always received an answer of either "gee, look at the time, gotta go,"
or "we've never had a bad signature on data from a real election, after
all, our systems are reliable and trustworthy."

From the perspective of the voting authority, if they say "no we don't
check signatures" it undercuts confidence, therefore they always say
they check signatures. If they say "yeah, we had a bad sig last week, a
byte got dropped somewhere, we re-sent the data and it was fine," that,
too, undercuts confidence: they're admitting the system isn't perfect.

I liked hearing the "Gee, look at the time, gotta go" answer. It
seemed to be the most honest.

YMMV, and banks are definitely different beasts from voting
authorities.

From cwal989 at comcast.net Wed Feb 1 20:47:59 2012
From: cwal989 at comcast.net (Christopher J.
Walters)
Date: Wed, 01 Feb 2012 14:47:59 -0500
Subject: [META] Apologies was: The issue of the unwelcome CC
In-Reply-To: <8739au29uy.fsf_-_@vigenere.g10code.de>
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F28242F.20700@comcast.net> <20120131143532.459370f5@scorpio> <4F28840B.2080708@sixdemonbag.org> <8739au29uy.fsf_-_@vigenere.g10code.de>
Message-ID: <4F2996EF.8060009@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/1/2012 04:15 AM, Werner Koch wrote:
> ps.
> Things which annoy me much more than CCs are: top posting, not stripping
> long quotes, missing to insert a "was:" after changing the subject, and
> changing the name part of the address to include the list name.

I apologize for not putting the "was:" in when I initially posted with
the changed subject line. I usually do so, in this case, however, I
felt it would violate a pet peeve of my own - that is unnecessarily
long (and often confusing) subject lines. I should, nevertheless, have
either used that convention, or started a new thread.

I want to make clear to all here: I did not intend to offend anyone, or
start a flame war on this list - this is why I did not reply to the
thread until now. I was only pointing out that I sometimes receive, on
other lists two copies of messages addressed To: CC: . I do not
complain about it, as I assume it to be a problem of the MTA and not
the intention of the person replying that way.
Regards,
Christopher Walters

P.S. Those things all bother me, as well. This is why I decided to
post this reply.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 120201-0, 02/01/2012
Tested on: 2/1/2012 2:48:00 PM
avast! - copyright (c) 1988-2012 AVAST Software.
http://www.avast.com

From expires2012 at rocketmail.com Wed Feb 1 21:19:48 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Wed, 1 Feb 2012 20:19:48 +0000
Subject: Using the not-dash-escaped option
In-Reply-To:
References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost>
Message-ID: <889423494.20120201201948@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 1 February 2012 at 5:20:46 AM, in , Remco Rijnders wrote:

> And for what it's worth... my client tells me the
> signature on this particular post you made is invalid.
> Your other posts to this list all pass the test ;-)

I just tried and got "good signature." Strange.

- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

Two wrongs don't make a right. But three lefts do.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From cwal989 at comcast.net Wed Feb 1 21:34:30 2012
From: cwal989 at comcast.net (Christopher J. Walters)
Date: Wed, 01 Feb 2012 15:34:30 -0500
Subject: On message signing and Enigmail...
Message-ID: <4F29A1D6.4030205@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I thought I would start a new thread because of the thread confusion.
I first want to say that I use Enigmail with Thunderbird, and check the
To: and CC: lines of any replies before I send my reply to any list, to
avoid people receiving unwanted private email from me.

On the issue of signing: I do sign my messages, and have uploaded my
public keys to key servers, so they are available to check that no one
has changed my message. In reply to the concept that it is
meaningless, I will say that I feel that it adds a layer of trust
(perhaps more than one, if you have one or more lines of trust to the
poster) that the message was, in fact, posted by the person signing it,
and that person stands behind what they say.

OpenPGP's PGP/MIME vs. S/MIME: I have always used Enigmail with
Thunderbird on Windows, and GNU/Linux systems (I dual boot, so I use
both). I do not use S/MIME, have never done so, do not intend to
start.

On inline vs. PGP/MIME signed messages: I post to several lists, forums
and groups. Some strip attachments, by default, and since my signature
is sent as an attachment when using PGP/MIME, it is stripped from my
message. Also, some of my contacts have set ups that automatically
strip attachments (e.g. my signature).
Therefore, I decided that it is best for all to use the plain text only
type of posting and an inline signature so that everyone on all lists
can at least verify that I have taken the time to install GnuPG on my
system, generate a key pair with my name and email address, upload my
public key to a widely used key server, and enter my passphrase to sign
the message.

Those are my thoughts on this matter.

Sincerely,
Christopher J. Walters

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Wed Feb 1 21:45:05 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 01 Feb 2012 15:45:05 -0500
Subject: On message signing and Enigmail...
In-Reply-To: <4F29A1D6.4030205@comcast.net>
References: <4F29A1D6.4030205@comcast.net>
Message-ID: <4F29A451.9040801@sixdemonbag.org>

On 2/1/12 3:34 PM, Christopher J. Walters wrote:
> On the issue of signing: I do sign my messages, and have uploaded my
> public keys to key servers, so they are available to check that no
> one has changed my message.

Except that it doesn't.
What's to prevent me from creating a certificate with your name and
email address and making posts in your name, with a signature from a
certificate that claims to be yours?

Nothing -- and that signature is every bit as credible as the one
that's from your own certificate. You might say, "but that
certificate's a fraud, my certificate's real!", but the Christopher
Walters impersonator will say the same thing about you. There's no way
to check.

I understand the desire to give people a way to verify the integrity of
your message, but the way you're going about it has some glaring and
obvious flaws.

> In reply to the concept that it is meaningless, I will say that I
> feel that it adds a layer of trust (perhaps more than one, if you
> have one or more lines of trust to the poster) that the message was,
> in fact, posted by the person signing it, and that person stands
> behind what they say.

I can't argue against a feeling. No one can. Feelings are what they
are, and they are immune to the forces of reason.

That said, I consider this sentiment to be a close analogue of feeling
that statements given by argyle-wearing men who speak Occitan with a
lisp are more trusted than statements given by others. It's crazy.
It's just that it's your particular flavor of it, and I respect that.
Just don't ask me to subscribe to it. :)

(No pejoration is intended. We all have our own particular flavors of
crazy.)
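Added example, not part of any message in this thread: the lookalike-key scenario described in the message above, seen from the side of a script that verifies signed files. It reads GnuPG's `--status-fd` output and accepts a signature only when the key fingerprint matches one obtained out of band; every fingerprint, key ID, user ID and status line below is constructed sample data.

```python
"""Accept a GnuPG signature only if it comes from a pinned key fingerprint.

All fingerprints, key IDs, names and status lines here are constructed samples.
"""
import subprocess
from collections import Counter
from typing import NamedTuple, Optional

# Fingerprint -> owner, learned out of band (in person, on paper). Constructed.
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567": "Alice Example"}

# Status keywords after which the signature must not be relied upon.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    fingerprint: Optional[str] = None


def gpg_status(sig_path: str, data_path: str) -> str:
    """Run gpg non-interactively and return its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False)
    return proc.stdout


def evaluate(status: str, pinned=PINNED) -> Verdict:
    """Turn status lines into a decision (one signature per file is assumed)."""
    good = False
    fpr = None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return Verdict(False, keyword)
        if keyword == "GOODSIG":
            good = True  # the user ID on this line is chosen by the key's creator
        elif keyword == "VALIDSIG" and args:
            # The tenth field is the primary key fingerprint; if it is
            # missing, fall back to the signing key's own fingerprint.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or fpr is None:
        return Verdict(False, "NO_VALID_SIGNATURE")
    if fpr not in pinned:
        return Verdict(False, "UNPINNED_KEY", fpr)
    return Verdict(True, "PINNED_KEY", fpr)


def keys_behind_name(statuses) -> Counter:
    """Count good signatures per fingerprint: one user ID may hide several keys."""
    return Counter(v.fingerprint for v in map(evaluate, statuses) if v.fingerprint)


UID = "Alice Example <alice@example.org>"
GENUINE = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 {UID}
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-02-01 1328128470 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""
# Same name and address on a different key: gpg still reports GOODSIG.
LOOKALIKE = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 {UID}
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2012-02-01 1328128470 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED
"""
# Data changed after signing.
TAMPERED = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 {UID}\n"

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                         ("tampered", TAMPERED)):
        print(name, evaluate(sample))
    print(keys_behind_name([GENUINE, GENUINE, LOOKALIKE, TAMPERED]))
```

For real files, pass the output of `gpg_status(sig_path, data_path)` to `evaluate()`.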
From expires2012 at rocketmail.com Wed Feb 1 21:47:06 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Wed, 1 Feb 2012 20:47:06 +0000
Subject: Using the not-dash-escaped option
In-Reply-To: <87ehuf0wi2.fsf@vigenere.g10code.de>
References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> <87ehuf0wi2.fsf@vigenere.g10code.de>
Message-ID: <4910154966.20120201204706@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 1 February 2012 at 8:48:53 AM, in , Werner Koch wrote:

> The best way to make sure that it does not get removed
> is by using QP encoding. ("--=20\n").

I'm not sure that helps me. See below.

- --=20\n
Best regards

MFPA mailto:expires2012 at rocketmail.com

Put knot yore trust inn spel chequers
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From dougb at dougbarton.us Wed Feb 1 21:56:29 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 01 Feb 2012 12:56:29 -0800
Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
In-Reply-To: <20120201061958.5ee3f1f5@scorpio>
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> <20120131191717.0662f2c5@scorpio> <4F28BD24.10301@dougbarton.us> <20120201061958.5ee3f1f5@scorpio>
Message-ID: <4F29A6FD.8040401@dougbarton.us>

On 02/01/2012 03:19, Jerry wrote:
> In any case, it more than amply
> demonstrates my point of the uselessness of "CCing" on a closed list
> such as this one which you interestingly enough did not address

I already addressed that issue in previous posts. Stop trying to force
other people to change, and deal with what life brings. You'll live a
happier life overall. :)

--

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

From jerry at seibercom.net Wed Feb 1 22:02:24 2012
From: jerry at seibercom.net (Jerry)
Date: Wed, 1 Feb 2012 16:02:24 -0500
Subject: PGP/MIME use
In-Reply-To: <4F299527.6040609@sixdemonbag.org>
References: <20120201142331.0907c459@scorpio> <4F299527.6040609@sixdemonbag.org>
Message-ID: <20120201160224.62dba5de@scorpio>

On Wed, 01 Feb 2012 14:40:23 -0500
Robert J. Hansen articulated:

> I liked hearing the "Gee, look at the time, gotta go" answer. It
> seemed to be the most honest.
>
> YMMV, and banks are definitely different beasts from voting
> authorities.

I used to get the "Gee" bit too when I asked for a raise. Anyhow, I am
willing to bet that most, if not all banking establishments do not
verify signed mail, or if they do they want S/MIME since their user
base is vastly Microsoft orientated and S/MIME is favored on that
architecture. An unverified signed document is about as useful as tits
on a bull.

I receive from time to time a signed document on various forums that is
shown as bad by my MUA (claws-mail). Usually, it is just out of date.
Occasionally, I get a revoked one though. Again, it is usually due to
the PEBKC phenomenon. In any case, I have never considered the
signature to be of any importance in a mail forum environment. I know
that some users do, and that is their right. The only problem I have is
with those friggin "inliners" whose signature Spams up the page and
makes a "sig-delimiter" impotent. Then, of course, there are those
intellectually challenged who fail to trim out that superfluous crap
before replying to it.

--
Jerry

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

From gnupg at lists.grepular.com Wed Feb 1 22:05:31 2012
From: gnupg at lists.grepular.com (gnupg at lists.grepular.com)
Date: Wed, 01 Feb 2012 21:05:31 +0000
Subject: On message signing and Enigmail...
In-Reply-To: <4F29A451.9040801@sixdemonbag.org>
References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org>
Message-ID: <4F29A91B.2040501@lists.grepular.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/12 20:45, Robert J. Hansen wrote:
>> On the issue of signing: I do sign my messages, and have
>> uploaded my public keys to key servers, so they are available to
>> check that no one has changed my message.
>
> Except that it doesn't.
What's to prevent me from creating a
> certificate with your name and email address and making posts in
> your name, with a signature from a certificate that claims to be
> yours?
>
> Nothing -- and that signature is every bit as credible as the one
> that's from your own certificate. You might say, "but that
> certificate's a fraud, my certificate's real!", but the Christopher
> Walters impersonator will say the same thing about you. There's no
> way to check.

Isn't this the whole point of the web of trust?

And if somebody uses the same key to sign mail repeatedly it builds a
history and an identity. It doesn't stop somebody else coming in and
using a fake key, but that person can't successfully claim to be the
same person who signed all the other mail. Not if the person who
actually signed all of the historical mail still has access to that key
and can call them out on it.

I've posted using the same key on probably a dozen mailing lists, I use
it for all of my personal and work email. I use it to sign all of the
comments on my blog. I use it to sign the front page of my website.
There is very definite and obvious value in using the same key in
multiple places to establish the connection between your key and your
identity. Mailing lists are just another one of these places.
- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From dougb at dougbarton.us Wed Feb 1 22:12:56 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 01 Feb 2012 13:12:56 -0800
Subject: On message signing and Enigmail...
In-Reply-To: <4F29A91B.2040501@lists.grepular.com>
References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29A91B.2040501@lists.grepular.com>
Message-ID: <4F29AAD8.6050100@dougbarton.us>

On 02/01/2012 13:05, gnupg at lists.grepular.com wrote:
> On 01/02/12 20:45, Robert J. Hansen wrote:
>
>>> On the issue of signing: I do sign my messages, and have
>>> uploaded my public keys to key servers, so they are available to
>>> check that no one has changed my message.
>
>> Except that it doesn't. What's to prevent me from creating a
>> certificate with your name and email address and making posts in
>> your name, with a signature from a certificate that claims to be
>> yours?
>
>> Nothing -- and that signature is every bit as credible as the one
>> that's from your own certificate. You might say, "but that
>> certificate's a fraud, my certificate's real!", but the Christopher
>> Walters impersonator will say the same thing about you. There's no
>> way to check.
>
> Isn't this the whole point of the web of trust?

Different category of problems. But what does a large number of
signatures from people you don't know tell you more than a single key
without signatures?

> And if somebody uses the same key to sign mail repeatedly it builds a
> history and an identity.

It builds the *appearance* of an identity. Did you not read Robert's
story of multiple people posting using the same key?

> It doesn't stop somebody else coming in and
> using a fake key, but that person can't successfully claim to be the
> same person who signed all the other mail. Not if the person who
> actually signed all of the historical mail still has access to that
> key and can call them out on it.

This much is true, yes.

> I've posted using the same key on probably a dozen mailing lists, I
> use it for all of my personal and work email. I use it to sign all of
> the comments on my blog. I use it to sign the front page of my
> website. There is very definite and obvious value in using the same
> key in multiple places to establish the connection between your key
> and your identity. Mailing lists are just another one of these places.

The only thing what you're doing proves is that at the time those
things were posted someone had control of the secret key, and that the
messages weren't altered after they were signed. Beyond that
everything is speculation.

Doug

--

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

From mailinglisten at hauke-laging.de Wed Feb 1 22:14:33 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 1 Feb 2012 22:14:33 +0100
Subject: PGP/MIME use
In-Reply-To:
References:
Message-ID: <201202012214.38430.mailinglisten@hauke-laging.de>

On Wednesday, 1 February 2012, 19:37:56, MichaelQuigley at theway.org wrote:

> I would be one who fits in the other case. I've never signed an
> e-mail--no one at our organization does. (Not that I wouldn't like to,
> but nearly all those with whom I communicate wouldn't have any use for nor
> comprehension of the signature.) However, I've written scripts to
> routinely sign files for transmission to our bank. I would definitely
> count us as serious users.

And you perfectly fit the description I gave for "serious users" from
my perspective.

> I'm sure there are plenty of others who also
> sign their business transmissions using GPG.

I don't doubt that. I just don't understand why someone who has
understood the concept and is capable of validating keys of others,
encrypting, decrypting and signing should not use that technology for
his email (neither professional nor private). The people I know who are
interested in security technology are generally interested in spreading
this technology (not limited to OpenPGP). Thus I assume that you are an
exception, whatever your reasons may be.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From jerry at seibercom.net Wed Feb 1 22:19:45 2012
From: jerry at seibercom.net (Jerry)
Date: Wed, 1 Feb 2012 16:19:45 -0500
Subject: On message signing and Enigmail...
In-Reply-To: <4F29A451.9040801@sixdemonbag.org>
References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org>
Message-ID: <20120201161945.7bd19008@scorpio>

On Wed, 01 Feb 2012 15:45:05 -0500
Robert J. Hansen articulated:

> Except that it doesn't. What's to prevent me from creating a
> certificate with your name and email address and making posts in your
> name, with a signature from a certificate that claims to be yours?
>
> Nothing -- and that signature is every bit as credible as the one
> that's from your own certificate. You might say, "but that
> certificate's a fraud, my certificate's real!", but the Christopher
> Walters impersonator will say the same thing about you. There's no
> way to check.
>
> I understand the desire to give people a way to verify the integrity
> of your message, but the way you're going about it has some glaring
> and obvious flaws.

I have to agree with Robert on this one. The whole idea of signing a
message in a forum such as this is more of a pseudo security concept
AKA "feel good" belief. It doesn't hurt to do it, but its usefulness is
limited to pacifying yourself into a false sense of security.

--
Jerry

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

From lists at chrispoole.com Wed Feb 1 21:20:48 2012
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 1 Feb 2012 20:20:48 +0000
Subject: 1024 key with 2048 subkey: how affected?
In-Reply-To: <4F2953A8.3010708@sixdemonbag.org>
References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> <4F1DDB09.6040403@sixdemonbag.org> <4F2953A8.3010708@sixdemonbag.org>
Message-ID: <966D144C-67DE-4260-AA9B-AEF911CE0AE0@chrispoole.com>

On 1 Feb 2012, at 15:00, "Robert J. Hansen" wrote:

> Googling for "nsa suite b" would be a pretty good starting place,
> probably.
The National Security Agency has approved the use of ECC for
> classified material as part of their "Suite B" cryptography package. As
> is the case with most government standards there is ample documentation
> about everything from the theoretical to the practical, although it
> isn't all collected in one place.

Thanks, I didn't realise this; it's left me with plenty of reading to
do.

From lists at chrispoole.com Wed Feb 1 21:19:24 2012
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 1 Feb 2012 20:19:24 +0000
Subject: 1024 key with 2048 subkey: how affected?
In-Reply-To: <87pqdyzhkz.fsf@vigenere.g10code.de>
References: <4F1B8A6C.40401@sixdemonbag.org> <20120123165217.GC10912@crustytoothpaste.ath.cx> <4F1DCC3C.9050002@enigmail.net> <4F1DDB09.6040403@sixdemonbag.org> <87pqdyzhkz.fsf@vigenere.g10code.de>
Message-ID: <87DB1396-34F4-4783-AFA3-06CD20E84DC2@chrispoole.com>

On 1 Feb 2012, at 15:41, Werner Koch wrote:

> @book{Hankerson:2003:GEC:940321

Thank you, that's useful.

From gnupg at lists.grepular.com Wed Feb 1 22:26:18 2012
From: gnupg at lists.grepular.com (gnupg at lists.grepular.com)
Date: Wed, 01 Feb 2012 21:26:18 +0000
Subject: On message signing and Enigmail...
In-Reply-To: <4F29AAD8.6050100@dougbarton.us>
References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29A91B.2040501@lists.grepular.com> <4F29AAD8.6050100@dougbarton.us>
Message-ID: <4F29ADFA.2040304@lists.grepular.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/12 21:12, Doug Barton wrote:
>>> Nothing -- and that signature is every bit as credible as the
>>> one that's from your own certificate. You might say, "but
>>> that certificate's a fraud, my certificate's real!", but the
>>> Christopher Walters impersonator will say the same thing about
>>> you. There's no way to check.
>>
>> Isn't this the whole point of the web of trust?
>
> Different category of problems.
But what does a large number of
> signatures from people you don't know tell you more than a single
> key without signatures?

It tells you that all of the messages were from the same identity.

>> And if somebody uses the same key to sign mail repeatedly it
>> builds a history and an identity.
>
> It builds the *appearance* of an identity. Did you not read
> Robert's story of multiple people posting using the same key?

IMO, it builds an *actual* identity. That multiple people chose to
share the same identity in that particular story is not important.

>> It doesn't stop somebody else coming in and using a fake key, but
>> that person can't successfully claim to be the same person who
>> signed all the other mail. Not if the person who actually signed
>> all of the historical mail still has access to that key and can
>> call them out on it.
>
> This much is true, yes.
>
>> I've posted using the same key on probably a dozen mailing lists,
>> I use it for all of my personal and work email. I use it to sign
>> all of the comments on my blog. I use it to sign the front page
>> of my website. There is very definite and obvious value in using
>> the same key in multiple places to establish the connection
>> between your key and your identity. Mailing lists are just
>> another one of these places.
>
> The only thing what you're doing proves is that at the time those
> things were posted someone had control of the secret key, and that
> the messages weren't altered after they were signed. Beyond that
> everything is speculation.

If you see somebody posting on another list using the same key that
I've been using to post on this list, then you know it's the same
person. If you come across my website and find the content on it signed
by my key, you can connect my postings on this list with my website.
And so on.
- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From cwal989 at comcast.net Wed Feb 1 22:29:51 2012
From: cwal989 at comcast.net (Christopher J. Walters)
Date: Wed, 01 Feb 2012 16:29:51 -0500
Subject: On message signing and Enigmail...
In-Reply-To: <4F29A451.9040801@sixdemonbag.org>
References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org>
Message-ID: <4F29AECF.70202@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/1/2012 03:45 PM, Robert J. Hansen wrote:
> Except that it doesn't. What's to prevent me from creating a
> certificate with your name and email address and making posts in your
> name, with a signature from a certificate that claims to be yours?
>
> Nothing -- and that signature is every bit as credible as the one that's
> from your own certificate. You might say, "but that certificate's a
> fraud, my certificate's real!", but the Christopher Walters impersonator
> will say the same thing about you. There's no way to check.

Nothing, true. However, I disagree with your statement that there is
no way to check: one can check the headers of each message to see from
where they originated.
If one says it came from (my email name @ my ISP) and originated from my ISP, and the other shows a different origin, then the one showing a different origin would be suspect, while the one showing an IP address from my ISP, and showing that it came from my username, would be more able to be trusted. If neither originated from my ISP, then both are suspect. That is, unless you met the real me, verified that I am who I say I am, and signed my key - then it would add some very strong trust if you had signed one of those keys. If they both came from my ISP, and neither was signed by you or someone you trust, they would both be suspect. Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers. > I understand the desire to give people a way to verify the integrity of > your message, but the way you're going about it has some glaring and > obvious flaws. That is your opinion, and I can respect that. However, in showing the flaw in your argument that "there is no way to check", I cannot agree with your conclusion. I could have understood and agreed with your argument if you had said: 1. I have never met you. 2. By the standard of trust I use, I have to meet you to sign your public key. 3. No one I have met, who uses my standard of trust, has signed your key. Therefore, I do not know you well enough for your signature to have any meaning to me. To simply state that "the way you're going about it has some glaring and obvious flaws", when the only argument you used against it has its own flaws, does not meet my standard of logic in reasoned argument. > I can't argue against a feeling. No one can. Feelings are what they > are, and they are immune to the forces of reason. I am always open to logical arguments. 
However, in using logic alone, one must realize that two opposing logical arguments can be equally valid. As for arguing with a feeling, I see people doing that all the time and it's usually not pretty. ;) I do not believe there is *One True and Correct Answer* to this issue. I do feel it germane to point out that this IS the gnupg-users list, and if anywhere would be appropriate to sign messages, it would be here. Regards, Chris P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument.
From expires2012 at rocketmail.com Wed Feb 1 22:35:21 2012 From: expires2012 at rocketmail.com (MFPA) Date: Wed, 1 Feb 2012 21:35:21 +0000 Subject: PGP/MIME use In-Reply-To: <20120201121941.5e100a23@scorpio> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> <20120201121941.5e100a23@scorpio> Message-ID: <169155237.20120201213521@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 1 February 2012 at 5:19:41 PM, in , Jerry wrote: > Windows users prefer S/MIME. Seems likely to me that the majority of Windows users use neither S/MIME nor openPGP. - -- Best regards MFPA mailto:expires2012 at rocketmail.com Never lean forward to push an invisible object. From rjh at sixdemonbag.org Wed Feb 1 22:38:57 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 16:38:57 -0500 Subject: PGP/MIME use In-Reply-To: <201202012214.38430.mailinglisten@hauke-laging.de> References: <201202012214.38430.mailinglisten@hauke-laging.de> Message-ID: <4F29B0F1.2020504@sixdemonbag.org> On 2/1/12 4:14 PM, Hauke Laging wrote: > I just don't understand why someone who has understood the > concept and is capable of validating keys of others, encrypting, decrypting > and signing should not use that technology for his email. I have referred to this paper probably five times or more on this list and other lists. I really wish people would read it.
I'm getting tired of answering this -- it's my least-favorite OpenPGP-related question. Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy, Flagging and Paranoia: Adoption Criteria in Encrypted Email. Proceedings of CHI 2006 Conference on Human Factors in Computing Systems, 2006. http://www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf From expires2012 at rocketmail.com Wed Feb 1 22:53:06 2012 From: expires2012 at rocketmail.com (MFPA) Date: Wed, 1 Feb 2012 21:53:06 +0000 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...) In-Reply-To: <4F29A6FD.8040401@dougbarton.us> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> <20120131191717.0662f2c5@scorpio> <4F28BD24.10301@dougbarton.us> <20120201061958.5ee3f1f5@scorpio> <4F29A6FD.8040401@dougbarton.us> Message-ID: <401820274.20120201215306@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 1 February 2012 at 8:56:29 PM, in , Doug Barton wrote: > I already addressed that issue in previous posts. Stop > trying to force other people to change, and deal with > what life brings. You'll live a happier life overall. > :) Hear, hear! Be liberal in what you accept, and conservative in what you send. - -- Best regards MFPA mailto:expires2012 at rocketmail.com CAUTION! - Beware of Warnings!
From rjh at sixdemonbag.org Wed Feb 1 22:53:48 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 16:53:48 -0500 Subject: On message signing and Enigmail... In-Reply-To: <4F29AECF.70202@comcast.net> References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29AECF.70202@comcast.net> Message-ID: <4F29B46C.4000501@sixdemonbag.org> On 2/1/12 4:29 PM, Christopher J. Walters wrote: > However, I disagree with your statement that there is no way to > check: one can check the headers of each message to see from where > they originated. Easily forged, and machines are too easy to compromise. This idea that an IP address is clear and convincing evidence of origin is absolute bonkers. An IP address is evidence of *routing*. > Before you mention it, I know that headers can be spoofed, however, > I very much doubt that a troll or spammer would go to the trouble > of creating a key-pair in my name to sign messages, as well as the > trouble to spoof the headers. I personally know fourteen-year-olds who would do this just for the pleasure of screwing with you. Consider Anonymous, whose stated raison d'etre is to do it all for the lulz and because none of them is as cruel as all of them. Anonymous gets in the news when it goes after big targets, but you think a bunch of technically competent high school students wouldn't direct this against a particularly hated teacher, or the designated class pariah, or...? Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings.
Human beings ain't rational actors.) > P.S. I could show a proof of concept very easily, to support my > premise that the headers can be used to check which one is valid. > However, it is a good deal of work for me, and it is really up to > you to refute my argument. The only way this argument can be refuted is for me to commit a felony (breaking the Computer Fraud and Abuse Act). I'll happily give a general outline of how it can be done, but I'm not going to commit a felony just to prove a point. That way lies madness. From jerry at seibercom.net Wed Feb 1 23:01:26 2012 From: jerry at seibercom.net (Jerry) Date: Wed, 1 Feb 2012 17:01:26 -0500 Subject: PGP/MIME use In-Reply-To: <169155237.20120201213521@my_localhost> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> <20120201121941.5e100a23@scorpio> <169155237.20120201213521@my_localhost> Message-ID: <20120201170126.3c069457@scorpio> On Wed, 1 Feb 2012 21:35:21 +0000 MFPA articulated: > Seems likely to me that the majority of Windows users use neither > S/MIME nor openPGP. Which would equate to the majority of non-Windows users. However, of those users on MS Windows that do use a form of document signing, I believe that majority employ S/MIME, if for no other reason than it works seamlessly in MS Outlook. As I stated elsewhere, I use S/MIME on my MS Windows machines because it is just easier to do. I really, really like the KISS principle. For that very reason, on my FreeBSD based machines, I employ PGP. I see no problem with it and both work quite well. Others are certainly entitled to their own opinion. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
__________________________________________________________________ From cwal989 at comcast.net Wed Feb 1 23:02:49 2012 From: cwal989 at comcast.net (Christopher J. Walters) Date: Wed, 01 Feb 2012 17:02:49 -0500 Subject: PGP/MIME use In-Reply-To: <4F29B0F1.2020504@sixdemonbag.org> References: <201202012214.38430.mailinglisten@hauke-laging.de> <4F29B0F1.2020504@sixdemonbag.org> Message-ID: <4F29B689.7060207@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/1/2012 04:38 PM, Robert J. Hansen wrote: > I have referred to this paper probably five times or more on this list > and other lists. I really wish people would read it. I'm getting tired > of answering this -- it's my least-favorite OpenPGP-related question. > > Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy, > Flagging and Paranoia: Adoption Criteria in Encrypted Email. Proceedings > of CHI 2006 Conference on Human Factors in Computing Systems, 2006. > > www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf I have read the abstract, and admit that I only skimmed the rest of that paper. I find that it is only really talking about the use of public key encryption of messages, and the human factors that lead to the decision of whether or not to encrypt messages. That is a separate topic from actually signing your message with your secret key - and is not terribly germane to public mailing lists. Since the list owner would have to deem it worth the trouble to generate a key pair for the list AND collect the public keys of each subscriber, and use software that will be able to decrypt messages sent to the list, and re-encrypt them to each subscriber. This would not significantly improve security in such a forum, and would increase the load on the system that processes mail for the list. To clarify, by "public mailing list", I mean that anyone can join it and post to it. 
A private mailing list, in this context, would be an "invite-only" list, where one would have to be known to the list owner and specifically invited to join. Signing, OTOH is a personal choice of each subscriber. Those who choose to do so can do so, and those who do not choose to do so, do not. Regards, Christopher J. Walters From rjh at sixdemonbag.org Wed Feb 1 23:08:24 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 17:08:24 -0500 Subject: PGP/MIME use In-Reply-To: <4F29B689.7060207@comcast.net> References: <201202012214.38430.mailinglisten@hauke-laging.de> <4F29B0F1.2020504@sixdemonbag.org> <4F29B689.7060207@comcast.net> Message-ID: <4F29B7D8.5080309@sixdemonbag.org> On 2/1/12 5:02 PM, Christopher J. Walters wrote: > I have read the abstract, and admit that I only skimmed the rest of > that paper.
I find that it is only really talking about the use of > public key encryption of messages, and the human factors that lead > to the decision of whether or not to encrypt messages. Read the paper. One of the principal reasons the NGO in the study avoided using crypto was because they were concerned about appearing to outsiders as if they were paranoids with something to hide. Why do you want to sign everything? Because you want to detect if someone's tampered with your messages. What are you, some kind of paranoid who's worried about people screwing with your email? Seriously. Read the paper. It's worthwhile. From cwal989 at comcast.net Wed Feb 1 23:14:25 2012 From: cwal989 at comcast.net (Christopher J. Walters) Date: Wed, 01 Feb 2012 17:14:25 -0500 Subject: On message signing and Enigmail... In-Reply-To: <4F29B46C.4000501@sixdemonbag.org> References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29AECF.70202@comcast.net> <4F29B46C.4000501@sixdemonbag.org> Message-ID: <4F29B941.1000904@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/1/2012 04:53 PM, Robert J. Hansen wrote: > Easily forged, and machines are too easy to compromise. This idea that > an IP address is clear and convincing evidence of origin is absolute > bonkers. An IP address is evidence of *routing*. Must you resort to the ad hominem fallacy? > Maybe I have a darker view of human nature than you do, that's certainly > possible, but I think it's a critical mistake to apply rational-actor > theory to criminals. (It's just as critical of a mistake to apply > rational-actor theory to human beings. Human beings ain't rational > actors.) I am not assuming that ANYONE is rational. I am merely assuming that most everyone is lazy, and would only go to that trouble if they had a personal problem with the person they are targeting. I know some teenagers who might, "just for fun", but they usually target people they have a problem with. 
> The only way this argument can be refuted is for me to commit a felony > (breaking the Computer Fraud and Abuse Act). I'll happily give a > general outline of how it can be done, but I'm not going to commit a > felony just to prove a point. That way lies madness. Yet, you did not give that outline. I think we'll just have to agree to disagree on this one. It is already heating up, and the last thing we want here is a flame war. Regards, Christopher J. Walters P.S. I shall not add more fuel to the fire, so to speak. I stand by my decision to sign my messages, and respect your choice not to do so. I only ask the same respect from you. In the end, as all things, this is a personal choice.
From expires2012 at rocketmail.com Wed Feb 1 23:19:43 2012 From: expires2012 at rocketmail.com (MFPA) Date: Wed, 1 Feb 2012 22:19:43 +0000 Subject: PGP/MIME use In-Reply-To: <201202012214.38430.mailinglisten@hauke-laging.de> References: <201202012214.38430.mailinglisten@hauke-laging.de> Message-ID: <87819772.20120201221943@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 1 February 2012 at 9:14:33 PM, in , Hauke Laging wrote: > I just don't understand why someone > who has understood the concept and is capable of > validating keys of others, encrypting, decrypting and > signing should not use that technology for his email > (neither professional nor private). There are plenty of things people don't bother doing, despite understanding, knowledge, and capability. Why should this be different? - -- Best regards MFPA mailto:expires2012 at rocketmail.com A closed mouth gathers no foot From jerry at seibercom.net Wed Feb 1 23:25:33 2012 From: jerry at seibercom.net (Jerry) Date: Wed, 1 Feb 2012 17:25:33 -0500 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
In-Reply-To: <401820274.20120201215306@my_localhost> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <4F23FBEC.6070106@digitalbrains.com> <00c101ccddd5$7e861230$7b923690$@abilitybusinesscomputerservices.com> <4F242228.5050004@jeromebaum.com> <00db01ccdde1$7b5c2c00$72148400$@abilitybusinesscomputerservices.com> <20120128161234.17cb391f@Braetac.lighthouse.yetnet> <00b101ccdeed$493a6180$dbaf2480$@abilitybusinesscomputerservices.com> <774873157.20120130015244@my_localhost> <20120129211348.2b49cc7b@scorpio> <1862457322.20120130022304@my_localhost> <20120130043459.6967f6fe@scorpio> <4F27232E.2060508@enigmail.net> <4F27DD13.1070905@digitalbrains.com> <20120131080509.07f7602e@scorpio> <4F284E5D.4070901@dougbarton.us> <20120131191717.0662f2c5@scorpio> <4F28BD24.10301@dougbarton.us> <20120201061958.5ee3f1f5@scorpio> <4F29A6FD.8040401@dougbarton.us> <401820274.20120201215306@my_localhost> Message-ID: <20120201172533.50f806ed@scorpio> On Wed, 1 Feb 2012 21:53:06 +0000 MFPA articulated: > Hear, hear! Be liberal in what you accept, and conservative in what you > send. I will "liberally" accept a message not CC'd to me if the individual making the reply would be "conservative" enough not to include me on the CC line. You cannot accidentally CC someone. Most of those responding to this thread have stated that they would not CC an individual who so requested it. The overwhelming majority of users on this list, and most others as well, never CC anyone because they realize it is just a waste of time, bandwidth and serves no useful purpose. There is one glaring exception who evidently thinks his CC doesn't stink. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. From jerry at seibercom.net Wed Feb 1 23:28:30 2012 From: jerry at seibercom.net (Jerry) Date: Wed, 1 Feb 2012 17:28:30 -0500 Subject: On message signing and Enigmail...
In-Reply-To: <4F29B46C.4000501@sixdemonbag.org> References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29AECF.70202@comcast.net> <4F29B46C.4000501@sixdemonbag.org> Message-ID: <20120201172830.6bcc1286@scorpio> On Wed, 01 Feb 2012 16:53:48 -0500 Robert J. Hansen articulated: > Maybe I have a darker view of human nature than you do, that's > certainly possible, but I think it's a critical mistake to apply > rational-actor theory to criminals. (It's just as critical of a > mistake to apply rational-actor theory to human beings. Human beings > ain't rational actors.) Always expect the worst in people and you will never be disappointed. -- Jerry Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. From cwal989 at comcast.net Wed Feb 1 22:43:13 2012 From: cwal989 at comcast.net (Christopher J. Walters) Date: Wed, 01 Feb 2012 16:43:13 -0500 Subject: PGP/MIME use In-Reply-To: <169155237.20120201213521@my_localhost> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> <20120201121941.5e100a23@scorpio> <169155237.20120201213521@my_localhost> Message-ID: <4F29B1F1.8040600@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/1/2012 04:35 PM, MFPA wrote: > Seems likely to me that the majority of Windows users use neither > S/MIME nor openPGP. This is an assumption. I, personally, have a dual-boot system with a GNU/Linux OS and Windows 7. Ever since I discovered GnuPG and the OpenPGP standard, I have used them on both systems. I cannot, however, speak for the "majority" of Windows users, as I share the same assumption, though my support is the fallacy of leaning on personal experience. Regards, Christopher J.
Walters From mailinglisten at hauke-laging.de Wed Feb 1 23:34:12 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 1 Feb 2012 23:34:12 +0100 Subject: PGP/MIME use In-Reply-To: <87819772.20120201221943@my_localhost> References: <201202012214.38430.mailinglisten@hauke-laging.de> <87819772.20120201221943@my_localhost> Message-ID: <201202012334.12824.mailinglisten@hauke-laging.de> On Wednesday, 1 February 2012, 23:19:43, MFPA wrote: > > I just don't understand why someone > > who has understood the concept and is capable of > > validating keys of others, encrypting, decrypting and > > signing should not use that technology for his email > > (neither professional nor private). > > There are plenty of things people don't bother doing, despite > understanding, knowledge, and capability. Why should this be > different? I give training courses about cryptography in a German party and am involved in the discussion whether and how we should use it in our administration.
Thus I have some experience with (mostly) "normal" people (no IT geeks). My experience is that a) most people don't care at all (which probably everyone here can confirm...) b) the other ones say that it's a useful technology but they do not use it due to either their software not supporting it or (more important) their personal lack of knowledge c) I have never encountered someone saying something like "I know how it works, I use it for software distribution and backups but I have never used it for email". The probable main difference to your "plenty of things" is that this is considered useful (for email!) by many people (many more than capable of using it). Thus it seems quite improbable to me that among those few who are capable of using it there are many who do not find it useful (for email). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 From rjh at sixdemonbag.org Wed Feb 1 23:40:16 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 17:40:16 -0500 Subject: On message signing and Enigmail... In-Reply-To: <4F29B941.1000904@comcast.net> References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29AECF.70202@comcast.net> <4F29B46C.4000501@sixdemonbag.org> <4F29B941.1000904@comcast.net> Message-ID: <4F29BF50.4070907@sixdemonbag.org> On 2/1/12 5:14 PM, Christopher J. Walters wrote: > On 2/1/2012 04:53 PM, Robert J. Hansen wrote: >> Easily forged, and machines are too easy to compromise. This >> idea that an IP address is clear and convincing evidence of >> origin is absolute bonkers. An IP address is evidence of >> *routing*. > > Must you resort to the ad hominem fallacy? No -- because I didn't.
If I said *you* were bonkers and deserved to be locked away in an asylum and for that reason you're wrong, that would be ad hominem. Saying that an *idea* is bonkers and just plain wrong is an assertion of fact. It's either right or it's wrong. Consider this: when I make a connection to the outside world my IP address gets silently transformed by my router thanks to the magic of network address translation (NAT). The original source IP address gets erased and replaced with another. The IP address no longer reports my source correctly. IP addresses, as originally conceived, would have identified source and destination. But NAT is pervasive nowadays, and that means IP addresses can no longer be relied on for those purposes. "This idea that an IP address is clear and convincing evidence of origin is absolute bonkers." I stand by that. Feel free to substitute "clearly wrong" if you prefer, it doesn't change a thing. > Yet, you did not give that outline. Reread my message. > P.S. I shall not add more fuel to the fire, so to speak. I stand > by my decision to sign my messages, and respect your choice not to > do so. I only ask the same respect from you. In the end, as all > things, this is a personal choice. That you get to choose whether to do this is not in any debate. You do, and that authority is absolutely respected. The wisdom of your choice, though, is a fair subject for discussion. From MichaelQuigley at TheWay.Org Wed Feb 1 23:01:25 2012 From: MichaelQuigley at TheWay.Org (MichaelQuigley at TheWay.Org) Date: Wed, 1 Feb 2012 17:01:25 -0500 Subject: PGP/MIME use In-Reply-To: Message-ID: gnupg-users-bounces at gnupg.org wrote on 02/01/2012 01:58:45 PM: > ----- Message from Jerry on Wed, 1 Feb 2012 > 14:23:31 -0500 ----- > > To: > > gnupg-users at gnupg.org > > Subject: > > Re: PGP/MIME use > > On Wed, 1 Feb 2012 13:37:56 -0500 > MichaelQuigley at TheWay.Org articulated: > > > However, I've written scripts to > > routinely sign files for transmission to our bank. 
> > Does your bank actually verify those signed documents? I have sent > documents to various organizations, both signed and unsigned and never > heard a word spoken from any of them regarding it. Yes they verify the signature on the file. In fact, I spent quite a bit of time working with them to get the signature to successfully verify. (It finally turned out that they did not want clearsign, but I had been specifically told to use both clearsign and armour.) I'm quite confident they are verifying the signature on all files transmitted via the platform we're using. From mailinglisten at hauke-laging.de Wed Feb 1 23:53:12 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 1 Feb 2012 23:53:12 +0100 Subject: PGP/MIME use In-Reply-To: <4F2965FC.8050705@sixdemonbag.org> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> Message-ID: <201202012353.12793.mailinglisten@hauke-laging.de> On Wednesday, 1 February 2012, 17:19:08, Robert J. Hansen wrote: > On 2/1/12 10:47 AM, Hauke Laging wrote: > > Of course not. I just don't believe that there are many examples of > > this type out there. To me a serious user is one who actively signs, > > encrypts, and/or verifies data and knows what he is doing. He has > > created a key and verified at least one. Everything else seems like > > special use to me. > > Then yes, you are selecting for email users. There are quite a lot of > people who use GnuPG primarily for themselves -- for instance, a system > administrator who signs each backup, a lawyer who encrypts files when in > transit on a flash drive, etc. My description does not select for email users only but also covers your examples. We are not talking about "primarily" but about "only". > Yes, this definition means that you're a serious user of your OS kernel.
> And why wouldn't you be? You demand your PC make thousands of kernel > calls each second. Is that not serious use? Depends on what you are thinking about. Of course, it is interesting to know how many kernels are out there. But it is also interesting and deserves being looked at separately how many people have an "active", "planned" interaction with their kernel. Something like compiling it themselves, compiling modules for it, deactivating or configuring modules, configuring the kernel via command line parameters, saving an old kernel version as fallback. > >> (GnuPG is already on your system.) > > > > That's not true for a certain quite popular OS. > > Quote in context, please. In context, that sentence obviously referred > to Linux users. Quoting people out-of-context to score points is a pet > peeve of mine. I apologize if anyone had the impression that I used your quote wrongly (but why should I?). The point is that you said nothing about Windows which due to its market share cannot be ignored. And that has no relation to the context of your quote. > And if users who know of, > are aware of, who pay attention to, how GnuPG works behind the scenes > aren't relevant to you, then what is? I do not see how relevance could be bound to knowing what happens if this has no influence to what happens at all. Users who need a software (whether they know that or not) are relevant to me, too. But those users are relevant for GnuPG's verification feature only because they never use anything else. To me it's important for the assessment of a user whether or not he causes any data in the world to be changed (because he signs something, encrypts something, something is encrypted for him). One group makes just a quantity difference to IT, the other one a quality difference. The reason why most people do not use Enigmail (or something similar) is *not* the installation of GnuPG. You can easily install GnuPG without any clue how to use it.
The main reasons are the lack of felt need (whether those people on average feel a need for update rpm signature checks?) and the lack of knowledge. Thus only comparing the GnuPG users with knowledge to the Enigmail users makes sense to me. > Each benchmark I use to represent > a class of users, you reject as being not what you're talking about, so > please tell me precisely what you *are* talking about. I already did so: > > This sounds like a No True Scotsman fallacy. If someone uses GnuPG but > > not for email, does that disqualify them from being a serious user? > > [...] To me a serious user is one who actively signs, encrypts, > and/or verifies data and knows what he is doing. He has created a key and > verified at least one. Everything else seems like special use to me. However, we are not discussing something important. You said that Enigmail users were just a small share of GnuPG users. This share depends on the part of GnuPG users considered. Obviously our opinions about that part differ but the decision who is "right" has no consequence at all. > > And which of these scenarios is more probable? Who will after > > starting to sign emails start to send emails to people he is not > > familiar with? > > Quite a lot, apparently. There are a whole lot of people on this > mailing list. I'm sending a message to all of them, including people I > don't even know. But you don't send email to this list *because* you sign your email. You don't even sign your email to this list. > Your question: "Who will after starting to sign emails start to send > emails to people he is not familiar with?" > > The answer is Facebook. Google+. eHarmony. Match.com. JDate. > Bear411. ChristianSingles.com. The list goes on and on and on. Right. But for nearly none of those cryptography is the reason for contacting others. In other words: If email cryptography becomes more common there is no reason to expect more email from unknown people (due to this effect).
> The people who would be complaining about my conduct would be people who > don't know me from the wind. *They're* the ones who would have to be > persuaded I was on the up-and-up. OK but if someone considers his opinion about something he is not familiar with superior to the uniform opinion of some who are familiar then I would consider him an idiot (not stating that idiots cannot be a problem for someone innocently accused). > >> And then I imagined my dean answering, "That proves nothing: after > >> all, if I was posting this stuff I wouldn't sign it, either." > > > > Would not make much sense to use the name but not sign it, though. > > Sure it would. Deniability. That's the sense of non-signing. What's the sense of using your name? Creating problems for yourself? Accepting those problems in order to make the offense more interesting to the public? Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Thu Feb 2 00:08:32 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 2 Feb 2012 00:08:32 +0100 Subject: PGP/MIME use In-Reply-To: <4F29B0F1.2020504@sixdemonbag.org> References: <201202012214.38430.mailinglisten@hauke-laging.de> <4F29B0F1.2020504@sixdemonbag.org> Message-ID: <201202020008.33428.mailinglisten@hauke-laging.de> Am Mittwoch, 1. Februar 2012, 22:38:57 schrieb Robert J. Hansen: > On 2/1/12 4:14 PM, Hauke Laging wrote: > > I just don't understand why someone who has understood the > > concept and is capable of validating keys of others, encrypting, > > decrypting and signing should not use that technology for his email. > > I have referred to this paper probably five times or more on this list > and other lists. I really wish people would read it. 
I'm getting tired > of answering this -- it's my least-favorite OpenPGP-related question. I knew that paper (due to one of your emails). I read it again now. It has quite little to do with my "question". My question was NOT "Why do so few people use email cryptography"? But that is the question this paper wants to answer. Some points from the paper: * It is (mainly) about people not familiar with GnuPG in some context different from email. * One of the two most IT capable people being interviewed does not even know how to make signatures. * Most or even all of those users did not have an environment which creates signatures or encrypts automatically. I have not read how they did it; I assume they used some program not integrated into their email software and had to use the clipboard for transferring the data. * Most of the paper is about encryption. None of the interviewed people denied the sense of encryption in certain cases. I do not see how to get valid conclusions from non-IT people using bad software for IT people free to choose their software. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Thu Feb 2 00:12:24 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 18:12:24 -0500 Subject: PGP/MIME use In-Reply-To: <201202012353.12793.mailinglisten@hauke-laging.de> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <201202012353.12793.mailinglisten@hauke-laging.de> Message-ID: <4F29C6D8.6000501@sixdemonbag.org> On 2/1/12 5:53 PM, Hauke Laging wrote: > I apologize if anyone had the impression that I used your quote > wrongly (but why should I?).
The point is that you said nothing about > Windows which due to its market share cannot be ignored. And that has > no relation to the context of your quote. Yes, I'm ignoring Windows, mostly because I have absolutely no idea where to begin estimating GnuPG users on Windows. All I can do is mutter something about "wovon man nicht sprechen kann, darüber muß man schweigen" and quickly change the subject. :) That said, yes, on Linux Enigmail is a niche player. The major distros ship either KDE or GNOME desktops. KDE's default mail application is KMail, and GNOME's is Evolution. Both have strong OpenPGP support. You don't need to install Thunderbird+Enigmail on those platforms to get OpenPGP support for email, so most people who want OpenPGP email don't. > The reason why most people do not use Enigmail (or something similar) > is *not* the installation of GnuPG. Having fielded questions from people stymied by Enigmail installation for a few years now, I disagree. I've encountered a lot of people who find it to be a significant obstacle. It was much worse in the past, but since the introduction of Windows installers for GnuPG the problems have diminished significantly. We still get a fair number of them, though. > But you don't send email to this list *because* you sign your email. > You don't even sign your email to this list. No, but I do sign emails. There are a fair number of people who can attest to that. I just don't sign emails to mailing lists except in unusual cases (e.g., I'm making a post to the Enigmail list in my role as a list moderator) or when I've enabled signing by accident. > Right. But for nearly none of those cryptography is the reason for > contacting others. In other words: If email cryptography becomes more > common there is no reason to expect more email from unknown people > (due to this effect). I don't understand what you're saying. If cryptography is the reason to contact someone, then I think we all need to get out more.
:) I contact people to *communicate*. Cryptography is just a tool to facilitate that. > OK but if someone considers his opinion about something he is not > familiar with superior to the uniform opinion of some who are > familiar then I would consider him an idiot. World's full of 'em. God knows I've asserted my right to be a damnfool idiot from time to time, so I'm inclined to judge them a bit more leniently. > That's the sense of non-signing. What's the sense of using your name? > Creating problems for yourself? Accepting those problems in order to > make the offense more interesting to the public? Ask Charlie Sheen, or for that matter anyone who's ever wrestled with bipolar disorder, drug addiction, or any of a whole host of illnesses and/or conditions that can cause erratic behavior. Sometimes the software running on the gray matter just breaks and people act in weird ways. It's part of the human condition. From rjh at sixdemonbag.org Thu Feb 2 00:27:04 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 01 Feb 2012 18:27:04 -0500 Subject: PGP/MIME use In-Reply-To: <201202020008.33428.mailinglisten@hauke-laging.de> References: <201202012214.38430.mailinglisten@hauke-laging.de> <4F29B0F1.2020504@sixdemonbag.org> <201202020008.33428.mailinglisten@hauke-laging.de> Message-ID: <4F29CA48.5050706@sixdemonbag.org> On 2/1/12 6:08 PM, Hauke Laging wrote: > My question was NOT "Why do so few people use email cryptography"? > But that is the question this paper wants to answer. Your statement was, "I just don't understand why someone who has understood the concept[s] and is capable of [using the software] should not use that technology for his email." That's a statement, not a question: I inferred your question as, "Why is it people who understand the concepts and are capable of using the software don't use it for their email?" And that is, in fact, exactly the question they're answering.
"In this paper we try to identify additional barriers by interviewing a set of users from an organization that relies on secrecy. Our interviews demonstrate that users' attitudes about encryption, and the social significance users attach to it, are an important factor in limiting adoption." Their central finding? It's not a technological problem: it's a social one. > Some points from the paper: > > * It is (mainly) about people not familiar with GnuPG in some context > different from email. Incorrect. GnuPG is never mentioned in the paper. The NGO mentioned in the paper is PGP-only. Some of their case studies (Woodward) used PGP to encrypt files on their desktops: others (Abe) were email-only. Some were email-only (Jenny) but abandoned it, others... etc. > * Most or even all of those users did not have an environment which > creates signatures or encrypts automatically. Incorrect. The paper makes it clear they had plugins available to do the process automatically. "In addition, [Woodward] distrusted plugins for email programs, relying on encrypting the text of a message first and copying it into his email program later." That sentence only makes sense if they had access to plugins. Further, PGP circa 2006 shipped with email plugins. Another user, Abe, "used encryption to protect financial data ... [he] believed this setup was simple." From that I infer Abe had suitable tools for the task -- which is quite plausible, given we know they were using PGP. From dan at geer.org Thu Feb 2 01:03:22 2012 From: dan at geer.org (dan at geer.org) Date: Wed, 01 Feb 2012 19:03:22 -0500 Subject: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...) In-Reply-To: Your message of "Wed, 01 Feb 2012 21:53:06 GMT." <401820274.20120201215306@my_localhost> Message-ID: <20120202000322.97BEC33D9D@absinthe.tinho.net> > Hear, hear! Be liberal in what you accept, and conservative in > what you send.
Folks, at the risk of starting a new thread or steering this thread into an eddy, Postel's Law is now officially a problem. I strongly (and I mean it) urge y'all to take a look at the one or two principal papers at langsec.org. I believe they are game changing. As I said earlier on, I read my mail in a text-only legacy reader because it cannot interpret. Ditto not allowing Javascript, etc. Why? Because I refuse to honor a remote procedure call from parties I know not written in a Turing-Complete language which characteristic, if I need to say it, means that security, a variant of the halting problem, is formally undecidable. --dan From mailinglisten at hauke-laging.de Thu Feb 2 01:30:45 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 2 Feb 2012 01:30:45 +0100 Subject: PGP/MIME use In-Reply-To: <4F29CA48.5050706@sixdemonbag.org> References: <201202020008.33428.mailinglisten@hauke-laging.de> <4F29CA48.5050706@sixdemonbag.org> Message-ID: <201202020130.46245.mailinglisten@hauke-laging.de> Am Donnerstag, 2. Februar 2012, 00:27:04 schrieb Robert J. Hansen: > Your statement was, "I just don't understand why someone who has > understood the concept[s] and is capable of [using the software] should > not use that technology for his email." That's a statement, not a > question: You are so right. You like quotation contexts, don't you? > I knew that paper (due to one of your emails). I read it again now. It has > quite little to do with my "question". See the ""? > I inferred your question as, "Why is it people who understand > the concepts and are capable of using the software don't use it for > their email?" Correct. > And that is, in fact, exactly the question they're answering. "In this > paper we try to identify additional barriers by interviewing a set of > users from an organization that relies on secrecy.
Our interviews > demonstrate that users' attitudes about encryption, and the social > significance users attach to it, are an important factor in limiting > adoption." That's not even nearly the question they are answering. For none of the users they mention that he uses GnuPG-like software in a context different from email. At most one of them "understands the concept" (as a whole, not just a part of it, i.e. encryption). They don't say that explicitly but we have to assume that everyone else has neither understood the feature signing nor is using it. How much do these people have in common with admins and lawyers in your opinion? > Their central finding? It's not a technological problem: it's a social > one. I have never heard or assumed something different. > > Some points from the paper: > > > > * It is (mainly) about people not familiar with GnuPG in some context > > > > different from email. > > Incorrect. GnuPG is never mentioned in the paper. Thus we have no reason to assume that any of them is familiar with GnuPG. Our point is people familiar with GnuPG who do not use email cryptography. This is the other way round: People using email (most of them) with no information about their other background. > > * Most or even all of those users did not have an environment which > > creates signatures or encrypts automatically. > > Incorrect. The paper makes it clear they had plugins available to do > the process automatically. "In addition, [Woodward] distrusted plugins > for email programs, relying on encrypting the text of a message first > and copying it into his email program later." That sentence only makes > sense if they had access to plugins. Further, PGP circa 2006 shipped > with email plugins. No, it also makes sense reading "He did not see a problem in not having a tool for automatic processing as he would not have used it anyway as he distrusted such plugins". Furthermore "available" is not the same as "using".
There are other quotes which make sense only if such plugins are NOT available: "He (Abe) estimated that encrypting every e-mail message would add another hour to his workday unless it was automated." "He (Abe) figured this man has an automated system for encrypting e-mail" "I (Jenny) think he probably has some automated system. That everything he sends gets encrypted automatically. I can't believe he's encrypting manually every time. But to me, it's like--OK, if it's automated--fine." "If it was encrypted on his computer and he sent to my computer, automatically encrypted or decrypted it--fine. Then, encrypt everything you want." "Arguably, some of the stigma associated with using encrypted e-mail was tied to the overhead of the system ActivistCorp used. Where appropriate, some of the process can be removed or automated." > Another user, Abe, "used encryption to protect financial data ... [he] > believed this setup was simple." The same one saying "most people see this as more work and want things simpler" and "I'm actually considered a 'techie'". "Simple" is in the eye of the beholder. It may even have referred to the point that he just encrypts financial data which he regularly synchronizes with others. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Thu Feb 2 02:43:22 2012 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Wed, 01 Feb 2012 20:43:22 -0500 Subject: PGP/MIME use In-Reply-To: <201202020130.46245.mailinglisten@hauke-laging.de> References: <201202020008.33428.mailinglisten@hauke-laging.de> <4F29CA48.5050706@sixdemonbag.org> <201202020130.46245.mailinglisten@hauke-laging.de> Message-ID: <4F29EA3A.7080602@sixdemonbag.org> On 2/1/2012 7:30 PM, Hauke Laging wrote: >> Your statement was, "I just don't understand why someone who has >> understood the concept[s] and is capable of [using the software] should >> not use that technology for his email." That's a statement, not a >> question: > > You are so right. You like quotation contexts, don't you? I'm afraid, Hauke, that I don't understand what you're getting at. >> I inferred your question as, "Why is it people who understand >> the concepts and are capable of using the software don't use it for >> their email?" > > Correct. Then you have my response to that: the paper I cited does a good job of answering that question. > That's not even nearly the question they are answering. Then we disagree completely, and there's nothing more to be said. From wk at gnupg.org Thu Feb 2 10:50:34 2012 From: wk at gnupg.org (Werner Koch) Date: Thu, 02 Feb 2012 10:50:34 +0100 Subject: Using the not-dash-escaped option In-Reply-To: <4910154966.20120201204706@my_localhost> (MFPA's message of "Wed, 1 Feb 2012 20:47:06 +0000") References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> <87ehuf0wi2.fsf@vigenere.g10code.de> <4910154966.20120201204706@my_localhost> Message-ID: <874nv9va1h.fsf@vigenere.g10code.de> On Wed, 1 Feb 2012 21:47, expires2012 at rocketmail.com said: > I'm not sure that helps me. See below. > > - --=20\n :-) Sure it does not work if you use Content-Transfer-Encoding: 7bit Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mwood at IUPUI.Edu Thu Feb 2 16:13:40 2012 From: mwood at IUPUI.Edu (Mark H. 
Wood) Date: Thu, 2 Feb 2012 10:13:40 -0500 Subject: On message signing and Enigmail... In-Reply-To: <4F29ADFA.2040304@lists.grepular.com> References: <4F29A1D6.4030205@comcast.net> <4F29A451.9040801@sixdemonbag.org> <4F29A91B.2040501@lists.grepular.com> <4F29AAD8.6050100@dougbarton.us> <4F29ADFA.2040304@lists.grepular.com> Message-ID: <20120202151339.GB28315@IUPUI.Edu> On Wed, Feb 01, 2012 at 09:26:18PM +0000, gnupg at lists.grepular.com wrote: > On 01/02/12 21:12, Doug Barton wrote: > >> I've posted using the same key on probably a dozen mailing lists, > >> I use it for all of my personal and work email. I use it to sign > >> all of the comments on my blog. I use it to sign the front page > >> of my website. There is very definite and obvious value in using > >> the same key in multiple places to establish the connection > >> between your key and your identity. Mailing lists are just > >> another one of these places. > > > > The only thing what you're doing proves is that at the time those > > things were posted someone had control of the secret key, and that > > the messages weren't altered after they were signed. Beyond that > > everything is speculation. > > If you see somebody posting on another list using the same key that > I've been using to post on this list, then you know it's the same > person. If you come across my website and find the content on it > signed by my key, you can connect my postings on this list with my > website. And so on. Well, no; what you know is that someone with access to the private key and passphrase did it. If someone steals your private key and passphrase, they no longer uniquely identify you. Signatures can't protect against this form of imposture. But they *can* protect against someone else simply creating another key with the same name in it. Not by themselves. 
But the impostor, in this case, cannot demonstrate control of your private key, and when challenged, will be shown to be lying if he claims to be the person who controls your key. This still doesn't establish that the person named in the certificate has control of the key, but use of the key to create a signature does create evidence which can be investigated. Someone could visit you in person and ask you to create a recognizable signed object in his presence using the same key. If you can, then you are a person who could have created the other signature. If there is no evidence that anyone else could have created the other signature, then there is good reason to believe that you created it, though this is not proof. Signatures also cannot establish *non*identity, since you could easily have another key and pretend you don't. If the key were somehow produced, you could pretend you don't know the passphrase, and demonstrate this any number of times by typing anything which is *not* the passphrase. This is roughly equivalent to claiming that unsigned objects don't come from you. The pattern that you establish is evidence but not proof. I would like to say that, while proof settles the matter, evidence short of proof often has value. I'm going to continue to sign every email. Besides, I'm too lazy to turn it on and off. :-) -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Asking whether markets are efficient is like asking whether people are smart. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From nicholas.cole at gmail.com Thu Feb 2 18:07:57 2012 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Thu, 2 Feb 2012 17:07:57 +0000 Subject: GnuPG distribution signature In-Reply-To: <87bopk70f5.fsf@vigenere.g10code.de> References: <4F272267.7040107@gmail.com> <87bopk70f5.fsf@vigenere.g10code.de> Message-ID: On Tue, Jan 31, 2012 at 8:15 AM, Werner Koch wrote: > On Tue, 31 Jan 2012 00:06, faramir.cl at gmail.com said: >> Hello, >> Is key D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6 ( >> 0x4F25E3B6 ) the current key used for signing files? I suppose it is, > > Yes, it is. See my OpenPGP mail header for a list of all my keys and > their descriptions. > > There is a small error in the announcement: > > gpg --recv-key 4F25E3B6 > > The distribution key 1CE0C630 is signed by the well known keys > > It should say > > gpg --recv-key 4F25E3B6 > > The distribution key 4F25E3B6 is signed by the well known keys I've long thought that one nightmare scenario for OpenPGP would be an ISP or other network gateway that transparently scanned all data passing through it looking for specific key ids and fingerprints and which silently changed them in webpages, email etc to fraudulent values. I can't imagine that it would be that difficult, and it would be difficult to detect as well as tripping up anyone who relied on "well-known" keys. N From avi.wiki at gmail.com Thu Feb 2 20:03:08 2012 From: avi.wiki at gmail.com (Avi) Date: Thu, 2 Feb 2012 14:03:08 -0500 Subject: PGP/MIME use Message-ID: > ---------- Forwarded message ---------- > From: "Robert J. Hansen" > To: gnupg-users at gnupg.org > Cc: > Date: Wed, 01 Feb 2012 18:12:24 -0500 > Subject: Re: PGP/MIME use > On 2/1/12 5:53 PM, Hauke Laging wrote: > Yes, I'm ignoring Windows, mostly because I have absolutely no idea > where to begin estimating GnuPG users on Windows.
All I can do is > mutter something about "wovon man nicht sprechen kann, darüber muß man > schweigen" and quickly change the subject. :) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 OK, I'm sorry, but when someone drops Wittgenstein--on topic--on a list about cryptography, there needs to be some recognition of that. Well done, sir. - --Avi ---- User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) Primary key fingerprint: 167C 063F 7981 A1F6 71EC  ABAA 0D62 B019 F80E 29F9 From rjh at sixdemonbag.org Thu Feb 2 20:46:10 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 02 Feb 2012 14:46:10 -0500 Subject: Wittgenstein (was Re: PGP/MIME) In-Reply-To: References: Message-ID: <4F2AE802.4010409@sixdemonbag.org> On 2/2/12 2:03 PM, Avi wrote: > OK, I'm sorry, but when someone drops Wittgenstein--on topic--on a > list about cryptography, there needs to be some recognition of > that. Oh, Wittgenstein's wonderful. I have a quote from him on a Post-It on my monitor: "What makes a subject difficult to understand ... is not that some special instruction about abstruse things is necessary to understand it. Rather it is the contrast between the understanding of the subject and what most people want to see. ... *The things that are most obvious can become the most difficult to understand.*" One of the hardest challenges I face with this stuff is figuring out what I want something to be or mean, and then saying "okay, now I need to try and prove that wrong, so that along the way I might find out what's right."
It's tough, but I've found it to be an effective way of increasing understanding. One of the hardest things in the human situation is discovering what we want and why we want it. Wrestling with it, though, makes us better human beings -- and ultimately better engineers, too. From expires2012 at rocketmail.com Thu Feb 2 21:45:56 2012 From: expires2012 at rocketmail.com (MFPA) Date: Thu, 2 Feb 2012 20:45:56 +0000 Subject: Using the not-dash-escaped option In-Reply-To: <874nv9va1h.fsf@vigenere.g10code.de> References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> <87ehuf0wi2.fsf@vigenere.g10code.de> <4910154966.20120201204706@my_localhost> <874nv9va1h.fsf@vigenere.g10code.de> Message-ID: <16010622274.20120202204556@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 2 February 2012 at 9:50:34 AM, in , Werner Koch wrote: > Sure it does not work if you use > Content-Transfer-Encoding: 7bit The message body looks exactly the same in the copy in my sentbox, where the header you cite above says Content-Transfer-Encoding: quoted-printable - -- Best regards MFPA mailto:expires2012 at rocketmail.com No man ever listened himself out of a job From reynt0 at cs.albany.edu Thu Feb 2 22:18:10 2012 From: reynt0 at cs.albany.edu (reynt0) Date: Thu, 2 Feb 2012 16:18:10 -0500 (EST) Subject: Wittgenstein (was Re: PGP/MIME) In-Reply-To: <4F2AE802.4010409@sixdemonbag.org> References: <4F2AE802.4010409@sixdemonbag.org> Message-ID: On Thu, 2 Feb 2012, Robert J. Hansen wrote: . . . > Oh, Wittgenstein's wonderful. I have a quote from him on a Post-It on > my monitor: > > "What makes a subject difficult to understand ...
is not > that some special instruction about abstruse things is > necessary to understand it. Rather it is the contrast > between the understanding of the subject and what most > people want to see. ... *The things that are most obvious > can become the most difficult to understand.*" . . . For several years I had the last seven words of the following auf Deutsch painted decoratively by a hot rod artist on the trunk lip of my car. But the only people who ever commented were a German tourist couple in a parking lot once. "Ich glaube einen Philosophen, einen der selbst denken kann, koennte es interessieren meine Noten zu lesen. Denn wenn ich auch nur selten in's Schwarze getroffen habe, so wuerde er doch erkennen, nach welchen Zielen ich unablaessig geschossen habe" [from the Notebooks, IIRC at this moment] ("I believe a philosopher, one who can think for himself, can be interested to read my notes. Then if I even only seldom in the black have shot [ie hit the archery target in center], so would he nevertheless be able to know, at which target I unremittingly have shot.") The idea being that some things are so hard to talk about that you have to work at them bit by bit and hope that the shared continuity can be understood. A little bit like Zen, IMHO. Also like trying to get security ideas across publicly sometimes without saying everything so bluntly that bad guy eavesdroppers can easily understand. From sandals at crustytoothpaste.net Thu Feb 2 22:53:00 2012 From: sandals at crustytoothpaste.net (brian m.
carlson) Date: Thu, 2 Feb 2012 21:53:00 +0000 Subject: Using the not-dash-escaped option In-Reply-To: <16010622274.20120202204556@my_localhost> References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> <87ehuf0wi2.fsf@vigenere.g10code.de> <4910154966.20120201204706@my_localhost> <874nv9va1h.fsf@vigenere.g10code.de> <16010622274.20120202204556@my_localhost> Message-ID: <20120202215300.GA6122@crustytoothpaste.ath.cx> On Thu, Feb 02, 2012 at 08:45:56PM +0000, MFPA wrote: > On Thursday 2 February 2012 at 9:50:34 AM, in > , Werner Koch wrote: > > Sure it does not work if you use > > > Content-Transfer-Encoding: 7bit > > > The message body looks exactly the same in the copy in my sentbox, > where the header you cite above says > > Content-Transfer-Encoding: quoted-printable I think what Werner is saying is to use quoted-printable encoding; then, the space will be represented as =20 (when encoded) and it will be less likely to get eaten by hungry mail-handling tools. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From expires2012 at rocketmail.com Fri Feb 3 01:13:00 2012 From: expires2012 at rocketmail.com (MFPA) Date: Fri, 3 Feb 2012 00:13:00 +0000 Subject: Using the not-dash-escaped option In-Reply-To: <20120202215300.GA6122@crustytoothpaste.ath.cx> References: <1862457322.20120130022304@my_localhost> <516876184.20120131214116@my_localhost> <87ehuf0wi2.fsf@vigenere.g10code.de> <4910154966.20120201204706@my_localhost> <874nv9va1h.fsf@vigenere.g10code.de> <16010622274.20120202204556@my_localhost> <20120202215300.GA6122@crustytoothpaste.ath.cx> Message-ID: <1426137907.20120203001300@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 2 February 2012 at 9:53:00 PM, in , brian m. carlson wrote: > I think what Werner is saying is to use > quoted-printable encoding; then, the space will be > represented as =20 (when encoded) and it will be less > likely to get eaten by hungry mail-handling tools. I already had/have the option set in my MUA for "Transfer-encoding for non-ascii characters in message text" set to "quoted-printable." The other options are "no encoding" or "base64." - -- Best regards MFPA mailto:expires2012 at rocketmail.com To know what we know, and know what we do not know, is wisdom. -----BEGIN PGP SIGNATURE----- iQCVAwUBTysmnqipC46tDG5pAQqvoAP+JuEkMhULPJang8TV88X/Wd8m4EFLPEEn vKBddYQURsbn4gEOQGF3frjzivJwu1e2xyaTmjDPL5GqP/ON/8irRvkxukbG/7Yz /vO67pigAYdsanSApSHOSNPZkde57vP4zf0d9wRz9LJN04ZffkYkGUHXA4rx/ZQv oHT1jSx772A= =Dsq8 -----END PGP SIGNATURE----- From gonet9 at gmail.com Fri Feb 3 14:41:53 2012 From: gonet9 at gmail.com (Slawek Gonet) Date: Fri, 3 Feb 2012 14:41:53 +0100 Subject: Problems with GnuPG and Smartcard (opensc + pcsc) Message-ID: <20120203134153.GA3730@ciastko.tk> Hello. I'm trying to follow this howto: http://www.rainerkeller.de/etoken.htm To start using my smartcard as gpg-key. 
My smartcard and terminal:

- Aladdin eToken 32k Pro (initialised with pkcs15-init):
- Info : CardOS V4.2B (C) Siemens AG 1994-2005
- pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L:

Slot 1 (0x1): HP USB Smartcard Reader [HP USB Smartcard Reader] (0000000000000
  token label: Slawomir Gonet (User PIN)
  token manuf: OpenSC Project
  token model: PKCS#15
  token flags: login required, PIN initialized, token initialized
  serial num : XXXBDCXXXXX

Objects on my smartcard from pkcs15-tool -D:

PKCS#15 Card [Slawomir Gonet]:
PIN [User PIN]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x32], local, initialized, needs-padding

Private RSA Key [Private Key]
    Object Flags : [0x3], private, modifiable
    Usage : [0x4], sign
    Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local

Public RSA Key [Public Key]
    Object Flags : [0x2], modifiable
    Usage : [0x4], sign
    Access Flags : [0x0]

X.509 Certificate [Certificate]
    Object Flags : [0x2], modifiable
    Authority : no

~/.gnupg $ cat gnupg-pkcs11-scd.conf
# Log file.
# log-file log1

# Default is not verbose.
# verbose

# Default is no debugging.
# debug-all

# Pin cache period in seconds; default is infinite.
# pin-cache 20

# Comma-separated list of available provider names. Then set
# attributes for each provider using the provider-[name]-attribute
# syntax.
providers opensc

# Provider attributes (see below for detailed description)
provider-opensc-library /usr/lib/opensc-pkcs11.so

emulate-openpgp
openpgp-sign XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
openpgp-encr XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
openpgp-auth XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

---------------------------------------------------------------------------

My problem:
Following the howto:

$ gpg-agent --server
OK Pleased to meet you
SCD LEARN
gnupg-pkcs11-scd[3994.3616020224]: Listening to socket '/tmp/gnupg-pkcs11-scd.q0utvT/agent.S'
gnupg-pkcs11-scd[3994]: chan_5 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[3994]: chan_5 <- GETINFO socket_name
gnupg-pkcs11-scd[3994]: chan_5 -> D /tmp/gnupg-pkcs11-scd.q0utvT/agent.S
gnupg-pkcs11-scd[3994]: chan_5 -> OK
gnupg-pkcs11-scd[3994]: chan_5 <- LEARN
gnupg-pkcs11-scd[3994]: chan_5 -> S SERIALNO D276...
S SERIALNO D276..
gnupg-pkcs11-scd[3994]: chan_5 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[3994]: chan_5 -> S KEY-FRIEDNLY 1A7A6F350... /C=XX/ST=XXXXXXX/L=XXXXXXXX/CN=Slawomir Gonet/emailAddress=gonet9 at gmail.com on Slawomir Gonet (User PIN)
gnupg-pkcs11-scd[3994]: chan_5 -> S KEYPAIRINFO 1A7A6F350... OpenSC\x20Project/PKCS\x2315/25BBDC102315/Slawomir\x20Gonet\x20\x28User\x20PIN\x29/45
gnupg-pkcs11-scd[3994]: chan_5 -> OK
S KEY-FRIEDNLY 1A7A6F350... /C=XX/ST=XXXXXXXX/L=XXXXXXX/CN=Slawomir Gonet/emailAddress=gonet9 at gmail.com on Slawomir Gonet (User PIN)
S KEYPAIRINFO 1A7A6F350... OpenSC\x20Project/PKCS\x2315/25BBDC102315/Slawomir\x20Gonet\x20\x28User\x20PIN\x29/45

------------------

So, as you can see I'm getting only one KEY-FRIEDNLY instead of two:

S KEY-FRIEDNLY 1A7A6F350... /C=XX/ST=XXXXXXXX/L=XXXXXXX/CN=Slawomir Gonet/emailAddress=gonet9 at gmail.com on Slawomir Gonet (User PIN)

What am I doing wrong?
Please, help.
Regards,
SG

From gabriel.rosseel at telenet.be Sat Feb 4 13:16:36 2012
From: gabriel.rosseel at telenet.be (gabriel @ telenet)
Date: Sat, 04 Feb 2012 13:16:36 +0100
Subject: Gnupg and cardreader
Message-ID: <4F2D21A4.5030202@telenet.be>

I have installed Gnupg 1.4.9 and Enigmail 1.3.5 on a Mozilla Thunderbird 10.0 mail client. My OS is Windows 7. Everything works just great (can send and receive encrypted mails). When I try to use my cardreader (ACR38U), which by the way works fine with websites that require ID cards, I get an error:

"Your SmartCard reader could not be accessed
Please attach your SmartCard reader, insert your card, and repeat the operation"

Is there a way to make that work?

From einarr at pvv.org Sun Feb 5 14:20:14 2012
From: einarr at pvv.org (Einar Ryeng)
Date: Sun, 5 Feb 2012 14:20:14 +0100
Subject: Decryption fails with Crypto Stick + GnuPG 2.0.18
Message-ID: <20120205132014.GA19235@pvv.ntnu.no>

Hi,

I'm having trouble with GnuPG 2.0.18 and Crypto Stick on Debian unstable. My key is a 4096 bit RSA key where only subkeys reside on the Crypto Stick, while the private main key is kept offline.

With this setup I get the following symptoms:

- gpg2 --card-status works as expected
- Signing works fine with gpg2
- SSH integration works fine
- Decryption FAILS with gpg2
- However, gpg 1.4 decrypts fine, provided I first kill scdaemon.

The output from gpg2 is not overly helpful:

-----------
einarr at barium:~/gpgtest$ LANG=en gpg2 passwd.gpg
gpg: can't connect to the agent - trying fall back
gpg: encrypted with 4096-bit RSA key, ID 9A6EE054, created 2011-12-14
      "Einar Ryeng "
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
-----------

(btw, this is not related to the agent not running)

I suspect this might be a bug somewhere either in gpg2 or scdaemon. Using the debug option on gpg2 did not give me anything useful. How should I proceed to debug this?
I'd guess that the line "decryption failed: No secret key" means that gpg2 has asked scdaemon for that key and got back a negative response.

Can anyone confirm that they get this combination to work: GnuPG 2.0.18, Crypto Stick (or for that matter any OpenPGP smart card implementation) and 4096 bit keys?

Cheers,
-- 
Einar Ryeng

From klaus.layer at gmx.de Sun Feb 5 22:20:57 2012
From: klaus.layer at gmx.de (Klaus Layer)
Date: Sun, 5 Feb 2012 22:20:57 +0100
Subject: Moving from openpgp card to cryptostick
Message-ID: <201202052221.19138.klaus.layer@gmx.de>

Hi,

for several years I have been using an openpgp card with subkeys. Because I have to move to a new hardware without a cardreader, I bought a cryptostick to replace my old openpgp card.

I picked up my backup storage with the keyring with my main key and run:

#gpg --homedir /keylocation --edit-key MY-KEY-ID
#toggle
#key 2
#keytocard

key 2 is my authentication key, so I have to select

(3) authentication key
Your selection? 3

Now I get the message

gpg: secretkey already stored on a card

How can I transfer my keys from the old openpgp card to the new cryptostick?

Thanks for your help.

With kind regards,

Klaus

From expires2012 at rocketmail.com Sun Feb 5 23:50:08 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Sun, 5 Feb 2012 22:50:08 +0000
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <201202052221.19138.klaus.layer@gmx.de>
References: <201202052221.19138.klaus.layer@gmx.de>
Message-ID: <79573930.20120205225008@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Sunday 5 February 2012 at 9:20:57 PM, in , Klaus Layer wrote:

> How can I transfer my keys from the old openpgp card to
> the new cryptostick?
If you have a backup copy of your secret keys that you stored before transferring them to the old openpgp card, copy the backup to your keyring and then transfer it to the new cryptostick.

- -- 
Best regards

MFPA mailto:expires2012 at rocketmail.com

None are so fond of secrets as those who do not mean to keep them

From klaus.layer at gmx.de Mon Feb 6 08:39:27 2012
From: klaus.layer at gmx.de (Klaus Layer)
Date: Mon, 6 Feb 2012 08:39:27 +0100
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <79573930.20120205225008@my_localhost>
References: <201202052221.19138.klaus.layer@gmx.de> <79573930.20120205225008@my_localhost>
Message-ID: <201202060839.34648.klaus.layer@gmx.de>

MFPA wrote on 05.02.2012:
> If you have a backup copy of your secret keys that you stored before
> transferring them to the old openpgp card, copy the backup to your
> keyring and then transfer it to the new cryptostick.
>
>

When I created the keys for my old openpgp card I followed the description from http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups. I have the backup key ring that I created as described in the howto. How do I use this backup key ring to transfer the keys to my new crypto stick?

Regards,

Klaus

From expires2012 at rocketmail.com Mon Feb 6 20:54:51 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Mon, 6 Feb 2012 19:54:51 +0000
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <201202060839.34648.klaus.layer@gmx.de>
References: <201202052221.19138.klaus.layer@gmx.de> <79573930.20120205225008@my_localhost> <201202060839.34648.klaus.layer@gmx.de>
Message-ID: <1371596497.20120206195451@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Monday 6 February 2012 at 7:39:27 AM, in , Klaus Layer wrote:

> When I created the keys for my old openpgp card I
> followed the description from
> http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups.
> I have the backup key ring that I created as described
> in the howto. How do I use this backup key ring to
> transfer the keys to my new crypto stick?

Make sure your computer is "clean" and not connected to any network. *Copy* your backup secret keyring onto your computer. Refer back to the howto; there is a section near the end called "Transfering the subkeys to a new card," which contains some caveats and points you back to the section "Move the subkeys to the card" to repeat the whole procedure from there onwards. I don't know if there are any subtle differences due to using the new crypto stick instead of the old openpgp card.

- -- 
Best regards

MFPA mailto:expires2012 at rocketmail.com

The man who really wants to do something finds a way, the other finds an excuse.
From rfflrccrd at gmail.com Tue Feb 7 02:09:37 2012
From: rfflrccrd at gmail.com (Raffaele Ricciardi)
Date: Tue, 07 Feb 2012 01:09:37 +0000
Subject: GPG2 hangs the system if I activate another window
Message-ID: <4F3079D1.9080007@gmail.com>

Hello,

I've downloaded and compiled GPG2 on Debian Linux (Gnome).

When GPG2 opens a popup to ask for a password, I can't switch to another window without locking up the desktop. Neither the mouse nor any key works anymore, not even the power button, and I have to keep it pressed for 6 seconds to force power-off.

Is there any way around this? I need to switch to another window because I keep my passwords in a password database application I may need to open, and on a laptop with a touchpad, a click can be fired off inadvertently anyway.

Thanks.
Raffaele

Software:
- gpg (GnuPG) 2.0.17
- libgcrypt 1.4.5
- Debian GNU/Linux version: 6.0.3
- Kernel version: Linux debian 2.6.32-5-686 #1 SMP Wed Jan 11 12:29:30 UTC 2012 i686 GNU/Linux

From gnupg at lists.grepular.com Tue Feb 7 11:11:33 2012
From: gnupg at lists.grepular.com (gnupg at lists.grepular.com)
Date: Tue, 07 Feb 2012 10:11:33 +0000
Subject: GPG2 hangs the system if I activate another window
In-Reply-To: <4F3079D1.9080007@gmail.com>
References: <4F3079D1.9080007@gmail.com>
Message-ID: <4F30F8D5.8070107@lists.grepular.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/02/12 01:09, Raffaele Ricciardi wrote:

> I've downloaded and compiled GPG2 on Debian Linux (Gnome).
>
> When GPG2 opens a popup to ask for a password, I can't switch to
> another window without locking up the desktop. Neither the mouse
> nor any key works anymore, not even the power button, and I have to
> keep it pressed for 6 seconds to force power-off.
>
> Is there any way around this? I need to switch to another window
> because I keep my passwords in a password database application I
> may need to open, and on a laptop with a touchpad, a click can be
> fired off inadvertently anyway.

I think this is by design. See the following option in the man page for gpg-agent and make sure you understand the security implications before using it:

- --no-grab: Tell the pinentry not to grab the keyboard and mouse. This option should in general not be used to avoid X-sniffing attacks.

- -- 
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4

From peter at digitalbrains.com Tue Feb 7 15:31:58 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 07 Feb 2012 15:31:58 +0100
Subject: GPG2 hangs the system if I activate another window
In-Reply-To: <4F30F8D5.8070107@lists.grepular.com>
References: <4F3079D1.9080007@gmail.com> <4F30F8D5.8070107@lists.grepular.com>
Message-ID: <4F3135DE.8020007@digitalbrains.com>

On 07/02/12 11:11, gnupg at lists.grepular.com wrote:
>> When GPG2 opens a popup to ask for a password, I can't switch to
>> another window without locking up the desktop. Neither the mouse
>> nor any key works anymore, not even the power button, and I have to
>> keep it pressed for 6 seconds to force power-off.
>
> I think this is by design.

Locking up seems a bit harsh :). Here, on XFCE with Debian testing, my desktop definitely does not lock up. I can press some buttons with the mouse, but I can't type any text in any other window than the password input dialog. But at no point do I lose control, and once I dismiss the password dialog, I can continue using my computer. This would be the "design" I expected :).

That said, if you want to pass the password from a password database application, you probably indeed need --no-grab, and that might solve the locking problem as a byproduct.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From rudupa at easylink.com Wed Feb 8 18:07:48 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Wed, 8 Feb 2012 17:07:48 +0000
Subject: subscribe
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F362E6ACE@PSEXMBX01.netmaster.corp.easylink.com>

From rudupa at easylink.com Wed Feb 8 18:37:39 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Wed, 8 Feb 2012 17:37:39 +0000
Subject: Runniing gpg2 on Linux Servers
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F362E6AE3@PSEXMBX01.netmaster.corp.easylink.com>

Hi,

I installed gnupg with all related modules as well as pinentry module on a redhat linux server. Now, when I try to run gpg2, to generate a key using command line

gpg2 --gen-key

I get the following error.

GnuPG needs to construct a user ID to identify your key.

Real name: rudupa
Email address: rudupa at test.com
Comment: test
You selected this USER-ID:
    "rudupa (test) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg-agent[12363]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[12363]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: Key generation canceled.

I am running gpg-agent in the daemon mode with following parameters

gpg-agent --options /u4/udupa/gnupg/gpg-agent.conf --daemon --verbose --log-file /tmp/log --enable-ssh-support --debug-all

Thanks,
Raghu Udupa

From rudupa at easylink.com Wed Feb 8 18:44:29 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Wed, 8 Feb 2012 17:44:29 +0000
Subject: Runniing gpg2 on Linux Servers
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F362E6AE3@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F362E6AE3@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F362E6B07@PSEXMBX01.netmaster.corp.easylink.com>

Hi,

I installed gnupg with all related modules as well as pinentry module on a redhat linux server. Now, when I try to run gpg2, to generate a key using command line

gpg2 --gen-key

I get the following error.

GnuPG needs to construct a user ID to identify your key.

Real name: rudupa
Email address: rudupa at test.com
Comment: test
You selected this USER-ID:
    "rudupa (test) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg-agent[12363]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[12363]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: Key generation canceled.

I am running gpg-agent in the daemon mode with following parameters

gpg-agent --options /u4/udupa/gnupg/gpg-agent.conf --daemon --verbose --log-file /tmp/log --enable-ssh-support --debug-all

I am using the following gpg-agent.conf config file.
-bash-3.00$ cat gpg-agent.conf
no-grab
pinentry-program /usr/bin/pinentry-curses

Thanks,
Raghu Udupa

From johannes.baiter at googlemail.com Wed Feb 8 20:57:14 2012
From: johannes.baiter at googlemail.com (Johannes Baiter)
Date: Wed, 8 Feb 2012 20:57:14 +0100
Subject: Problem "Kobil Kaan Advanced" keypad [gnupg 2.0.18]
In-Reply-To:
References:
Message-ID:

Okay, I managed to resolve that problem by specifying the `pinpad-program` option in gpg-agent.conf. I can enter the PIN now and it is recognized ("Good PIN"-beep and the pin retry counter is not decremented afterwards). However, the file is not decrypted and scdaemon throws this (debug log):

2012-02-08 20:49:11 scdaemon[28024] DBG: prompting for keypad entry '||Please enter the PIN'
scdaemon[28024]: chan_7 -> INQUIRE POPUPKEYPADPROMPT ||Please enter the PIN
scdaemon[28024]: chan_7 <- END
2012-02-08 20:49:12 scdaemon[28024] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=0 le=-1 em=0
2012-02-08 20:49:12 scdaemon[28024] DBG: raw apdu: 00 20 00 82 00
2012-02-08 20:49:26 scdaemon[28024] DBG: response: sw=9000 datalen=0
2012-02-08 20:49:26 scdaemon[28024] DBG: dump:
2012-02-08 20:49:26 scdaemon[28024] DBG: dismiss keypad entry prompt
scdaemon[28024]: chan_7 -> INQUIRE DISMISSKEYPADPROMPT
scdaemon[28024]: chan_7 <- END
2012-02-08 20:49:26 scdaemon[28024] DBG: send apdu: c=00 i=2A p1=80 p2=86 lc=257 le=2048 em=1
2012-02-08 20:49:26 scdaemon[28024] DBG: raw apdu:
2012-02-08 20:49:26 scdaemon[28024] ccid_transceive failed: (0x10002)
2012-02-08 20:49:26 scdaemon[28024] apdu_send_simple(0) failed: invalid value
2012-02-08 20:49:26 scdaemon[28024] operation decipher result: Invalid value
2012-02-08 20:49:26 scdaemon[28024] app_decipher failed: Invalid value

Google-Fu did not yield anything for that specific error code :-/

2012/2/8 Johannes Baiter :
> I recently acquired a "Kobil Kaan Advanced" reader and am trying to
> use it under Debian (unstable).
> I have it working now up to the point where I can query the card
> status, i.e. the reader works and the card is recognized correctly.
> However, it seems that the built-in keypad of my reader does not work,
> although according to the howto [1] it should do so:
>
> $ gpg2 -d foo.txt.gpg
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: updating slot 0 status: 0x0000->0x0007 (0->1)
> scdaemon[21350]: fingerprint on card does not match requested one
> scdaemon[21350]: app_decipher failed: Wrong secret key used
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: DBG: prompting for keypad entry '||Please enter the PIN'
> gpg-agent[21349]: can't connect to the PIN entry module: IPC connect call failed
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: PIN callback returned error: Unexpected IPC command
> scdaemon[21350]: app_decipher failed: Unexpected IPC command
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: fingerprint on card does not match requested one
> scdaemon[21350]: app_decipher failed: Wrong secret key used
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: DBG: prompting for keypad entry '||Please enter the PIN'
> gpg-agent[21349]: can't connect to the PIN entry module: IPC connect call failed
> gpg: anonymous recipient; trying secret key ...
> scdaemon[21350]: PIN callback returned error: Unexpected IPC command
> scdaemon[21350]: app_decipher failed: Unexpected IPC command
> gpg: encrypted with RSA key, ID 00000000
> gpg: encrypted with RSA key, ID 00000000
> gpg: decryption failed: No secret key
>
>
> [1] http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

From rfflrccrd at gmail.com Wed Feb 8 23:15:51 2012
From: rfflrccrd at gmail.com (Raffaele Ricciardi)
Date: Wed, 08 Feb 2012 22:15:51 +0000
Subject: GPG2 hangs the system if I activate another window
In-Reply-To:
References:
Message-ID: <4F32F417.4050401@gmail.com>

> Date: Tue, 07 Feb 2012 10:11:33 +0000
> From: gnupg at lists.grepular.com
> To: gnupg-users at gnupg.org
> Subject: Re: GPG2 hangs the system if I activate another window
> Message-ID: <4F30F8D5.8070107 at lists.grepular.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/02/12 01:09, Raffaele Ricciardi wrote:
>
> > I've downloaded and compiled GPG2 on Debian Linux (Gnome).
> >
> > When GPG2 opens a popup to ask for a password, I can't switch to
> > another window without locking up the desktop. Neither the mouse
> > nor any key works anymore, not even the power button, and I have to
> > keep it pressed for 6 seconds to force power-off.
> >
> > Is there any way around this? I need to switch to another window
> > because I keep my passwords in a password database application I
> > may need to open, and on a laptop with a touchpad, a click can be
> > fired off inadvertently anyway.
> I think this is by design. See the following option in the man page
> for gpg-agent and make sure you understand the security implications
> before using it:
>
> - --no-grab: Tell the pinentry not to grab the keyboard and mouse. This
> option should in general not be used to avoid X-sniffing attacks.

Thank you for the tip about looking into the help for gpg-agent (I was looking into that for gpg2).
It seems GPG2 on my system is running Seahorse, a Gnome front end for GnuPG:

GPG_AGENT_INFO=/tmp/seahorse-PDdgFx/S.gpg-agent:2402:1

That's the reason this other user, who is running XFCE instead of Gnome, is not experiencing my same issue:

> Date: Tue, 07 Feb 2012 15:31:58 +0100
> From: Peter Lebbing
> To: gnupg-users at gnupg.org
> Subject: Re: GPG2 hangs the system if I activate another window
> Message-ID: <4F3135DE.8020007 at digitalbrains.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 07/02/12 11:11, gnupg at lists.grepular.com wrote:
> >> When GPG2 opens a popup to ask for a password, I can't switch to
> >> another window without locking up the desktop. Neither the mouse
> >> nor any key works anymore, not even the power button, and I have to
> >> keep it pressed for 6 seconds to force power-off.
> > I think this is by design.
> Locking up seems a bit harsh . Here, on XFCE with Debian testing, my desktop
> definitely does not lock up. I can press some buttons with the mouse, but I
> can't type any text in any other window than the password input dialog. But at
> no point do I lose control, and once I dismiss the password dialog, I can
> continue using my computer. This would be the "design" I expected .
>
> That said, if you want to pass the password from a password database
> application, you probably indeed need --no-grab, and that might solve the
> locking problem as a byproduct.

I'll investigate the issue further. Since in my case GPG2 is being invoked by another application (Emacs), this is not straightforward.

Thank you guys for your support.
From wk at gnupg.org Thu Feb 9 10:07:43 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Feb 2012 10:07:43 +0100
Subject: Runniing gpg2 on Linux Servers
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F362E6B07@PSEXMBX01.netmaster.corp.easylink.com> (Raghu Udupa's message of "Wed, 8 Feb 2012 17:44:29 +0000")
References: <10F20BC0C13B3F4C928EFD1C3A651F362E6AE3@PSEXMBX01.netmaster.corp.easylink.com> <10F20BC0C13B3F4C928EFD1C3A651F362E6B07@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <871uq4nzmo.fsf@vigenere.g10code.de>

On Wed, 8 Feb 2012 18:44, rudupa at easylink.com said:

> gpg-agent --options /u4/udupa/gnupg/gpg-agent.conf --daemon --verbose --log-file /tmp/log --enable-ssh-support --debug-all

Did you set up the environment as described in the manual? Why do you use a specific options file? For testing it is easier to use a specific home directory and a shell:

GNUPGHOME=/foo/bar/ gpg-agent --daemon --verbose --log-file /tmp/log --enable-ssh-support /bin/sh

The environment variables are then correctly set up and you can just run gpg.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

From wk at gnupg.org Thu Feb 9 10:16:25 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Feb 2012 10:16:25 +0100
Subject: Problem "Kobil Kaan Advanced" keypad [gnupg 2.0.18]
In-Reply-To: (Johannes Baiter's message of "Wed, 8 Feb 2012 20:57:14 +0100")
References:
Message-ID: <87wr7wmknq.fsf@vigenere.g10code.de>

On Wed, 8 Feb 2012 20:57, johannes.baiter at googlemail.com said:
> Okay, I managed to resolve that problem by specifying the
> `pinpad-program` option in gpg-agent.conf. I can enter the PIN now and
> it is recognized ("Good PIN"-beep and the pin retry counter is not
> decremented afterwards). However, the file is not decrypted and
> scdaemon throws this (debug log):

I used that reader for a long time. However with the v2 OpenPGP card it stopped working reliably.
There are rumors that Kobil had problems with 2048 bit keys and thus I didn't look closer at the problem and switched to another reader.

If you want to look closer at the problem, you may add the option

debug-ccid-driver

two times to your scdaemon.conf. You may also want to test it using pcscd instead of the internal driver.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

From wk at gnupg.org Thu Feb 9 10:20:23 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Feb 2012 10:20:23 +0100
Subject: GPG2 hangs the system if I activate another window
In-Reply-To: <4F32F417.4050401@gmail.com> (Raffaele Ricciardi's message of "Wed, 08 Feb 2012 22:15:51 +0000")
References: <4F32F417.4050401@gmail.com>
Message-ID: <87sjikmkh4.fsf@vigenere.g10code.de>

On Wed, 8 Feb 2012 23:15, rfflrccrd at gmail.com said:

> It seems GPG2 on my system is running Seahorse, a Gnome front end for GnuPG:
>
> GPG_AGENT_INFO=/tmp/seahorse-PDdgFx/S.gpg-agent:2402:1
>

Seahorse and gnome-keyring are hijacking the gpg-agent connection. It is a source of constant frustration. You can configure gnome-keyring not to badly emulate some gpg-agent functions.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

From klaus.layer at gmx.de Thu Feb 9 10:46:37 2012
From: klaus.layer at gmx.de (Klaus Layer)
Date: Thu, 9 Feb 2012 10:46:37 +0100
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <1371596497.20120206195451@my_localhost>
References: <201202052221.19138.klaus.layer@gmx.de> <201202060839.34648.klaus.layer@gmx.de> <1371596497.20120206195451@my_localhost>
Message-ID: <201202091046.45246.klaus.layer@gmx.de>

MFPA wrote on 06.02.2012:
> Make sure your computer is "clean" and not connected to any network.
> *Copy* your backup secret keyring onto your computer. Refer back to
> the howto; there is a section near the end called "Transfering the
> subkeys to a new card," which contains some caveats and points you
> back to the section "Move the subkeys to the card" to repeat the whole
> procedure from there onwards. I don't know if there are any subtle
> differences due to using the new crypto stick instead of the old
> openpgp card.

I proceed exactly as described in the howto with my backup keys. But I always get the message

"gpg: secretkey already stored on a card"

Any idea how I can resolve this?

Thanks,

Klaus

From johannes.baiter at googlemail.com Wed Feb 8 20:16:44 2012
From: johannes.baiter at googlemail.com (Johannes Baiter)
Date: Wed, 8 Feb 2012 20:16:44 +0100
Subject: Problem "Kobil Kaan Advanced" keypad [gnupg 2.0.18]
Message-ID:

I recently acquired a "Kobil Kaan Advanced" reader and am trying to use it under Debian (unstable). I have it working now up to the point where I can query the card status, i.e. the reader works and the card is recognized correctly. However, it seems that the built-in keypad of my reader does not work, although according to the howto [1] it should do so:

$ gpg2 -d foo.txt.gpg
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: updating slot 0 status: 0x0000->0x0007 (0->1)
scdaemon[21350]: fingerprint on card does not match requested one
scdaemon[21350]: app_decipher failed: Wrong secret key used
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: DBG: prompting for keypad entry '||Please enter the PIN'
gpg-agent[21349]: can't connect to the PIN entry module: IPC connect call failed
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: PIN callback returned error: Unexpected IPC command
scdaemon[21350]: app_decipher failed: Unexpected IPC command
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: fingerprint on card does not match requested one
scdaemon[21350]: app_decipher failed: Wrong secret key used
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: DBG: prompting for keypad entry '||Please enter the PIN'
gpg-agent[21349]: can't connect to the PIN entry module: IPC connect call failed
gpg: anonymous recipient; trying secret key ...
scdaemon[21350]: PIN callback returned error: Unexpected IPC command
scdaemon[21350]: app_decipher failed: Unexpected IPC command
gpg: encrypted with RSA key, ID 00000000
gpg: encrypted with RSA key, ID 00000000
gpg: decryption failed: No secret key

[1] http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

From rfflrccrd at gmail.com Thu Feb 9 20:23:06 2012
From: rfflrccrd at gmail.com (Raffaele Ricciardi)
Date: Thu, 09 Feb 2012 19:23:06 +0000
Subject: GPG2 hangs the system if I activate another window
In-Reply-To: <87sjikmkh4.fsf@vigenere.g10code.de>
References: <4F32F417.4050401@gmail.com> <87sjikmkh4.fsf@vigenere.g10code.de>
Message-ID: <4F341D1A.5040403@gmail.com>

On 02/09/2012 09:20 AM, Werner Koch wrote:
> On Wed, 8 Feb 2012 23:15, rfflrccrd at gmail.com said:
>
>> It seems GPG2 on my system is running Seahorse, a Gnome front end for GnuPG:
>>
>> GPG_AGENT_INFO=/tmp/seahorse-PDdgFx/S.gpg-agent:2402:1
>>
>
> Seahorse and gnome-keyring are hijacking the gpg-agent connection. It
> is a source of constant frustration. You can configure gnome-keyring
> not to badly emulate some gpg-agent functions.

Thanks for your suggestion. I'd like to do without both Seahorse and
gnome-keyring. I don't need them because in my case passwords are
managed by another application anyway.
I've tried replacing Seahorse with pinentry-gtk-2, which I've found on
my system, but currently I've managed to have just a pinentry-gtk-2
popup window flashing for an instant and then GPG failing.

Here is what I've done:

- cleared the GPG_AGENT_INFO environment variable, which avoids my
  application running GPG2 with the --use-agent option;

- created ~/.gnupg/gpg.conf with this content:

      use-agent

- following directions given here:

      https://wiki.archlinux.org/index.php/GnuPG#gpg-agent

  I've created a ~/bin/gpg-agent.sh (instead of a
  /etc/profile.d/gpg-agent.sh) and ran it, and checked that gpg-agent
  was running. Then I've created a ~/.gnupg/gpg-agent.conf with this
  content:

      pinentry-program /usr/bin/pinentry-gtk-2

That's it. Any suggestion?

Thanks.

From toskp10 at gmail.com Thu Feb 9 19:55:18 2012
From: toskp10 at gmail.com (Thomas Martin)
Date: Thu, 9 Feb 2012 22:55:18 +0400
Subject: Gnupg compression
Message-ID:

Hello all,

I've been playing around with encrypted files, trying to decrypt them
independently. I've used Maple to decrypt the RSA, and openssl to
decrypt the AES, sha1sum to verify the hashes, but I'm having problems
with the compressed files.

I (perhaps naively) thought that once I'd undone the encryption, it
would be possible to extract just the compressed data and use a
decompression command to retrieve the original file. I know Gnupg uses
zlib by default, but I used "--personal-compress-preferences zip" to
use zip instead, and tried 7z to decompress. Not only did it not work,
but trying to compress the original file with 7z came up with a very
different file (different size as well as content). Even when I used no
compression and encrypted a 1k all-zero file, the decrypted file only
had 990 zero bytes.

With the redundant 16 bits in the CFB mode, and the hash digests, I
know I'm doing most things right. Can anyone help with these final
steps?
Do there exist commands (Windows or Linux) that will
compress/decompress a file in the exact same manner as Gnupg, for any
or all three compression algorithms?

Thomas.

From kgo at grant-olson.net Thu Feb 9 20:17:17 2012
From: kgo at grant-olson.net (Grant Olson)
Date: Thu, 09 Feb 2012 14:17:17 -0500
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <201202091046.45246.klaus.layer@gmx.de>
References: <201202052221.19138.klaus.layer@gmx.de> <201202060839.34648.klaus.layer@gmx.de> <1371596497.20120206195451@my_localhost> <201202091046.45246.klaus.layer@gmx.de>
Message-ID: <4F341BBD.90109@grant-olson.net>

On 2/9/12 4:46 AM, Klaus Layer wrote:
>
> I proceed exactly as described in the howto with my backup keys. But I always
> get the message "gpg: secretkey already stored on a card"
>
> Any idea how I can resolve this?
>

I would suggest setting up the new card off of a temp keyring using the
homedir option:

mkdir newcard
gpg --homedir newcard --import backup.gpg
gpg --homedir newcard --card-edit
... etc

If that works, delete your private key from your real keyring and run
--card-status to use the new card.

--
Grant

Confidential info? Please encrypt or send via:
https://privacybox.de/grant.msg

"I am gravely disappointed. Again you have made me unleash my dogs of
war."

From wk at gnupg.org Thu Feb 9 22:00:09 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Feb 2012 22:00:09 +0100
Subject: Gnupg compression
In-Reply-To: (Thomas Martin's message of "Thu, 9 Feb 2012 22:55:18 +0400")
References:
Message-ID: <87bop7n2na.fsf@vigenere.g10code.de>

On Thu, 9 Feb 2012 19:55, toskp10 at gmail.com said:

> these final steps? Do there exist commands (Windows or Linux) that
> will compress/decompress a file in the exact same manner as Gnupg, for
> any or all three compression algorithms?

Not really. The format is OpenPGP specific. You need to read RFC-4880
closely to understand how it works.

Salam-Shalom,

   Werner

--
Thoughts are free.
Exceptions are regulated by a federal law.

From kunlele4u at yahoo.com Fri Feb 10 12:02:54 2012
From: kunlele4u at yahoo.com (kunle odu)
Date: Fri, 10 Feb 2012 11:02:54 +0000
Subject: Hello
Message-ID: <4F34F95E.3080908@yahoo.com>

pls how can l install gnupg because l dont computer command at all or
may be u can show me simple way to install it. Thanks

From kunlele4u at yahoo.com Fri Feb 10 12:51:05 2012
From: kunlele4u at yahoo.com (kunle odu)
Date: Fri, 10 Feb 2012 11:51:05 +0000
Subject: Pls help on OpenGPG/ Preference
In-Reply-To: <4F34F95E.3080908@yahoo.com>
References: <4F34F95E.3080908@yahoo.com>
Message-ID: <4F3504A9.909@yahoo.com>

> pls i dont know how to set my path file on opengpg/preference. when l
> wanted to generate new key it was telling Error in accessing Enigmail
> service. Pls help me Base on lay man computer language because it seems
> l confused. Thanks

From kunlele4u at yahoo.com Fri Feb 10 03:18:31 2012
From: kunlele4u at yahoo.com (kunle odu)
Date: Fri, 10 Feb 2012 02:18:31 +0000
Subject: Enigmail problem
Message-ID: <4F347E77.9090602@yahoo.com>

i want 2 generate key but telling dat Enigmail error

From expires2012 at rocketmail.com Fri Feb 10 22:13:35 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Fri, 10 Feb 2012 21:13:35 +0000
Subject: Moving from openpgp card to cryptostick
In-Reply-To: <201202091046.45246.klaus.layer@gmx.de>
References: <201202052221.19138.klaus.layer@gmx.de> <201202060839.34648.klaus.layer@gmx.de> <1371596497.20120206195451@my_localhost> <201202091046.45246.klaus.layer@gmx.de>
Message-ID: <25789901.20120210211335@my_localhost>

Hi

On Thursday 9 February 2012 at 9:46:37 AM, in , Klaus Layer wrote:

> I proceed exactly as described in the howto with my
> backup keys. But I always get the message "gpg:
> secretkey already stored on a card"

> Any idea how I can resolve this?

I suspect this means GnuPG is finding the secret key stub created when
you moved your keys to the old card.
Before importing the backup you made the first time around, I would try
exporting the relevant secret key (so that you have a backup copy of
the stubs...), then deleting that secret key from your keyring
gpg --delete-secret-key your_key_ID.

--
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Don't ask me, I'm making this up as I go!

From remco at webconquest.com Sat Feb 11 05:38:25 2012
From: remco at webconquest.com (Remco Rijnders)
Date: Sat, 11 Feb 2012 05:38:25 +0100
Subject: Hello
In-Reply-To: <4F34F95E.3080908@yahoo.com>
References: <4F34F95E.3080908@yahoo.com>
Message-ID:

On Fri, Feb 10, 2012 at 11:02:54AM +0000, kunle wrote in
<4F34F95E.3080908 at yahoo.com>:
>pls how can l install gnupg because l dont computer command at all or
>may be u can show me simple way to install it. Thanks

This is way too little information for anyone to help you. What are you
trying, what package of gnupg (download URL?) are you trying to
install. On what OS is this? How are you attempting to run the
installer? What exact error message do you get (thus not your own
interpretation of it)?

Cheers,

Remco

From olav at enigmail.net Sat Feb 11 09:34:50 2012
From: olav at enigmail.net (Olav Seyfarth)
Date: Sat, 11 Feb 2012 09:34:50 +0100
Subject: Pls help on OpenGPG/ Preference
In-Reply-To: <4F3504A9.909@yahoo.com>
References: <4F34F95E.3080908@yahoo.com> <4F3504A9.909@yahoo.com>
Message-ID: <4F36282A.3000105@enigmail.net>

Hi kunle odu,

you posted 3 messages to the GnuPG mailing list.
There is a better place to get help with Enigmail:
http://www.mozdev.org/mailman/listinfo/enigmail/
Please subscribe and post further messages there.

And before you post, please gather information first and then post all
info one would probably need to be able to help you in one message,
such as
- on what system are you
- which software is installed, versions (as for Enigmail, that's from
  the OpenPGP menu)
- what were the steps you took
- when did you encounter which errors
- debug information (Enigmail: OpenPGP preferences (advanced settings
  on), debugging tab)

> how can l install gnupg because l dont computer command at all or may be u
> can show me simple way to install it.

You need to install GnuPG. First uninstall any GnuPG you tried to
install manually. Use the recent GPG4win (2.1), available from
http://gpg4win.org/
You may adjust the packages to be installed as you like, but the
default works fine. Once installed, restart Thunderbird. Enigmail will
find GnuPG WITHOUT any prefs/paths set as long as you leave the default
installation path of GPG4win untouched.

> pls i dont know how to set my path file on opengpg/preference. when l
> wanted to generate new key it was telling Error in accessing Enigmail
> service.

Your "Error in accessing Enigmail service" has nothing to do with
GnuPG. It seems that you are on Windows using Thunderbird 10.0, no
Enigmail headers. Please uninstall Enigmail (from the AddOns dialog)
and download it again from here:
https://addons.mozilla.org/de/thunderbird/addon/enigmail/ , then
install the downloaded file from the AddOns dialog.

> i want 2 generate key but telling dat Enigmail error

Only once you resolved the "accessing Enigmail service" error, you will
be able to use any functionality such as creating a key.
Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

From salahuddin at qomento.com Sun Feb 12 16:49:31 2012
From: salahuddin at qomento.com (salahuddin)
Date: Sun, 12 Feb 2012 21:49:31 +0600
Subject: pgp-maildrop script
Message-ID: <1329061771.9474.1.camel@debian01>

Hello there

I have written a Perl script for using gnupg using maildrop
http://www.courier-mta.org/maildrop/

It may be useful to others:
https://github.com/libreserver/pgp-maildrop

Comments and suggestions are welcome.

From laith.aldeen at yahoo.de Sun Feb 12 19:44:07 2012
From: laith.aldeen at yahoo.de (Laith Al-Deen)
Date: Sun, 12 Feb 2012 19:44:07 +0100
Subject: New GnuPT-Version
In-Reply-To: <1329061771.9474.1.camel@debian01>
References: <1329061771.9474.1.camel@debian01>
Message-ID: <4F380877.7080904@yahoo.de>

Hello,

a new version of GnuPT has been released. This version comes with an
update of WinPT. Alternatively it is possible to install WinPT Version
1.4.3.

Download: http://installer.gnupt.de/
WinPT Blog: http://winpt.gnupt.de/

WinPT and GnuPT are two independent projects.
--
Laith

From meddington at gmail.com Tue Feb 14 23:33:01 2012
From: meddington at gmail.com (Michael Eddington)
Date: Tue, 14 Feb 2012 14:33:01 -0800
Subject: Announce: Outlook 2010 Privacy Plugin
Message-ID: <4F3AE11D.8010802@gmail.com>

Outlook Privacy Plugin

A simple OpenPGP encryption plugin for Outlook 2010.

http://code.google.com/p/outlook-privacy-plugin/

*About*

Outlook Privacy Plugin is a security extension for Outlook 2010. It
enables Outlook 2010 to send and receive email messages that are
encrypted and/or signed with the OpenPGP standard. Outlook Privacy
Plugin uses GNU Privacy Guard (GnuPG/GPG).

*Features*

 * Microsoft Outlook 2010
 * Encrypt and decrypt email using OpenPGP standard
 * Supports encrypted attachments
 * Supports multiple recipients
 * Decrypts PGP-MIME
 * Decrypts OpenPGP blocks in HTML email

*Not Supported*

 * Encrypting with PGP-MIME (planned)
 * No support for HTML email (planned)

This plugin is in BETA status and is based on an earlier plugin for
Office 2007.

Project Sponsored by Deja vu Security.

From dshaw at jabberwocky.com Wed Feb 15 05:32:50 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 14 Feb 2012 23:32:50 -0500
Subject: Interesting real world short ID collision
Message-ID: <56F6E481-EDDC-4701-A513-8EE636B22A8C@jabberwocky.com>

As pointed out in Debian bug 659905, on the keyservers, the primary key
171CAA4A (dated 2002) collides (presumably naturally) with a subkey on
primary key 1C8BB5A7 (dated 2000).

It seems the owner of one went to a keysigning party, and an attendee
was rather surprised to find two keys coming back from the keyserver
for that ID...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659905

David

From wk at gnupg.org Wed Feb 15 18:41:00 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 15 Feb 2012 18:41:00 +0100
Subject: Interesting real world short ID collision
In-Reply-To: <56F6E481-EDDC-4701-A513-8EE636B22A8C@jabberwocky.com> (David Shaw's message of "Tue, 14 Feb 2012 23:32:50 -0500")
References: <56F6E481-EDDC-4701-A513-8EE636B22A8C@jabberwocky.com>
Message-ID: <87pqdgyoyb.fsf@vigenere.g10code.de>

On Wed, 15 Feb 2012 05:32, dshaw at jabberwocky.com said:

> It seems the owner of one went to a keysigning party, and an attendee was rather surprised to find two keys coming back from the keyserver for that ID...

At the FSFE we had this surprise regularly with 76B8337A which is used
by one of our office folks.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From neha.rastogi at twc-contractor.com Wed Feb 15 21:46:09 2012
From: neha.rastogi at twc-contractor.com (Rastogi, Neha (contractor))
Date: Wed, 15 Feb 2012 15:46:09 -0500
Subject: GPG installation
Message-ID: <47BA19004B907A43827D8408ED03B11D5ACC6A23@PRVPEXVS07.corp.twcable.com>

Hi Team,

I am new to GPG. I am not seeing .gnupg directory at home path. I did
following:

1. Go to link http://fadaskeng.com/gnupg.php#solaris for gpg setup.
2. Download gnupg-1.4.8-sol10-intel-local version from link
   http://www.portal-to-web.de/pub/sunfreeware/i386/10/
3. Place file at a location on which gpg needs to be installed.
4. Unzip file gnupg-1.4.8-sol10-x86-local.gz.
5. Ask Unix team to install the package using command:
   pkgadd -d gnupg-1.4.8-sol10-x86-local
6. While running package, it ask for i/ps:
   a. The following packages are available:
      1 SMCgnupg gnupg (intel) 1.2.6
      Select package you wish to process (or 'all' to process all
      packages). (default: all) [?,??,q]:
      Select all
   b. Do you want to install these conflicting files [y,n,?,q] :
      Select yes
7. Verify steps from link http://fadaskeng.com/gnupg.php#solaris
   gpg --list-keys
   -bash: /usr/local/bin/gpg: Invalid argument

Please help!!!

Thanks & Regards,
Neha Rastogi
Business & Technical Ops Team
Aim: neharastogi3006

From cryptostick at privacyfoundation.de Thu Feb 16 14:44:06 2012
From: cryptostick at privacyfoundation.de (Crypto Stick)
Date: Thu, 16 Feb 2012 21:44:06 +0800
Subject: Gnupg and cardreader
In-Reply-To: <4F2D21A4.5030202@telenet.be>
References: <4F2D21A4.5030202@telenet.be>
Message-ID: <4F3D0826.5080607@privacyfoundation.de>

Hi Gabriel!

Before you can use any smart card, you need to store your keys on the
smart card. Which card are you using?

On 04.02.2012 20:16, gabriel @ telenet wrote:
> I have installed Gnupg 1.4.9 and Enigmail 1.3.5 on a Mozilla Thunderbird
> 10.0 mail client. My OS is Windows 7.
> Everything works just great (can send and receive encrypted mails).
> When I try to use my cardreader (ACR38U), which by the way works fine
> with websites that require ID cards, I get an error:
>
> "Your SmartCard reader could not be accessed
> Please attach your SmartCard reader, insert your card, and repeat the
> operation"
>
> Is there a way to make that work?

From s_buckhe at cs.uni-kl.de Mon Feb 20 01:10:42 2012
From: s_buckhe at cs.uni-kl.de (Sean Buckheister)
Date: Mon, 20 Feb 2012 01:10:42 +0100
Subject: Trust signatures with unbounded regular expressions
Message-ID: <4F418F82.6000003@cs.uni-kl.de>

Hello,

given a key, I would like to create a trust signature with a specific
regular expression, say "-mail[12]\.example\.com$" in this exact form.
That expression, and thus the signature, would match any domain name
ending with -mail1.example.com or -mail2.example.com, including all
email addresses attached to them. This is exactly what I want, but gnupg
mangles the regular expression to match mail addresses or domains at or
beneath the verbatim domain name -mail[12].example.com.

Is there any way to create a trust signature with that exact regular
expression with gnupg?

-- Sean

From stevebell at gulli.com Mon Feb 20 20:24:52 2012
From: stevebell at gulli.com (Steve)
Date: Mon, 20 Feb 2012 20:24:52 +0100
Subject: PGP/MIME use
In-Reply-To: <87ty3av6hi.fsf@vigenere.g10code.de>
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de>
Message-ID:

>> Has there been a concerted effort to make Enigmail an integral part of
>> Thunderbird, distributed with it?
>> If yes, what are the reasons that it
>> has been rejected so far? If no, why not?
>
Werner replied:
> The Mozillas don't like OpenPGP. To them it is probably too much
> anarchy compared to S/SMIME. Ask the Mammon.

Robert replied:
> * S/MIME is already irrelevant to the vast majority of
>   Thunderbird users, and providing OpenPGP would just
>   introduce a redundant irrelevant capability
>
> * Enigmail requires a binary that's not maintained by
>   Mozilla, which is released on its own schedule, and
>   is licensed under terms other than those Mozilla
>   prefers

Mozilla is founded by Google. Without Google they would be gone.
Googles business model is not to protect the user but to analyze him.
That is not possible when you use mail encryption.

The question is still valid and imo, some pressure from the user
community might help to bring Thunderbird to the point where it can be
downloaded containing enigmail. That would be a huge step! The
arguments by Robert seem to be rather minor compared to the huge
benefit delivery of save communication would bring.

Imagine a world in which Windows and OS X are delivered with OpenPGP. I
don't see why that should not happen. It's all a question of community
requests and pressure on the according companies behind that OSs. That
pressure could also take share in pure statistics: If people simply buy
machines which come with build in OpenSource crypto. That would be the
case, if average people (not like us who are subscribed to this geeky
mailing list) become more security aware and realize that privacy
matters).

Call me idealistic, but I think it's up to the community to make that
happen.

All the best,
steve
From rjh at sixdemonbag.org Mon Feb 20 22:32:45 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 20 Feb 2012 16:32:45 -0500
Subject: PGP/MIME use
In-Reply-To:
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de>
Message-ID: <4F42BBFD.2090907@sixdemonbag.org>

On 2/20/12 2:24 PM, Steve wrote:
> Mozilla is founded by Google.

Mozilla receives funds from Google and others. The "and others" bit is
important.

> Without Google they would be gone.

Without Google Mozilla would have to find other partners. I'm willing
to bet cash money on the barrelhead they already have other partners
lined up in the event this becomes necessary.

> That is not possible when you use mail encryption.

I doubt that whether you use email encryption is really any concern to
Google. Invasive, intrusive email scanning exposes them to all manner
of legal risks, from both civil and criminal law. It's also a public
relations disaster waiting to happen, and could result in all manner of
horrific penalties for Google. Traffic analysis gives them almost as
much useful information with much less risk exposure -- and email
encryption doesn't interfere with traffic analysis.

I'm not a particular fan of Google (or Facebook or what-have-you), but
let's make sure our criticisms of them match up to reality.

> The question is still valid and imo, some pressure from the user
> community might help to bring Thunderbird to the point where it can
> be downloaded containing enigmail.

You're certainly welcome to.
If you'd like to see Enigmail bundled with Thunderbird, then please
write the Thunderbird developers a politely-worded email asking them to
look into it.

However, talking on this list (or on the Enigmail user list) about how
much you'd like to see it in Thunderbird is unlikely to achieve
anything: the people who make those decisions are not, as far as I
know, on either this list or Enigmail's list.

> The arguments by Robert seem to be rather minor compared to the huge
> benefit delivery of save communication would bring.

There is virtually nothing OpenPGP can do that S/MIME cannot do. There
are certainly some implementation differences between the two, but in
terms of broad capabilities they're almost identical. If you want email
encryption capabilities, they're already there. If you want OpenPGP
specifically, you'll need to find things OpenPGP can do that S/MIME
can't do, and pitch it to the Thunderbird developers on that score.

> Imagine a world in which Windows and OS X are delivered with
> OpenPGP.

Windows and OS X are delivered with S/MIME already. If people aren't
using S/MIME (and they overwhelmingly are not!), why should we believe
the presence of an OpenPGP suite would change their behavior?

> Call me idealistic, but I think it's up to the community to make that
> happen.

I'm not trying to dissuade you, but the people you need to convince are
not on this mailing list. :)

From reynt0 at cs.albany.edu Tue Feb 21 00:25:55 2012
From: reynt0 at cs.albany.edu (reynt0)
Date: Mon, 20 Feb 2012 18:25:55 -0500 (EST)
Subject: PGP/MIME use
In-Reply-To:
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de>
Message-ID:

On 2/20/12 2:24 PM, stevebell at gulli.com wrote:
 . . .
> Mozilla is founded ["funded" probably] by Google. Without Google
> they would be gone.
> Googles business model is not to protect the user but to analyze him.
> That is not possible when you use mail encryption.
>
> The question is still valid and imo, some pressure from the user
> community might help to bring Thunderbird to the point where it can
> be downloaded containing enigmail.
 . . .

Just considering your own points, would you trust an encryption
functionality you thought was written in a way satisfying Google?

From wk at gnupg.org Tue Feb 21 10:17:25 2012
From: wk at gnupg.org (Werner Koch)
Date: Tue, 21 Feb 2012 10:17:25 +0100
Subject: Trust signatures with unbounded regular expressions
In-Reply-To: <4F418F82.6000003@cs.uni-kl.de> (Sean Buckheister's message of "Mon, 20 Feb 2012 01:10:42 +0100")
References: <4F418F82.6000003@cs.uni-kl.de>
Message-ID: <877gzgsfyy.fsf@vigenere.g10code.de>

On Mon, 20 Feb 2012 01:10, s_buckhe at cs.uni-kl.de said:
> Hello,
>
> given a key, I would like to create a trust signature with a specific
> regular expression, say "-mail[12]\.example\.com$" in this exact form.
> That expression, and thus the signature, would match any domain name
> ending with -mail1.example.com or -mail2.example.com, including all
> email addresses attached to them. This is exactly what I want, but gnupg
> mangles the regular expression to match mail addresses or domains at or
> beneath the verbatim domain name -mail[12].example.com.
>
> Is there any way to create a trust signature with that exact regular
> expression with gnupg?

No. For security reasons we don't allow arbitrary REs anymore:

  2007-12-12 David Shaw (wk)

      * trustdb.c (sanitize_regexp): New. Protect against dangerous
      regexps (malloc bombs) by force-commenting any characters aside
      from the ones we explicitly want.
      (check_regexp): Use it here before passing the regexp to
      regcomp().

See the comment in the sanitize_regexp function for more details.
Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From stevebell at gulli.com Tue Feb 21 01:55:29 2012
From: stevebell at gulli.com (Steve)
Date: Tue, 21 Feb 2012 01:55:29 +0100
Subject: PGP/MIME use
In-Reply-To:
References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de>
Message-ID: <1ADEDE68-CFC6-4B09-BE7E-EBEA2A7F50AF@gulli.com>

> . . .
>> Mozilla is founded ["funded" probably] by Google. Without Google
>> they would be gone.
>> Googles business model is not to protect the user but to analyze him.
>> That is not possible when you use mail encryption.
>>
>> The question is still valid and imo, some pressure from the user
>> community might help to bring Thunderbird to the point where it can
>> be downloaded containing enigmail.
> . . .
>
> Just considering your own points, would you trust an encryption
> functionality you thought was written in a way satisfying Google?

Sorry. Funded of course. And to answer your question. No I wouldn't.
But would you still trust OpenPGP if it was delivered with every
chromebook? Maybe that wouldn't satisfy Google, but I never asked for
encryption technology that satisfied Google.

Robert wrote:
> I'm not a particular fan of Google (or Facebook or what-have-you), but
> let's make sure our criticisms of them match up to reality.

You might be correct. But also we all know that if Google has access
the US gov does have access as well (other examples would be dropbox,
twitter, ?). And although I might only tell my mom to buy 6 eggs for a
cake I'm going to make, I still don't want them to read that.
Neither Google (which you say they don't - but since we can't look into
their internal mechanisms we'd have to trust them and if you ask me "do
you trust google" I'd rather not) nor the US gov (which we know they
do). Why again was it, that Europe needed to sign swift-treaty?

>
>> The question is still valid and imo, some pressure from the user
>> community might help to bring Thunderbird to the point where it can
>> be downloaded containing enigmail.
>
> You're certainly welcome to. If you'd like to see Enigmail bundled with
> Thunderbird, then please write the Thunderbird developers a
> politely-worded email asking them to look into it.

Will do.

>> The arguments by Robert seem to be rather minor compared to the huge
>> benefit delivery of save communication would bring.
>
> There is virtually nothing OpenPGP can do that S/MIME cannot do.

Hm, that was also bothering me with the other mails you wrote on this
topic earlier. It's already very late here, so bear with me I'm taking
this from remembrance. You said due to the fact that the world is very
big and web of trust not used much, it can't serve as a good
information tool since most likely the signatures will be from people I
don't know.

I'm not so sure about that. Wonder why google called the grouping
feature in G+ "circle"? We communicate and behave and live in circles.
This list is just another circle. And I might know e.g. our beloved
Werner Koch from another project than this list. Or I might know Robert
from another context than this list. The context might be the same
(e.g. computersecurity) but it will still be the same people because at
any time only so and so much people are currently dealing with a
certain topic with a certain level of expertise. Wouldn't that mean
that actually the web of trust should work well? I think the web of
trust is an awesome idea and again (as with encryption in general) it's
up to each and every human to make use of those tools.
Eventually the web of trust might become very informative indeed. Isn't the big difference that OpenPGP is a decentralized concept while S/MIME requires centralized infrastructure? And I have to say, currently I'd rather go with decentralized. Again, it boils down to the question of trust. I'd rather trust the web of trust than an anonymous centralized entity for which I don't know why they are in this business and who exactly is behind the curtain of a company name (there is no business with a decentralized web of trust and imo it's much harder to corrupt it). > There are certainly some implementation differences between the two, but in > terms of broad capabilities they're almost identical. If you want email > encryption capabilities, they're already there. If you want OpenPGP > specifically, you'll need to find things OpenPGP can do that S/MIME > can't do, and pitch it to the Thunderbird developers on that score. See above. >> Imagine a world in which Windows and OS X are delivered with >> OpenPGP. > > Windows and OS X are delivered with S/MIME already. If people aren't > using S/MIME (and they overwhelmingly are not!), why should we believe > the presence of an OpenPGP suite would change their behavior? Again, see above >> Call me idealistic, but I think it's up to the community to make that >> happen. > > I'm not trying to dissuade you, but the people you need to convince are > not on this mailing list. :) I am well aware of that fact. I just wanted to add my thought to this very interesting discussion. And maybe it's us (the people on this list) that can make a change. It has to start somewhere? All the best, steve 
From s_buckhe at cs.uni-kl.de Tue Feb 21 11:52:27 2012 From: s_buckhe at cs.uni-kl.de (Sean Buckheister) Date: Tue, 21 Feb 2012 11:52:27 +0100 Subject: Trust signatures with unbounded regular expressions In-Reply-To: <877gzgsfyy.fsf@vigenere.g10code.de> References: <4F418F82.6000003@cs.uni-kl.de> <877gzgsfyy.fsf@vigenere.g10code.de> Message-ID: <4F43776B.1040501@cs.uni-kl.de> > No. For security reasons we don't allow arbitrary REs anymore: That is unfortunate. I'll probably default to signature notations and some more application logic then. Thank you for your time. -- Sean From rjh at sixdemonbag.org Tue Feb 21 14:29:27 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 21 Feb 2012 08:29:27 -0500 Subject: PGP/MIME use In-Reply-To: <1ADEDE68-CFC6-4B09-BE7E-EBEA2A7F50AF@gulli.com> References: <005801ccddb3$30d9b400$928d1c00$@abilitybusinesscomputerservices.com> <201201312025.45335.mailinglisten@hauke-laging.de> <4F2881A9.8040502@sixdemonbag.org> <201202011647.17817.mailinglisten@hauke-laging.de> <4F2965FC.8050705@sixdemonbag.org> <4F296B1B.1080201@lists.grepular.com> <87ty3av6hi.fsf@vigenere.g10code.de> <1ADEDE68-CFC6-4B09-BE7E-EBEA2A7F50AF@gulli.com> Message-ID: <4F439C37.1010002@sixdemonbag.org> On 2/20/12 7:55 PM, Steve wrote: > Hm, that was also bothering me with the other mails you wrote on > this topic earlier. It's already very late here, so bear with me I'm > taking this from remembrance. You said due to the fact that the world > is very big and web of trust not used much, it can't serve as a good > information tool since most likely the signatures will be from people > I don't know. I think this is a mischaracterization of my position. My position is, "PKI is hard." We don't have any tools that can scale up to the size of the world. > I'm not so sure about that. Wonder why google called the grouping > feature in G+ "circle"? 
We communicate and behave and live in > circles. Circles that are increasingly separate from actual physical interaction. There are a lot of people in my circles I've never met before, which makes the problem of verifying their keys rather difficult. Social media will not solve the PKI problem. In many ways it makes it worse. Social media is predicated around the idea that you have given up your privacy and anonymity in exchange for being more connected to the social flow around you. Before Facebook, people who used encryption and other privacy technologies were looked at by the population at large as being kind of kooks. Now we're being looked at as if we're about to step off into the woods with Ted Kaczynski. The things that we value are increasingly out of step with the things our society values. And, you know, that's fine: there are *lots* of communities with values out of step with those of the larger society. But we should be cautious of thinking that we're going to wave a little crypto magic fairy dust and suddenly everyone will come to our side of the privacy fence: they won't, and it doesn't matter how good our Kool-Aid tastes. > Wouldn't that mean that actually the web of trust should work well? The question is not whether we think it should work well, but rather whether it *does* work well. It doesn't. > I think the web of trust is an awesome idea and again (as with > encryption in general) it's up to each and every human to make use > of those tools. As long as people have to make a conscious choice to use these tools, these tools will never become mainstream. > Isn't the big difference that OpenPGP is a decentralized concept > while S/MIME requires centralized infrastructure? Not really. S/MIME is as capable of decentralized behavior as OpenPGP. 
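For the trust-signature regexp thread on this page (Sean Buckheister's message above and David Shaw's reply, which follows): an added example, not code from GnuPG or from either poster, that runs the regexp from David Shaw's message over constructed user IDs and layers an exact host check on top, as a stand-in for the "more application logic" Sean mentions. It assumes Python's `re` treats this pattern the same way gpg's matcher does for these inputs; `ALLOWED_HOSTS`, the sample user IDs and all function names are made up for the illustration.

```python
import re

# Regexp quoted from David Shaw's message in this thread.
TRUST_SIG_REGEXP = r"<[^>]+[@.]mail.\.example\.com>$"

# The only two hosts the application wants to accept (named in the thread).
ALLOWED_HOSTS = frozenset({"mail1.example.com", "mail2.example.com"})

# Constructed user IDs, not taken from any real keyring.
SAMPLE_UIDS = [
    "Alice <alice@mail1.example.com>",
    "Bob <bob@mail2.example.com>",
    "Carol <carol@mail3.example.com>",
    "Dave <dave@mailQ.example.com>",
    "Erin <erin@foobar.mail1.example.com>",
    "Frank <frank@mail.example.com>",
    "Grace <grace@mail1.example.com.invalid>",
]

# Picks local part and host out of the trailing <addr> of a user ID.
_ADDRESS = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>$")


def regexp_accepts(uid):
    """True if the trust-signature regexp would put this user ID in scope."""
    return re.search(TRUST_SIG_REGEXP, uid) is not None


def host_of(uid):
    """Return the lower-cased mail host of a user ID, or None if there is none."""
    match = _ADDRESS.search(uid.strip())
    return match.group(2).lower() if match else None


def app_accepts(uid):
    """Exact-match check done by the application, independent of the regexp."""
    return host_of(uid) in ALLOWED_HOSTS


def classify(uid):
    """Combine both layers: coarse regexp scope first, exact host list second."""
    if not regexp_accepts(uid):
        return "outside trust-signature scope"
    if not app_accepts(uid):
        return "in regexp scope, rejected by application"
    return "accepted"


def report(uids):
    """Map each user ID to its classification."""
    return {uid: classify(uid) for uid in uids}


if __name__ == "__main__":
    for uid, verdict in report(SAMPLE_UIDS).items():
        print("%-45s %s" % (uid, verdict))
```

The user IDs that land in "in regexp scope, rejected by application" are the extra matches listed as the second caveat in David Shaw's message.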
From dshaw at jabberwocky.com Tue Feb 21 19:42:41 2012 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Feb 2012 13:42:41 -0500 Subject: Trust signatures with unbounded regular expressions In-Reply-To: <4F43776B.1040501@cs.uni-kl.de> References: <4F418F82.6000003@cs.uni-kl.de> <877gzgsfyy.fsf@vigenere.g10code.de> <4F43776B.1040501@cs.uni-kl.de> Message-ID: <27372A66-0A06-4BED-9634-88B850826BB6@jabberwocky.com> On Feb 21, 2012, at 5:52 AM, Sean Buckheister wrote: >> No. For security reasons we don't allow arbitrary REs anymore: > > That is unfortunate. I'll probably default to signature notations and > some more application logic then. > > Thank you for your time. If I understand, you were trying to accept "mail1.example.com" and "mail2.example.com". Try this regexp: <[^>]+[@.]mail.\.example\.com>$ That will match both mail1.example.com and mail2.example.com, and is accepted by the GPG parser. Two caveats: 1) You'll have to hack the code to create it since you can't type it in. Once created, though, any unmodified GPG should be able to handle it. 2) It will match some things other than mail1.example.com and mail2.example.com as well (like mailQ.example.com, or foobar.mail1.example.com, etc). David From s_buckhe at cs.uni-kl.de Tue Feb 21 19:55:59 2012 From: s_buckhe at cs.uni-kl.de (Sean Buckheister) Date: Tue, 21 Feb 2012 19:55:59 +0100 Subject: Trust signatures with unbounded regular expressions In-Reply-To: <27372A66-0A06-4BED-9634-88B850826BB6@jabberwocky.com> References: <4F418F82.6000003@cs.uni-kl.de> <877gzgsfyy.fsf@vigenere.g10code.de> <4F43776B.1040501@cs.uni-kl.de> <27372A66-0A06-4BED-9634-88B850826BB6@jabberwocky.com> Message-ID: <4F43E8BF.4000806@cs.uni-kl.de> > If I understand, you were trying to accept "mail1.example.com" and "mail2.example.com". Try this regexp: And *only* those two, not "mail3.example.com", which would match too, as you mentioned. 
There are a number of other, similar cases that are not easily solved without more signatures or more separate code in my application. I use gpg via gpgme, only little of the actual gpg workings are exposed to the user. Right now I'm thinking of using annotations on trust signatures with the actual regex, and the "main" domain as the regex for gpg to match on. From David.Vazquez-Landa at ecb.int Tue Feb 21 12:48:15 2012 From: David.Vazquez-Landa at ecb.int (David.Vazquez-Landa at ecb.int) Date: Tue, 21 Feb 2012 12:48:15 +0100 Subject: decrypt-file updates trustdb? Message-ID: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de> Hello list, I faced a problem lately and I didn't know exactly what was going on? I have a service, which calls gpg to decrypt files and I can't move forward because I keep getting the following error: "PGP decryption error - gpg: Signature made 02/06/12 14:08:19 using DSA key ID 23E858FE gpg: NOTE: trustdb not writable gpg: checking the trustdb gpg: public key 64A20A5A is 3219 seconds newer than the signature gpg: public key A1C13ADD is 153 seconds newer than the signature gpg: renaming `D:/GNU/GnuPG\pubring.gpg' to `D:/GNU/GnuPG\pubring.bak' failed: Permission denied gpg: failed to rebuild keyring cache: file rename error gpg: trustdb rec 247: write failed (n=-1): Bad file descriptor gpg: trustdb: sync failed: file write error" This happens when trying the following command: --homedir c:\GNU\GnuPG --passphrase password --no-tty --armor --yes --decrypt-files localFolder Now, I could ignore the timestamp and I guess I would be able to open the trustdb and my service wouldn't die. OR I could give write permissions on trustdb.gpg, pubring.gpg and pubring.bak to the user executing the service. But I wouldn't want to do any of those without knowing why the command is trying to rebuild the keyring cache. Best Regards, David Vázquez EDEN Team European Central Bank __________________ Tel. (+49) 69 1344 7029 Mail. 
david.vazquez-landa at ecb.europa.eu Any e-mail message from the European Central Bank (ECB) is sent in good faith but shall neither be binding nor construed as constituting a commitment by the ECB except where provided for in a written agreement. This e-mail is intended only for the use of the recipient(s) named above. Any unauthorised disclosure, use or dissemination, either in whole or in part, is prohibited. If you have received this e-mail in error, please notify the sender immediately via e-mail and delete this e-mail from your system. From M.Dorigo at gmx.de Wed Feb 22 10:15:50 2012 From: M.Dorigo at gmx.de (Marco Dorigo) Date: Wed, 22 Feb 2012 10:15:50 +0100 Subject: verify TrueCrypt Message-ID: <20120222091550.313750@gmx.net> Hi, I have a problem verifying the truecrypt pgp-key. I searched the whole internet already for a solution and even the gnupg-lists archive... I followed the howto on truecrypt (http://www.truecrypt.org/docs/?s=digital-signatures) up to step 6. However, the last one won't work. I'll try to verify with: gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig truecrypt-7.1a-linux-x64.tar.gz (I tried it already with every other combination I could imagine: gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig TrueCrypt-Foundation-Public-Key.asc etc...) What I did so far is: 1) Create a key with: gpg --gen-key 2) Download the public key of TrueCrypt from http://www.truecrypt.org/downloads2, change into the Downloads-directory and import the key with: gpg --import TrueCrypt-Foundation-Public-Key.asc 3) Signing the key with my under 1) generated key: gpg --edit-key F0D6B1E0 I set >trust to marginal (using choice number 3) and then >sign I sign it with the above generated key and my password. I think I did something wrong at this step!? 
Because when I'm trying to verify it gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig truecrypt-7.1a-linux-x64.tar.gz it just says: gpg: verify signatures failed: eof I hope that is enough information for solving my prob. Of course, I downloaded the tar.gz.sig file to the same directory... Thanks in advance! md -- Marco Dorigo mail: m.dorigo at gmx.de mobil: 0177-8905323 From mailinglisten at hauke-laging.de Wed Feb 22 13:53:27 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 22 Feb 2012 13:53:27 +0100 Subject: verify TrueCrypt In-Reply-To: <20120222091550.313750@gmx.net> References: <20120222091550.313750@gmx.net> Message-ID: <201202221353.32702.mailinglisten@hauke-laging.de> On Wednesday, 22 February 2012, 10:15:50, Marco Dorigo wrote: > I followed the howto on truecrypt > (http://www.truecrypt.org/docs/?s=digital-signatures) That description contains an "error". And you misunderstood something: "Sign the imported key with your private key to mark it as trusted". "To" mark it trusted, not "and" mark it trusted. The trust you have set is something completely different (regarding the web of trust). The "error" is: "If you skip this step and attempt to verify any of our PGP signatures, you will receive an error message stating that the signing key is invalid." The error message just tells you that this key is not considered valid yet. It does tell you that the signature has been made by that key. And that's all you need. It usually does not make much sense to sign a key which you have not checked. My advice: Either delete the signature or use the signing key for "worthless" signatures only (and in a way that makes sure you are not confused). 
> Because when I'm trying to verify it > gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig > truecrypt-7.1a-linux-x64.tar.gz it just says: > gpg: verify signatures failed: eof I guess that the signature file is broken. Download it again. If the signed file were broken then the error message should say that the signature is wrong. What is the size of the signature file and what is the type of the signing key? I assume that if the signature file is incomplete then somebody here can tell already by the length. We need the output of gpg --list-keys (for the TrueCrypt key only) Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 From M.Dorigo at gmx.de Wed Feb 22 14:48:34 2012 From: M.Dorigo at gmx.de (Marco Dorigo) Date: Wed, 22 Feb 2012 14:48:34 +0100 Subject: verify TrueCrypt In-Reply-To: <201202221353.32702.mailinglisten@hauke-laging.de> References: <20120222091550.313750@gmx.net> <201202221353.32702.mailinglisten@hauke-laging.de> Message-ID: <20120222134834.130230@gmx.net> Thanks guys! finally, it worked! > I guess that the signature file is broken. That was the problem. After downloading it again, everything just worked fine. And I skipped the > trust part of my description which I wrote down in my first mail! regards, md -------- Original Message -------- > Date: Wed, 22 Feb 2012 13:53:27 +0100 > From: Hauke Laging > To: gnupg-users at gnupg.org > CC: "Marco Dorigo" > Subject: Re: verify TrueCrypt > On Wednesday, 22 February 2012, 10:15:50, Marco Dorigo wrote: > > > I followed the howto on truecrypt > > (http://www.truecrypt.org/docs/?s=digital-signatures) > > That description contains an "error". And you misunderstood something: > > "Sign the imported key with your private key to mark it as trusted". "To" > mark > it trusted, not "and" mark it trusted. 
The trust you have set is > something > completely different (regarding the web of trust). > > The "error" is: "If you skip this step and attempt to verify any of our > PGP > signatures, you will receive an error message stating that the signing key > is > invalid." > > The error message just tells you that this key is not considered valid > yet. It > does tell you that the signature has been made by that key. And that's all > you > need. It usually does not make much sense to sign a key which you have not > checked. My advice: Either delete the signature or use the signing key for > "worthless" signatures only (and in a way that makes sure you are not > confused). > > > > Because when I'm trying to verify it > > gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig > > truecrypt-7.1a-linux-x64.tar.gz it just says: > > gpg: verify signatures failed: eof > > I guess that the signature file is broken. Download it again. If the > signed > file were broken then the error message should say that the signature is > wrong. > > What is the size of the signature file and what is the type of the signing > key? I assume that if the signature file is incomplete then somebody here > can > tell already by the length. > > We need the output of > gpg --list-keys > (for the TrueCrypt key only) > > > Hauke > -- > PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -- Marco Dorigo mail: m.dorigo at gmx.de mobil: 0177-8905323 From hubert at kario.pl Wed Feb 22 11:41:20 2012 From: hubert at kario.pl (Hubert Kario) Date: Wed, 22 Feb 2012 11:41:20 +0100 Subject: verify TrueCrypt In-Reply-To: <20120222091550.313750@gmx.net> References: <20120222091550.313750@gmx.net> Message-ID: <1687636.TbBtHqXHZ1@bursa22> On Wednesday 22 of February 2012 10:15:50 Marco Dorigo wrote: > Hi, > > I have a problem verifying the truecrypt pgp-key. 
I searched the whole > internet already for a solution and even the gnupg-lists archive... > > I followed the howto on truecrypt > (http://www.truecrypt.org/docs/?s=digital-signatures) up to step 6. > However, the last one won't work. I'll try to verify with: > > gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig > truecrypt-7.1a-linux-x64.tar.gz > > (I tried it already with every other combination I could imagine: > > gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig > TrueCrypt-Foundation-Public-Key.asc > > etc...) > > What I did so far is: > > 1) Create a key with: > gpg --gen-key > > 2) Download the public key of TrueCrypt from > http://www.truecrypt.org/downloads2, change into the Downloads-directory > and import the key with: gpg --import TrueCrypt-Foundation-Public-Key.asc > > 3) Signing the key with my under 1) generated key: > gpg --edit-key F0D6B1E0 > I set > > >trust > > to marginal (using choice number 3) > and then > > >sign > > I sign it with the above generated key and my password. > > I think I did something wrong at this step!? > > Because when I'm trying to verify it > gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig > truecrypt-7.1a-linux-x64.tar.gz it just says: > gpg: verify signatures failed: eof > > I hope that is enough information for solving my prob. Of course, I > downloaded the tar.gz.sig file to the same directory... > > Thanks in advance! > > md The truecrypt-7.1a-linux-x64.tar.gz.sig file is only 72 bytes long. It may be because of long keys used by Arch developers, but all signature files I see are 287 bytes long. I'd go and ask the developers directly. -- Hubert Kario hubert at kario.pl kario at wit.edu.pl https://hubert.kario.pl PGP: 30D7 71F5 2F6F B157 872C D811 A1D0 6BC9 8956 DCFE 
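The "verify TrueCrypt" thread above diagnoses a broken signature file from the `eof` error and from the file's size. As an added example (not part of any message in the thread, and not GnuPG code), the following reads the length each OpenPGP packet header declares, following the packet header layout in RFC 4880, and compares it with the bytes actually present. The sample packet is constructed filler rather than a real signature, and the function names are made up for the illustration.

```python
import base64

SIGNATURE_TAG = 2  # OpenPGP packet tag for a signature packet


def dearmor(data):
    """Return the binary packets of an ASCII-armored block; fail if END is missing."""
    lines = data.decode("ascii", "replace").splitlines()
    if not any(line.startswith("-----END PGP") for line in lines):
        raise ValueError("armor has no END line: file is cut short")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""   # a blank line ends the armor headers
            continue
        if line.startswith("="):           # CRC-24 line, not packet data
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_header(data, pos):
    """Decode the packet header at pos; return (tag, body_length, header_length)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("byte %d is not an OpenPGP packet header" % pos)
    rest = data[pos + 1:]
    if ctb & 0x40:                         # new-format header
        tag = ctb & 0x3F
        if not rest:
            raise EOFError("length field cut short")
        first = rest[0]
        if first < 192:
            return tag, first, 2
        if first < 224:
            if len(rest) < 2:
                raise EOFError("length field cut short")
            return tag, ((first - 192) << 8) + rest[1] + 192, 3
        if first == 255:
            if len(rest) < 5:
                raise EOFError("length field cut short")
            return tag, int.from_bytes(rest[1:5], "big"), 6
        raise ValueError("partial body length, not expected in a detached signature")
    tag = (ctb >> 2) & 0x0F                # old-format header
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
    if size is None:                       # indeterminate length: runs to end of file
        return tag, len(rest), 1
    if len(rest) < size:
        raise EOFError("length field cut short")
    return tag, int.from_bytes(rest[:size], "big"), 1 + size


def check_signature_file(data):
    """Return (ok, message): is every packet in this .sig fully present?"""
    if not data:
        return False, "empty file"
    try:
        if data.lstrip().startswith(b"-----BEGIN PGP"):
            data = dearmor(data.lstrip())
        pos, tags = 0, []
        while pos < len(data):
            tag, body_len, hdr_len = read_header(data, pos)
            have = len(data) - pos - hdr_len
            if have < body_len:
                return False, "packet tag %d declares %d body bytes, file has %d" % (
                    tag, body_len, have)
            tags.append(tag)
            pos += hdr_len + body_len
    except (EOFError, ValueError) as exc:
        return False, str(exc)
    if SIGNATURE_TAG not in tags:
        return False, "no signature packet found"
    return True, "%d complete packet(s), tags %s" % (len(tags), tags)


def sample_signature():
    """Constructed 287-byte packet: old-format header, tag 2, two-octet length 284."""
    body = b"\x04" + bytes(283)            # filler body, not a real signature
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    whole = sample_signature()
    print(len(whole), check_signature_file(whole))
    print(72, check_signature_file(whole[:72]))   # same packet cut off at 72 bytes
```

A file that passes this check is only structurally complete; whether the signature is good is still decided by `gpg --verify`.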
From gollo at fsfe.org Wed Feb 22 17:13:08 2012 From: gollo at fsfe.org (Martin Gollowitzer) Date: Wed, 22 Feb 2012 17:13:08 +0100 Subject: Sending signed e-mail via shell script Message-ID: <20120222161308.GB27812@wingback.gollo.at> Hi, I'm currently trying to do a small script that sends automated e-mail messages on a regular basis. I want to sign those e-mails and since mutt does not allow to use its OpenPGP features in non-interactive mode, I try to at least have these messages signed using inline PGP. For this, I use the following commands on a Debian squeeze machine: cat $file | gpg --no-verbose --batch --quiet --output - --passphrase "" --armor --textmode --clearsign > $tmpfile mail -s "" $address < $tmpfile The problem is that I get a "BAD SIGNATURE from ?" when verifying the signature in mutt. I'm not entirely sure, but I think the problem has to do with the encoding. I'm not very talented in shell scripting, so any help is highly appreciated. Of course if you know a way to send automated PGP/MIME signed messages, that would be even better. Thanks, Martin From ciamarie at my180.net Wed Feb 22 17:23:56 2012 From: ciamarie at my180.net (Cia Watson) Date: Wed, 22 Feb 2012 08:23:56 -0800 Subject: decrypt-file updates trustdb? 
In-Reply-To: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de> References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de> Message-ID: <20120222082356.7f44ba65@amd3c.amd3c.cia> On Tue, 21 Feb 2012 12:48:15 +0100 wrote: > I have a service, which calls gpg to decrypt files and I can't move forward > because I keep getting the following error: > > "PGP decryption error - gpg: Signature made 02/06/12 14:08:19 using DSA key > ID 23E858FE gpg: NOTE: trustdb not writable gpg: checking the trustdb gpg: > public key 64A20A5A is 3219 seconds newer than the signature gpg: public > key A1C13ADD is 153 seconds newer than the signature gpg: renaming > `D:/GNU/GnuPG\pubring.gpg' to `D:/GNU/GnuPG\pubring.bak' failed: Permission > denied gpg: failed to rebuild keyring cache: file rename error gpg: trustdb > rec 247: write failed (n=-1): Bad file descriptor gpg: trustdb: sync > failed: file write error" > > This happens when trying the following command: > --homedir c:\GNU\GnuPG --passphrase password --no-tty --armor --yes > --decrypt-files localFolder > Now, I could ignore the timestamp and I guess I would be able to open the > trustdb and my service wouldn't die. OR I could give write permissions on > trustdb.gpg, pubring.gpg and pubring.bak to the user executing the service. > But I wouldn't want to do any of those without knowing why the command is > trying to rebuild the keyring cache. To make a long story short, check the time on your desktop and your /etc/default/rcS file to see if an update changed the UTC= from no to yes. I'm not sure what distro you're running, and this may not be related to your issue. However I saw a similar error when I was updating Debian squeeze in a VM, on a Debian wheezy host. 
It turns out there was a recent update that made some changes to the /etc/default/rcS file and made this change: - UTC=no + UTC=yes In other words, I had UTC=no and it changed it back to the default of yes, After seeing it wanted to make that change in wheezy which I told it to allow, since there were other changes to the file that may have been important, I just went in afterward and changed UTC= back to no. In my squeeze vm however, it didn't bother to tell me it was making the change, but when I saw the error about time differences on the keyring, I looked at the time on the desktop and saw it was off, checked the /etc/default/rcS file and saw it had UTC set to yes, so I changed it back to no and now the desktop time is correct and no keyring time errors when I'm updating. Cia W. From houseurmusic at gmail.com Thu Feb 23 00:18:06 2012 From: houseurmusic at gmail.com (tony medeiros) Date: Wed, 22 Feb 2012 15:18:06 -0800 Subject: Encryption File Size Message-ID: Is there a guaranteed ratio of plain to cipher? If so what is it? In other words cipher_size < plain_size * X + H? Where H = header_size + footer_size + user_size + etc information and X = Worst case scenario (I'm encrypting an already compressed file) Thanks! Tony From houseurmusic at gmail.com Thu Feb 23 00:12:05 2012 From: houseurmusic at gmail.com (tony medeiros) Date: Wed, 22 Feb 2012 15:12:05 -0800 Subject: GPG file seperation Message-ID: Hi, I am currently working on middleware that encrypts/decrypts a data stream. It proposes a couple challenges that I am hoping I can get help with! The system works by separating a single file in potentially many different segmented files and uploading them in different threads. 
When reading from the server however it is seen as one large file. Basically what is happening is that the server is storing separate gpg entities, but when we read from the server the interface is set up in a way where I have to iterate through a single file. So in other words the server is concatenating the separate gpg entities and sending them back in one large file. My question is there a way I can use gpg through the command line to decrypt a concatenated file of gpg encrypted entities. If there is no way this can work, my other idea would require me inserting some kind of footer so I can tell when the gpg file ends. Is there a character I can use that guaranteed not to be used by GPG? Thanks, Tony From johanw at vulcan.xs4all.nl Thu Feb 23 13:00:04 2012 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu, 23 Feb 2012 13:00:04 +0100 Subject: Encryption File Size In-Reply-To: References: Message-ID: <4F462A44.5050204@vulcan.xs4all.nl> On 23-02-2012 0:18, tony medeiros wrote: > Is there a guaranteed ratio of plain to cipher? No. The files are compressed before encrypting (after encrypting they should not be compressible so it has to be before) and the results vary. > X = Worst case scenario (I'm encrypting an already compressed file) If the compression is any good the files will become slightly bigger due to a little overhead. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Thu Feb 23 15:28:54 2012 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Feb 2012 15:28:54 +0100 Subject: GPG file seperation In-Reply-To: (tony medeiros's message of "Wed, 22 Feb 2012 15:12:05 -0800") References: Message-ID: <87y5rtpqs9.fsf@vigenere.g10code.de> On Thu, 23 Feb 2012 00:12, houseurmusic at gmail.com said: > My question is there a way I can use gpg through the command line to > decrypt a concatenated file of gpg encrypted entities. 
We removed such feature a long time ago because it made it too easy to fake signature status information. This has to do with the various allowed formats for a signature and the general problem to synchronize the status information with the actual data. > If there is no way this can work, my other idea would require me inserting > some kind of footer so I can tell when the gpg file ends. Is there a > character I can use that guaranteed not to be used by GPG? No you can't. Encrypted data is random and thus any sequence of delimiters you want to use may also be part of the payload. I am not sure whether I understood your question, but anyway: If you look at the packet structure and the partial length encoding as used by OpenPGP, you may find a way to re-pack them as you like. Check out tools/gpgsplit.c for a basic parser. It is possible to insert special marker packets and use them. In any case you need a wrapper and an unwrapper process but then it will be easier to use split(1) and cat(1) directly. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From john.gill at computer.org Thu Feb 23 16:32:52 2012 From: john.gill at computer.org (John Gill) Date: Thu, 23 Feb 2012 09:32:52 -0600 Subject: GPG file seperation In-Reply-To: <87y5rtpqs9.fsf@vigenere.g10code.de> References: <87y5rtpqs9.fsf@vigenere.g10code.de> Message-ID: Why not set up a fixed size start/run record identifier. No need for a magic and unique sequence. Like this:

Field  Description       Start  Length  Datatype
1      GPG stream start  1      2       Alpha
2      stream length     3      15      Numb
3      stream            18     ??      GPG stream

Record just keeps repeating over and over until there is nothing else. On Feb 23, 2012 8:31 AM, "Werner Koch" wrote: > On Thu, 23 Feb 2012 00:12, houseurmusic at gmail.com said: > > > My question is there a way I can use gpg through the command line to > > decrypt a concatenated file of gpg encrypted entities. 
> > We removed such feature a long time ago because it made it too easy to > fake signature status information. This has to do with the various > allowed formats for a signature and the general problem to synchronize > the status information with the actual data. > > > If there is no way this can work, my other idea would require me > inserting > > some kind of footer so I can tell when the gpg file ends. Is there a > > character I can use that guaranteed not to be used by GPG? > > No you can't. Encrypted data is random and thus any sequence of > delimiters you want to use may also be part of the payload. > > I am not sure whether I understood your question, but anyway: If you > look at the packet structure and the partial length encoding as used by > OpenPGP, you may find a way to re-pack them as you like. Check out > tools/gpgsplit.c for a basic parser. It is possible to insert special > marker packets and use them. In any case you need a wrapper and an > unwrapper process but then it will be easier to use split(1) and cat(1) > directly. > > > Salam-Shalom, > > Werner > > -- > Thoughts are free. Exceptions are regulated by a federal law. From rjh at sixdemonbag.org Fri Feb 24 05:46:40 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 23 Feb 2012 23:46:40 -0500 Subject: US 11 Circ: 5th Am. & passphrase demands Message-ID: <4F471630.5090909@sixdemonbag.org> The United States 11th Circuit Court of Appeals, which is one small step away from the United States Supreme Court, has issued a decision in connection to a grand jury's subpoena requiring the appellant to produce unencrypted copies of six hard drives. 
The appellant attempted to invoke his rights under the Fifth Amendment, prohibiting anyone from being compelled to testify against themselves in any United States proceeding. The court sided with the appellant, and held that he could not be compelled to produce decrypted data for the government. Now, this isn't quite a black-and-white issue. This is not going to establish new nationwide policy on the matter. Don't generalize and think that just because this one case went this way, all similar cases will in the future. That said, it's definitely good news for United States citizens, nationals and residents who use cryptography! The original decision can be found at: http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf From David.Vazquez-Landa at ecb.int Thu Feb 23 14:19:56 2012 From: David.Vazquez-Landa at ecb.int (David.Vazquez-Landa at ecb.int) Date: Thu, 23 Feb 2012 14:19:56 +0100 Subject: decrypt-file updates trustdb? In-Reply-To: <20120222082356.7f44ba65@amd3c.amd3c.cia> References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de> <20120222082356.7f44ba65@amd3c.amd3c.cia> Message-ID: <0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de> Hello Cia, I don't know if this applies in my case. I forgot to add --sorry-- that the service is running on a Windows 2008 machine. Best Regards, David Vázquez EDEN Team European Central Bank __________________ Tel. (+49) 69 1344 7029 Mail. david.vazquez-landa at ecb.europa.eu > -----Original Message----- > From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users- > bounces at gnupg.org] On Behalf Of Cia Watson > Sent: Wednesday 22 February 2012 17:24 > To: gnupg-users at gnupg.org > Subject: Re: decrypt-file updates trustdb? 
> > On Tue, 21 Feb 2012 12:48:15 +0100 > wrote: > > > > I have a service, which calls gpg to decrypt files and I can't move forward > > because I keep getting the following error: > > > > "PGP decryption error - gpg: Signature made 02/06/12 14:08:19 using DSA > key > > ID 23E858FE gpg: NOTE: trustdb not writable gpg: checking the trustdb gpg: > > public key 64A20A5A is 3219 seconds newer than the signature gpg: public > > key A1C13ADD is 153 seconds newer than the signature gpg: renaming > > `D:/GNU/GnuPG\pubring.gpg' to `D:/GNU/GnuPG\pubring.bak' failed: > Permission > > denied gpg: failed to rebuild keyring cache: file rename error gpg: trustdb > > rec 247: write failed (n=-1): Bad file descriptor gpg: trustdb: sync > > failed: file write error" > > > > This happens when trying the following command: > > > --homedir c:\GNU\GnuPG --passphrase password --no-tty --armor --yes > > --decrypt-files localFolder > > > Now, I could ignore the timestamp and I guess I would be able to open the > > trustdb and my service wouldn't die. OR I could give write permissions on > > trustdb.gpg, pubring.gpg and pubring.bak to the user executing the > service. > > But I wouldn't want to do any of those without knowing why the command > is > > trying to rebuild the keyring cache. > > To make a long story short, check the time on your desktop > and your /etc/default/rcS file to see if an update changed the UTC= from no > to > yes. > > I'm not sure what distro you're running, and this may not be related to your > issue. However I saw a similar error when I was updating Debian squeeze in a > VM, on a Debian wheezy host. 
> It turns out there was a recent update that made
> some changes to the /etc/default/rcS file and made this change:
> - UTC=no
> + UTC=yes
>
> In other words, I had UTC=no and it changed it back to the default of yes.
> After seeing it wanted to make that change in wheezy which I told it to allow,
> since there were other changes to the file that may have been important, I
> just went in afterward and changed UTC= back to no.
>
> In my squeeze vm however, it didn't bother to tell me it was making the
> change, but when I saw the error about time differences on the keyring, I
> looked at the time on the desktop and saw it was off, checked
> the /etc/default/rcS file and saw it had UTC set to yes, so I changed it
> back to no and now the desktop time is correct and no keyring time errors when
> I'm updating.
>
> Cia W.

Any e-mail message from the European Central Bank (ECB) is sent in good faith but shall neither be binding nor construed as constituting a commitment by the ECB except where provided for in a written agreement.
This e-mail is intended only for the use of the recipient(s) named above. Any unauthorised disclosure, use or dissemination, either in whole or in part, is prohibited.
If you have received this e-mail in error, please notify the sender immediately via e-mail and delete this e-mail from your system.

From peter at digitalbrains.com Fri Feb 24 11:19:07 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 24 Feb 2012 11:19:07 +0100
Subject: Encryption File Size
In-Reply-To: <4F462A44.5050204@vulcan.xs4all.nl>
References: <4F462A44.5050204@vulcan.xs4all.nl>
Message-ID: <4F47641B.3070808@digitalbrains.com>

On 23/02/12 13:00, Johan Wevers wrote:
> No. The files are compressed before encrypting (after encrypting they
> should not be compressible so it has to be before) and the results
> vary.

But isn't there a worst-case overhead for the compression algorithm used? There
most likely is.
>From :
> In the worst possible case, where the other block types would expand
> the data, deflation falls back to stored (uncompressed) blocks.

zlib, with default settings, avoids increasing the size of the compressed text.
That web page also gives detailed information on overhead.

And *if* (big if) there isn't an acceptable worst-case overhead for a
compression algorithm, there is probably a cut-off in GnuPG, or it would become
a DoS attack vector: get someone to encrypt a specially crafted file that will
fill his filesystem when the compression algorithm is run on it. IIRC, there's a
cut-off for /de/compression like that.

Furthermore: the ciphertext is enciphered with a streaming mode cipher, so the
ciphertext is as big as the plaintext (after compression). But obviously there
is overhead from the rest of the OpenPGP message. And if the size of the
plaintext is not known beforehand, you get some extra headers for blocks of
ciphertext in the OpenPGP message. At least, I believe that is the case. I
didn't check now. The total overhead is small for big files, though.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From wk at gnupg.org Fri Feb 24 14:38:51 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 Feb 2012 14:38:51 +0100
Subject: decrypt-file updates trustdb?
In-Reply-To: <0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de>
 (David Vazquez-Landa's message of "Thu, 23 Feb 2012 14:19:56 +0100")
References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de>
 <20120222082356.7f44ba65@amd3c.amd3c.cia>
 <0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de>
Message-ID: <87fwe0pd04.fsf@vigenere.g10code.de>

On Thu, 23 Feb 2012 14:19, David.Vazquez-Landa at ecb.int said:

> I don't know if this applies in my case.
> I forgot to add --sorry-- that the service is running on a Windows 2008 machine.

I have not closely looked at your report. However, you may want to try
this option:

  @item --ignore-time-conflict
  GnuPG normally checks that the timestamps associated with keys and
  signatures have plausible values. However, sometimes a signature
  seems to be older than the key due to clock problems. This option
  makes these checks just a warning. See also @option{--ignore-valid-from} for
  timestamp issues on subkeys.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Feb 24 14:35:43 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 Feb 2012 14:35:43 +0100
Subject: Encryption File Size
In-Reply-To: <4F47641B.3070808@digitalbrains.com> (Peter Lebbing's message of
 "Fri, 24 Feb 2012 11:19:07 +0100")
References: <4F462A44.5050204@vulcan.xs4all.nl>
 <4F47641B.3070808@digitalbrains.com>
Message-ID: <87k43cpd5c.fsf@vigenere.g10code.de>

On Fri, 24 Feb 2012 11:19, peter at digitalbrains.com said:

> And *if* (big if) there isn't an acceptable worst-case overhead for a
> compression algorithm, there is probably a cut-off in GnuPG, or it would

No there is none. As a proper Unix tool gpg works fine in a pipeline and
thus can't roll back a large amount of data to implement such a cut-off.

> become a DoS attack vector: get someone to encrypt a specially crafted
> file that will fill his filesystem when the compression algorithm is run

There is an optional cut-off option for decompression:

  @item --max-output @code{n}
  This option sets a limit on the number of bytes that will be generated
  when processing a file. Since OpenPGP supports various levels of
  compression, it is possible that the plaintext of a given message may be
  significantly larger than the original OpenPGP message.
  While GnuPG works properly with such messages, there is often a desire to
  set a maximum file size that will be generated before processing is forced
  to stop by the OS limits. Defaults to 0, which means "no limit".

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From vedaal at nym.hush.com Fri Feb 24 17:17:16 2012
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 24 Feb 2012 11:17:16 -0500
Subject: US 11 Circ: 5th Am. & passphrase demands
Message-ID: <20120224161716.9E74AA6E3F@smtp.hushmail.com>

Robert J. Hansen rjh at sixdemonbag.org wrote on
Fri Feb 24 05:46:40 CET 2012 :

>The court sided with the appellant, and held that he could not be compelled to produce decrypted data for the government.

-----

Thanks for the link!

(any family Judges who could quickly point you to this type of
access, whom we also have to thank? ;-) )

>That said, it's definitely good news for United States citizens, nationals and residents who use cryptography!

-----

unfortunate that this had to be a child pornography case ...

(also unfortunate that we can't convince ordinary people to protect
their privacy by using encryption,
while the bad guys seem not only to need no convincing, they use
the encryption so effectively that capable intelligence agencies
can't crack it)

now if only they got a warrant to put in a keylogger before setting
him free ...

vedaal

From rjh at sixdemonbag.org Fri Feb 24 17:59:08 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 24 Feb 2012 11:59:08 -0500
Subject: US 11 Circ: 5th Am. & passphrase demands
In-Reply-To: <20120224161716.9E74AA6E3F@smtp.hushmail.com>
References: <20120224161716.9E74AA6E3F@smtp.hushmail.com>
Message-ID: <4F47C1DC.6030809@sixdemonbag.org>

On 2/24/2012 11:17 AM, vedaal at nym.hush.com wrote:
> (any family Judges who could quickly point you to this type of
> access, whom we also have to thank? ;-) )

No, and let's not talk about the possibility of that happening.
:) They studiously avoid commenting on current cases or controversies.
Doing so is a breach of judicial ethics on the same level as a physician
violating the confidence of medical information -- they take it dead
seriously and deeply dislike even casual talk of the subject.

There are a few exceptions in the ethics code for subjects like teaching
law (Dad teaches a "Current Cases and Controversies Before The Court",
for instance), but family members aren't one of them.

Whenever I mention an opinion, a brief, anything of the sort, you can be
confident of two things: (a) it did not come from my judicial relatives
and (b) I don't know what they think of it.

Every family has unwritten rules they rely upon in order to keep things
sane. This is one of ours. :)

From wk at gnupg.org Fri Feb 24 18:11:27 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 Feb 2012 18:11:27 +0100
Subject: decrypt-file updates trustdb?
In-Reply-To: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64141@EXCVP02.ecb01.ecb.de>
 (David Vazquez-Landa's message of "Fri, 24 Feb 2012 14:48:17 +0100")
References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de>
 <20120222082356.7f44ba65@amd3c.amd3c.cia>
 <0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de>
 <87fwe0pd04.fsf@vigenere.g10code.de>
 <0FC38DE6C8C6F049A939F4A61D28E16E0CE64141@EXCVP02.ecb01.ecb.de>
Message-ID: <87aa48p35s.fsf@vigenere.g10code.de>

On Fri, 24 Feb 2012 14:48, David.Vazquez-Landa at ecb.int said:

> understand why, if I'm just decrypting a file, gpg asks for write
> permission to trustdb.gpg, pubring.gpg and pubring.bak. In other
> words, I wouldn't expect my command to have to write anything. Alas, I

If you encrypt something GPG computes the validity of the keys by
looking at the key signatures and assigned ownertrust values. The
trustdb is updated as a result of this. GPG also keeps a key signature
validation status cache in the pubring.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
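
The two size questions from the "Encryption File Size" thread above (the deflate worst case Peter Lebbing cites, and the output limit described in the --max-output text Werner Koch quotes), as an added example that is not from any poster or from GnuPG. It uses Python's zlib module on constructed data; the function names are made up here, and the cap mirrors the idea of --max-output, not its implementation.

```python
import os
import zlib

# Added illustration; helper names are hypothetical and all inputs are constructed.
# RFC 1951 stored block: 5 header bytes per block of at most 65535 bytes.
# RFC 1950 zlib wrapper: 2-byte header plus 4-byte Adler-32 trailer.
STORED_BLOCK_HEADER = 5
STORED_BLOCK_MAX = 65535
ZLIB_WRAPPER = 6


def stored_only_size(n_bytes):
    """Size of n_bytes encoded purely as stored blocks of maximum length."""
    blocks = max(1, -(-n_bytes // STORED_BLOCK_MAX))  # ceiling division
    return n_bytes + blocks * STORED_BLOCK_HEADER + ZLIB_WRAPPER


def deflate_overhead(n_bytes, level=6):
    """Compress incompressible (random) input and return the bytes added."""
    data = os.urandom(n_bytes)
    return len(zlib.compress(data, level)) - n_bytes


class OutputLimitExceeded(Exception):
    """Raised when inflating would produce more than the allowed output."""


def bounded_decompress(blob, max_output=0, chunk=64 * 1024):
    """Inflate blob, refusing to produce more than max_output bytes.

    max_output=0 means no limit, the default the quoted --max-output text
    gives. Output is pulled in small pieces, so the cap is enforced before
    the expanded data is ever held in memory.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    data = blob
    while not inflater.eof:
        want = chunk
        if max_output:
            # Ask for one byte past the cap so an overflow is detectable.
            want = min(chunk, max_output - len(out) + 1)
        piece = inflater.decompress(data, want)
        data = inflater.unconsumed_tail
        if not piece and not data:
            raise ValueError("truncated or corrupt deflate stream")
        out += piece
        if max_output and len(out) > max_output:
            raise OutputLimitExceeded(
                f"more than {max_output} bytes from {len(blob)} input bytes")
    return bytes(out)


def make_expanding_input(n_bytes):
    """Constructed worst case for the reader: n_bytes of zeros, deflated."""
    return zlib.compress(bytes(n_bytes), 9)


if __name__ == "__main__":
    n = 1 << 20
    print("random 1 MiB: zlib added", deflate_overhead(n), "bytes;",
          "a stored-only encoding adds", stored_only_size(n) - n)
    blob = make_expanding_input(32 << 20)
    print("32 MiB of zeros deflates to", len(blob), "bytes")
    try:
        bounded_decompress(blob, max_output=1 << 20)
    except OutputLimitExceeded as exc:
        print("stopped:", exc)
```

The writer's side is bounded by a few bytes per block, while the reader's side can expand by roughly three orders of magnitude, which is why the limit sits on decompression.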
From salahuddin at qomento.com Fri Feb 24 21:11:09 2012
From: salahuddin at qomento.com (salahuddin)
Date: Sat, 25 Feb 2012 02:11:09 +0600
Subject: Sending signed e-mail via shell script
In-Reply-To: <20120222161308.GB27812@wingback.gollo.at>
References: <20120222161308.GB27812@wingback.gollo.at>
Message-ID: <1330114269.25350.3.camel@debian01>

On Wed, 2012-02-22 at 17:13 +0100, Martin Gollowitzer wrote:
> Hi,
>
> I'm currently trying to do a small script that sends automated e-mail
> messages on a regular basis. I want to sign those e-mails and since mutt
> does not allow to use its OpenPGP features in non-interactive mode, I
> try to at least have these messages signed using inline PGP.
> For this, I use the following commands on a Debian squeeze machine:
>
> cat $file | gpg --no-verbose --batch --quiet --output - --passphrase "" --armor --textmode --clearsign > $tmpfile
> mail -s "" $address < $tmpfile
>
> The problem is that I get a "BAD SIGNATURE from ?" when verifying the
> signature in mutt. I'm not entirely sure, but I think the problem has to
> do with the encoding. I'm not very talented in shell scripting, so any
> help is highly appreciated. Of course if you know a way to send
> automated PGP/MIME signed messages, that would be even better.
>
> Thanks,
> Martin

You may need to add header:
----------------------------
Content-Type: multipart/signed; protocol="application/pgp-signature"

"5.
OpenPGP signed data" section may help:
http://www.ietf.org/rfc/rfc2015.txt
http://www.ietf.org/rfc/rfc3156.txt

From dougb at dougbarton.us Fri Feb 24 22:35:40 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 24 Feb 2012 13:35:40 -0800
Subject: Sending signed e-mail via shell script
In-Reply-To: <1330114269.25350.3.camel@debian01>
References: <20120222161308.GB27812@wingback.gollo.at>
 <1330114269.25350.3.camel@debian01>
Message-ID: <4F4802AC.30405@dougbarton.us>

I have 2 sets of scripts that send signed e-mail at
http://dougbarton.us/PGP/. The "generate challenges" script is probably
the easiest to digest.

hth,

Doug

-- 
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

From reynt0 at cs.albany.edu Fri Feb 24 22:46:25 2012
From: reynt0 at cs.albany.edu (reynt0)
Date: Fri, 24 Feb 2012 16:46:25 -0500 (EST)
Subject: US 11 Circ: 5th Am. & passphrase demands
In-Reply-To: <4F471630.5090909@sixdemonbag.org>
References: <4F471630.5090909@sixdemonbag.org>
Message-ID:

On Thu, 23 Feb 2012, Robert J. Hansen wrote:
> The United States 11th Circuit Court of Appeals, which is one small step
> away from the United States Supreme Court, has issued a decision in
> connection to a grand jury's subpoena requiring the appellant to produce
> unencrypted copies of six hard drives.
  . . .
> The court sided with the appellant, and held that he could not be
> compelled to produce decrypted data for the government.
>
> Now, this isn't quite a black-and-white issue.
  . . .
> http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

Interesting cite. So this is what the USA "Miranda" warning
("You have the right to remain silent. Whatever you say may
be used against you.") is all about.
The USA Fifth Amendment protects the right to remain silent on a topic
(here, decryption of something), and also protects the ideas one might
state on a topic if the Government learns one's ideas as a result of
giving one special protection for not remaining silent (here, whatever
would be found by decryption if the Government does not independently
already know pretty much what it is).

From telegraph at gmx.net Sat Feb 25 00:30:20 2012
From: telegraph at gmx.net (Gregor Zattler)
Date: Sat, 25 Feb 2012 00:30:20 +0100
Subject: US 11 Circ: 5th Am. & passphrase demands
In-Reply-To: <20120224161716.9E74AA6E3F@smtp.hushmail.com>
References: <4F471630.5090909@sixdemonbag.org>
 <20120224161716.9E74AA6E3F@smtp.hushmail.com>
Message-ID: <20120224233020.GA980@joerg.workgroup>

Hi vedaal, gnupg-users,

* vedaal at nym.hush.com [24. Feb. 2012]:
> Robert J. Hansen rjh at sixdemonbag.org wrote on
> Fri Feb 24 05:46:40 CET 2012 :
>
>>The court sided with the appellant, and held that he could not be
> compelled to produce decrypted data for the government.
[...]
> unfortunate that this had to be a child pornography case ...
>
> (also unfortunate that we can't convince ordinary people to protect
> their privacy by using encryption,
> while the bad guys seem not only to need no convincing, they use
> the encryption so effectively that capable intelligence agencies
> can't crack it)

obviously not: http://www.crypto.com/blog/wiretap2010/ this
blogpost says that the 2010 US wiretap report says there were
zero cases where encryption blocked access for state agencies to
interesting data.

Ciao, Gregor
-- 
 -... --- .-. . -.. ..--..
...-.-

From astridstaufer at gmx.ch Sat Feb 25 09:06:02 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Sat, 25 Feb 2012 00:06:02 -0800 (PST)
Subject: Encrypted large files cant decrypt
Message-ID: <33388747.post@talk.nabble.com>

Hallo,
I encrypt with the following command on a server a backup and send it on an
other server over FTP:

"tar -czf - $mysql_backup_file $directory_to_backup | gpg --no-tty --batch
--always-trust --recipient $id_number --encrypt | curl --netrc-optional
--silent --show-error --ftp-create-dirs --retry 10 -u $ftp_user:$ftp_pwd
ftp://$ftp_host/$ftp_dir$full_backup_file -T -"

This works with some Backups around 35Mbytes. But I've tested it also with
a 2.79Gbyte large Backup-File. It runs to the end, but the final encrypted
File is corrupt. When I try to decrypt it, it says, "no encrypted data
found"!

Has someone an idea where the problem could be?
Thanks a lot!
-- 
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33388747.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From htd at fritha.org Sat Feb 25 09:25:02 2012
From: htd at fritha.org (Heinz Diehl)
Date: Sat, 25 Feb 2012 09:25:02 +0100
Subject: US 11 Circ: 5th Am. & passphrase demands
In-Reply-To: <20120224233020.GA980@joerg.workgroup>
References: <4F471630.5090909@sixdemonbag.org>
 <20120224161716.9E74AA6E3F@smtp.hushmail.com>
 <20120224233020.GA980@joerg.workgroup>
Message-ID: <20120225082502.GA1979@fritha.org>

On 25.02.2012, Gregor Zattler wrote:

> obviously not: http://www.crypto.com/blog/wiretap2010/ this
> blogpost says that the 2010 US wiretap report says there were
> zero cases where encryption blocked access for state agencies to
> interesting data.

As far as I can see, this article totally lacks any evidence of proof
for its statements...
From David.Vazquez-Landa at ecb.int Fri Feb 24 14:48:17 2012
From: David.Vazquez-Landa at ecb.int (David.Vazquez-Landa at ecb.int)
Date: Fri, 24 Feb 2012 14:48:17 +0100
Subject: decrypt-file updates trustdb?
In-Reply-To: <87fwe0pd04.fsf@vigenere.g10code.de>
References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de><20120222082356.7f44ba65@amd3c.amd3c.cia><0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de> <87fwe0pd04.fsf@vigenere.g10code.de>
Message-ID: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64141@EXCVP02.ecb01.ecb.de>

Dear Werner,

Yes, I found that option when browsing through the documentation. The
reason I haven't started using it is that first I would like to
understand why, if I'm just decrypting a file, gpg asks for write
permission to trustdb.gpg, pubring.gpg and pubring.bak. In other words,
I wouldn't expect my command to have to write anything. Alas, I haven't
found enough information on what gpg does when running decrypt-file (or
list-keys, for that matter, which gives me the same issue).

Best Regards,

David Vázquez
EDEN Team
European Central Bank
__________________
Tel. (+49) 69 1344 7029
Mail. david.vazquez-landa at ecb.europa.eu

> -----Original Message-----
> From: Werner Koch [mailto:wk at gnupg.org]
> Sent: Friday 24 February 2012 14:39
> To: Vazquez Landa, David
> Cc: ciamarie at my180.net; gnupg-users at gnupg.org
> Subject: Re: decrypt-file updates trustdb?
>
> On Thu, 23 Feb 2012 14:19, David.Vazquez-Landa at ecb.int said:
>
> > I don't know if this applies in my case. I forgot to add --sorry-- that the
> > service is running on a Windows 2008 machine.
>
> I have not closely looked at your report. However, you may want to try
> this option:
>
> @item --ignore-time-conflict
>
> GnuPG normally checks that the timestamps associated with keys and
> signatures have plausible values. However, sometimes a signature
> seems to be older than the key due to clock problems. This option
> makes these checks just a warning.
> See also @option{--ignore-valid-from} for
> timestamp issues on subkeys.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From hopeschl at hoveround.com Fri Feb 24 14:28:41 2012
From: hopeschl at hoveround.com (Hope Schlais)
Date: Fri, 24 Feb 2012 08:28:41 -0500
Subject: command line interface glitch Gpg4Win 2.1.0
Message-ID: <003DCF4BF59F6A4BAE863FD29F779DA201BF36FD53@HVRCEXCH.HVRC.HOVEROUND.COM>

Hi,

When I encrypt a .csv file using Kleopatra the recipient says everything
goes smoothly. But, when I encrypt the same file using a .NET console
application to start the gpg.exe process, upon decrypting the file the
recipient gets an error message with a Close button. The error message is:

The file "blah_blah.csv.gpg" contained no valid encrypted data.

If he doesn't click the Close button he can open the file, save it with
a new name, and it has all the data.

Has anyone had this problem or can anyone suggest anything to try?

Thanks for your help.

Hope Schlais | p: 941-739-6200 x-2396 | m: 941-549-3209 | e: hopeschl at hoveround.com

________________________________
****CONFIDENTIALITY STATEMENT****
This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom this email is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited.
If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message.

From astridstaufer at gmx.ch Sat Feb 25 01:21:13 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Fri, 24 Feb 2012 16:21:13 -0800 (PST)
Subject: Encrypted large files cant decrypt
Message-ID: <33388747.post@talk.nabble.com>

Hallo,
I encrypt with the following command on a server a backup and send it on an
other server over FTP:

"tar -czf - $mysql_backup_file $directory_to_backup | gpg --no-tty --batch
--always-trust --recipient $id_number --encrypt | curl --netrc-optional
--silent --show-error --ftp-create-dirs --retry 10 -u $ftp_user:$ftp_pwd
ftp://$ftp_host/$ftp_dir$full_backup_file -T -"

This works with some Backups around 35Mbytes. But I've tested it also with
a 2.79Gbyte large Backup-File. It runs to the end, but the final encrypted
File is corrupt. When I try to decrypt it, it says, "no encrypted data
found"!

Has someone an idea where the problem could be?
Thanks a lot!
-- 
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33388747.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From rjh at sixdemonbag.org Sat Feb 25 15:43:30 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 25 Feb 2012 09:43:30 -0500
Subject: US 11 Circ: 5th Am.
 & passphrase demands
In-Reply-To: <20120225082502.GA1979@fritha.org>
References: <4F471630.5090909@sixdemonbag.org>
 <20120224161716.9E74AA6E3F@smtp.hushmail.com>
 <20120224233020.GA980@joerg.workgroup>
 <20120225082502.GA1979@fritha.org>
Message-ID: <4F48F392.2040402@sixdemonbag.org>

On 2/25/2012 3:25 AM, Heinz Diehl wrote:
> As far as I can see, this article totally lacks any evidence of proof
> for its statements...

Matt Blaze is a fairly credible blogger, and a reputable cryptographer
who's done some very good work. He also references the United States
Judiciary's 2010 Wiretap Report and Susan Landau's _Surveillance or
Security_. If you're looking for references to back up his factual
claims, I'd suggest starting in either of those two.

From codegnome.consulting+gnupg.org at gmail.com Sat Feb 25 14:43:38 2012
From: codegnome.consulting+gnupg.org at gmail.com (Todd A. Jacobs)
Date: Sat, 25 Feb 2012 08:43:38 -0500
Subject: Problems loading an authentication key from a USB Crypto-Stick
Message-ID:

I'm using GnuPG 1.4.11 on Ubuntu 11.10, and have a Crypto-Stick v1.2 with
an authentication key. My desktop is LXDE, but I'm starting gpg-agent
using keychain from my ~/.bashrc. My configuration files look like this:

    # ~/.bashrc
    eval `keychain --eval --agents gpg,ssh id_rsa BCB6C8D4`

    # ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/bin/pinentry-curses
    enable-ssh-support

However, while the ssh key gets loaded properly into the agent, I am
prompted for the password for the GPG key every time I start a new
shell--the agent isn't storing the key. In addition, "ssh-add -L" isn't
showing the GPG authentication key as being loaded. So, the pinentry
dialog thinks I've unlocked the key, but gpg-agent and ssh-agent aren't
happy.

The agent itself seems to be running:

    $ gpg-connect-agent 'GETINFO pid' /bye
    D 2579
    OK

and I can see the card status just fine with the "gpg --card-status"
command.

So, what could be going wrong here?
-- 

From codegnome.consulting+gnupg.org at gmail.com Sat Feb 25 14:57:29 2012
From: codegnome.consulting+gnupg.org at gmail.com (Todd A. Jacobs)
Date: Sat, 25 Feb 2012 08:57:29 -0500
Subject: Encrypted large files cant decrypt
In-Reply-To: <33388747.post@talk.nabble.com>
References: <33388747.post@talk.nabble.com>
Message-ID:

On Sat, Feb 25, 2012 at 3:06 AM, Astrid Staufer wrote:

> I encrypt with the following command on a server a backup and send it on an
> other server over FTP:

I'd suggest re-writing your script so that you can validate that the
archive is valid and decryptable *locally* before doing anything over the
network. The problem could be anywhere in the pipeline, the network, or
the remote server, so you really need to break this into pieces for
testing.

At a minimum, I'd suggest setting your shell options as follows:

    set -e
    set -o pipefail

to make sure that you aren't having problems somewhere in the process
pipeline. If that doesn't work for you, then you just need to go back to
basics and test each stage of your archiving and transfer independently.

-- 
From dshaw at jabberwocky.com Sat Feb 25 18:12:17 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 25 Feb 2012 12:12:17 -0500
Subject: Encrypted large files cant decrypt
In-Reply-To: <33388747.post@talk.nabble.com>
References: <33388747.post@talk.nabble.com>
Message-ID: <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com>

On Feb 24, 2012, at 7:21 PM, Astrid Staufer wrote:

>
> Hallo,
> I encrypt with the following command on a server a backup and send it on an
> other server over FTP:
>
> "tar -czf - $mysql_backup_file $directory_to_backup | gpg --no-tty --batch
> --always-trust --recipient $id_number --encrypt | curl --netrc-optional
> --silent --show-error --ftp-create-dirs --retry 10 -u $ftp_user:$ftp_pwd
> ftp://$ftp_host/$ftp_dir$full_backup_file -T -"
>
> This works with some Backups around 35Mbytes. But I've tested it also with
> a 2.79Gbyte large Backup-File. It runs to the end, but the final encrypted
> File is corrupt. When I try to decrypt it, it says, "no encrypted data
> found"!

Since small files work, and 2.79gb doesn't, one thing to check is whether
your whole pipeline (including the remote ftp server) can handle large
(i.e. greater than 2^31 bytes) files. That would manifest itself as
things starting to break at the 2gb mark.

David

From astridstaufer at gmx.ch Sun Feb 26 11:00:35 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Sun, 26 Feb 2012 02:00:35 -0800 (PST)
Subject: Encrypted large files cant decrypt
In-Reply-To: <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com>
References: <33388747.post@talk.nabble.com>
 <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com>
Message-ID: <33393790.post@talk.nabble.com>

Hm, I don't think that it has something to do with the pipeline, because
this was only the last step in my testings. Firstly, I executed each step
separately and generated with each step a new file.
Because I thought the problem is somewhere with the size of the files that
I generated on the server, I changed to the pipeline method, so that I
never have on server 1. a complete file (streaming).

The Support of the server said also, that there are no limitations in
filesize or execution time.

So I came to the conclusion, that the problem can be only in the
GnuPG function. Maybe some configurations of GnuPG I haven't taken into
account or a bug in GnuPG?

Thanks for more ideas!
-- 
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33393790.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From astridstaufer at gmx.ch Sun Feb 26 11:09:19 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Sun, 26 Feb 2012 02:09:19 -0800 (PST)
Subject: Encrypted large files cant decrypt
Message-ID: <33393790.post@talk.nabble.com>

Hm, I don't think that it has something to do with the pipeline, because
this was only the last step in my testings. Firstly, I executed each step
separately and generated with each step a new file. Because I thought the
problem is somewhere with the size of the files that I generated on the
server, I changed to the pipeline method, so that I never have on server
1. a complete file (streaming).

The Support of the server said also, that there are no limitations in
filesize or execution time.

So I came to the conclusion, that the problem can be only in the
GnuPG function. Maybe some configurations of GnuPG I haven't taken into
account or a bug in GnuPG?

I have also noticed, that the GnuPG function runs through the complete
file and just at the end it interrupts. So the resulting file is as large
as the original or even a little bit larger.

Thanks for more ideas!
-- 
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33393790.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
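
The checks suggested in this thread (Todd A. Jacobs: see every stage's exit status and validate the result locally before any transfer; David Shaw: watch the 2^31-byte mark), as an added example that is not from any poster. It is written in Python so each stage's status is visible; the function names are made up here, and the stages in the demo are constructed stand-ins for the tar and gpg commands of the original post.

```python
import os
import subprocess
import sys
import tempfile

TWO_GIB = 2 ** 31  # the size David Shaw's reply singles out


def run_pipeline(stages, out_path):
    """Run argv lists as `a | b | c > out_path` and return every exit status.

    A shell reports only the last stage's status unless `set -o pipefail`
    is active, so a failure in an earlier stage goes unnoticed.
    """
    procs = []
    upstream = None
    with open(out_path, "wb") as sink:
        for index, argv in enumerate(stages):
            last = index == len(stages) - 1
            proc = subprocess.Popen(
                argv, stdin=upstream,
                stdout=sink if last else subprocess.PIPE)
            if upstream is not None:
                upstream.close()  # only the child keeps the read end
            upstream = proc.stdout
            procs.append(proc)
        return [proc.wait() for proc in procs]


def check_local_copy(stages, out_path, verify_argv=None):
    """Build the archive locally and list findings before any upload."""
    findings = []
    for argv, status in zip(stages, run_pipeline(stages, out_path)):
        if status != 0:
            findings.append(f"{argv[0]} exited with status {status}")
    size = os.path.getsize(out_path)
    if size == 0:
        findings.append("output file is empty")
    if size >= TWO_GIB:
        findings.append(f"output is {size} bytes, past 2^31: "
                        "test every later hop with a file this large")
    if verify_argv is not None and not findings:
        # verify_argv is any command that proves the file is readable, for
        # example a test decryption where the secret key is available.
        status = subprocess.run(verify_argv + [out_path],
                                stdout=subprocess.DEVNULL).returncode
        if status != 0:
            findings.append(f"verification exited with status {status}")
    return findings


def demo_stages():
    """Constructed stand-ins: producer, a failing middle stage, pass-through."""
    py = sys.executable
    return [
        [py, "-c", "import sys; sys.stdout.write('archive bytes')"],
        [py, "-c", "import sys; sys.stdin.read(); sys.exit(2)"],
        [py, "-c", "import sys; sys.stdout.write(sys.stdin.read())"],
    ]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "backup.gpg")
        for finding in check_local_copy(demo_stages(), target):
            print("finding:", finding)
```

In the demo the last stage exits 0 even though the middle one failed, which is the case a bare shell pipeline hides.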
From codegnome.consulting+gnupg.org at gmail.com Sun Feb 26 17:50:15 2012
From: codegnome.consulting+gnupg.org at gmail.com (Todd A. Jacobs)
Date: Sun, 26 Feb 2012 11:50:15 -0500
Subject: Problems loading an authentication key from a USB Crypto-Stick
In-Reply-To:
References:
Message-ID:

On Sat, Feb 25, 2012 at 8:43 AM, Todd A. Jacobs wrote:

> eval `keychain --eval --agents gpg,ssh id_rsa BCB6C8D4`

With keychain 2.6.8 (and possibly others) the agents won't start properly
if actually specified, so taking out the agents option actually allows
gpg-agent to start, while also handling the ssh-agent keys. One also
needs to add the --quick option to avoid being prompted for the gpg key's
passwords each time. So:

    eval `keychain --quick --ignore-missing --eval id_rsa BCB6C8D4`

*mostly* works, but the gpg-agent is still not being consulted for
signing. Even if one kills all agents and the scdaemon, and uses
"eval $(gpg-agent --daemon)" instead, the agent refuses to consult the
cache when signing.

    $ gpg-agent --version
    gpg-agent (GnuPG) 2.0.17
    libgcrypt 1.5.0

    $ echo $GPG_AGENT_INFO
    /home/fubar/.gnupg/S.gpg-agent:926:1

    # Prompts twice for password to clearsign.
    echo foo | gpg --clearsign; echo foo | gpg --clearsign

So, the keychain problem seems to be resolved, in that gpg-agent is now
reading the SSH authentication key off the CryptoStick and handing it off
to ssh-agent, but gpg-agent is still not caching passphrases for signing
activities, which seems rather critical to its usefulness. :) What else
can I do to help debug this?

-- 

From itsec.listuser at gmail.com Sun Feb 26 21:16:57 2012
From: itsec.listuser at gmail.com (Mike Korizek)
Date: Sun, 26 Feb 2012 21:16:57 +0100
Subject: courier re-writing of mime boundaries, verification fails
Message-ID: <4F4A9339.8020609@gmail.com>

Hi all

If courier receives an email with plain/text and HTML parts there
happens a re-writing of the MIME boundaries.
If the email is digitally signed with gnupg first, the verification fails
due to this re-writing.

I have no access to the server where courier runs on but I can
filter/process the email before it gets signed and sent to courier and I
can filter/process before it gets verified and sent to the mail client.

a) Is there a possibility to prevent the re-writing of the MIME boundaries?

b) If not, which are the rules of the re-writing. If I know them I can
reverse that before the verification happens.

-- 
Thanks for any hint.
Mike

From dkg at fifthhorseman.net Sun Feb 26 22:44:42 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 26 Feb 2012 16:44:42 -0500
Subject: courier re-writing of mime boundaries, verification fails
In-Reply-To: <4F4A9339.8020609@gmail.com>
References: <4F4A9339.8020609@gmail.com>
Message-ID: <4F4AA7CA.3010300@fifthhorseman.net>

On 02/26/2012 03:16 PM, Mike Korizek wrote:
> If courier receives an email with plain/text and HTML parts there
> happens a re-writing of the MIME boundaries.

This sounds like a bug in the Courier MTA, according to the MIME
standards for encrypted/signed mail:

https://tools.ietf.org/html/rfc3156#section-3

   Multipart/signed and multipart/encrypted are to be treated by agents
   as opaque, meaning that the data is not to be altered in any way

See also:

https://tools.ietf.org/html/rfc1847
https://tools.ietf.org/html/rfc2480

> a) Is there a possibility to prevent the re-writing of the MIME boundaries?
>
> b) If not, which are the rules of the re-writing. If I know them I can
> reverse that before the verification happens.

These questions are probably better asked on the courier mailing lists:

http://www.courier-mta.org/links.html

hope this helps,

  --dkg

From David.Vazquez-Landa at ecb.int Tue Feb 28 10:42:49 2012
From: David.Vazquez-Landa at ecb.int (David.Vazquez-Landa at ecb.int)
Date: Tue, 28 Feb 2012 10:42:49 +0100
Subject: decrypt-file updates trustdb?
In-Reply-To: <87aa48p35s.fsf@vigenere.g10code.de>
References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de><20120222082356.7f44ba65@amd3c.amd3c.cia><0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de><87fwe0pd04.fsf@vigenere.g10code.de><0FC38DE6C8C6F049A939F4A61D28E16E0CE64141@EXCVP02.ecb01.ecb.de> <87aa48p35s.fsf@vigenere.g10code.de>
Message-ID: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64155@EXCVP02.ecb01.ecb.de>

Thanks for the explanation Werner. Does this mean that it is OK then to have write permissions on trustdb.gpg, pubring.gpg and pubring.bak?

Best Regards,

David Vázquez
EDEN Team
European Central Bank
__________________
Tel. (+49) 69 1344 7029
Mail. david.vazquez-landa at ecb.europa.eu

> -----Original Message-----
> From: Werner Koch [mailto:wk at gnupg.org]
> Sent: Friday 24 February 2012 18:11
> To: Vazquez Landa, David
> Cc: ciamarie at my180.net; gnupg-users at gnupg.org
> Subject: Re: decrypt-file updates trustdb?
>
> On Fri, 24 Feb 2012 14:48, David.Vazquez-Landa at ecb.int said:
>
> > understand why, if I'm just decrypting a file, gpg asks for write
> > permission to trustdb.gpg, pubring.gpg and pubring.bak. In other
> > words, I wouldn't expect my command to have to write anything. Alas, I
>
> If you encrypt something GPG computes the validity of the keys by
> looking at the key signatures and assigned ownertrust values. The
> trustdb is updated as a result of this. GPG also keeps a key signature
> validation status cache in the pubring.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

Any e-mail message from the European Central Bank (ECB) is sent in good faith but shall neither be binding nor construed as constituting a commitment by the ECB except where provided for in a written agreement. This e-mail is intended only for the use of the recipient(s) named above. Any unauthorised disclosure, use or dissemination, either in whole or in part, is prohibited.
If you have received this e-mail in error, please notify the sender immediately via e-mail and delete this e-mail from your system.

From wk at gnupg.org Tue Feb 28 12:40:29 2012
From: wk at gnupg.org (Werner Koch)
Date: Tue, 28 Feb 2012 12:40:29 +0100
Subject: decrypt-file updates trustdb?
In-Reply-To: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64155@EXCVP02.ecb01.ecb.de> (David Vazquez-Landa's message of "Tue, 28 Feb 2012 10:42:49 +0100")
References: <0FC38DE6C8C6F049A939F4A61D28E16E0CE64115@EXCVP02.ecb01.ecb.de> <20120222082356.7f44ba65@amd3c.amd3c.cia> <0FC38DE6C8C6F049A939F4A61D28E16E0CE6412A@EXCVP02.ecb01.ecb.de> <87fwe0pd04.fsf@vigenere.g10code.de> <0FC38DE6C8C6F049A939F4A61D28E16E0CE64141@EXCVP02.ecb01.ecb.de> <87aa48p35s.fsf@vigenere.g10code.de> <0FC38DE6C8C6F049A939F4A61D28E16E0CE64155@EXCVP02.ecb01.ecb.de>
Message-ID: <874nubnq36.fsf@vigenere.g10code.de>

On Tue, 28 Feb 2012 10:42, David.Vazquez-Landa at ecb.int said:
> Thanks for the explanation Werner. Does this mean that it is OK then to have write permissions on trustdb.gpg, pubring.gpg and pubring.bak?

Yes sure. If you don't want that you may use the options

    --no-auto-check-trustdb --no-sig-cache

I have not tested it, though. If you use a writable trustdb, you may use a nightly cron job

    /usr/bin/gpg --batch --check-trustdb 2>/dev/null

along with --no-auto-check-trustdb to avoid trustdb computations during normal operations.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From astridstaufer at gmx.ch Tue Feb 28 18:16:05 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Tue, 28 Feb 2012 09:16:05 -0800 (PST)
Subject: Encrypted large files cant decrypt
In-Reply-To: <33393790.post@talk.nabble.com>
References: <33388747.post@talk.nabble.com> <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com> <33393790.post@talk.nabble.com>
Message-ID: <33408236.post@talk.nabble.com>

So, problem solved!!
For everyone who has the same problem: I've solved my problem by splitting the 2.7Gbyte archive-file in pieces of 1Gbytes. So it seems that GnuPG has a problem with files larger than 2Gbytes, or there is a setting by my host which caused this problem, in spite of them saying that they have no limitations in time or filesize.

Thanks anyway for your posted help!

--
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33408236.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From mailinglisten at hauke-laging.de Wed Feb 29 04:27:57 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 29 Feb 2012 04:27:57 +0100
Subject: trust, ownertrust, secret keys, --status-fd, --trusted-key
Message-ID: <201202290428.03426.mailinglisten@hauke-laging.de>

Hello,

after playing around with unfamiliar gpg features for hours I am confused now. You may already have guessed from the subject...

Those hours ago I believed to have understood the concept of trust and ownertrust. I don't use the WoT thus I never cared much about ownertrust. Important to me was only that gpg considered keys valid when checking signatures.

My understanding was that keys are valid if

1) you have their secret key
2) they are marked trusted by --trusted-key (important to me due to offline mainkeys and smartcards)
3) they are signed by a trusted key
4) their ownertrust is set to ultimate

My confusion started when playing with --status-fd and reading the DETAILS file. It says:

##################################
    TRUST_UNDEFINED
    TRUST_NEVER
    TRUST_MARGINAL [0 []]
    TRUST_FULLY [0 []]
    TRUST_ULTIMATE [0 []]
        For good signatures one of these status lines are emitted to indicate the validity of the key used to create the signature.
##################################

Now the problems arise. To me these are ownertrust values. But a signature can IMHO be valid or invalid only (depending on its key's signatures and the configuration).
What is needed for a valid signature, TRUST_ULTIMATE? This is what I get with successful verifications.

    LC_ALL=C gpg --list-options show-uid-validity --list-sigs

shows me [ultimate], [ full ] and [ unknown] only (and [ expired]). That may be caused by me not using the WoT. Is this "full" the same as with ownertrust? If --completes-needed is set above 1 then a key can be signed by a fully trusted user and is then what? "[ full ]" but not valid?

Perhaps you can point me at some good online resource for understanding this. I had a look at gnupg.org but the explanation I found was not in much detail.

I just noticed that calling gpg once with --trusted-key writes to the trustdb. If you leave out that option in the next call the key still has ultimate trust (even if the secret key is not available). That does not make sense to me. If I want a permanent change then I change the trustdb (or put this option in the config file). Furthermore I consider a verification a pure read-only operation. If this behaviour is not considered a bug then I recommend a suitable hint (read: warning) in the documentation.

There's another problem with --trusted-key or its documentation. It says: "Assume that the specified key (which must be given as a full 8 byte key ID) is as trustworthy as one of your own secret keys."

Due to this description it does not make sense to me that this option changes the calculated trust for a key which has a secret key available. Perhaps this is not intended but just a result of the empty trustdb (--check-trustdb doesn't change that though). Either the documentation should be changed or the secring be checked (in addition to the trustdb).

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From wk at gnupg.org Wed Feb 29 09:24:10 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 29 Feb 2012 09:24:10 +0100
Subject: Encrypted large files cant decrypt
In-Reply-To: <33408236.post@talk.nabble.com> (Astrid Staufer's message of "Tue, 28 Feb 2012 09:16:05 -0800 (PST)")
References: <33388747.post@talk.nabble.com> <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com> <33393790.post@talk.nabble.com> <33408236.post@talk.nabble.com>
Message-ID: <87vcmqm4id.fsf@vigenere.g10code.de>

On Tue, 28 Feb 2012 18:16, astridstaufer at gmx.ch said:

> 1Gbytes. So it seems, that GnuPG has a problem with files larger than
> 2Gbytes, or there is a setting by my host, which caused in this problem, in

If your system supports files > 2GB, GnuPG supports this as well. In case special options are created to build applications with large file support, you may pipe data in and out from gpg. This way, gpg won't have a way to know the size of a file and will for sure work:

    gpg -er USERID <plain >plain.gpg

In case you use a shell which has no large file system support, you may try this:

    cat plain | gpg -er USERID | tee plain.gpg >/dev/null

However, this is all very unlikely and your problem must be somewhere else.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From post.carter at yahoo.com Wed Feb 29 16:33:43 2012
From: post.carter at yahoo.com (Post Carter)
Date: Wed, 29 Feb 2012 07:33:43 -0800 (PST)
Subject: small security glitches
Message-ID: <1330529623.49266.YahooMailNeo@web44702.mail.sp1.yahoo.com>

I too had seen and been perturbed by this unexplained statement on http://www.gnupg.org/faq/GnuPG-FAQ.html:

"There is a small security glitch in the OpenPGP (and therefore GnuPG) system; to avoid this you should always sign and encrypt a message instead of only encrypting it."

I use PGP for local file encryption and was concerned this applied to that as well, but I now think it seems to only apply to *messages*.
I would appreciate anyone else's analysis of that.

I believe I have found the actual information behind the "glitch," and it *absolutely* has to do with encryption/security and not just integrity/trust.

http://www.mccune.cc/PGPpage2.htm#Chosen-Ciphertext
http://www.schneier.com/paper-pgp.html

Tom McCune's summary from link above:

Chosen-Ciphertext Attack

The report Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG discusses a potential PGP vulnerability. This is my understanding of the attack:

An individual intercepts an encrypted email. He places a plaintext addition within the package, in such a manner that when the originally intended recipient decrypts the message, the symmetric session key also "decrypts" the addition. But since the plaintext addition was not encrypted (but probably looked encrypted), it is now encrypted to the symmetric session key. If the originally intended recipient then sends this "gibberish" back to the original sender (to inquire about it), the interceptor again intercepts this, and now has both his original plaintext addition, and the symmetric session key encryption of that plaintext. From this, he is able to reverse the XOR processing of the original encryption to produce the plaintext of the originally intercepted encrypted message.

Although the Open PGP standard needed to be updated to prevent such an attack, this attack was unlikely to actually succeed against a PGP user:

- PGP compresses before encrypting, in such a manner that this alteration would normally result in a corrupt package.
- If the original encrypted message was signed, this alteration will result in the intended recipient receiving a Bad signature verification.

The attack would fail under any of the following conditions:

- The recipient takes no action in regards to the received "gibberish."
- The recipient does not include the "gibberish" in any outgoing response.
- The recipient encrypts his outgoing response to the original sender (as long as the recipient is not fooled into encrypting the "gibberish" to the interceptor's key).
- The interceptor fails to intercept the plaintext response to the original sender.

PGP Corp states that as of PGP 8.0.2 "special MDC support" includes additional protection against this kind of attack.

From astridstaufer at gmx.ch Wed Feb 29 18:38:15 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Wed, 29 Feb 2012 09:38:15 -0800 (PST)
Subject: Encrypted large files cant decrypt
In-Reply-To: <87vcmqm4id.fsf@vigenere.g10code.de>
References: <33388747.post@talk.nabble.com> <3193718C-AC03-44F6-8450-F7FE268671BC@jabberwocky.com> <33393790.post@talk.nabble.com> <33408236.post@talk.nabble.com> <87vcmqm4id.fsf@vigenere.g10code.de>
Message-ID: <33415747.post@talk.nabble.com>

Thanks for your help. I've run the script, as I've posted above. And I can't find a failure. So it must have something to do with my hoster.

--
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33415747.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From astridstaufer at gmx.ch Wed Feb 29 18:40:20 2012
From: astridstaufer at gmx.ch (Astrid Staufer)
Date: Wed, 29 Feb 2012 09:40:20 -0800 (PST)
Subject: Encrypted large files cant decrypt
Message-ID: <33415747.post@talk.nabble.com>

Thanks for your help. I've run the script, as I've posted above. And I can't find a failure. So it must have something to do with my hoster.

--
View this message in context: http://old.nabble.com/Encrypted-large-files-cant-decrypt-tp33388747p33415747.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From dkg at fifthhorseman.net Wed Feb 29 19:18:58 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 29 Feb 2012 13:18:58 -0500
Subject: small security glitches
In-Reply-To: <1330529623.49266.YahooMailNeo@web44702.mail.sp1.yahoo.com>
References: <1330529623.49266.YahooMailNeo@web44702.mail.sp1.yahoo.com>
Message-ID: <4F4E6C12.70400@fifthhorseman.net>

On 02/29/2012 10:33 AM, Post Carter wrote:

> An individual intercepts an encrypted email. He places a plaintext addition within the package, in such a manner that when the originally intended recipient decrypts the message, the symmetric session key also "decrypts" the addition

> But since the plaintext addition was not encrypted (but probably looked encrypted), it is now encrypted to the symmetric session key.

The above two steps are clear so far.

> If the originally intended recipient then sends this "gibberish" back to the original sender (to inquire about it), the interceptor again intercepts this, and now

i'm assuming that the intended recipient sends the "gibberish" back to the original sender encrypted, right? if they send it in the clear, it's hardly the fault of the cryptosystem that the cleartext was exposed.

> has both his original plaintext addition, and the symmetric session key encryption of that plaintext.

eh? how does it follow that the attacker has both of these? afaict, the attacker has:

 A) the original ciphertext

 B) the modified ciphertext (which they supplied arbitrary data for)

 C) a re-encrypted version of the modified cleartext (reencrypted against a different session key, presumably).

> From this, he is able to reverse the XOR processing of the original encryption to produce the plaintext of the originally intercepted encrypted message.

I don't understand how this follows either. where does XOR come in? Which part of OpenPGP is using XOR here?

At any rate, this is indeed about message integrity; if you want encrypted integrity, you need your peer to supply an MDC (gpg does this by default). If you want verifiable message provenance with message integrity, you need your peer to sign their messages.

If Alice does something like take an un-verified message, decrypt it, and then post the plaintext somewhere anyone can look at it, then the cryptosystem hasn't failed; but Alice has stopped using the cryptosystem.

  --dkg
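
The two checks named in the message above (an MDC for integrity, a signature from a valid key for provenance) can be enforced by a script that reads gpg's --status-fd output before it releases any plaintext. The following is an added example, not part of the thread or of GnuPG: the status keywords are gpg's own, while the sample streams are constructed and parse_status/assess are hypothetical helper names. It assumes one decryption run with at most one signature.

```python
# Constructed status streams for illustration; not captured from a real gpg run.
SIGNED_OK = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
SIGNED_UNVALIDATED_KEY = SIGNED_OK.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")
NO_MDC = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""
TAMPERED = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

PREFIX = "[GNUPG:] "
VALID_KEY = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_status(text):
    """Return (keyword, args) pairs for every status line in the stream."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):  # skip anything that is not a status line
            keyword, _, args = line[len(PREFIX):].partition(" ")
            events.append((keyword, args))
    return events


def assess(text, require_signature=False):
    """Hypothetical policy gate: return (accept, reasons) for one gpg run."""
    seen = {keyword for keyword, _ in parse_status(text)}
    reasons = []
    if "DECRYPTION_OKAY" not in seen:
        reasons.append("decryption failed")
    if "BADMDC" in seen:
        reasons.append("MDC mismatch: ciphertext was modified")
    elif "GOODMDC" not in seen:
        reasons.append("no MDC: ciphertext is not integrity protected")
    if "BADSIG" in seen:
        reasons.append("bad signature")
    elif require_signature:
        if "GOODSIG" not in seen:
            reasons.append("no good signature")
        elif not (seen & VALID_KEY):
            # Good signature, but the signing key itself is not valid.
            reasons.append("signing key is not valid")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name in ("SIGNED_OK", "SIGNED_UNVALIDATED_KEY", "NO_MDC", "TAMPERED"):
        print(name, assess(globals()[name], require_signature=True))
```

The TRUST_* keyword is read here as the validity of the signing key, which is how the DETAILS excerpt quoted earlier in the thread describes it.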