From bortzmeyer at nic.fr Mon Oct 1 10:13:29 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Mon, 1 Oct 2012 10:13:29 +0200
Subject: Am I attempting the impossible?
In-Reply-To: <506888AB.5010005@ncf.ca>
References: <506888AB.5010005@ncf.ca>
Message-ID: <20121001081329.GA2346@nic.fr>

On Sun, Sep 30, 2012 at 02:00:11PM -0400,
Allan Topp wrote a message of 22 lines which said:

> and thereby only enter 1 passphrase for all of them.

If you just want to avoid typing the passphrase N times, I suggest to
use gpg-agent, which is the greatest invention since syrup on
pancakes.

http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

From ad707 at ncf.ca Mon Oct 1 13:58:20 2012
From: ad707 at ncf.ca (Allan Topp)
Date: Mon, 01 Oct 2012 07:58:20 -0400
Subject: Am I attempting the impossible?
Message-ID: <5069855C.2010609@ncf.ca>

Thanks for the information. I had no idea. I'll give it a try.

If you just want to avoid typing the passphrase N times, I suggest to
use gpg-agent, which is the greatest invention since syrup on
pancakes.

From iliaselmatani at hotmail.com Tue Oct 2 10:23:52 2012
From: iliaselmatani at hotmail.com (Ilias el Matani)
Date: Tue, 2 Oct 2012 10:23:52 +0200
Subject: Backup...
Message-ID:

Hello there,

I would like to know why, there is no 'security' when you are making a
Backup of the keys via the GNU Privacy Assistant - Key Manager.

It's possible when you have physical access to the system, to export
also the private key. Why don't we protect this?

--
Ilias el Matani
PGP KeyID: 0xc498c1c9

From rjh at sixdemonbag.org Tue Oct 2 21:10:50 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 02 Oct 2012 15:10:50 -0400
Subject: Backup...
In-Reply-To:
References:
Message-ID: <506B3C3A.2040104@sixdemonbag.org>

On 10/2/12 4:23 AM, Ilias el Matani wrote:
> I would like to know why, there is no 'security' when you are making a
> Backup of the keys via the GNU Privacy Assistant - Key Manager.

There is.

> It's possible when you have physical access to the system, to export
> also the private key. Why don't we protect this?

We do. Your private certificate is encrypted with a strong algorithm.
Your passphrase is the decryption key. If you have a strong passphrase
on your certificate, you could publish the private certificate in the
_New York Times_ and be completely confident of its security.

If you're concerned about people gaining access to your private key, put
a strong passphrase on it.

From kristian.fiskerstrand at sumptuouscapital.com Tue Oct 2 23:13:01 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Tue, 02 Oct 2012 23:13:01 +0200
Subject: NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition
Message-ID: <506B58DD.4030503@sumptuouscapital.com>

Dear all,

The National Institute of Standards and Technology (NIST) today
announced the winner of its five-year competition to select a new
cryptographic hash algorithm, one of the fundamental tools of modern
information security.

The winning algorithm, Keccak (pronounced "catch-ack"), was created by
Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics
and Michaël Peeters of NXP Semiconductors. The team's entry beat out 63
other submissions that NIST received after its open call for candidate
algorithms in 2007, when it was thought that SHA-2, the standard secure
hash algorithm, might be threatened.

Keccak will now become NIST's SHA-3 hash algorithm.

You can read more at
http://www.nist.gov/public_affairs/tech-beat/tb20121002.cfm#sha

Congratulations Keccak!

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Bene diagnoscitur, bene curatur
Something that is well diagnosed can be cured well
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is available in
both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

From mailinglisten at hauke-laging.de Wed Oct 3 07:07:32 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 03 Oct 2012 07:07:32 +0200
Subject: collision vs. preimage attacks: policy for signing data created by others
In-Reply-To: <19020731.ZpegxAa7VX@inno>
References: <19020731.ZpegxAa7VX@inno>
Message-ID: <1996301.8XxUV5pr0j@inno>

On Mon 24.09.2012, 19:06:17, Hauke Laging wrote:

Oh no - I am responding to my own email...

> Given the much bigger difficulty of preimage attacks, would a rule make
> sense not to sign a document that someone else has created (and thus been
> given the opportunity for a collision attack)? The solution would be to
> change the file in a way that does not affect the meaning (e.g. an
> additional space somewhere) and can easily be detected to match this
> condition.

But I happened to find an answer to my question. In a seven and a half
years old article about a collision attack against SHA-1. It's in
German, though:

http://www.heise.de/security/artikel/Keine-Panik-271334.html

("Grundsätzlich ist es eine gute Idee, vor dem digitalen Signieren eines
Dokuments immer noch selbst eine kosmetische Änderung vorzunehmen.")

It says: It does in general make sense to make a small change (that does
not change the meaning) to a file before signing.

I have another question about hashes: Given two different files that
have the same hash value. If some data is appended (or prepended) to
both files do the resulting files still have the same hash value?

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
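
An added example, not part of the original posts, for the signing policy and the append/prepend question in the message above. It builds a toy Merkle-Damgard hash with a 24-bit state so that a collision is found in well under a second, then checks which cosmetic edits by the signer leave the author's collision intact; `toy_hash`, `variant` and the sample documents are constructed for this illustration.

```python
import hashlib
import itertools
import struct

BLOCK = 16        # toy block size in bytes
STATE = 3         # 24-bit chaining value, deliberately tiny so collisions are cheap
IV = bytes(STATE)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 over state || block."""
    return hashlib.sha256(state + block).digest()[:STATE]


def absorb(state: bytes, data: bytes) -> bytes:
    """Feed whole blocks through the compression function, one after another."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard hash with length padding, the layout MD5/SHA-1/SHA-2 use."""
    zeros = (-(len(msg) + 1 + 8)) % BLOCK
    padding = b"\x80" + bytes(zeros) + struct.pack(">Q", len(msg))
    return absorb(IV, msg + padding)


def variant(text: bytes, n: int) -> bytes:
    """Same-meaning variant: the text padded to 32 bytes plus a 16-byte filler."""
    return text.ljust(32) + b"%016x" % n


def find_collision(good_text: bytes, bad_text: bytes, table: int = 4096):
    """What the document's author can do: birthday-search two texts whose
    chaining values meet, so every identical continuation hashes the same."""
    seen = {absorb(IV, variant(good_text, n)): n for n in range(table)}
    for m in itertools.count():
        bad = variant(bad_text, m)
        n = seen.get(absorb(IV, bad))
        if n is not None:
            return variant(good_text, n), bad


def check(good: bytes, bad: bytes) -> dict:
    """Report whether the collision survives each kind of edit."""
    tail = b" (reviewed)"
    edited = toy_hash(b" " + good)   # signer puts the space at the very start
    return {
        "pair_collides": toy_hash(good) == toy_hash(bad),
        "same_data_appended": toy_hash(good + tail) == toy_hash(bad + tail),
        "same_data_prepended": toy_hash(tail + good) == toy_hash(tail + bad),
        "signer_appends_space": toy_hash(good + b" ") == toy_hash(bad + b" "),
        "signer_prepends_space": edited in (toy_hash(bad), toy_hash(b" " + bad)),
    }


if __name__ == "__main__":
    # Constructed sample documents, not taken from the thread.
    good, bad = find_collision(b"Pay Mallory 10 EUR", b"Pay Mallory 10000 EUR")
    print(good, bad, toy_hash(good).hex(), sep="\n")
    for name, collides in check(good, bad).items():
        print(f"{name:22} collision survives: {collides}")
```

In this construction, identical data appended to an equal-length pair whose chaining values collide keeps the collision, while a change at or before the colliding blocks destroys it. A signer's cosmetic change therefore belongs at the start of the document, not at the end.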

From sttob at mailshack.com Wed Oct 3 21:19:13 2012
From: sttob at mailshack.com (Stan Tobias)
Date: Wed, 03 Oct 2012 21:19:13 +0200
Subject: what is killing PKI?
In-Reply-To: <503AA5DA.7020303@sixdemonbag.org>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv>
 <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net>
 <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net>
 <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net>
 <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net>
 <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com>
 <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com>
 <5039FBFE.80301@gmail.com>
 <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com>
 <503AA5DA.7020303@sixdemonbag.org>
Message-ID: <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>

The impulse for writing my first post in this thread was frustration
about a "technological" treatment that privacy often receives, and
about a lobby that tries to tell everybody to encrypt everything,
whether sensitive or not (I think I've seen this on this list, but I
don't have the time to research now). The argument for using
encryption seems to go like this: "privacy (value) is always good,
privacy (secrecy) is achieved by encryption, therefore encryption is
always desirable". I'm bothered when I read "privacy is achieved by
encryption" (johnny1) - okay, maybe they use it as a synonym of
"secrecy", but then it blurs the distinction between the two.

In my posts I just wanted to articulate one reason why for some people
(from "out in the field") encryption is a non-choice, and I gave some
context in which such attitude might be understandable. In further
discussion I tried to describe Privacy as a social mechanism and show
it's not equivalent to secrecy (i.e. information leakage does not
necessarily mean loss of privacy), and therefore the above argument is
non sequitur.
I don't feel the best person to discuss these things, but I thought
someone must first say an idea, so that others can use it and test it.

Before writing my first post, I had read the Gaw et al. article (by
your recommendation, actually), and I was a little less than satisfied
(perhaps because authors didn't make an effort to hide their
opinions). For this writing, I have read all the other articles
mentioned in someone's earlier post.

Please, allow me to add one more thought, which is relevant further
down. It might sound paradoxical, but openness is what protects us in
our lives. We require transparency from the government, from
institutions, from private companies (in certain circumstances), and
therefore we practice a culture of openness ourselves. This is how we
keep institutions under control, and this is what keeps society
together. People are more likely to support a transparent
organisation. People are upset when public institutions become too
secretive.

Facing an opponent, to avoid fight, we may run away (nothing wrong, a
normal defense), or challenge them (it often works). I think I can
understand why some people (e.g. Jenny) feel encrypting "public"
information is not appropriate: it's a challenge. "We had a meeting at
9, coffee was served, so what? We are worried about new law - every
citizen has the right to be concerned. We investigate what BigCorp
does - of course, we're ActivistCorp, it's our job, that's what our
supporters pay us to do. Now, what are _you_ up to?". Secrecy would
probably be not adequate, because then police could use any pretense
to enter the offices to hamper the activity. Transparency also helps
keep internal discipline (don't do stupid things).

"Robert J.
Hansen" wrote:

> On 8/26/12 5:37 PM, Stan Tobias wrote:
> > In the works cited before (this thread and other discussions),
> > one recurring concern could be formulated as: "Why Johnny doesn't
> > encrypt his Christmas greetings to his granny?", with an implicit
> > assumption/expectation that everybody ought to use cryptography by
> > default for any and everything. I'll concentrate on the encryption only.
>
> Well, speaking just for myself, I try not to make that assumption. I'm
> interested in knowing why Johnny can't encrypt, and then further why
> Johnny *doesn't* encrypt. These are two different questions which have
> very different answers.

I didn't adapt the title without a reason, my answer was directed
towards that attitude. "What will it take to make the use of encrypted
e-mail universal and routine?" is a quote from Gaw et al.

Do we really have evidence people can't encrypt? For me the "johnny"
articles were not quite clear about it (they seemed to investigate a
different aspect). I don't believe people are stupid. They can learn
to use cryptography, just as they have learned many other things in
their lives.

Another matter is what "can" does mean. I can fly an Airbus A380.
(Sure :-^, I only have to find that "A/P" button.) - That was my
conclusion having read "All users were able to decrypt. This is
because PGP automatically decrypts emails when they appear in Outlook
Express." (Sheng et al.).

I think what is missing from many discussions is that to be able to
_effectively_ use cryptography on computers, one has to know much more
than how to use cryptography. (I could tell a funny story of a
security failure, not because of wrong use of GnuPG, but because they
didn't realize how a certain file system worked.) Can you imagine a
responsible person exchanging sensitive information, while not being
certain what he does is safe?
It's a matter of personal integrity, it's not enough to tell a user
"click here and there, and you're fine"; we have to first convince
ourselves what we do is right. The upshot is that you cannot make
cryptography easier for users, they will have to study and understand
it themselves anyway.

> "Why Johnny can't encrypt" is a human-computer interaction (HCI)
> problem. HCI problems are eminently solvable. The papers have a lot of
> exploration of this problem: see, e.g., "Why Johnny Can't Encrypt",
> "Johnny 2", and "Why Johnny Still Can't Encrypt" for three examples of
> really good peer-reviewed papers that explore this.

One reason I didn't like those papers is that they concentrated on a
particular version of a particular implementation, and they seemed to
make mostly ignorant users to work with it (and by my standards, they
were actually quite successful in that). Their methods and findings
could be applied to any graphical software. As I said, for me to be
able to use encryption means more than knowing which buttons to click.

> "Why Johnny doesn't encrypt" is a social problem. Social problems are
> notoriously intractable.

I disagree here. They might be difficult to quantify, but we can
discuss those issues and try to reach some conclusions, if not
solutions. One reason I like to read Schneier's blog (if I have the
time) is that he often discusses social aspects to security.

> See, e.g., Gaw, Felten and Fernandez-Kelly's
> paper. They found that even when people were aware of the dangers they
> were facing, knew those dangers were real, had easy access to crypto
> software and had been trained in its use, they *still* weren't using
> crypto... principally because they didn't want to be seen as paranoid.

In the article I didn't find anybody who said they didn't want to be
_seen_ as paranoid, they only described certain behaviour as paranoid.
I think people use the word "paranoid" when something conflicts with
their perception of the world, and they don't know how to phrase it.

Cryptography might not be difficult to apply, but is not without its
own problems *around* it. In my small experience, it requires a lot of
planning: what and why must be encrypted; what passwords will be used
(with many encrypted files) and how to ensure I don't forget those
passwords; how to ensure the encrypted files don't become corrupted
(so that data doesn't become irrecoverable), how do I check that
they're not corrupted, how many times will I check the files, where
and how to make backups (of course, check goes before the backups, but
you have to remember this), and many other small details in a long
decision tree.

Recently I helped a friend to recover data from a broken NTFS
partition - mainly family pictures since many years ago. Had the disk
been encrypted, the chances of recovering anything (by me, at least)
would be close to zero. One has to be able to balance the risk of
leaking information against completely losing it, and it's a big
headache, especially that we don't realize all the factors that come
into play.

Using cryptography to protect secrets is a serious intellectual
effort. Abe (in Gaw) described it as a "chore", and I think I can
understand what he meant by that. If you want others to use
cryptography communicating with you, you want to put the same burden
on their backs. "Paranoid" in this case does not mean "tin-hat"; it
just means that the effort you put into message exchange is not
proportional to its value.

As for the people you mentioned, I don't see exactly which you mean, I
didn't find any egregious carelessness (except that users didn't
understand digital signatures, but that wasn't a big issue either).
Ultimately, it's the organization management's responsibility to
decide to what degree information must be protected. Should cleaners
be required to encrypt their emails? What about the plumbers?
And encrypting often isn't the only (or most important) matter to
think about (WikiLeaks "thank you" email fiasco).

> I really don't want to rain on people's parades. A lot of these ideas
> of "what the problem is" are deeply interesting. But until you actually
> go out into the world and ask real users the question, and observe
> workers in their natural environment, then it's a bunch of discussion
> over how many angels can dance on the head of a pin.

Facts by themselves are not knowledge. We gain insight by discussing
facts. It's important to discuss before a next round of interviews,
because then we can know better what questions to ask, and how to ask.

My experience is generally in agreement with the findings of the
articles. My only addition here is that I try to rationalize certain
behaviour, which is something that the interviewees could not do on
the spot, because they probably acted on instinct rather than
calculated risk. I might be wrong about Jane, but I'm not wrong about
myself, and my writing here is another testimony.

There's no need to go far, this mailing list is a mine of issues
people deal with, of reasons why they do or don't encrypt, and of
their good and bad perceptions. If someone had the time to sort all
those things out, it might result in another great scientific paper.

Best regards,
Stan.

P.S.1. Having an occasion now, I just want to say to you, Robert, a
big and sincere "Thank You!" for your articles on this mailing list.

P.S.2. I mentioned British police once - they still don't wear guns:
http://www.bbc.co.uk/news/magazine-19641398

P.S.3. Thanks to others who responded, and especially to Marco - after
my second writing I got your reply first, and it was very nice and
encouraging.
It's not very important what I have to say, and only slightly topical,
but because you've asked, here goes, but briefly:

Facebook users have often been accused of carelessness about their
privacy, to plain foolishness (by "facebook" I understand any web-page
where users publish themselves, e.g. Wikipedia).

Once I read a discussion on sexting among teenagers; the conclusion
why they do it was that as they grow, they announce this fact to
others, it's in their nature. (Some were harshly punished, but IMO not
by life, but rather by self-righteous adults, who disregarded their
normality.) I think the same applies to grown-ups; I've seen people
publishing uninteresting things about themselves without purpose, I
can't explain it other than by a need to announce one's presence to
the world - it's something in the human nature.

Much "Internet" time has passed, and I haven't seen any privacy
disaster yet. People reveal a lot, but not everything; they make
(sometimes funny) mistakes, but they also learn from those mistakes.
Privacy is not all black-and-white, and we have room to try how much
we can reveal, and when it becomes too much.

I think a lot of good results from people publishing themselves en
masse: we learn about other people, but most importantly *we learn
about ourselves*. This helps _break social taboos_, and bring down
barriers between people. We keep in contact with other people, share
ideas, organize ourselves, we can influence political changes. People
seek other people, it's in their nature. "Foolishness" is part of
human lives; I think what attracts people, is that they can make a
mistake, look foolish, and still maintain dignity, because everyone
else around is equally "foolish". These are extremely important
things, they help us to grow up, and they change our (global) culture.
Ultimately, it may occur that there are not so many things really
private, because essentially we all look the same, and do the same
things.
I think we sometimes overestimate the negatives when people publish
their lives. When one person comes out naked into the street, it's a
sensation. When one thousand become naked, then effectively no one is.
Things that were inappropriate twenty years ago, are not so today.

One concern does remain: the published information remains, and we can
never be sure that it won't be used in future against us in ways yet
unknown to us. Well, life is a risk. We must evaluate what's more
important, creating more good and freedom for ourselves, or avoiding
the risk. I see it as a race who will be there first, ordinary people
establishing a new standard of normality, or the self-righteous - will
they sense change in time and start regulating our lives again?

Last: here on this list we reveal a lot about ourselves, too. If you
ask questions, or help someone with understanding cryptography, you
reveal you know something about it. This information is potentially
more sensitive than what someone ate, or where they were on vacation,
and could be used against you. So calling facebook people foolish on
this list is... well, paradoxical at least.

From rjh at sixdemonbag.org Wed Oct 3 21:45:15 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 03 Oct 2012 15:45:15 -0400
Subject: what is killing PKI?
In-Reply-To: <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv>
 <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net>
 <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net>
 <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net>
 <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net>
 <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com>
 <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com>
 <5039FBFE.80301@gmail.com>
 <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com>
 <503AA5DA.7020303@sixdemonbag.org>
 <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
Message-ID: <506C95CB.3060101@sixdemonbag.org>

> P.S.1. Having an occasion now, I just want to say to you, Robert, a
> big and sincere "Thank You!" for your articles on this mailing list.

Uff da meg. "Articles." If my posts have reached that level of
wordcount, then I definitely need to work on making them shorter. :)

> The impulse for writing my first post in this thread was frustration
> about a "technological" treatment that privacy often receives, and
> about a lobby that tries to tell everybody to encrypt everything,

I don't doubt the existence of this part of the community, but I don't
share in their views. In fact, I think those views are genuinely
harmful to the advance of privacy and confidentiality.

My position is simple: I want people to understand the realities of
electronic communication, the risks they're facing, what technologies
and methods exist to mitigate these risks, and the prices of these
technologies and methods.

Few people are responsive to a would-be nanny telling them what they
should be doing. My doctor tells me that my cholesterol is on the high
side and I should rethink my meat intake: I sometimes think about him
as I'm eating a hamburger. Same thing with privacy advocates who tell
people what they should be doing.
I think the best that can be done is to give people information, and
let them draw their own conclusions.

This, unfortunately, means that most of your post is -- it's not
irrelevant or ill-considered or anything else like that. It's just
that we're coming at it from such divergent perspectives there's not
much I can really say about it. My position is simple: provide
information and let people make their own calls. What people should
do, or what we as a community should be advocating, is really not my
lookout.

> For this writing, I have read all the other articles mentioned in
> someone's earlier post.

Thank you -- seriously. As I said above, I think that information and
education is the best thing we can do. That applies to ourselves as
well. :)

> It might sound paradoxical, but openness is what protects us in our
> lives.

I generally agree with you here. If you haven't read David Brin's _The
Transparent Society_, I think perhaps you'd enjoy it: it covers a lot
of these subjects (and many more) in detail. I don't agree with Brin,
but he definitely has ideas worth considering.

Personally, I side more with those who believe that a proper balance
between privacy and transparency is what protects us. The problem here
is that my interest in transparency may conflict with your interest in
privacy -- making it an extraordinarily difficult interaction of
interests to balance. Schneier's _Liars and Outliers_ discusses this
in more detail: again, you might enjoy it.

> Do we really have evidence people can't encrypt?

Although anecdotes are not the same as data:

My first year of teaching I was assigned to a freshman (university
first-years, for those outside the United States) Computer Literacy
course. On the first day of class I asked thirty-five freshmen if
anyone had brought a computer to class. Three hands went up. I then
asked if anyone brought a cell phone to class. Thirty-five hands went
up. I asked one student at random, "So why isn't a cell phone a
computer?"
His answer was, "Because it can only surf the Web. You can't write a
term paper on it or anything like that." When I asked for a show of
hands for who agreed with that statement, probably two-thirds of the
class agreed with it.

In my experience -- which is absolutely *not* the same as
peer-reviewed research, don't mistake me -- most people don't even
know what a computer is, except in a very superficial "it's a box with
a keyboard and a monitor attached" sense. So, yes, given the truly
dismal state of computer literacy today, I think it's reasonable to
conclude most people can't encrypt.

Close to the end of that semester I taught the students about S/MIME
(not OpenPGP -- S/MIME is much better supported by email clients). The
majority were able to get S/MIME certs and install it in their email
clients, but it did take four hours of classroom lecture to get them
to understand what encryption was, what a signature was, and so on.

> Can you imagine a responsible person exchanging sensitive
> information, while not being certain what he does is safe?

Happens all the time. Today I had to give my Social Security Number to
a government agency over the telephone: I had no way of verifying the
person I was talking to really was a government employee. For all I
know he was working with a Chechen organized crime syndicate. But,
after reflecting on the risks, I decided to accept the risk and go on.

So, yeah, I can imagine it quite easily. The problem isn't the lack of
certainty that what we're doing is safe: the problem is the incorrect
certainty that we are safe, that what we're doing can never come back
to bite us.

> As I said, for me to be able to use encryption means more than
> knowing which buttons to click.

Sure, but in their defense, they weren't interested in seeing which
users were capable of walking on their own -- they were interested in
seeing which users were capable of standing on their own.
Have to learn to stand before we learn to walk, learn to walk before
we learn to run, and all that.

From expires2012 at rocketmail.com Wed Oct 3 23:45:00 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Wed, 3 Oct 2012 22:45:00 +0100
Subject: what is killing PKI?
In-Reply-To: <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv>
 <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net>
 <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net>
 <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net>
 <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net>
 <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com>
 <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com>
 <5039FBFE.80301@gmail.com>
 <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com>
 <503AA5DA.7020303@sixdemonbag.org>
 <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
Message-ID: <81366192.20121003224500@my_localhost>

Hi

On Wednesday 3 October 2012 at 8:19:13 PM, in , Stan Tobias wrote:

> Using cryptography to protect secrets is a serious
> intellectual effort. Abe (in Gaw) described it as a
> "chore", and I think I can understand what he meant by
> that. If you want others to use cryptography
> communicating with you, you want to put the same burden
> on their backs. "Paranoid" in this case does not mean
> "tin-hat"; it just means that the effort you put into
> message exchange is not proportional to its value.

Routinely encrypting *all* communications would transform the "chore"
into an habitual routine that requires little-to-no intellectual
effort in respect of each individual message sent or file stored. The
value of the encryption would then greatly exceed the effort. In a
surprisingly short time, the "burden" of which you speak would become
barely noticeable.

--
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Dreams come true on this side of the Rainbow too!

From wk at gnupg.org Thu Oct 4 11:32:02 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 04 Oct 2012 11:32:02 +0200
Subject: what is killing PKI?
In-Reply-To: <81366192.20121003224500@my_localhost> (MFPA's message of "Wed, 3 Oct 2012 22:45:00 +0100")
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv>
 <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net>
 <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net>
 <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net>
 <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net>
 <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com>
 <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com>
 <5039FBFE.80301@gmail.com>
 <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com>
 <503AA5DA.7020303@sixdemonbag.org>
 <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
 <81366192.20121003224500@my_localhost>
Message-ID: <87sj9uwpkd.fsf@vigenere.g10code.de>

On Wed, 3 Oct 2012 23:45, expires2012 at rocketmail.com said:

> Routinely encrypting *all* communications would transform the "chore"
> into an habitual routine that requires little-to-no intellectual
> effort in respect of each individual message sent or file stored. The
> value of the encryption would then greatly exceed the effort.

Modulo the problems of searching, spam, backup and to some extent the
potential loss of the private key.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From nosuchclient at gmail.com Thu Oct 4 12:27:27 2012
From: nosuchclient at gmail.com (No such Client)
Date: Thu, 04 Oct 2012 12:27:27 +0200
Subject: what is killing PKI?
In-Reply-To: <87sj9uwpkd.fsf@vigenere.g10code.de>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv>
 <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net>
 <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net>
 <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net>
 <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net>
 <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com>
 <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com>
 <5039FBFE.80301@gmail.com>
 <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com>
 <503AA5DA.7020303@sixdemonbag.org>
 <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
 <81366192.20121003224500@my_localhost>
 <87sj9uwpkd.fsf@vigenere.g10code.de>
Message-ID: <506D648F.6040403@gmail.com>

On Wed, 3 Oct 2012 23:45, expires2012 at rocketmail.com said:
>
>> > Routinely encrypting *all* communications would transform the "chore"
>> > into an habitual routine that requires little-to-no intellectual
>> > effort in respect of each individual message sent or file stored. The
>> > value of the encryption would then greatly exceed the effort.
>>

You can encrypt all of your comms and most of your traffic, however..
if the other side isn't on the same page, intellectually
(understanding why it is employed, what it protects against (and what
it doesn't), what the risks are) as well as technically (signatures,
encryption, decryption, public keys, private keys, etc) then you will
be sending weird garbled messages, either signed or encrypted, whether
it is inline and signed (and they can make out parts of the message),
or.. you choose to encrypt it to them, and they see a weird garbled
message, (I wager that very few would go to the length to learn about
PKI and then gpg just to decrypt your msg without a compelling
curiosity/self-interest.)

Furthermore, on my iphone, gpg is not exactly supported.
Sure, there are other apps that let me encrypt to a public key, and a few allow one to load a private key, but they are not gnupg (and so I personally don't trust those apps). Encrypting *all* traffic is thus infeasible in the manner that you speak, unless you want to carry a system with you (or a flashdrive with a private key on there, assuming you can trust it).. Either way.

Or, if you were in contact with someone who you usually encrypt traffic to, but they were on an untrusted computer, or on their phone, would you lower your "standard" and send it in the plaintext for them? Or maintain your standard, and send them something that you know that they cannot access until later?

Just a few questions to toss your way, MFPA. I recall Mr. Tobias mentioning something about an "encrypt-everything lobby" which your words put you firmly in. :-)

From mwood at IUPUI.Edu Thu Oct 4 16:59:16 2012
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Thu, 4 Oct 2012 10:59:16 -0400
Subject: what is killing PKI?
In-Reply-To: <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com>
Message-ID: <20121004145916.GB23933@IUPUI.Edu>

On Wed, Oct 03, 2012 at 09:19:13PM +0200, Stan Tobias wrote:
[snip]
> Do we really have evidence people can't encrypt? For me the "johnny"
> articles were not quite clear about it (they seemed to investigate
> a different aspect). I don't believe people are stupid.
> They can learn to use cryptography, just as they have learned many
> other things in their lives.

I have anecdotal evidence that people *think* they can't. Just this week, my wife asked me how to change the passphrase on her PGP private key. Now, I would have expected this to be an easy, very visible operation, and been thunderstruck if I should find it were not, but whatever. So I followed her to the computer and just sat there making encouraging murmurs while she easily navigated Enigmail to the dialog and did it. If she had expected the software to be usable, she wouldn't have needed me at all, because it is.

This isn't confined to crypto software. A great many people have acquired considerable skill with computers but little confidence therein. There seems to be a lingering expectation that you need a team of experts to handle the unfamiliar. Lots of people don't realize that the experts have been and gone, that the result of good engineering is that the engineer can go home and let you use the machine without his oversight.

[snip]
> Can you imagine a responsible person exchanging sensitive information,
> while not being certain what he does is safe?

Oh, yes. We have no choice. See any number of articles about thieves copying out tens of thousands of *plaintext* passwords from some e-tailer's systems, or boxes of *unencrypted* backup tapes lost. Those businesses still have customers. I think that one hope of the encrypt-by-default camp is that, when enough people see encryption as normal, these execrable blunders won't happen anymore. Another anecdotal data point: I am still flabbergasted to hear that people design their systems that way -- to me, it's just *not normal*.

Or look at the dozen messages I get every day purporting to be from some bank or ISP, telling me that I must send them my password right away or Bad Things will happen. Someone must actually respond to these, or the bad guys wouldn't keep at it.
Probably responsible people, but they don't know *how* to behave responsibly in this context. I wish our trading partners would crypto-sign all of their emails, so that it could be simple for people to spot scams, and those scams at least would lose value and disappear.

> It's a matter of personal
> integrity, it's not enough to tell a user "click here and there, and
> you're fine"; we have to first convince ourselves what we do is right.
> The upshot is that you cannot make cryptography easier for users, they
> will have to study and understand it themselves anyway.

This much I agree with. But I wonder why they don't. We don't have to understand how locks are made, but we do have to understand how to use them. And the vast majority of Joe Average Citizens do.

Billions of people have learned to use banks and checkbooks at least somewhat securely. I think one difference here is that one is taught from an early age and *expected* to learn their proper use. Another is that financial institutions are in the business (when they can remember it) of keeping things safe, and won't interact with you unless you follow procedures designed to promote that safety. Few find this unreasonable.

Heh, of course I want people to make good practical use of crypto. Not doing so is costing me time and money. It's costing them, too, because I will dump my cart and walk away from an e-store if I think their processes are too loose -- and I won't be back. Ceteris paribus, I would choose a medical practice which has good secure and convenient IRM over one that doesn't, and I'm learning how to find that out. I will write and mail a paper check if I don't trust the look of your online payment system.

I'm not a security expert, but somehow I realized that I need security in the virtual world as in the physical world and I had better understand how to get it. If more people would cross that bridge, I wouldn't have to work so hard, because more of the burden would be shared.

--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Who also thinks locks are interesting. I'm weird -- so what?

From rjh at sixdemonbag.org Thu Oct 4 17:22:00 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 04 Oct 2012 11:22:00 -0400
Subject: what is killing PKI?
In-Reply-To: <20121004145916.GB23933@IUPUI.Edu>
Message-ID: <506DA998.9020705@sixdemonbag.org>

On 10/4/12 10:59 AM, Mark H. Wood wrote:
> Billions of people have learned to use banks and checkbooks at
> least somewhat securely. I think one difference here is that one
> is taught from an early age and *expected* to learn their proper
> use.

I have made this analogy before, but --

Imagine there is a new technology. Call it "Grumpelfnord." Grumpelfnord technology lets you talk to the dead and with people who are in far-away places. Those people who understand grumpelfnord are seen as possessing almost magical powers. The world can be divided into two categories: the ones who know grumpelfnord, and the ones who don't. Grumpelfnord is tightly correlated with economic prosperity, health, and life happiness.

The bad news is that learning grumpelfnord requires upwards of ten years of intensive, continuous training by subject matter experts specializing in grumpelfnord.
Everyone agrees that mastery of grumpelfnord is absolutely essential to our modern society and economy, but people tend to view it as broccoli: sure, other people should learn and practice grumpelfnord, but each individual person says they can get by without it.

You can easily substitute "security awareness" for grumpelfnord. All you have to do is change what the technology lets you do -- the rest of the paragraph stands as-is. Everyone knows security awareness is essential, but everyone wants somebody else to learn it.

Grumpelfnord technology is real, by the by. It's called literacy. Literacy lets us learn from authors who have been dead for thousands of years, and opens up the world to us via letters, missives and email. Literacy is essential to modern society, and is so important that most Western countries give children ten years or more of constant practice in it (in the form of compulsory schooling). And despite the fact we invest so much in teaching people how to read, in America the average adult American reads under two books per year.

I don't see there being any quick, easy or cheap solutions to the problem of how to get people to be more security-aware. I think things will only change once computer literacy gets taught in the public-school curriculum, and treated with the same seriousness that normal literacy is. And even then, I think that as soon as people leave public schools they will willingly and cheerfully let their computer literacy skills atrophy, just like we tend to let our conventional literacy skills atrophy.

This is, of course, just speculation. I have no basis for believing this beyond my own meandering experience.

Now, if you'll pardon me, there's a copy of Xenophon's _Anabasis_ that I've been neglecting for far, far too long. It's high time I re-read it.
:)

From spam2000 at gmail.com Thu Oct 4 17:38:45 2012
From: spam2000 at gmail.com (spam man)
Date: Thu, 4 Oct 2012 10:38:45 -0500
Subject: Backup...

Hello Ilias,

When you use the "--export-secret-keys" option you will not be prompted for a password. This also scared me the first time I ran the command because I was thinking that my private-key could be exported by any hacker that got on my system. But do not fear, the keys that get exported with this option are in their encrypted form and would require your password to make use of.

On Tue, Oct 2, 2012 at 3:23 AM, Ilias el Matani wrote:

> Hello there,
>
> I would like to know why, there is no 'security' when you making a Backup
> of the keys via the
> GNU Privacy Assistant - Key Manager.
>
> It's possible when you have physical access to the system, to export also
> the private key.
> Why we don't protect this?
>
> --
> Ilias el Matani
> PGP KeyID: 0xc498c1c9

From spam2000 at gmail.com Thu Oct 4 17:51:57 2012
From: spam2000 at gmail.com (spam man)
Date: Thu, 4 Oct 2012 10:51:57 -0500
Subject: collision vs. preimage attacks: policy for signing data created by others
In-Reply-To: <1996301.8XxUV5pr0j@inno>
References: <19020731.ZpegxAa7VX@inno> <1996301.8XxUV5pr0j@inno>

So the question is...

1.) I have two different messages that have the same hash value (a collision).
hash("foo") = abcdefg
hash("bar") = abcdefg

2.) Now you want to append identical new data to the messages and see if the new hashes would still be collisions?
hash("foo and here are some more words") = tuvwxyz
hash("bar and here are some more words") = tuvwxyz

Is this your question?

On Wed, Oct 3, 2012 at 12:07 AM, Hauke Laging wrote:

> On Mon 24.09.2012, 19:06:17, Hauke Laging wrote:
>
> Oh no - I am responding to my own email...
>
> > Given the much bigger difficulty of preimage attacks, would a rule make
> > sense not to sign a document that someone else has created (and thus been
> > given the opportunity for a collision attack)? The solution would be to
> > change the file in a way that does not affect the meaning (e.g. an
> > additional space somewhere) and can easily be detected to match this
> > condition.
>
> But I happened to find an answer to my question. In a seven and a half
> years old article about a collision attack against SHA-1. It's in German,
> though:
>
> http://www.heise.de/security/artikel/Keine-Panik-271334.html
>
> ("Grundsätzlich ist es eine gute Idee, vor dem digitalen Signieren eines
> Dokuments immer noch selbst eine kosmetische Änderung vorzunehmen.")
>
> It says: It does in general make sense to make a small change (that does
> not change the meaning) to a file before signing.
>
>
> I have another question about hashes:
> Given two different files that have the same hash value. If some data is
> appended (or prepended) to both files do the resulting files still have the
> same hash value?
>
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From hka at qbs.com.pl Thu Oct 4 22:09:27 2012
From: hka at qbs.com.pl (Hubert Kario)
Date: Thu, 04 Oct 2012 22:09:27 +0200
Subject: collision vs. preimage attacks: policy for signing data created by others
References: <19020731.ZpegxAa7VX@inno> <1996301.8XxUV5pr0j@inno>
Message-ID: <1814547.CMrXuir56S@bursa22>

On Thursday 04 of October 2012 10:51:57 spam man wrote:
> So the question is...
>
> 1.) I have two different messages that have the same hash value (a
> collision).
> hash("foo") = abcdefg
> hash("bar") = abcdefg
>
> 2.) Now you want to append identical new data to the messages and see if
> the new hashes would still be collisions?
> hash("foo and here are some more words") = tuvwxyz
> hash("bar and here are some more words") = tuvwxyz
>
> Is this your question?

Won't the answer to that depend on the hash in question?

The hash output depends on internal state of the hash function. If the output depends on all bits of internal state then yes, appending new data should give the same output. If the output depends only on some bits of internal state (we have 512 bits of internal state and the output is only 256bit) then appending new data may or may not give the same output. If the collision was found randomly I'd say the latter has more chance of happening.

Or am I missing something?

Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl

From expires2012 at rocketmail.com Fri Oct 5 01:05:37 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Fri, 5 Oct 2012 00:05:37 +0100
Subject: what is killing PKI?
In-Reply-To: <87sj9uwpkd.fsf@vigenere.g10code.de>
Message-ID: <05261768.20121005000537@my_localhost>

Hi

On Thursday 4 October 2012 at 10:32:02 AM, in , Werner Koch wrote:

> Modulo the problems of searching,

Searching is not an insurmountable problem: some email clients (including The Bat!) manage to search in encrypted messages - but you have to have the passphrase cached at the time (and can only cache one password).

> spam,

How is spam any more of a problem in a scenario where all messages are encrypted?

> backup

Creating or restoring?

> and to
> some extent the potential loss of the private key.

Some will lose (access to) data through carelessness and/or misfortune. Two choices: multiple secure backups of the private key stored in different locations, or don't bother encrypting. Hmm. Which of the two should we promote?

--
Best regards

MFPA mailto:expires2012 at rocketmail.com

This message represents the official view of the voices in my head.

From rjh at sixdemonbag.org Fri Oct 5 01:22:07 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 04 Oct 2012 19:22:07 -0400
Subject: what is killing PKI?
In-Reply-To: <05261768.20121005000537@my_localhost>
Message-ID: <506E1A1F.9000903@sixdemonbag.org>

On 10/4/2012 7:05 PM, MFPA wrote:
> Searching is not an insurmountable problem

Problems do not have to be insurmountable to have serious effects on regular users.

John Clizbe maintains a 10Mb archive of every message that's ever been posted to the Enigmail mailing list. This comprises tens of thousands of messages. If each message is encrypted individually, then searching through that archive could easily take on the order of a minute or more. That's simply unacceptable.

There are, of course, ways to mitigate this. As near as I can tell they're all just as bad. For instance, you could say that each time you receive an encrypted message, you could add it to the existing archive with the same key.
Depending on which mode you use, though, this could result in encrypting the 10mb archive for each and every new message that comes in. That's something you really want to avoid. You could try to get around that by using more exotic cipher modes (e.g., consider each message's position in the archive to be an index, and use the index to set a cipher running in Galois-CTR mode or somesuch), but the more complicated the scheme becomes the more fragile it becomes.

> How is spam any more of a problem in a scenario where all messages are
> encrypted?

It becomes completely impossible to do enterprise-level spam filtering. If I send you email in plaintext, your ISP can check that email against its spam detection engine and, if my message gets flagged as spam, it can be automatically redirected to a spam folder. If I send you email in ciphertext, your ISP can't do that.

Now, you might say that this is exactly the behavior you want. If so, great. But it's not the behavior that the overwhelming majority of users want -- I can't count the number of people I know who have completely switched to Gmail for their email provider just because of their superb spam filtering. Many of these people are quite computer-literate and they know full well that Google is inspecting the contents of their email to deliver targeted ads -- but that's a tradeoff they're willing to make if it reduces spam.

> Some will lose (access to) data through carelessness and/or
> misfortune. Two choices: multiple secure backups of the private key
> stored in different locations, or don't bother encrypting. Hmm. Which
> of the two should we promote?

Who says we should promote anything? Nobody ever elected me Grand Poobah of the Internet. I don't think anyone ever elected you, either. Instead of telling people what they should do, what's wrong with giving people options and telling them that it's their responsibility to make informed choices?
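
An added example for the "collision vs. preimage attacks" sub-thread in this archive, illustrating the internal-state versus output-size distinction raised there; it is not code from any poster or from GnuPG. The toy Merkle-Damgard hash below (its compression function, 16-byte block, IV and state widths are all constructed for illustration) compares a collision in the internal chaining value with a collision that exists only in a truncated output, for equal-length messages and the same appended suffix.

```python
"""Toy Merkle-Damgard hash: does a collision survive an identical appended suffix?"""
import hashlib
from itertools import count

BLOCK = 16      # block size in bytes (toy value, an assumption of this example)
IV = 0x1234     # fixed initial chaining value (constructed)


def compress(state: int, block: bytes, state_bits: int) -> int:
    """Toy compression function: SHA-256 squeezed down to state_bits bits."""
    digest = hashlib.sha256(state.to_bytes(8, "big") + block).digest()
    return int.from_bytes(digest[:8], "big") % (1 << state_bits)


def chain(data: bytes, state_bits: int, state: int = IV) -> int:
    """Absorb block-aligned data and return the internal chaining value."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK], state_bits)
    return state


def pad(msg: bytes) -> bytes:
    """Length padding: 0x80, zero fill, then the 64-bit message bit length."""
    fill = (BLOCK - 8 - (len(msg) + 1)) % BLOCK
    return msg + b"\x80" + b"\x00" * fill + (8 * len(msg)).to_bytes(8, "big")


def toy_hash(msg: bytes, state_bits: int, out_bits: int) -> int:
    """Digest = top out_bits of the final chaining value (out_bits <= state_bits)."""
    return chain(pad(msg), state_bits) >> (state_bits - out_bits)


def candidates():
    """Constructed inputs: exactly one block each, so all have the same length
    and therefore the same length padding."""
    return (b"%016d" % i for i in count())


def find_internal_collision(state_bits: int):
    """Birthday search for two messages with equal chaining values."""
    seen = {}
    for msg in candidates():
        s = chain(msg, state_bits)
        if s in seen:
            return seen[s], msg
        seen[s] = msg


def find_output_only_collision(state_bits: int, out_bits: int):
    """Two messages with equal truncated digests but different internal state."""
    seen = {}
    for msg in candidates():
        h = toy_hash(msg, state_bits, out_bits)
        if h in seen and chain(seen[h], state_bits) != chain(msg, state_bits):
            return seen[h], msg
        seen.setdefault(h, msg)


def survives(m1: bytes, m2: bytes, suffixes, state_bits: int, out_bits: int) -> int:
    """Count suffixes s for which hash(m1 + s) still equals hash(m2 + s)."""
    return sum(
        toy_hash(m1 + s, state_bits, out_bits) == toy_hash(m2 + s, state_bits, out_bits)
        for s in suffixes
    )


# Constructed suffixes, echoing the wording used in the thread.
SUFFIXES = [b" and here are some more words #%d" % i for i in range(64)]


def demo():
    # Case 1: the digest is the whole 16-bit state and the chaining values collide.
    a1, a2 = find_internal_collision(16)
    full = survives(a1, a2, SUFFIXES, 16, 16)
    # Case 2: 32-bit state truncated to 8 digest bits; internal states differ.
    b1, b2 = find_output_only_collision(32, 8)
    truncated = survives(b1, b2, SUFFIXES, 32, 8)
    return (a1, a2, full), (b1, b2, truncated)


if __name__ == "__main__":
    (a1, a2, full), (b1, b2, truncated) = demo()
    print("internal-state collision:", a1, a2, "survives", full, "of", len(SUFFIXES))
    print("output-only collision:   ", b1, b2, "survives", truncated, "of", len(SUFFIXES))
```

The same reasoning carries over to iterated hashes built this way: once two equal-length inputs reach the same chaining value at a block boundary, everything processed afterwards is identical, which is why changing the document before signing it only helps if the change lands in the part the other party prepared.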

From mailinglisten at hauke-laging.de Fri Oct 5 01:10:23 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 05 Oct 2012 01:10:23 +0200
Subject: collision vs. preimage attacks: policy for signing data created by others
References: <19020731.ZpegxAa7VX@inno> <1996301.8XxUV5pr0j@inno>
Message-ID: <1502655.5jUjOWcFvl@inno>

On Thu 04.10.2012, 10:51:57, spam man wrote:
> So the question is...
>
> 1.) I have two different messages that have the same hash value (a
> collision).
> hash("foo") = abcdefg
> hash("bar") = abcdefg
>
> 2.) Now you want to append identical new data to the messages and see if
> the new hashes would still be collisions?
> hash("foo and here are some more words") = tuvwxyz
> hash("bar and here are some more words") = tuvwxyz
>
> Is this your question?

Yes.

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From mailinglisten at hauke-laging.de Fri Oct 5 01:13:54 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 05 Oct 2012 01:13:54 +0200
Subject: collision vs. preimage attacks: policy for signing data created by others
In-Reply-To: <1814547.CMrXuir56S@bursa22>
References: <19020731.ZpegxAa7VX@inno> <1814547.CMrXuir56S@bursa22>
Message-ID: <1993585.MpPcyAHuvL@inno>

On Thu 04.10.2012, 22:09:27, Hubert Kario wrote:

> won't the answer to that depend on the hash in question?

Probably. So the question could be changed to: For which hashes does the value change and for which not? Limited to the hashes relevant for GnuPG operation.

Is different data with the same hash value publicly available?
In that case I could just try it myself. :-)

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From mailinglisten at hauke-laging.de Fri Oct 5 01:56:44 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 05 Oct 2012 01:56:44 +0200
Subject: what is killing PKI?
In-Reply-To: <506E1A1F.9000903@sixdemonbag.org>
References: <50168344.9090000@dfgh.net> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org>
Message-ID: <2832251.QK6bTnsovl@inno>

On Thu 04.10.2012, 19:22:07, Robert J. Hansen wrote:

> Who says we should promote anything?

That is probably something that everyone has to say for himself: "If I promote XY then probably the (or: my) world gets better." The alternative is something like "I don't care what happens if I don't" like in "I don't care if the WWW gets f*cked up if more people start using IE" years ago.

> Nobody ever elected me Grand Poobah of the Internet.

Sure? 8-)

> Instead of telling people what they should do, what's wrong with giving
> people options and telling them that it's their responsibility to make
> informed choices?

There is not necessarily a contradiction. And the second works only for those (in some cases: the few) who are willing to make an informed choice. I might say even GnuPG combines both: There are many default values (:="What you should do (if you don't know better or don't care).") but the program and the documentation allow to make a (more or less) informed differing choice. Who would say that default values are bad?

The line between "tell what to do" and "inform" can be thin.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From nosuchclient at gmail.com Fri Oct 5 02:40:11 2012
From: nosuchclient at gmail.com (No such Client)
Date: Fri, 05 Oct 2012 02:40:11 +0200
Subject: what is killing PKI?
In-Reply-To: <506E1A1F.9000903@sixdemonbag.org>
Message-ID: <506E2C6B.2040307@gmail.com>

On 10/05/2012 01:22 AM, Robert J. Hansen wrote:
> Who says we should promote anything? Nobody ever elected me Grand
> Poobah of the Internet. I don't think anyone ever elected you, either.
> Instead of telling people what they should do, what's wrong with giving
> people options and telling them that it's their responsibility to make
> informed choices?
>

Well, if Alice uses gpg for everything, with a strict signing/encryption policy, and she meticulously makes sure that fingerprints match, keys are valid, etc.. And her brother/boyfriend/beau/coworker etc., Bob, doesn't.. Bob's "insecurity" (for not using it), some of which gets passed on to her, especially if she has an i-do-not-send-plaintext-policy, and she has/wants to send/receive comms from Bob.
So Bob lowers the quality of her personal security standard, and if Charlie knows "a bit" about gpg, but doesn't see the need, unless it is for "sensitive" applications (to Alice, all comms are sensitive, irrespective of the content; to Charlie, only matters that he feels/defines as "sensitive" should be encrypted) much to the chagrin of Alice, who often tries to tell Charlie about traffic analysis, and how he is making things easier by only encrypting what he wants to hide, not the mundane, the routine, and what he wants to hide. She also clearly has a self-interest in him adopting her higher-standard to increase her security and communications.

Lastly, we have David.. Who knows about encryption, even likes using it.. But.. he "can't be bothered" to encrypt and/or sign his traffic because he says "what's the point? the government can break it anyway (his opinion)", or "I would sign/encrypt, but I'm at work, or I haven't found the time to load gpg on my new home computer", or "not enough people use gpg to make it worthwhile or mean anything".

So people have their options, and they clearly choose to use it. But you are at the mercy of their opinions, options, feelings, and standards. And at the end of the day, it's all about standards. Poor Alice in her crypto-Wonderland. Too bad not many others share her enthusiasm and dedication.

From expires2012 at rocketmail.com Fri Oct 5 03:00:36 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Fri, 5 Oct 2012 02:00:36 +0100
Subject: what is killing PKI?
In-Reply-To: <506E1A1F.9000903@sixdemonbag.org>
Message-ID: <1163858353.20121005020036@my_localhost>

Hi

On Friday 5 October 2012 at 12:22:07 AM, in , Robert J. Hansen wrote:

> Problems do not have to be insurmountable to have
> serious effects on regular users.

Fair enough. To me, a problem that is "surmounted" by an effective solution or work-around ceases to be a problem.

> John Clizbe maintains a 10Mb archive of every message
> that's ever been posted to the Enigmail mailing list.
> This comprises tens of thousands of messages. If each
> message is encrypted individually, then searching
> through that archive could easily take on the order of
> a minute or more. That's simply unacceptable.

I guess it depends what speeds you are used to. I expect about three minutes to search around 65,000 messages (including around 3000 encrypted) at home using The Bat!, and a little longer at work to search through 2000-3000 unencrypted messages using Outlook.

> It becomes completely impossible to do enterprise-level
> spam filtering.
> If I send you email in plaintext, your
> ISP can check that email against its spam detection
> engine and, if my message gets flagged as spam, it can
> be automatically redirected to a spam folder. If I
> send you email in ciphertext, your ISP can't do that.

Brilliant! Makes it harder for the service provider who is trying to censor your mail. Although, the headers are still plaintext...

> Now, you might say that this is exactly the behavior
> you want. If so, great.

Yes!

> But it's not the behavior
> that the overwhelming majority of users want -- I can't
> count the number of people I know who have completely
> switched to Gmail for their email provider just because
> of their superb spam filtering. Many of these people
> are quite computer-literate and they know full well
> that Google is inspecting the contents of their email
> to deliver targeted ads -- but that's a tradeoff
> they're willing to make if it reduces spam.

Most of the spam I receive is pretty obvious from subject line alone. Google's spam filtering would still have all the headers to work off.

Anyway, I would anticipate spam volumes to be lower if all messages were encrypted. Would the spammers invest the cpu cycles to encrypt their messages to each and every recipient? Unless they did it in fairly small batches, the size of the ciphertext block would be another spam indicator as they soon grow very large (look at the size of the messages on PGPNET encrypted to about 40 keys). If they didn't encrypt at all, their messages would stick out like sore thumbs because everything else was encrypted. And encrypting the messages but sending to lots of people who were not included in the encryption would be completely pointless, since those who can't decrypt it can't reply or click on links.

> Who says we should promote anything?

I can't say whether or not we should, but most of us spend our lives promoting things.

> Nobody ever
> elected me Grand Poobah of the Internet.
I don't think > anyone ever elected you, either. At times I recommend things like restaurants, films, holiday destinations, pubs, books, nightclubs, bands. Nobody elected me for that either > Instead of telling > people what they should do, what's wrong with giving > people options and telling them that it's their > responsibility to make informed choices? And what's wrong with having safe and sane defaults for those who choose not to make their own informed choices? - -- Best regards MFPA mailto:expires2012 at rocketmail.com Don't cry because it is over - smile because it happened -----BEGIN PGP SIGNATURE----- iQCVAwUBUG4xRKipC46tDG5pAQp7zAQAq7gnStlT1yV5wk1WLNnoqMpMQmn2C6Rx UTfRKmV+Yjqg6dRvekU12VUyCegNOEITiMAqzYYZRh1EmzXlPYl/pMtlTrdEwf2c 0qLIUu6RrSyqViVFS1pQxkU3hKDEV7GrJwCVvVTJishJR8oISdSLM2fvhDi8RQZL Ll1jD18QV08= =T2RT -----END PGP SIGNATURE----- From ljrhurley at gmail.com Fri Oct 5 03:12:09 2012 From: ljrhurley at gmail.com (Landon Hurley) Date: Thu, 04 Oct 2012 21:12:09 -0400 Subject: what is killing PKI? In-Reply-To: <506E1A1F.9000903@sixdemonbag.org> References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> Message-ID: <506E33E9.2050008@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/04/2012 07:22 PM, Robert J. 
Hansen wrote: > On 10/4/2012 7:05 PM, MFPA wrote: >> Searching is not an insurmountable problem > > Problems do not have to be insurmountable to have serious effects on > regular users. > > John Clizbe maintains a 10Mb archive of every message that's ever been > posted to the Enigmail mailing list. This comprises tens of thousands > of messages. If each message is encrypted individually, then searching > through that archive could easily take on the order of a minute or more. > That's simply unacceptable. > > There are, of course, ways to mitigate this. As near as I can tell > they're all just as bad. For instance, you could say that each time you > receive an encrypted message, you could add it to the existing archive > with the same key. Depending on which mode you use, though, this could > result in encrypting the 10mb archive for each and every new message > that comes in. That's something you really want to avoid. You could > try to get around that by using more exotic cipher modes (e.g., consider > each message's position in the archive to be an index, and use the index > to set a cipher running in Galois-CTR mode or somesuch), but the more > complicated the scheme becomes the more fragile it becomes. > >> How is spam any more of a problem in a scenario where all messages are >> encrypted? > > It becomes completely impossible to do enterprise-level spam filtering. > If I send you email in plaintext, your ISP can check that email against > its spam detection engine and, if my message gets flagged as spam, it > can be automatically redirected to a spam folder. If I send you email > in ciphertext, your ISP can't do that. Won't the overhead from running gpg or equivalent limit the amount of spam that will occur afterward anyway? The whole reason that spam works and is profitable is in the aggregate of millions of messages. If I introduce a .5 second latency, that undermines the whole economic incentive, because I can no longer send messages quickly enough.
Or am I overestimating the time it takes to run a single message through 1024-bit RSA with SHA1? //landon > > Now, you might say that this is exactly the behavior you want. If so, > great. But it's not the behavior that the overwhelming majority of > users want -- I can't count the number of people I know who have > completely switched to Gmail for their email provider just because of > their superb spam filtering. Many of these people are quite > computer-literate and they know full well that Google is inspecting the > contents of their email to deliver targeted ads -- but that's a tradeoff > they're willing to make if it reduces spam. > >> Some will lose (access to) data through carelessness and/or >> misfortune. Two choices: multiple secure backups of the private key >> stored in different locations, or don't bother encrypting. Hmm. Which >> of the two should we promote? > > Who says we should promote anything? Nobody ever elected me Grand > Poobah of the Internet. I don't think anyone ever elected you, either. > Instead of telling people what they should do, what's wrong with giving > people options and telling them that it's their responsibility to make > informed choices? > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > - -- Violence is the last refuge of the incompetent. 
From rjh at sixdemonbag.org Fri Oct 5 03:12:29 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 04 Oct 2012 21:12:29 -0400 Subject: what is killing PKI?
In-Reply-To: <1163858353.20121005020036@my_localhost> References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> Message-ID: <506E33FD.9070805@sixdemonbag.org> On 10/4/2012 9:00 PM, MFPA wrote: > I guess it depends what speeds you are used to. I expect about three > minutes to search around 65,000 messages (including around 3000 > encrypted) at home using The Bat!, and a little longer at work to > search through 2000-3000 unencrypted messages using Outlook. Yeah, and me, if doing a fulltext search on 100,000 messages takes more than a fraction of a second, something's quite wrong. Responsiveness matters. > Anyway, I would anticipate spam volumes to be lower if all messages > were encrypted. Would the spammers invest the cpu cycles to encrypt > their messages to each and every recipient? Of course they would. They're already running on hijacked systems, using botnets to send out spam: why would they care about using up a lot of somebody else's CPU? They already don't care about using up a lot of somebody else's network connection. > At times I recommend things like restaurants, films, holiday > destinations, pubs, books, nightclubs, bands. Nobody elected me for > that either Yes. Recommendations are all well and good. 
There's a difference between a recommendation and a should, though. If I say, "I really liked this restaurant: they had wonderful seafood," that's different from saying, "You should go to this restaurant: they have wonderful seafood." The first is a statement about how you interact with the world. The second is rather rude if you say it to someone who's allergic to shellfish, or someone who for religious or dietary reasons must abstain from seafood, or... etc. > And what's wrong with having safe and sane defaults for those who > choose not to make their own informed choices? This is a meaningless question, because it presumes there's a single objective standard for what is "safe and sane." There isn't: all security decisions are context-sensitive. From rjh at sixdemonbag.org Fri Oct 5 03:17:44 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 04 Oct 2012 21:17:44 -0400 Subject: what is killing PKI? In-Reply-To: <506E33E9.2050008@gmail.com> References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> <506E33E9.2050008@gmail.com> Message-ID: <506E3538.20207@sixdemonbag.org> On 10/4/2012 9:12 PM, Landon Hurley wrote: > Won't the overhead from running gpg or equivalent limit the amount of > spam that will occur afterward anyway? 
The whole reason that spam works > and is profitable is in the aggregate of millions of messages. If I > introduce a .5 second latency, that undermines the whole economic > incentive, because I can no longer send messages quickly enough. Or am I > overestimating the time it takes to run a single message through > 1024-bit RSA with SHA1? The task is parallelizable, and botnets are large. From mailinglisten at hauke-laging.de Fri Oct 5 03:55:24 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Fri, 05 Oct 2012 03:55:24 +0200 Subject: spam and crypto (was: Re: what is killing PKI?) In-Reply-To: <1163858353.20121005020036@my_localhost> References: <50168344.9090000@dfgh.net> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> Message-ID: <1922821.tsMbWQbWIV@inno> On Fri 05.10.2012, 02:00:36, MFPA wrote: > Anyway, I would anticipate spam volumes to be lower if all messages > were encrypted. Would the spammers invest the cpu cycles to encrypt > their messages to each and every recipient? They don't have to. They don't even have others to spend this CPU time. The point is that a spammer would not encrypt to protect the contained information but because he is required to adhere to the format rules of encrypted messages in order to get his mails read. So the CPU efficient spammer 1) encrypts all messages with the same session key. This forces him to send identical messages but that is hardly a problem. This frees the spammer from doing the symmetric encryption of the message but still causes that CPU load of asymmetrically encrypting the session key to each of the recipient keys. 2) stores the "encrypted session key" packet for each recipient so he can send other spam messages without per-recipient CPU consumption 3) if we try to detect spam by detecting reused session keys (by e.g.
storing the hashes of all session keys) then the spammer can still save a lot of CPU power by not using the same but just similar session keys, differing just in the last byte. If I understand asymmetric encryption correctly then most of the encryption effort could be shared then between the keys. The spammer would have to transmit the encrypted session key block along with the recipient email address. That is a multiple of the data amount of just the addresses but still not much. And if we go even further and check not just for equal but for similar session keys then the spammer still has the possibility to better use his resources by preparing session keys and encrypted session keys packets for future. IMHO the solution of spam is not encryption but signatures. The better solutions are not even crypto related. If the US and EU governments started treating foreign spammers the same way like "terrorists" we would soon see no more spam. A less violent option is the creation of a second email infrastructure. Make (by law) certain addresses (subdomains) accessible only by ISPs who fight spam (e.g. have to pay for spam from them). Then anyone can decide whether and how many email accounts he wants to have in the "Do what you like, get what you don't like" and the clean mail nets. Done (with small effort). Hauke -- ? PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From hka at qbs.com.pl Fri Oct 5 10:28:42 2012 From: hka at qbs.com.pl (Hubert Kario) Date: Fri, 05 Oct 2012 10:28:42 +0200 Subject: collision vs.
preimage attacks: policy for signing data created by others In-Reply-To: <1993585.MpPcyAHuvL@inno> References: <19020731.ZpegxAa7VX@inno> <1814547.CMrXuir56S@bursa22> <1993585.MpPcyAHuvL@inno> Message-ID: <3374548.FlELLblC7e@bursa22> On Friday 05 of October 2012 01:13:54 Hauke Laging wrote: > On Thu 04.10.2012, 22:09:27, Hubert Kario wrote: > > won't the answer to that depend on the hash in question? > > Probably. So the question could be changed to: For which hashes does the > value change and for which not? Limited to the hashes relevant for GnuPG > operation. > > Is different data with the same hash value publicly available? In that > case I could just try it myself. :-) the only collisions I saw were for MD5 and SHA-0. I don't think there are any collisions for SHA-1 published -- Hubert Kario QBS - Quality Business Software 02-656 Warszawa, ul. Ksawerów 30/85 tel. +48 (22) 646-61-51, 646-74-24 www.qbs.com.pl From rjh at sixdemonbag.org Fri Oct 5 11:59:15 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 05 Oct 2012 05:59:15 -0400 Subject: collision vs. preimage attacks: policy for signing data created by others In-Reply-To: <3374548.FlELLblC7e@bursa22> References: <19020731.ZpegxAa7VX@inno> <1814547.CMrXuir56S@bursa22> <1993585.MpPcyAHuvL@inno> <3374548.FlELLblC7e@bursa22> Message-ID: <506EAF73.6090403@sixdemonbag.org> On 10/5/2012 4:28 AM, Hubert Kario wrote: > I don't think there are any collisions for SHA-1 published The first SHA-1 collisions were published in 2005, somewhere in there. A team at Shandong University discovered them. From zjf_sy at shangmail.com Sat Oct 6 02:18:20 2012 From: zjf_sy at shangmail.com (zjf_sy) Date: Sat, 6 Oct 2012 08:18:20 +0800 (CST) Subject: Install Gnupg-2.0.19 errors Message-ID: <196735469.36579.1349482700187.JavaMail.saas@B-tunnel-2> dear sir: I need your help.
my computer system is centos6.2(Linux version 2.6.32-220.el6.i686 (mockbuild at c6b18n3.bsys.dev.centos.org) (gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC) )) . I have installed libgpg-error-1.9 , libgcrypt-1.5.0 , libksba-1.2.0 , libassuan-2.0.3 , the next i want to install gnupg-2.0.19 on my computer , the "./configure" is ok ,but when "make" there are some error . -------------------------------------------- *armor.c : In function ' armor_filter' :* *armor.c : 1187 : warning :'radbuf' may be used uninitialized in this function .* *../../g10/gpg2: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory .* *make[3]: [secring.gpg] Error 127* *make[3]: Leaving directory `/root/gnupg-2.0.19/gnupg-2.0.19/tests/openpgp'* *make[2]: [all-recursive] Error 1* *make[2]: Leaving directory `/root/gnupg-2.0.19/gnupg-2.0.19/tests'* *make[1]: [all-recursive] Error 1* *make[1]: Leaving directory `/root/gnupg-2.0.19/gnupg-2.0.19'* *make : [all] Error 2* --------------------------------------------- but when i use "whereis libassuan.so.0" ,it said that: *libassuan.so: /usr/local/lib/libassuan.so /usr/local/lib/libassuan.so.0* can you help me ? thank you verymuch ! a chinese boy 2012.10.6 --------------------------------------------------- Sent from ShangMail:Travel with free pushmail www.shangmail.com
From benjamin at py-soft.co.uk Sat Oct 6 14:35:24 2012 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 6 Oct 2012 13:35:24 +0100 Subject: Install Gnupg-2.0.19 errors In-Reply-To: <196735469.36579.1349482700187.JavaMail.saas@B-tunnel-2> References: <196735469.36579.1349482700187.JavaMail.saas@B-tunnel-2> Message-ID: On 6 October 2012 01:18, zjf_sy wrote: > *../../g10/gpg2: error while loading shared libraries: libassuan.so.0: > cannot open shared object file: No such file or directory .* > [...] > *libassuan.so: /usr/local/lib/libassuan.so /usr/local/lib/libassuan.so.0* > You need to tell the OS where to find these libraries. For a quick fix, add /usr/local/lib/ to /etc/ld.so.conf, run ldconfig -v and try again.
Ben -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2012 at rocketmail.com Sat Oct 6 15:44:32 2012 From: expires2012 at rocketmail.com (MFPA) Date: Sat, 6 Oct 2012 14:44:32 +0100 Subject: what is killing PKI? In-Reply-To: <506E33FD.9070805@sixdemonbag.org> References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> <506E33FD.9070805@sixdemonbag.org> Message-ID: <1846405108.20121006144432@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 5 October 2012 at 2:12:29 AM, in , Robert J. Hansen wrote: > They're already running on > hijacked systems, using botnets to send out spam: why > would they care about using up a lot of somebody else's > CPU? A good point well made. > Yes. Recommendations are all well and good. There's a > difference between a recommendation and a should, > though. If I say, "I really liked this restaurant: > they had wonderful seafood," that's different from > saying, "You should go to this restaurant: they have > wonderful seafood." The first is a statement about how > you interact with the world. The second is rather rude > if you say it to someone who's allergic to shellfish, > or someone who for religious or dietary reasons must > abstain from seafood, or... etc. 
I take your point, if you look at the strict grammatical meaning of the two versions. However, I have always heard the second form used much more than the first, and in my experience people generally do not appear to perceive it as rude. Rather, it seems to be accepted as a vernacular shorthand for "You should go to this restaurant: they have wonderful seafood which I really liked, and feel that you might also like if you are into seafood." > This is a meaningless question, because it presumes > there's a single objective standard for what is "safe > and sane." I disagree. I would say it presumes that the person/people releasing the software are capable of forming an opinion as to what they consider to be "safe and sane." - -- Best regards MFPA mailto:expires2012 at rocketmail.com The best way to destroy your enemy is to make him your friend. -----BEGIN PGP SIGNATURE----- iQCVAwUBUHA116ipC46tDG5pAQoeAwQAkP1Y2Og4FtDa6LxVqQbpfP7wYrs9EZxf ZCt0lf0g9v52V3fSewazb3vOgNZTJ0N5i3tpK02nXBlHevtcgUNeaqppMUJ907y/ tU9mtDp06ri7Sb/6doeoZt52lE+lBWza4Fv7+5UDgBF8+kkbJ7Pf2qgzDYg3aDiC xEvTHjCztaU= =t0id -----END PGP SIGNATURE----- From melvincarvalho at gmail.com Sat Oct 6 15:53:25 2012 From: melvincarvalho at gmail.com (Melvin Carvalho) Date: Sat, 6 Oct 2012 15:53:25 +0200 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair Message-ID: Is it possible to construct a GPG 'Certificate' from an existing RSA key pair? I've got some 2048 RSA keys I'd like to reuse, is there any way I can use them to make everything I need for GPG? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mailinglisten at hauke-laging.de Sat Oct 6 16:15:21 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sat, 06 Oct 2012 16:15:21 +0200 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair In-Reply-To: References: Message-ID: <1665317.muuGgYQDgn@inno> On Sat 06.10.2012, 15:53:25, Melvin Carvalho wrote: > Is it possible to construct a GPG 'Certificate' from an existing RSA key > pair? > > I've got some 2048 RSA keys I'd like to reuse, is there any way I can use > them to make everything I need for GPG? How do you have these key pairs? Are they part of a GnuPG keyring? What is missing? Hauke -- ? PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From melvincarvalho at gmail.com Sat Oct 6 16:22:20 2012 From: melvincarvalho at gmail.com (Melvin Carvalho) Date: Sat, 6 Oct 2012 16:22:20 +0200 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair In-Reply-To: <1665317.muuGgYQDgn@inno> References: <1665317.muuGgYQDgn@inno> Message-ID: On 6 October 2012 16:15, Hauke Laging wrote: > On Sat 06.10.2012, 15:53:25, Melvin Carvalho wrote: > > Is it possible to construct a GPG 'Certificate' from an existing RSA key > > pair? > > > > I've got some 2048 RSA keys I'd like to reuse, is there any way I can use > > them to make everything I need for GPG? > > How do you have these key pairs? Are they part of a GnuPG keyring? What is > missing?
> Long story but I have them in various forms - as an exponent / modulus - as PEM - as DER - as .p12 - as id_rsa (ssh) I originally extracted the key pair from my GPG key->.p12 using some java code below: https://gist.github.com/1505613 If there's any way it's theoretically possible to try and do the reverse and reconstruct some of the GPG from the .p12 I'd be very grateful to know. > > > Hauke > -- > ? > PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kristian.fiskerstrand at sumptuouscapital.com Sat Oct 6 17:48:56 2012 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sat, 06 Oct 2012 17:48:56 +0200 Subject: SRV records and HKPS requests Message-ID: <507052E8.7040807@sumptuouscapital.com> Hi, In relation to setting up a HKPS pool for sks-keyservers.net[0] I've encountered a scenario where some input would be appreciated. In the process of trying to figure out a mechanism to not have to disable certificate checking when using the pool (I quite like DKG's approach in [1]) I set up nginx (which was a reverse proxy to my SKS server for hkp requests already) to respond to SSL requests on port 11375. Port 443 on this server is already used by Apache. Normally I'd be able to set up Apache with a ProxyPassReverse to use this as a shared resource, but since migrating to mod_gnutls rather than mod_ssl , this configuration directive seems somewhat non-trivial[2] (and since i'm not using mod_proxy for anything else, debugging it isn't that much of a priority), so for the purposes of this discussion, using port 443 for this service is out of the question. As 11375 is a non-default port I set up a SRV record as shown in #Snippet 1# below. When trying to send a key request as shown in #Snippet 2# below, however, a connection to port 443 is attempted. Am I using the wrong SRV records for HKPS? 
When first introducing SRV records in the pool, this was the one being pointed out[3]. Some background information on this particular pool: My crawler is now trying to detect HKPS enabled servers by looking for this SRV record, and if no such SRV record is found, attempting to connect and locate a SKS stats page on port 443. Servers available on 443 are then included as A, AAAA and SRV records, while other SSL-enabled servers are only represented as SRV records, as shown in #Snippet 3# ## Snippet 1: ## kristianf at kristianf-precision-m4600:~$ dig +short srv _pgpkey-https._tcp.keys.kfwebs.net any 10 10 11375 keys.kfwebs.net. ## Snippet 2: ## kristianf at kristianf-precision-m4600:~$ gpg2 --keyserver-options no-check-cert,debug,verbose --keyserver hkps://keys.kfwebs.net --recv-key 0x0B7F8B60E3EDFAE3 gpg: requesting key 0B7F8B60E3EDFAE3 from hkps server keys.kfwebs.net gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 * About to connect() to keys.kfwebs.net port 443 (#0) * Trying 2001:16d8:ee30::4... * connected * server certificate verification SKIPPED * compression: NULL * cipher: AES-128-CBC * MAC: SHA1 > GET /pks/lookup?op=get&options=mr&search=0x0B7F8B60E3EDFAE3 HTTP/1.1 Host: keys.kfwebs.net Accept: */* Pragma: no-cache Cache-Control: no-cache ## Snippet 3: ## kristianf at kristianf-precision-m4600:~$ dig +short srv _pgpkey-https._tcp.hkps.pool.sks-keyservers.net 100 100 443 zimmerman.mayfirst.org. 100 100 11375 keys.kfwebs.net. 100 100 443 gpg.spline.inf.fu-berlin.de. 100 100 443 sks.spodhuis.org. 100 100 443 keyserver.cns.vt.edu. 100 100 443 keyserver.oeg.com.au. 100 100 443 keyserver.stack.nl. 
########################### [0] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00000.html [1] http://lists.nongnu.org/archive/html/sks-devel/2012-10/msg00002.html [2] http://apache-http-server.18135.n6.nabble.com/mod-gnutls-and-mod-proxy-TLS-termination-td4831028.html [3] http://lists.gnu.org/archive/html/sks-devel/2010-04/msg00016.html -- ---------------------------- Kristian Fiskerstrand http://www.sumptuouscapital.com Twitter: @krifisk ---------------------------- "In politics stupidity is not a handicap." (Napoleon Bonaparte) ---------------------------- This email was digitally signed using the OpenPGP standard. If you want to read more about this The book: Sending Emails - The Safe Way: An introduction to OpenPGP security is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/ ---------------------------- Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From hka at qbs.com.pl Sat Oct 6 17:52:46 2012 From: hka at qbs.com.pl (Hubert Kario) Date: Sat, 06 Oct 2012 17:52:46 +0200 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair In-Reply-To: References: <1665317.muuGgYQDgn@inno> Message-ID: <5329161.gFT4VZi71A@bursa22> On Saturday 06 of October 2012 16:22:20 Melvin Carvalho wrote: > On 6 October 2012 16:15, Hauke Laging wrote: > > On Sat 06.10.2012, 15:53:25, Melvin Carvalho wrote: > > > Is it possible to construct a GPG 'Certificate' from an existing RSA > > > key > > > pair? > > > > > > I've got some 2048 RSA keys I'd like to reuse, is there any way I can > > > use > > > them to make everything I need for GPG? > > > > How do you have these key pairs? Are they part of a GnuPG keyring? What > > is missing?
> > Long story but I have them in various forms > > - as an exponent / modulus > - as PEM > - as DER > - as .p12 > - as id_rsa (ssh) > > I originally extracted the key pair from my GPG key->.p12 using some java > code below: > > https://gist.github.com/1505613 > > If there's any way it's theoretically possible to try and do the reverse > and reconstruct some of the GPG from the .p12 I'd be very grateful to > know. There is some support for PGP in Bouncy Castle, so if it is possible you should look at their API. Regards, -- Hubert Kario QBS - Quality Business Software 02-656 Warszawa, ul. Ksawerów 30/85 tel. +48 (22) 646-61-51, 646-74-24 www.qbs.com.pl From dkg at fifthhorseman.net Sat Oct 6 18:34:23 2012 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 06 Oct 2012 12:34:23 -0400 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair In-Reply-To: References: Message-ID: <50705D8F.8070809@fifthhorseman.net> On 10/06/2012 09:53 AM, Melvin Carvalho wrote: > Is it possible to construct a GPG 'Certificate' from an existing RSA key > pair? > > I've got some 2048 RSA keys I'd like to reuse, is there any way I can use > them to make everything I need for GPG? from the monkeysphere package, you might want to use pem2openpgp. the man page should explain the details. hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 1030 bytes Desc: OpenPGP digital signature URL: From melvincarvalho at gmail.com Sat Oct 6 19:15:36 2012 From: melvincarvalho at gmail.com (Melvin Carvalho) Date: Sat, 6 Oct 2012 19:15:36 +0200 Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair In-Reply-To: <50705D8F.8070809@fifthhorseman.net> References: <50705D8F.8070809@fifthhorseman.net> Message-ID: On 6 October 2012 18:34, Daniel Kahn Gillmor wrote: > On 10/06/2012 09:53 AM, Melvin Carvalho wrote: > > Is it possible to construct a GPG 'Certificate' from an existing RSA key > > pair? > > > > I've got some 2048 RSA keys I'd like to reuse, is there any way I can use > > them to make everything I need for GPG? > > from the monkeysphere package, you might want to use pem2openpgp. the > man page should explain the details. > Sounds awesome, thanks so much for the pointer! > > hth, > > --dkg > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2012 at rocketmail.com Sat Oct 6 20:32:16 2012 From: expires2012 at rocketmail.com (MFPA) Date: Sat, 6 Oct 2012 19:32:16 +0100 Subject: spam and crypto (was: Re: what is killing PKI?) In-Reply-To: <1922821.tsMbWQbWIV@inno> References: <50168344.9090000@dfgh.net> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> <1922821.tsMbWQbWIV@inno> Message-ID: <583436596.20121006193216@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 5 October 2012 at 2:55:24 AM, in , Hauke Laging wrote: > A less violent option is > the creation of a second email infrastructure. Make > (by law) certain addresses (subdomains) accessible only > by ISPs who fight spam (e.g. have to pay for spam from > them). 
> Then anyone can decide whether and how many
> email accounts he wants to have in the "Do what you
> like, get what you don't like" and the clean mail nets.

Fragmentation of email into walled gardens? That would set a dangerous
precedent for the rest of the internet.

> Done (with small effort).

But at the expense of destroying the internet.

- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

When duty calls...hang up immediately

From rjh at sixdemonbag.org Sat Oct 6 23:20:53 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 06 Oct 2012 17:20:53 -0400
Subject: what is killing PKI?
In-Reply-To: <1846405108.20121006144432@my_localhost>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> <506E33FD.9070805@sixdemonbag.org> <1846405108.20121006144432@my_localhost>
Message-ID: <5070A0B5.9020702@sixdemonbag.org>

On 10/6/2012 9:44 AM, MFPA wrote:
> However, I have always heard the second form used much more than the
> first, and in my experience people generally do not
> appear to perceive it as rude. Rather, it seems to be accepted as a
> vernacular shorthand for "You should go to this restaurant: they have
> wonderful seafood which I really liked, and feel that you might also
> like if you are into seafood."

Yes. But there's a difference between saying "the ceviche is awesome,
you should try it" and saying "you really should lose some weight."
When you're telling people to eat their broccoli, nobody wants to hear
the word "should." It's a word best avoided.

>> This is a meaningless question, because it presumes there's a
>> single objective standard for what is "safe and sane."
>
> I disagree. I would say it presumes that the person/people releasing
> the software are capable of forming an opinion as to what they
> consider to be "safe and sane."

Therefore, for this question to be meaningful, you must have doubt as to
whether Werner & Co. are capable of forming an opinion as to what they
consider to be "safe and sane."

Because if there's no doubt, then why ask it at all?

I do not share in your doubts.

From jaimefdez86 at gmail.com Sun Oct 7 02:34:41 2012
From: jaimefdez86 at gmail.com (Jaime Fernández)
Date: Sun, 7 Oct 2012 02:34:41 +0200
Subject: [gnupg-users] Decrypting file encrypted for multiple recipients using a given ID in batch mode
Message-ID:

Hi,

I've some files encrypted to multiple recipients and I want to use gpg
in batch mode like this:

$ gpg --passphrase-fd 0 --batch --d file.gpg

If I type a password gpg will try it with all the possible recipients but
this is not the behaviour that I want, is there any way to force a user?

Thanks for your help.
From mailinglisten at hauke-laging.de Sun Oct 7 02:47:56 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 07 Oct 2012 02:47:56 +0200
Subject: [gnupg-users] Decrypting file encrypted for multiple recipients using a given ID in batch mode
In-Reply-To:
References:
Message-ID: <18240775.tg1n1fZAR4@inno>

On Sun 07.10.2012, 02:34:41 Jaime Fernández wrote:

> $ gpg --passphrase-fd 0 --batch --d file.gpg
>
> If I type a password gpg will try it with all the possible recipients but
> this is not the behaviour that I want, is there any way to force a user?

Is the file encrypted with hidden recipients?

If one private key can decrypt all the files then you have the
possibility to export this private key to another keyring and call gpg
for decryption with this keyring as the only one. See

--keyring
--secret-keyring
--no-default-keyring

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From wk at gnupg.org Sun Oct 7 14:29:11 2012
From: wk at gnupg.org (Werner Koch)
Date: Sun, 07 Oct 2012 14:29:11 +0200
Subject: Is it possible to construct a GPG Certificate from an existing RSA key pair
In-Reply-To: (Melvin Carvalho's message of "Sat, 6 Oct 2012 15:53:25 +0200")
References:
Message-ID: <87obkev52g.fsf@vigenere.g10code.de>

On Sat, 6 Oct 2012 15:53, melvincarvalho at gmail.com said:

> Is it possible to construct a GPG 'Certificate' from an existing RSA key
> pair?

If you want to add it as a subkey, that is easy with GnuPG 2.1 (beta).
You first import your private key using

  gpgsm --import foo.p12

you will be asked for the transport passphrase and then for the new
passphrase. Then do a key listing

  gpgsm --with-keygrip -K

and figure out the right key. You may use a user id etc on the command
line to restrict the listing to that key.
One of the lines shown is the /keygrip/ - copy its value. Now run

  gpg2 --expert --edit YOURGPGKEY

Then use "addkey":

  Please select what kind of key you want:
     (3) DSA (sign only)
     (4) RSA (sign only)
     (5) Elgamal (encrypt only)
     (6) RSA (encrypt only)
     (7) DSA (set your own capabilities)
     (8) RSA (set your own capabilities)
    (10) ECDSA (sign only)
    (11) ECDSA (set your own capabilities)
    (12) ECDH (encrypt only)
    (13) Existing key

Now enter "13" and paste the keygrip you saved above. The new subkey
will be created using the private key you imported into gpgsm. Note
that there are no checks for the key type; thus make sure the key
matches the capabilities you want for your subkey. The next prompt
allows you to set these capabilities.

Take care, that is an expert option for a reason.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From sks-devel-phil at spodhuis.org Sun Oct 7 04:20:39 2012
From: sks-devel-phil at spodhuis.org (Phil Pennock)
Date: Sat, 6 Oct 2012 22:20:39 -0400
Subject: [Sks-devel] SRV records and HKPS requests
In-Reply-To: <507052E8.7040807@sumptuouscapital.com>
References: <507052E8.7040807@sumptuouscapital.com>
Message-ID: <20121007022039.GB57007@redoubt.spodhuis.org>

GnuPG folks (since this is cross-posted, if my mail makes it through):
there is a bug in GnuPG's SRV handling, I've identified where I think
it is, it's in the second block of text from me; the first part of
this mail relates to SKS and some policy issues around the new
keyserver pool Kristian has added.

On 2012-10-06 at 17:48 +0200, Kristian Fiskerstrand wrote:
> Some background information on this particular pool: My crawler is now
> trying to detect HKPS enabled servers by looking for this SRV record,
> and if no such SRV record is found, attempting to connect and locate a
> SKS stats page on port 443.
> Servers available on 443 are then included
> as A, AAAA and SRV records, while other SSL-enabled servers are only
> represented as SRV records, as shown in #Snippet 3#

Ah, interesting; in checking, I just discovered that my SRV record for
_pgpkey-https had not been updated since I added nginx proxying, so
was still giving the "0 0 0 ." (explicitly no service here) response,
but what's happening is that you're looking for records on the
_server_, I think, not the "discoverability" records on the _domain_.

Normally, I think the answer is "whatever is given to GnuPG as the
host/domain label in the --keyserver URL". This is a little
different.

Not knowing if you're using the hostname from peering records, or the
hostname reported from the lookup?op=stats pages, I've added records
for both. That should cover it, right? Your snippet 3 suggests the
op=stats hostname, but seems safest to just cover both.

(And if I got really unlucky with timing, I'm out of the pool for the
next two hours because of a bogus entry created by forgetting to
re-anchor the RR data after repeating the block in different $ORIGIN
bases. Duh.)

> kristianf at kristianf-precision-m4600:~$ dig +short srv
> _pgpkey-https._tcp.keys.kfwebs.net any
> 10 10 11375 keys.kfwebs.net.
> kristianf at kristianf-precision-m4600:~$ gpg2 --keyserver-options
> no-check-cert,debug,verbose --keyserver hkps://keys.kfwebs.net
> --recv-key 0x0B7F8B60E3EDFAE3
> gpg: requesting key 0B7F8B60E3EDFAE3 from hkps server keys.kfwebs.net
> gpgkeys: curl version = libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4
> libidn/1.23 librtmp/2.3
> * About to connect() to keys.kfwebs.net port 443 (#0)
> * Trying 2001:16d8:ee30::4... * connected

Looking at gnupg's keyserver/gpgkeys_hkp.c as of git commit
76055d49d1c8b8e4f6245e6729cae81b1eaecbf6 it looks like you might be
using an older binary than me? If I try that command, I get "Host:",
"Port:", ... lines before the "* About to connect()" line from curl.

Still, doesn't appear to be fixed.
I see the bug: if the scheme is hkps: then they set:

 695   if(ascii_strcasecmp(opt->scheme,"hkps")==0)
 696     {
 697       proto="https";
 698       port="443";
 699     }

then we hit:

 729   if(opt->port)
 730     port=opt->port;
 731   else if(try_srv)
 732     {
 733       char *srvtag;
 734
 735       if(ks_strcasecmp(opt->scheme,"hkp")==0)
 736         srvtag="pgpkey-http";
 737       else if(ks_strcasecmp(opt->scheme,"hkps")==0)
 738         srvtag="pgpkey-https";
 739       else
 740         srvtag=NULL;
 741
 742 #ifdef HAVE_LIBCURL
 743       /* We're using libcurl, so fake SRV support via our wrapper.
 744          This isn't as good as true SRV support, as we do not try all
 745          possible targets at one particular level and work our way
 746          down the list, but it's better than nothing. */
 747       srv_replace(srvtag);

Now srv_replace will set opt->port:

 531   if(newname && newport)
 532     {
 533       free(opt->host);
 534       free(opt->port);
 535       opt->host=newname;
 536       snprintf(newport,MAX_PORT,"%u",srvlist->port);
 537       opt->port=newport;
 538     }

but then in get_key():

 266   strcpy(request,proto);
 267   strcat(request,"://");
 268   strcat(request,opt->host);
 269   strcat(request,":");
 270   strcat(request,port);
 271   strcat(request,opt->path);
 [...]
 294   curl_easy_setopt(curl,CURLOPT_URL,request);

So, there's a `port` and an `opt->port`; the SRV lookups set `opt->port`
but not `port`, while the URL given to curl uses `port`.

It seems like changing 537 to:

  port = opt->port = newport

should fix it as a stop-gap.

-Phil
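The mismatch described in the message above, modelled as a stand-alone C program. This is an added example, not code from the message or from GnuPG: the struct, the function names and the `MAX_PORT` value are assumptions, and the SRV answer is constructed from the port in the dig output quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PORT 11             /* any 32-bit unsigned plus NUL; assumed */

struct ks_opts {                /* simplified stand-in, not GnuPG's struct */
    char *host;
    char *port;                 /* NULL unless set in the URL or by SRV */
};

struct srv_answer {             /* one SRV target, as returned by a lookup */
    const char *target;
    unsigned port;
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Model of the srv_replace() step quoted in the mail: the SRV target and
   port are written to the option struct only. */
static int srv_replace_model(struct ks_opts *opt, const struct srv_answer *srv)
{
    char *newname = dup_str(srv->target);
    char *newport = malloc(MAX_PORT);

    if (!newname || !newport) {
        free(newname);
        free(newport);
        return -1;
    }
    snprintf(newport, MAX_PORT, "%u", srv->port);
    free(opt->host);
    free(opt->port);
    opt->host = newname;
    opt->port = newport;
    return 0;
}

/* Returns a malloc'ed "https://host:port" for an hkps request, or NULL on
   allocation failure.
   explicit_port: port given in the keyserver URL, or NULL.
   srv:           SRV answer to apply, or NULL if the lookup found none.
   reread_port:   0 keeps the local copy taken before the SRV step (the
                  behaviour described in the mail); 1 refreshes it. */
char *hkps_request_url(const char *host, const char *explicit_port,
                       const struct srv_answer *srv, int reread_port)
{
    struct ks_opts opt = { NULL, NULL };
    const char *port = "443";   /* scheme default for hkps */
    char *url = NULL;
    size_t len;

    opt.host = dup_str(host);
    if (!opt.host)
        return NULL;
    if (explicit_port && !(opt.port = dup_str(explicit_port)))
        goto done;

    if (opt.port) {
        port = opt.port;        /* explicit port wins; SRV is not consulted */
    } else if (srv) {
        if (srv_replace_model(&opt, srv) != 0)
            goto done;
        if (reread_port)
            port = opt.port;    /* stop-gap: local copy follows opt.port */
    }

    len = strlen("https://") + strlen(opt.host) + 1 + strlen(port) + 1;
    url = malloc(len);
    if (url)
        snprintf(url, len, "https://%s:%s", opt.host, port);
done:
    free(opt.host);
    free(opt.port);
    return url;
}

int main(void)
{
    /* Constructed SRV answer; port taken from the dig output in the thread. */
    struct srv_answer srv = { "keys.kfwebs.net", 11375 };
    char *stale = hkps_request_url("keys.kfwebs.net", NULL, &srv, 0);
    char *fresh = hkps_request_url("keys.kfwebs.net", NULL, &srv, 1);

    printf("stale: %s\nfresh: %s\n", stale ? stale : "(no memory)",
           fresh ? fresh : "(no memory)");
    free(stale);
    free(fresh);
    return 0;
}
```

When the SRV target differs from the queried name, the stale variant pairs the new host with the old default port, because the host is read from the option struct while the port is not.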
From sks-devel-phil at spodhuis.org Sun Oct 7 04:32:59 2012
From: sks-devel-phil at spodhuis.org (Phil Pennock)
Date: Sat, 6 Oct 2012 22:32:59 -0400
Subject: [Sks-devel] SRV records and HKPS requests
In-Reply-To: <20121007022039.GB57007@redoubt.spodhuis.org>
References: <507052E8.7040807@sumptuouscapital.com> <20121007022039.GB57007@redoubt.spodhuis.org>
Message-ID: <20121007023259.GC57007@redoubt.spodhuis.org>

On 2012-10-06 at 22:20 -0400, Phil Pennock wrote:
> So, there's a `port` and an `opt->port`; the SRV lookups set `opt->port`
> but not `port`, while the URL given to curl uses `port`.
>
> It seems like changing 537 to:
> port = opt->port = newport
>
> should fix it as a stop-gap.

bugs.g10code.com is presenting a self-signed cert and my account from
March 2008 is not accepted. :/ Assuming that I'm not being MitM'd,
I've set up a new account and filed a bug in the GnuPG BTS.

https://bugs.g10code.com/gnupg/issue1446

-Phil

From kristian.fiskerstrand at sumptuouscapital.com Mon Oct 8 00:11:30 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 08 Oct 2012 00:11:30 +0200
Subject: Fwd: sks-keyservers.net: ECC safe subpool
In-Reply-To: <5071ED4A.2040300@sumptuouscapital.com>
References: <5071ED4A.2040300@sumptuouscapital.com>
Message-ID: <5071FE12.7040408@sumptuouscapital.com>

Forwarding this message originally sent to sks-devel as it can have
relevance for gnupg-users as well.

-------- Original Message --------
Subject: sks-keyservers.net: ECC safe subpool
Date: Sun, 07 Oct 2012 22:59:54 +0200
From: Kristian Fiskerstrand
To: sks-devel

Hi,

Following the release of 1.1.4, subset.pool.sks-keyservers.net now has a
minimum requirement for version 1.1.4.
That means that, in addition to the other improvements in this version,
this pool is now working fully with Elliptic Curve Public keys as
described in RFC6637.

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Vincit qui se vincit
He who conquers conquers self
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
From JPClizbe at gingerbear.net Mon Oct 8 00:08:49 2012
From: JPClizbe at gingerbear.net (John Clizbe)
Date: Sun, 07 Oct 2012 17:08:49 -0500
Subject: Fwd: [Sks-devel] [Announcement] SKS 1.1.4 Released
In-Reply-To: <5071E4FB.4090805@sumptuouscapital.com>
References: <5071E4FB.4090805@sumptuouscapital.com>
Message-ID: <5071FD71.2000709@GingerBear.net>

Kristian left these groups off the initial email

-John

-------- Original Message --------
Subject: [Sks-devel] [Announcement] SKS 1.1.4 Released
Date: Sun, 07 Oct 2012 22:24:27 +0200
From: Kristian Fiskerstrand
To: sks-devel

Hello,

We are pleased to announce the availability of a new stable SKS
release: Version 1.1.4.

SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized, and highly reliable synchronization. That means that a
key submitted to one SKS server will quickly be distributed to all key
servers, and even wildly out-of-date servers, or servers that experience
spotty connectivity, can fully synchronize with rest of the system.

What's New in 1.1.4
====================

- Fix X-HKP-Results-Count so that limit=0 returns no results, but include
  the header, to let a client poll for how many results exist, without
  retrieving any. Submitted by Phil Pennock. See:
  http://lists.nongnu.org/archive/html/sks-devel/2010-11/msg00015.html
- Add UPGRADING document to explain upgrading Berkeley DB without
  rebuilding. System bdb versions often change with new SKS releases
  for .deb and .rpm distros.
- Cleanup build errors for bdb/bdb_stubs.c. Patch from Mike Doty
- Update cryptokit from version 1.0 to 1.5 without requiring OASIS
  build system or other additional dependencies
- build, fastbuild, & pbuild fixed to ignore signals USR1 and USR2
- common.ml and reconSC.ml were using different values for minimum
  compatible version. This has been fixed.
- Added new server mime-types, and trying another default document (Issue 6)
  In addition to the new MIME types added in 1.1.[23], the server now
  looks over a list and serves the first index file that it finds
  Current list: index.html, index.htm, index.xhtml, index.xhtm, index.xml.
- options=mr now works on get as well as (v)index operations. This is
  described in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
  sections 3.2.1.1. and 5.1.
- Updated copyright notices in source files
- Added sksclient tool, similar to old pksclient
- Add no-cache instructions to HTTP response (in order for reverse proxies
  not to cache the output from SKS)
- Use unique timestamps for keydb to reduce occurrences of Ptree corruption.
- Added Interface specifications (.mli files) for modules that were
  missing them
- Yaron pruned some no longer needed source files from the tree.
- Improved the HTTP status and HTTP error codes returned for various
  situations and added checks for more error conditions.
- Add a suffix to version (+) indicating non-release or development builds
- Add an option to specify the contact details of the server administrator
  that shows in the status page of the server. The information is in the
  form of an OpenPGP KeyID and set by server_contact: in sksconf
- Add a `sks version` command to provide information on the setup.
- Added configuration settings for the remaining database table files.
  If no pagesize settings are in sksconf, SKS will use 2048 bytes for key
  and 512 for ptree. The remaining files' pagesize will be set by BDB
  based on the filesystem settings, typically this is 4096 bytes.
  See sampleConfig/sksconf.typical for settings recommended by db_tuner.
- Makefile: Added distclean target. Dropped autogenerated file from VCS.
- Allow tuning BDB environment before creation in [fast]build and pbuild.
  If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
  Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
- Add support for Elliptic Curve Public keys (ECDSA, ECDH)
- Add check if an upload is a revocation certificate, and if it is,
  produce an error message tailored for this.

Note when upgrading from earlier versions of SKS
====================

The default values for pagesize settings have changed. To continue
using an existing DB without rebuilding, explicit settings have to be
added to the sksconf file.

pagesize: 4
ptree_pagesize: 1

Getting the Software
====================

SKS can be downloaded from
https://bitbucket.org/skskeyserver/sks-keyserver

Prerequisites
====================

There are a few prerequisites to building this code. You need:

* ocaml-3.10.2 or later. Get it from
  ocaml-3.12.x is recommended, ocaml-4.x is not recommended at this time
* Berkeley DB version 4.6.* or later, whereby 4.8 or later
  is recommended. You can find the appropriate versions at

Verifying the integrity of the download
====================

Releases of SKS are signed using the SKS Keyserver Signing Key
available on public keyservers with the KeyID

  0x41259773973A612A

and has a fingerprint of

  C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A.

Using GnuPG, verification can be accomplished by, first, retrieving the
signing key using

  gpg --keyserver pool.sks-keyservers.net --recv-key 0x41259773973A612A

followed by verifying that you have the correct key

  gpg --keyid-format long --fingerprint 0x41259773973A612A

should produce:

  pub   4096R/41259773973A612A 2012-06-27
        Key fingerprint = C90E F143 0B3A C0DF D00E 6EA5 4125 9773 973A 612A

A check should also be made that the key is signed by
trustworthy other keys;

  gpg --list-sigs 0x41259773973A612A

and the fingerprint should be verified through other trustworthy sources.

Once you are certain that you have the correct key downloaded, you can
create a local signature, in order to remember that you have verified
the key.
  gpg --lsign-key 0x41259773973A612A

Finally; verifying the downloaded file can be done using

  gpg --keyid-format long --verify sks-x.y.z.tgz.asc

The resulting output should be similar to

  gpg: Signature made Wed Jun 27 12:52:39 2012 CEST
  gpg: using RSA key 41259773973A612A
  gpg: Good signature from "SKS Keyserver Signing Key"

Checksums for sks-1.1.4.tgz
SHA1: d0b3b387653115d106ebbcae13aeda06f0034909
SHA256: baa79be8c1983544518e8a72ccecacb2837d52ae4015dc7cf364cddb53220c76

Thanks
====================

We have to thank all the people who helped with this release, by
discussions on the mailing list, submitting patches, or opening issues
for items that needed our attention.

Happy Hacking,

The SKS Team (Yaron, John, Kristian, Phil, and the other contributors)

_______________________________________________
Sks-devel mailing list
Sks-devel at nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

From expires2012 at rocketmail.com Mon Oct 8 01:55:41 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Mon, 8 Oct 2012 00:55:41 +0100
Subject: what is killing PKI?
In-Reply-To: <5070A0B5.9020702@sixdemonbag.org>
References: <50168344.9090000@dfgh.net> <501768E4.8010603@yyy.id.lv> <87ehns6zp7.fsf@vigenere.g10code.de> <5017CCEC.5010103@dfgh.net> <50344F25.2050107@gmail.com> <50352C1F.5010003@dfgh.net> <5036636D.4030001@sixdemonbag.org> <5037727F.8070703@dfgh.net> <5037DED2.5020301@sixdemonbag.org> <50380AB2.8020303@enigmail.net> <50380F52.3070202@sixdemonbag.org> <5038319D.7000003@gmail.com> <5038e22c.l1TW2+7SAAn+vaPC%sttob@mailshack.com> <5039FBFE.80301@gmail.com> <503a96fd.bBqYz9KI9rQ8QrNx%sttob@mailshack.com> <503AA5DA.7020303@sixdemonbag.org> <506c8fb1.xUl4j/QYBk5l1dXi%sttob@mailshack.com> <81366192.20121003224500@my_localhost> <87sj9uwpkd.fsf@vigenere.g10code.de> <05261768.20121005000537@my_localhost> <506E1A1F.9000903@sixdemonbag.org> <1163858353.20121005020036@my_localhost> <506E33FD.9070805@sixdemonbag.org> <1846405108.20121006144432@my_localhost> <5070A0B5.9020702@sixdemonbag.org>
Message-ID: <1036197014.20121008005541@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Saturday 6 October 2012 at 10:20:53 PM, in , Robert J. Hansen wrote:

> Therefore, for this question to be meaningful, you must
> have doubt as to whether Werner & Co. are capable of
> forming an opinion as to what they consider to be "safe
> and sane."

I do not harbour any such doubt. I also don't see how they might be
suggested by my question [1], or by my rebuttal of your claim that it
was a meaningless question because it wrongly presumed there's a single
objective standard for what is "safe and sane" [2].

[1] "And what's wrong with having safe and sane defaults for those who
choose not to make their own informed choices?"

[2] "I disagree. I would say it presumes that the person/people
releasing the software are capable of forming an opinion as to what
they consider to be 'safe and sane.'"

> Because if there's no doubt, then why ask it at all?
Because I believe my question outlines a valid alternative strategy to
the one outlined in your question [3], to which I was replying.

[3] "Instead of telling people what they should do, what's wrong with
giving people options and telling them that it's their responsibility
to make informed choices?"

- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

None are so fond of secrets as those who do not mean to keep them

From jaimefdez86 at gmail.com Mon Oct 8 13:13:11 2012
From: jaimefdez86 at gmail.com (Jaime Fernández)
Date: Mon, 8 Oct 2012 13:13:11 +0200
Subject: [gnupg-users] Change key password in batch mode
Message-ID:

Hi,

I want to edit the password in batch mode, I try this: (where 12345 is
the old password)

$ gpg --batch --passphrase-fd 0 --status-fd 2 --command-fd 0 --edit-key user
12345
[GNUPG:] GET_LINE keyedit.prompt
passwd
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 4565CE******* User1
[GNUPG:] NEED_PASSPHRASE 4565CE******* 4565CE****** 17 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] GOOD_PASSPHRASE
Enter the new passphrase for this secret key
[GNUPG:] NEED_PASSPHRASE_SYM 3 3 2
[GNUPG:] GET_LINE keyedit.prompt

But gpg never gives me the chance to write the new password. I saw
another similar post
http://lists.gnupg.org/pipermail/gnupg-users/2005-February/024757.html
but I can get it working. In fact I don't see any GET_HIDDEN, is it an
old functionality?

Thanks
From christoph.anton.mitterer at physik.uni-muenchen.de Tue Oct 9 00:20:40 2012
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Tue, 09 Oct 2012 00:20:40 +0200
Subject: RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)
In-Reply-To: <467E60D6-50E7-463F-9038-85856842F6B1@jabberwocky.com>
References: <6e7da8720909091543t25f2550cv3b820d7b52a1882b@mail.gmail.com> <0B433892-BFE9-45F8-BDA6-9B522077B045@jabberwocky.com> <6e7da8720909100502r7350e4c0x92092e47e23bc742@mail.gmail.com> <43DB695D-52F5-4D3B-85AB-3932552FD576@jabberwocky.com> <1252621965.3937.1.camel@fermat.scientia.net> <467E60D6-50E7-463F-9038-85856842F6B1@jabberwocky.com>
Message-ID: <1349734840.3344.78.camel@fermat.scientia.net>

Hi David.

Long time ago, the following[0] ;)

I recently stumbled across that question again,... when I deployed
haveged on our faculty's HPC cluster...
So I've asked[1] around at lkml, whether a malicious (or just bad)
entropy source could spoil the kernel's RNG.

Ted Ts'o, who currently maintains that part said (see the thread) he
wouldn't know any way how that could be done, but...

On Thu, 2009-09-10 at 22:35 -0400, David Shaw wrote:
> > 3) One problem with such devices is,.. that one can never know (well at
> > least normal folks like me) how good they actually are.
> > If this company would be evil (subsidiary of NSA or so) they could just
> > sell bad devices that produce poor entropy thus rendering our (symmetric
> > and asymmetric) keys, signatures etc. "useless". Right?
>
> Not completely useless given the Linux random design, but certainly an
> evil source of entropy would be a serious problem. Do you have any
> reason to believe this device is evil? There are many random number
> generators on the market. Knowing which ones are evil would be handy ;)

... your reply seems to somehow imply that it could...
So he (and I) wondered for the reasons :)

Thanks a lot,
Chris.

[0] http://lists.gnupg.org/pipermail/gnupg-users/2009-September/037301.html
[1] http://lkml.org/lkml/2012/10/4/210

From dan at geer.org Tue Oct 9 13:58:35 2012
From: dan at geer.org (dan at geer.org)
Date: Tue, 09 Oct 2012 07:58:35 -0400
Subject: RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)
In-Reply-To: Your message of "Tue, 09 Oct 2012 00:20:40 +0200." <1349734840.3344.78.camel@fermat.scientia.net>
Message-ID: <20121009115835.98D192281C4@palinka.tinho.net>

I consulted a non-list-reading colleague who knows
rather a lot about randomness. He writes:

> here's my reply; i dunno whether it counts
> as an example of evil per se:
>
> the bigger problem with manufactured
> entropy sources is that rigorous unit testing
> at the factory usually is just impossible.
> it just takes too long to gather a few hours
> of bits from every unit, then do the exhaustive
> statistical testing, again for every unit.
>
> indeed, it seems likely to me that when
> a CPU vendor sells CPU chips with integrated
> TRNG circuits, some of the chips will surely
> come off the fabrication line with defective
> TRNGs, just as some CPU chips get made with
> defective ALUs, memory, etc. the bad logic
> circuits get caught by exhaustive pre-ship
> testing, and those chips don't get sold. but
> given that rigorous testing of the TRNG circuit
> is so expensive, it's my guess that the CPU
> vendor surely must just unwittingly ship the
> CPUs that happen to have obscurely bad TRNGs.
--dan

From dshaw at jabberwocky.com Tue Oct 9 18:16:27 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 9 Oct 2012 12:16:27 -0400
Subject: RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)
In-Reply-To: <1349734840.3344.78.camel@fermat.scientia.net>
References: <6e7da8720909091543t25f2550cv3b820d7b52a1882b@mail.gmail.com> <0B433892-BFE9-45F8-BDA6-9B522077B045@jabberwocky.com> <6e7da8720909100502r7350e4c0x92092e47e23bc742@mail.gmail.com> <43DB695D-52F5-4D3B-85AB-3932552FD576@jabberwocky.com> <1252621965.3937.1.camel@fermat.scientia.net> <467E60D6-50E7-463F-9038-85856842F6B1@jabberwocky.com> <1349734840.3344.78.camel@fermat.scientia.net>
Message-ID:

On Oct 8, 2012, at 6:20 PM, Christoph Anton Mitterer wrote:

> Hi David.
>
> Long time ago, the following[0] ;)
>
> I recently stumbled across that question again,... when I deployed
> haveged on our faculty's HPC cluster...
> So I've asked[1] around at lkml, whether a malicious (or just bad)
> entropy source could spoil the kernel's RNG.
>
> Ted Ts'o, who currently maintains that part said (see the thread) he
> wouldn't know any way how that could be done, but...
>
>
> On Thu, 2009-09-10 at 22:35 -0400, David Shaw wrote:
>>> 3) One problem with such devices is,.. that one can never know (well at
>>> least normal folks like me) how good they actually are.
>>> If this company would be evil (subsidiary of NSA or so) they could just
>>> sell bad devices that produce poor entropy thus rendering our (symmetric
>>> and asymmetric) keys, signatures etc. "useless". Right?
>>
>> Not completely useless given the Linux random design, but certainly an
>> evil source of entropy would be a serious problem. Do you have any
>> reason to believe this device is evil? There are many random number
>> generators on the market. Knowing which ones are evil would be handy ;)
> ... your reply seems to somehow imply that it could...
>
> So he (and I) wondered for the reasons :)

The message is from three years ago, so I'm honestly not sure where I
was going with that thought at the time. Most likely, I was thinking
about someone using an evil device for entropy directly rather than
through a /dev/random that deals with the evil source case.

To be clear: I do not know of some way an evil input can somehow subvert
the output of /dev/random on Linux. My understanding was that it was
designed to prevent that.

David

From jw72253 at verizon.net Tue Oct 9 19:41:54 2012
From: jw72253 at verizon.net (John A. Wallace)
Date: Tue, 09 Oct 2012 12:41:54 -0500
Subject: new release of GPA
Message-ID: <000601cda645$65096080$2f1c2180$@net>

The latest beta version fails to work properly on my 64-bit Windows 7 OS.
Whenever I open the File Manager, either with tool or from the menu, the
program stops working and closes with an error message saying "gpa.exe
has stopped working." Working without this feature in GPA is rather
restricted.

John A. Wallace

From wk at gnupg.org Wed Oct 10 08:47:18 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Oct 2012 08:47:18 +0200
Subject: new release of GPA
In-Reply-To: <000601cda645$65096080$2f1c2180$@net> (John A. Wallace's message of "Tue, 09 Oct 2012 12:41:54 -0500")
References: <000601cda645$65096080$2f1c2180$@net>
Message-ID: <87pq4qu8ll.fsf@vigenere.g10code.de>

On Tue, 9 Oct 2012 19:41, jw72253 at verizon.net said:

> The latest beta version fails to work properly on my 64-bit Windows 7 OS.

Is this the version from the latest gpg4win beta?

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From jw72253 at verizon.net Wed Oct 10 21:19:32 2012 From: jw72253 at verizon.net (John) Date: Wed, 10 Oct 2012 14:19:32 -0500 Subject: new release of GPA In-Reply-To: <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> Message-ID: "Werner Koch" wrote in message news:87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org at vigenere.g10code.de... On Tue, 9 Oct 2012 19:41, jw72253 at verizon.net said: > The latest beta version fails to work properly on my 64-bit Windows 7 OS. Is this the version from the latest gpg4win beta? I got it here: http://www.gpg4win.org/download.html it is Gpg4win 2.1.1 beta. In this package I selected the options for installing only GPA and 2.0.19. From wk at gnupg.org Wed Oct 10 22:55:34 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 10 Oct 2012 22:55:34 +0200 Subject: new release of GPA In-Reply-To: (John's message of "Wed, 10 Oct 2012 14:19:32 -0500") References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> Message-ID: <87ehl6t5bt.fsf@vigenere.g10code.de> On Wed, 10 Oct 2012 21:19, jw72253 at verizon.net said: > it is Gpg4win 2.1.1 beta. In this package I selected the options for > installing only GPA and 2.0.19. Okay, actually I tested it on a Windows-7 64 bit laptop. However it was just a cursory test with GPA. I will do another test in the next days. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gragster777 at gmail.com Sun Oct 14 03:14:41 2012 From: gragster777 at gmail.com (Jonathan) Date: Sat, 13 Oct 2012 20:14:41 -0500 Subject: Smartcard With Pin Pad Better Security? Message-ID: <507A1201.2060802@gmail.com> I understand that a smartcard is more secure to keep my key from ever coming off the card itself. 
I like the idea of getting one with a pin pad to lower my attack surface since as long as my pinpad is not compromised I should be golden right?

All the pin pads I've seen don't have many possible buttons it looks like all numbers. Even with a strong password it seems it would be easy if I could only use pin of 0-9 right? Couldn't that be brute forced quick assuming they could get my smartcard? Or am I missing something and there's a mode that lets it do alphabets and such?

Some I saw were pc, some were class 1, class 2, class 3. Which of these is the most secure?

http://www.cryptoshop.com/index.php

Should I get one from here or another shop? I want one that will work in Windows and Ubuntu and will work with OpenPGP smartcards. Any recommendations on this?

Also do OpenPGP smartcards support the new ECC key systems in beta?

Sorry for wall of text, thank you.

From mailinglisten at hauke-laging.de Sun Oct 14 14:02:07 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 14 Oct 2012 14:02:07 +0200
Subject: Smartcard With Pin Pad Better Security?
In-Reply-To: <507A1201.2060802@gmail.com>
References: <507A1201.2060802@gmail.com>
Message-ID: <3711669.CEgJTsJGAC@inno>

On Sat 13.10.2012, 20:14:41 Jonathan wrote:
> as long as my pinpad is not
> compromised I should be golden right?

Depends on your definition of "golden right". :-)

Even a smartcard PIN pad combination can be abused, not as easily though. After you have entered the PIN an attacker controlling your system can decrypt as much data as he likes and perhaps (depending on the card configuration) even sign as much as he likes. Until you pull out the card (reader). Even the single signature can be abused (you don't control what data gets signed). Thus a smartcard does not offer more security by itself than a secure system (offline hardware booting from a safe medium).

Reaching the paranoia level: It is possible to extract a key from a smartcard.
It is quite expensive and requires certain skills though. Recovering a key which is protected by a sufficient passphrase can be considered impossible.

> All the pin pads I've seen don't have many possible buttons it looks like
> all numbers. Even with a strong password it seems it would be easy if
> I could only use pin of 0-9 right? Couldn't that be brute forced quick
> assuming they could get my smartcard?

From a software perspective that is correct (though you could use a longer number). But this scenario is not governed by software rules but by hardware rules: The smartcard does not allow you enough tries. It "destroys" itself after a few.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From dougb at dougbarton.us Wed Oct 17 02:12:54 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 16 Oct 2012 14:12:54 -1000
Subject: lock/backup files
Message-ID: <507DF806.4010503@dougbarton.us>

I multiboot my systems, usually a minimum of some kind of Windows, and Linux. I also have a lot of my personal data (including PGP keys) on truecrypt volumes which are shared between my systems. For GnuPG using the same data in the same directory for all systems works well, with the following exceptions.

First, the backup files are different in Unix and Windows, filename~ on the former, and filename.bak on the latter. So far I haven't run into any problems with this, it's just duplicate data that I'd like to avoid.

The filename.lock files are a problem however. Assuming that there are no .lock files, and I run Linux, everything works fine. Then if I boot Windows it seems to create .lock files for every file, whether I'm using it or not, and they remain after I restart. If I then attempt to use gpg in Linux I get an error about the lock file being the wrong size.
What I'd like to do to solve both problems is to specify the extension used for these files. To make them the same in the first case (where they are different now), and different in the second case (where they are the same now). Is this possible? 'man gpg' did not indicate a solution, nor did a brief web search. Any help appreciated, Doug From rjh at sixdemonbag.org Wed Oct 17 05:52:35 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 16 Oct 2012 23:52:35 -0400 Subject: lock/backup files In-Reply-To: <507DF806.4010503@dougbarton.us> References: <507DF806.4010503@dougbarton.us> Message-ID: <507E2B83.2070806@sixdemonbag.org> Although I don't have a way to achieve your goal via your preferred means, I do have a way to achieve your goal: add a small script to your Linux startup/shutdown sequence that will remove the lock files from your directory on boot and on shutdown. From dougb at dougbarton.us Wed Oct 17 07:04:54 2012 From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Oct 2012 19:04:54 -1000 Subject: lock/backup files In-Reply-To: <507E2B83.2070806@sixdemonbag.org> References: <507DF806.4010503@dougbarton.us> <507E2B83.2070806@sixdemonbag.org> Message-ID: <507E3C76.4030705@dougbarton.us> On 10/16/2012 05:52 PM, Robert J. Hansen wrote: > Although I don't have a way to achieve your goal via your preferred > means, I do have a way to achieve your goal: add a small script to your > Linux startup/shutdown sequence that will remove the lock files from > your directory on boot and on shutdown. Thanks for the suggestion. The problem is that the truecrypt volume is not mounted at boot time, and it's unmounted before shutdown. 
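Added example (not part of any message in this archive): a guarded form of the cleanup script Robert J. Hansen suggests, meant to run right after the shared volume is mounted, since Doug Barton notes it is not available at boot or shutdown. The function names, the keyring check (pubring.gpg or pubring.kbx must be present) and the idea of passing the mount command as arguments are assumptions of this sketch; it treats files named *.lock directly inside the GnuPG home directory as disposable.

```shell
#!/bin/sh
# Added example, not from the thread: remove stale GnuPG lock files from a
# home directory that lives on a volume shared between operating systems.

# clean_gnupg_locks DIR
# Deletes regular files named *.lock directly inside DIR and prints each one.
# Returns 1 without deleting anything if DIR fails a sanity check.
clean_gnupg_locks() {
    cgl_dir=$1

    # Only accept an absolute path that is not the root directory.
    case $cgl_dir in
        /|'') echo "clean_gnupg_locks: refusing path '$cgl_dir'" >&2; return 1 ;;
        /*) ;;
        *) echo "clean_gnupg_locks: need an absolute path" >&2; return 1 ;;
    esac

    # The directory itself must be real, not a symlink pointing elsewhere.
    if [ -L "$cgl_dir" ] || [ ! -d "$cgl_dir" ]; then
        echo "clean_gnupg_locks: $cgl_dir is not a directory" >&2
        return 1
    fi

    # Assumption: a GnuPG home contains a public keyring. This guards against
    # a wrong argument or a volume that did not actually get mounted.
    if [ ! -f "$cgl_dir/pubring.gpg" ] && [ ! -f "$cgl_dir/pubring.kbx" ]; then
        echo "clean_gnupg_locks: no keyring in $cgl_dir, nothing removed" >&2
        return 1
    fi

    # No recursion and no find -delete: only plain files at the top level
    # whose name ends in .lock are touched. Keyrings and backup files
    # (filename~ and filename.bak) are left alone.
    for cgl_file in "$cgl_dir"/*.lock; do
        if [ -f "$cgl_file" ] && [ ! -L "$cgl_file" ]; then
            rm -f -- "$cgl_file" && echo "removed $cgl_file"
        fi
    done
    return 0
}

# mount_then_clean GNUPG_HOME MOUNT_COMMAND [ARGS...]
# Runs the mount command and cleans up only if it succeeded.
mount_then_clean() {
    mtc_home=$1
    shift
    if ! "$@"; then
        echo "mount_then_clean: mount command failed, nothing removed" >&2
        return 1
    fi
    clean_gnupg_locks "$mtc_home"
}

# Usage (hypothetical mount command and paths):
#   mount_then_clean /encrypted/gnupg your-mount-command /dev/sda3 /encrypted
```

Run it only while no gpg or gpg-agent process is using that home directory, because a lock held by a live process would be removed as well.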
From wk at gnupg.org Wed Oct 17 10:24:14 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 17 Oct 2012 10:24:14 +0200
Subject: lock/backup files
In-Reply-To: <507DF806.4010503@dougbarton.us> (Doug Barton's message of "Tue, 16 Oct 2012 14:12:54 -1000")
References: <507DF806.4010503@dougbarton.us>
Message-ID: <87obk1o6a9.fsf@vigenere.g10code.de>

On Wed, 17 Oct 2012 02:12, dougb at dougbarton.us said:

> First, the backup files are different in Unix and Windows, filename~ on
> the former, and filename.bak on the latter. So far I haven't run into

Old versions of the FAT file system don't support more than one dot in a name or the tilde character. Thus we had to resort to the ".bak" suffix. I think this is not a problem with newer FAT systems or NTFS, we are a bit conservative here. Given that this is only for failures during file updates, I don't think it is justified to add another option.

> no .lock files, and I run Linux, everything works fine. Then if I boot
> Windows it seems to create .lock files for every file, whether I'm using
> it or not, and they remain after I restart. If I then attempt to use gpg
> in Linux I get an error about the lock file being the wrong size.

Recent versions of GnuPG use a more smart locking strategy than old versions. The locking does now work on all kind of file systems, even those which don't support hard links (e.g. EMC servers). This works for both, Windows and Unix. However, multiboot is problematic because we can't detect that at runtime. Thus you will always run into problems. For details see gnupg/common/dotlock.c .

Your problem with the invalid size of the lock file could be solved to write dummy values into the file under Windows. However, you will run into more problems later. Thus I believe it is better to run a cleanup script at boot time. Actually it is expected that all files with a prefix of ".#" will be deleted from time to time (they might be left over after a crash).
Removing all files with a ".lock" suffix in the GnuPG home directory, after a multiboot switch (assuming it is not a shared directory) is all you need. We will never use files with a ".lock" suffix in those directories to store permanent data.

Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From peter at digitalbrains.com Wed Oct 17 11:48:34 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 17 Oct 2012 11:48:34 +0200
Subject: lock/backup files
In-Reply-To: <507E3C76.4030705@dougbarton.us>
References: <507DF806.4010503@dougbarton.us> <507E2B83.2070806@sixdemonbag.org> <507E3C76.4030705@dougbarton.us>
Message-ID: <507E7EF2.4010401@digitalbrains.com>

On 17/10/12 07:04, Doug Barton wrote:
> Thanks for the suggestion. The problem is that the truecrypt volume is
> not mounted at boot time, and it's unmounted before shutdown.

If you mount them with a shell command, you could write a wrapper shell script that you invoke instead of that command, like such:

You previously did

$ truemount /dev/sda3 /encrypted

You write a shell script:

-----8<---cut here--->8-----
#!/bin/sh
# Mount the volume, then delete every *.lock file below the mount point.
truemount "$1" "$2"
find "$2" -name '*.lock' -delete
-----8<---cut here--->8-----

Call this shell script mytrue, or such, and from now on use

$ mytrue /dev/sda3 /encrypted

Please don't use this actual script. It needs a whole bunch of extra safeguards because the find/delete command is so destructive. Just an idea.

Good luck.

Peter.

PS: I haven't ever used truecrypt, I just invented a command name :).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gabi at idieikon.com Wed Oct 17 14:56:57 2012
From: gabi at idieikon.com (Gabi)
Date: Wed, 17 Oct 2012 14:56:57 +0200
Subject: Problem trying to automate decrypt option
Message-ID: <0b8a01cdac66$e3fe54f0$abfafed0$@com>

We want to automate the decrypt process in some file with a task in the operating system (Windows 7 64)

What we want to do is from command line is: gpg2.exe --decrypt file.gpg > result.txt Of course it works ok, but launch pinentry.exe, a dialog box to ask for the password of the certificate.

So we use a pipeline to send the password to gpg2 like this:

echo "myPassword" | gpg2.exe --decrypt file.gpg > result.txt

But this does not work.

One possible workaround is that once we have put the password in the pinentry.exe dialog, we can decrypt again WITHOUT using the password and after some time (some minutes) gpg2.exe ask us for a password again. (For example after writing password if we run the same bat with the same command it does not ask us for a password...in some minutes at least)

So there could be 2 possible solutions we don't know how to implement.
1) A way to send the password to the dialog, the command echo "myPassword" | gpg2.exe --decrypt file.gpg > result.txt was supposed to work, we find it in a forum, but it does not work.
2) Can we change the time it ask again for the password? Where? How? If we can set it to, for example 1 year, then we can run the command, type the password in the dialog box and use the same command in a daily task and it'll work until next year...

Has anybody an answer for 1) or 2)? Any of them will solve the problem...

Regards.

From zhoucengchao at hotmail.com Wed Oct 17 11:36:32 2012
From: zhoucengchao at hotmail.com (Steve Zhou)
Date: Wed, 17 Oct 2012 17:36:32 +0800
Subject: cannot access FTP site to download missing library
Message-ID:

Hi team, I downloaded gnupg-2.0.19 and got several errors reported by ./configure.
The error message is very clear and said I missed some library and the corresponding FTP link was provided. But I was prompted for username/password when trying to access it. Below is the link example.

*** It is now required to build with support for the
*** GNU Portable Threads Library (Pth). Please install this
*** library first. The library is for example available at
*** ftp://ftp.gnu.org/gnu/pth/

Could you please let me know how to get the missing package? Thank you very much!

From zhoucengchao at hotmail.com Wed Oct 17 17:12:17 2012
From: zhoucengchao at hotmail.com (Steve Zhou)
Date: Wed, 17 Oct 2012 23:12:17 +0800
Subject: compile failure
Message-ID:

Hi GNUPG team,

When I tried to do make operation I got the following error:

compress.o: In function `do_compress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:107: undefined reference to `deflate'
compress.o: In function `init_uncompress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:147: undefined reference to `inflateInit_'
compress.o: In function `do_uncompress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:196: undefined reference to `inflate'
compress.o: In function `init_compress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:82: undefined reference to `deflateInit_'
compress.o: In function `init_uncompress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:147: undefined reference to `inflateInit2_'
compress.o: In function `init_compress':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:82: undefined reference to `deflateInit2_'
compress.o: In function `compress_filter':
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:264: undefined reference to `inflateEnd'
/home/steve/Desktop/gnupg-2.0.19/g10/compress.c:273: undefined reference to `deflateEnd'
collect2: ld returned 1 exit status
make[2]: *** [gpg2] Error 1
make[2]: Leaving directory `/home/steve/Desktop/gnupg-2.0.19/g10'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/steve/Desktop/gnupg-2.0.19'
make: *** [all] Error 2

May I know what was missing? Thank you for your help in advance!

Regards,
Steve

From rjh at sixdemonbag.org Wed Oct 17 21:42:46 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Oct 2012 15:42:46 -0400
Subject: compile failure
In-Reply-To:
References:
Message-ID: <507F0A36.5030400@sixdemonbag.org>

On 10/17/2012 11:12 AM, Steve Zhou wrote:
> When I tried to do make operation i got the following error:

You need a few development libraries installed. These can usually be installed from your UNIX's package manager, but without knowing what you're compiling it on our ability to help you is limited.

From rjh at sixdemonbag.org Wed Oct 17 21:46:43 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Oct 2012 15:46:43 -0400
Subject: cannot access FTP site to download missing library
In-Reply-To:
References:
Message-ID: <507F0B23.1080308@sixdemonbag.org>

On 10/17/2012 5:36 AM, Steve Zhou wrote:
> But i was prompt for username/password when try to access. Below is
> the link example.

The login is 'anonymous', and the pw is your email address. Many ftp sites (GNU being just one of many) provide guest access this way: if you ever find yourself prompted for a username/pw, that's usually a safe one to try.

From fcassia at gmail.com Thu Oct 18 00:37:27 2012
From: fcassia at gmail.com (Fernando Cassia)
Date: Wed, 17 Oct 2012 19:37:27 -0300
Subject: FTP server is down...
Message-ID:

Hi there,

I've been trying to get the win32 port of the sha1sum util from ftp://ftp.gnupg.org/gcrypt/binary/ but it looks like the server, as of this writing, is down. :-(

Just thought the site admins would like to know...
FC
--
During times of Universal Deceit, telling the truth becomes a revolutionary act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario
- George Orwell

From david at systemoverlord.com Thu Oct 18 01:33:18 2012
From: david at systemoverlord.com (David Tomaschik)
Date: Wed, 17 Oct 2012 16:33:18 -0700
Subject: Problem trying to automate decrypt option
In-Reply-To: <0b8a01cdac66$e3fe54f0$abfafed0$@com>
References: <0b8a01cdac66$e3fe54f0$abfafed0$@com>
Message-ID:

Have you tried --passphrase "myPassword" or --passphrase-fd 0 (with the pipe)?

(Standard statement about how storing the passphrase in a scheduled task is a bad idea, etc.)

David

On Wed, Oct 17, 2012 at 5:56 AM, Gabi wrote:
> We want to automate the decrypt process in some file with a task in the
> operating system (Windows 7 64)
>
> What we want to do is from command line is: gpg2.exe --decrypt file.gpg >
> result.txt Of course it works ok, but launch pinentry.exe, a dialog box to
> ask for the password of the certificate.
>
> So we use a pipeline to send the password to gpg2 like this:
>
> echo "myPassword" | gpg2.exe --decrypt file.gpg > result.txt
>
> But this does not work.
>
>
> One possible workaround is that once we have put the password in the
> pinentry.exe dialog, we can decrypt again WITHOUT using the password and
> after some time (some minutes) gpg2.exe ask us for a password again.(For
> example after writing password if we run the same bat with the same command
> it does not ask us for a password...in some minutes at least)
>
> So there could be 2 possible solutions we don't know how to implement.
> 1) A way to send the password to the dialog, the command echo "myPassword" |
> gpg2.exe --decrypt file.gpg > result.txt was supposed to work, we find it in
> a forum, but it does not work.
> 2) Can we change the time it ask again for the password? Where? How?
> If we can set it to, for example 1 year, then we can run the command, type the
> password in the dialog box and use the same command in a daily task and
> it'll work until next year...
>
>
> Has anybody an answer for 1) or 2)? Any of them will solve the problem...
>
> Regards.

--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

From gabi at idieikon.com Thu Oct 18 08:34:13 2012
From: gabi at idieikon.com (Gabi)
Date: Thu, 18 Oct 2012 08:34:13 +0200
Subject: Problem trying to automate decrypt option
In-Reply-To:
References: <0b8a01cdac66$e3fe54f0$abfafed0$@com>
Message-ID: <0bd501cdacfa$96e9f950$c4bdebf0$@com>

Thanks but both of them does not work, the dialog is ever shown, using gpg2.exe or gpg.exe.

If I write gpg2.exe --help (or gpg.exe --help) the command or option --passphrase is not shown anywhere.

I'm using windows version. Is that a feature not available in windows version?

(And yes storing in a task is a bad idea, is not the final solution, but only a way to automate a process we'll do in another way but meanwhile...)

Regards.

-----Original message-----
From: David Tomaschik [mailto:david at systemoverlord.com]
Sent: Thursday, 18 October 2012 1:33
To: Gabi
CC: gnupg-users at gnupg.org
Subject: Re: Problem trying to automate decrypt option

Have you tried --passphrase "myPassword" or --passphrase-fd 0 (with the pipe)?

(Standard statement about how storing the passphrase in a scheduled task is a bad idea, etc.)
David On Wed, Oct 17, 2012 at 5:56 AM, Gabi wrote: > We want to automate the decrypt process in some file with a task in the > operating system (Windows 7 64) > > What we want to do is from command line is: gpg2.exe --decrypt file.gpg > > result.txt Of course it works ok, but launch pinentry.exe, a dialog box to > ask for the password of the certificate. > > So we use a pipeline to send the password to gpg2 like this: > > echo "myPassword" | gpg2.exe --decrypt file.gpg > result.txt > > But this does not work. > > > One possible workaround is that once we have put the password in the > pinentry.exe dialog, we can decrypt again WITHOUT using the password and > after some time (some minutes) gpg2.exe ask us for a password again.(For > example after writing password if we run the same bat with the same command > it does not ask us for a password...in some minutes at least) > > So there could be 2 possible solutions we don't know how to implement. > 1) A way to send the password to the dialog, the command echo "myPassword" | > gpg2.exe --decrypt file.gpg > result.txt was supposed to work, we find it in > a forum, but it does not work. > 2) Can we change the time it ask again for the password? Where? How? If we > can set it to, for example 1 year, the we can run the command, type the > password in the dialog box and use the same command in a daily task and > it'll work until next year... > > > Has anybody an answer for 1) or 2)? Any of them will solve the problem... > > Regards. 
>
>
>

--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

From wk at gnupg.org Thu Oct 18 10:38:43 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 18 Oct 2012 10:38:43 +0200
Subject: Problem trying to automate decrypt option
In-Reply-To: <0bd501cdacfa$96e9f950$c4bdebf0$@com> (gabi@idieikon.com's message of "Thu, 18 Oct 2012 08:34:13 +0200")
References: <0b8a01cdac66$e3fe54f0$abfafed0$@com> <0bd501cdacfa$96e9f950$c4bdebf0$@com>
Message-ID: <876268may4.fsf@vigenere.g10code.de>

On Thu, 18 Oct 2012 08:34, gabi at idieikon.com said:

> If I write gpg2.exe --help (or gpg.exe --help) the command or option
> --passphrase is not shown anywhere.

Note that --help does not show all options. See the man page for a complete list.

> I'm using windows version. Is that a feature not available in windows
> version?

It is the same on all platforms. What you need to use is the command gpg-preset-passphrase to tell the gpg-agent the passphrase in advance.

  gpg-preset-passphrase [options] [command] keygrip

The gpg-preset-passphrase is a utility to seed the internal cache of a running gpg-agent with passphrases. It is mainly useful for unattended machines, where the usual pinentry tool may not be used and the passphrases for the to be used keys are given at machine startup.

Passphrases set with this utility don't expire unless the --forget option is used to explicitly clear them from the cache --- or gpg-agent is either restarted or reloaded (by sending a SIGHUP to it). It is necessary to allow this passphrase presetting by starting gpg-agent with the --allow-preset-passphrase.
gpg-preset-passphrase is invoked this way:

  gpg-preset-passphrase [options] [command] keygrip

keygrip is a 40 character string of hexadecimal characters identifying the key for which the passphrase should be set or cleared. This keygrip is listed along with the key when running the command: gpgsm --dump-secret-keys. One of the following command options must be given: [...]

For use with gpg you can use

  gpg2 --with-keygrip -K

to view the keygrip.

Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Oct 18 10:43:15 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 18 Oct 2012 10:43:15 +0200
Subject: FTP server is down...
In-Reply-To: (Fernando Cassia's message of "Wed, 17 Oct 2012 19:37:27 -0300")
References:
Message-ID: <871ugwmaqk.fsf@vigenere.g10code.de>

On Thu, 18 Oct 2012 00:37, fcassia at gmail.com said:

> I've been trying to get the win32 port of the sha1sum util from
> ftp://ftp.gnupg.org/gcrypt/binary/
> but it looks like the server, as of this writing, is down. :-(

To me the server works:

$ lftp ftp.gnupg.org
lftp ftp.gnupg.org:~> ls
total 0
lrwxrwxrwx 1 0 0 6 Dec 11 2007 GnuPG -> gcrypt
-rw-r--r-- 1 0 0 453 Dec 11 2007 README
drwxr-sr-x 6 1000 703 4096 Apr 20 2001 fruis
drwxrwsr-x 27 1000 1000 4096 May 4 11:36 gcrypt
drwxrwsr-x 7 1001 704 4096 May 27 2007 mutt
drwxr-xr-x 6 0 0 4096 Jan 10 2005 people
lftp ftp.gnupg.org:/> cd gcrypt
lftp ftp.gnupg.org:/gcrypt> cd binary
cd ok, cwd=/gcrypt/binary
lftp ftp.gnupg.org:/gcrypt/binary> ls sha1s*
total 0
-rw-r--r-- 1 1000 1000 9458 Dec 9 2004 sha1sum.c
-rw-r--r-- 1 1000 1000 72 Dec 9 2004 sha1sum.c.sig
-rwxr-xr-x 1 1000 1000 19968 Dec 9 2004 sha1sum.exe
-rw-r--r-- 1 1000 1000 158 Nov 28 2006 sha1sum.exe.sig
-rw-r--r-- 1 1000 1000 72 Nov 28 2006 sha1sum.exe.sig.old

and the log shows that it didn't crash in the last months. Your problem is likely due to a misconfigured firewall. You may want to try one of the FTP mirrors, which also provide HTTP access.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From gabi at idieikon.com Thu Oct 18 11:35:30 2012
From: gabi at idieikon.com (Gabi)
Date: Thu, 18 Oct 2012 11:35:30 +0200
Subject: Problem trying to automate decrypt option
In-Reply-To: <876268may4.fsf@vigenere.g10code.de>
References: <0b8a01cdac66$e3fe54f0$abfafed0$@com> <0bd501cdacfa$96e9f950$c4bdebf0$@com> <876268may4.fsf@vigenere.g10code.de>
Message-ID: <0c0001cdad13$ea355500$be9fff00$@com>

Thanks, we find the solution with help of a user (Lee Elcocks), the problem was to write a space between password and pipe.

Echo "mypasswd"| gpg.exe ......

use it without space between "mypasswd" and |

Thanks for your effort, Werner, we're using the first one (only had to remove empty space on the .bat) but your solution seems ok too.

Regards.
Gabi.

-----Original message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Thursday, 18 October 2012 10:39
To: Gabi
CC: 'David Tomaschik'; gnupg-users at gnupg.org
Subject: Re: Problem trying to automate decrypt option

On Thu, 18 Oct 2012 08:34, gabi at idieikon.com said:

> If I write gpg2.exe --help (or gpg.exe --help) the command or option
> --passphrase is not shown anywhere.

Note that --help does not show all options. See the man page for a complete list.

> I'm using windows version. Is that a feature not available in windows
> version?

It is the same on all platforms. What you need to use is the command gpg-preset-passphrase to tell the gpg-agent the passphrase in advance.

  gpg-preset-passphrase [options] [command] keygrip

The gpg-preset-passphrase is a utility to seed the internal cache of a running gpg-agent with passphrases. It is mainly useful for unattended machines, where the usual pinentry tool may not be used and the passphrases for the to be used keys are given at machine startup.
Passphrases set with this utility don't expire unless the --forget option is used to explicitly clear them from the cache --- or gpg-agent is either restarted or reloaded (by sending a SIGHUP to it). It is necessary to allow this passphrase presetting by starting gpg-agent with the --allow-preset-passphrase.

gpg-preset-passphrase is invoked this way:

  gpg-preset-passphrase [options] [command] keygrip

keygrip is a 40 character string of hexadecimal characters identifying the key for which the passphrase should be set or cleared. This keygrip is listed along with the key when running the command: gpgsm --dump-secret-keys. One of the following command options must be given: [...]

For use with gpg you can use

  gpg2 --with-keygrip -K

to view the keygrip.

Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Oct 19 18:27:49 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Oct 2012 18:27:49 +0200
Subject: Test failure
In-Reply-To: <506EA9ED.2080008@gmail.com> (Collin Kleine's message of "Fri, 05 Oct 2012 10:35:41 +0100")
References: <506CB668.1050804@gmail.com> <506EA9ED.2080008@gmail.com>
Message-ID: <87r4oujuka.fsf@vigenere.g10code.de>

On Fri, 5 Oct 2012 11:35, collin.kleine at gmail.com said:

> Contents of gnupg-2.0.9/tests/openpgp/sigs.test.log:

GnuPG 2.0.9 is pretty old. It even does not print the used libgcrypt version with --version. I assume that you use a quite recent Libgcrypt which fixes a bug, that in turn exhibits a bug in GnuPG. Update to at least 2.0.18:

  Noteworthy changes in version 2.0.18 (2011-08-04)
  -------------------------------------------------

   * Bug fix for newer versions of Libgcrypt.

or better to the latest version; which is 2.0.19.

Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From wk at gnupg.org Fri Oct 19 18:33:35 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Oct 2012 18:33:35 +0200
Subject: [gnupg-users] Decrypting file encrypted for multiple recipients using a given ID in batch mode
In-Reply-To: ("Jaime Fernández"'s message of "Sun, 7 Oct 2012 02:34:41 +0200")
References:
Message-ID: <87mwzijuao.fsf@vigenere.g10code.de>

On Sun, 7 Oct 2012 02:34, jaimefdez86 at gmail.com said:

> If I type a password gpg will try it with all the possible recipients but
> this is not the behaviour that I want, is there any way to force a user?

FWIW: GnuPG 2.1.0-beta provides the option --try-secret-key to make things easier with hidden recipients.

Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Oct 19 18:39:02 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Oct 2012 18:39:02 +0200
Subject: [gnupg-users] Change key password in batch mode
In-Reply-To: ("Jaime Fernández"'s message of "Mon, 8 Oct 2012 13:13:11 +0200")
References:
Message-ID: <87ipa6ju1l.fsf@vigenere.g10code.de>

On Mon, 8 Oct 2012 13:13, jaimefdez86 at gmail.com said:

> $ gpg --batch --passphrase-fd 0 --status-fd 2 --command-fd 0 --edit-key user

What's wrong with

  gpg2 --passwd USER

?

> But gpg never gives me the chance to write the new password. I saw other
> similar post

Do not use --passphrase-fd along with --command-fd.

Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From please.post at publicly.invalid Fri Oct 19 23:53:30 2012
From: please.post at publicly.invalid (Andreas Mattheiss)
Date: Fri, 19 Oct 2012 23:53:30 +0200
Subject: Information on a gpg encrypted file
Message-ID:

Hello,

I wonder if there is a utility that, when fed a gpg-encrypted-message, will tell me which key is needed, which compression/cipher/hash was used.

Regards
Andreas
--
RIMMER: Lister, we'd be fools not to listen to him. When is he ever wrong?
Alright, he may have a head shaped like an inexplicably popular fishing float but he does operate from a position of total logic and we'd be fools to ignore his sage counsel.
KRYTEN: At least let me and Mister Rimmer go in your place. We are after all merely electronic life forms and therefore expendable.
RIMMER: And what the smeg would you know, bog-bot from hell?

From wk at gnupg.org Sat Oct 20 00:18:40 2012
From: wk at gnupg.org (Werner Koch)
Date: Sat, 20 Oct 2012 00:18:40 +0200
Subject: Information on a gpg encrypted file
In-Reply-To: (Andreas Mattheiss's message of "Fri, 19 Oct 2012 23:53:30 +0200")
References:
Message-ID: <87pq4egl6n.fsf@vigenere.g10code.de>

On Fri, 19 Oct 2012 23:53, please.post at publicly.invalid said:

> I wonder if there is a utility that, when fed a gpg-encrypted-message,
> will tell me which key is needed, which compression/cipher/hash was used.

  gpg FILE

Tells you the keys to which FILE is encrypted. For an encrypted message the other information are only available after decryption.

Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From please.post at publicly.invalid Sat Oct 20 00:57:36 2012
From: please.post at publicly.invalid (Andreas Mattheiss)
Date: Sat, 20 Oct 2012 00:57:36 +0200
Subject: Information on a gpg encrypted file
References: <87pq4egl6n.fsf@vigenere.g10code.de>
Message-ID:

Thanks for the reply.

On Sat, 20 Oct 2012 00:18:40 +0200, Werner Koch wrote:

> For an encrypted message
> the other information are only available after decryption.
>

I see. Looks like this basic "handling info" is also encrypted with the unsymmetric key. In fact it needs gpg -vvv to elicit this information:

...
gpg: TWOFISH encrypted data
:compressed packet: algo=3
...

Reason for asking was because I played around a bit with the compression/cipher preferences in my public key and wanted to see if it actually uses say TWOFISH if I put it to the top of the queue of acceptable ciphers. It does.
Thanks, regards

Andreas

--
LISTER: But we don't loot space corp derelicts. We just hack our way in and swipe what we *need*.
RIMMER: If this goes to trial, I demand separate lawyers.

From wk at gnupg.org Sat Oct 20 06:09:23 2012
From: wk at gnupg.org (Werner Koch)
Date: Sat, 20 Oct 2012 06:09:23 +0200
Subject: Information on a gpg encrypted file
In-Reply-To: (Andreas Mattheiss's message of "Sat, 20 Oct 2012 00:57:36 +0200")
References: <87pq4egl6n.fsf@vigenere.g10code.de>
Message-ID: <87d30dhjik.fsf@vigenere.g10code.de>

On Sat, 20 Oct 2012 00:57, please.post at publicly.invalid said:

> In fact it needs gpg -vvv to elicit this information:

Use "--status-fd 1" to get that information:

    DECRYPTION_INFO
        Print information about the symmetric encryption algorithm and
        the MDC method. This will be emitted even if the decryption
        fails.

Example:

    [GNUPG:] BEGIN_DECRYPTION
    [GNUPG:] DECRYPTION_INFO 2 7

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From freischlad at gmx.net Tue Oct 23 17:22:54 2012
From: freischlad at gmx.net (Michael Freischlad)
Date: Tue, 23 Oct 2012 17:22:54 +0200
Subject: Problem with x.509 certificate and OpenPGP Card
Message-ID: <5086B64E.2080203@gmx.net>

Dear all,

I've got an OpenPGP Card 2.0 and would like to use it with Thunderbird
for signing and encrypting mails via s/mime. I'm running latest version
of gpg2 (2.0.19) on a Windows 7 machine.

What I did so far:

1) Set up of OpenPGP Card with gpg2 (changed name, generated keys). No Problems so far, Card works fine.
2) Generated Certification Request with gpgsm. Also worked fine.
3) signed request with a new generated own rootCA in xca
4) Transfer of certificate to the card with gpg2 --card-edit (writecert 3 < cert.crt). Still everything worked good.

I now thought it'll be everything to do. So I terminated gpg-agent.exe
in task manager and started Thunderbird (already with PKCS#11 configured).
Right after opening the certificates dialog my Smart Card PIN is
requested by the PKCS#11 driver. But there is no x.509 certificate shown.

I tried to import the certificates (root and signed certificate) with
gpgsm --import but with no effect. Also reboots, card reader
disconnection, restart of thunderbird in every possible combination did
not work.

What am I doing wrong?

Thanks and regards,
Michael

From wk at gnupg.org Tue Oct 23 19:15:24 2012
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Oct 2012 19:15:24 +0200
Subject: Problem with x.509 certificate and OpenPGP Card
In-Reply-To: <5086B64E.2080203@gmx.net> (Michael Freischlad's message of "Tue, 23 Oct 2012 17:22:54 +0200")
References: <5086B64E.2080203@gmx.net>
Message-ID: <877gqhds9f.fsf@vigenere.g10code.de>

On Tue, 23 Oct 2012 17:22, freischlad at gmx.net said:

> What am I doing wrong?

You need to use Scute. It takes care of presenting all required
information to Mozilla. That mainly means that it uses the key on the
card to look up the certificate in the GnuPG keybox (via gpgsm). The
card does not store the certificate.

We have tested Scute only with Firefox and thus you may have
problems if you use it for mail. Should be easy to fix, though.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From rjh at sixdemonbag.org Wed Oct 24 09:27:28 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 24 Oct 2012 03:27:28 -0400
Subject: FAQ update
Message-ID: <50879860.9010009@sixdemonbag.org>

The FAQ that was mentioned earlier this year is still being worked
on/revised. Werner requested that we shift to using org-mode
formatting, so I took the XML markup and wrote a small script to convert
it to org-mode.

There is a GitHub repo set up for the FAQ at:

http://github.com/rjhansen/gpgfaq

There is also a preview version of the HTMLified output at:

http://sixdemonbag.org/gnupgfaq.html

Remember, this is not an official FAQ, and it's also a work in progress.
Any and all constructive criticism will be warmly received.

From Freischlad at gmx.net Wed Oct 24 09:39:29 2012
From: Freischlad at gmx.net (Michael Freischlad)
Date: Wed, 24 Oct 2012 09:39:29 +0200
Subject: Problem with x.509 certificate and OpenPGP Card
Message-ID: <20121024073929.241210@gmx.net>

Werner,

thank you for your quick response.

> card to look up the certificate in the GnuPG keybox (via gpgsm). The
> card does not store the certificate.

Because of the Specifications on http://g10code.com/p-card.html ("Data
object to store a X.509 certificate") I thought it would be possible.

As far as I understand the card is capable of storing a complete
certificate (sec key and pub key). But this certificate is not supposed
to be used with the on card generated key(s). Am I right?

So it should be possible to transfer an off card generated key that might
be used without scute? But then the key is extractable from the card if
one knows the PIN!?

> We have tested Scute only with Firefox and thus you may have
> problems if you use it for mail. Should be easy to fix, though.

I'll try out and report asap.

Thanks and regards,
Michael

From incognit0 at mixnym.net Tue Oct 23 18:41:25 2012
From: incognit0 at mixnym.net (incognit0 at mixnym.net)
Date: Tue, 23 Oct 2012 16:41:25 -0000
Subject: batch erroring with renaming - Permission denied
Message-ID:

I am executing a --batch file and am getting the below error messages.

Contents of bat file:

C:\gnupg\gpg.exe --batch --homedir c:\gnupg\ --yes --no-default-keyring --keyring c:\gnupg\pubring.gpg --delete-key "the-key-name"

Error messages:

gpg: renaming `c:\gnupg\pubring.gpg' to `c:\gnupg\pubring.bak' failed: Permission denied
gpg: deleting keyblock failed: file rename error
gpg: the-key-name: delete key failed: file rename error

How do I give gpg the permission to rename the pubring.gpg to
pubring.bak? It is not write protected.
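Added example (not code from the list or from GnuPG): a Python parser for the --status-fd output that Werner Koch points to in the "Information on a gpg encrypted file" thread above, reporting recipients and cipher and flagging a message that carries no MDC. The field order of ENC_TO and DECRYPTION_INFO is taken from GnuPG's doc/DETAILS, the algorithm numbers from RFC 4880, and the status lines and key IDs are constructed samples.

```python
"""Summarise GnuPG --status-fd output (added example; sample data is constructed)."""

PREFIX = "[GNUPG:] "
HIDDEN_KEYID = "0" * 16  # key ID gpg reports for a hidden (anonymous) recipient

# OpenPGP algorithm numbers (RFC 4880 section 9; Camellia from RFC 5581).
SYM_ALGOS = {0: "PLAINTEXT", 1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH",
             11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELGAMAL-E", 17: "DSA"}

# Constructed sample: one named and one hidden recipient, AES128 with MDC.
SAMPLE_STATUS = """\
[GNUPG:] ENC_TO 1122334455667788 1 0
[GNUPG:] ENC_TO 0000000000000000 16 0
gpg: anonymous recipient; trying secret key ...
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 7
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Constructed sample: Twofish without an MDC (mdc_method 0).
LEGACY_STATUS = """\
[GNUPG:] ENC_TO 8877665544332211 16 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 10
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""


def _to_int(text):
    """Return int(text), or None when the field is not a decimal number."""
    try:
        return int(text)
    except ValueError:
        return None


def parse_status(text):
    """Collect recipients, cipher and integrity information from status lines."""
    info = {"recipients": [], "cipher": None, "mdc_method": None,
            "aead_algo": 0, "decrypted": False, "warnings": []}
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue  # with --status-fd 1 ordinary output is interleaved
        fields = raw[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "ENC_TO" and len(args) >= 2:
            keyid = args[0].upper()
            algo = PUBKEY_ALGOS.get(_to_int(args[1]), "algo " + args[1])
            info["recipients"].append((keyid, algo, keyid == HIDDEN_KEYID))
        elif keyword == "DECRYPTION_INFO" and len(args) >= 2:
            info["mdc_method"] = _to_int(args[0])
            info["cipher"] = SYM_ALGOS.get(_to_int(args[1]), "algo " + args[1])
            if len(args) >= 3:  # newer GnuPG appends an AEAD algorithm field
                info["aead_algo"] = _to_int(args[2]) or 0
        elif keyword == "DECRYPTION_OKAY":
            info["decrypted"] = True
        elif keyword in ("DECRYPTION_FAILED", "BADMDC"):
            info["decrypted"] = False
            info["warnings"].append(keyword)
    # mdc_method 0 and no AEAD means nothing protects the ciphertext integrity.
    if info["cipher"] and not info["mdc_method"] and not info["aead_algo"]:
        info["warnings"].append("NO_INTEGRITY_PROTECTION")
    return info


def check_cipher(info, expected):
    """True only if decryption succeeded without warnings using `expected`."""
    return (info["decrypted"] and not info["warnings"]
            and info["cipher"] == expected.upper())


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_STATUS), ("legacy", LEGACY_STATUS)):
        result = parse_status(sample)
        print(name, result["cipher"], result["recipients"], result["warnings"])
```
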
From jaimefdez86 at gmail.com Wed Oct 24 11:33:09 2012
From: jaimefdez86 at gmail.com (Jaime Fernández)
Date: Wed, 24 Oct 2012 11:33:09 +0200
Subject: [gnupg-users] Decrypting file encrypted for multiple recipients using a given ID in batch mode
In-Reply-To: <87mwzijuao.fsf@vigenere.g10code.de>
References: <87mwzijuao.fsf@vigenere.g10code.de>
Message-ID:

Thanks, I will take this on mind.

2012/10/19 Werner Koch

> On Sun, 7 Oct 2012 02:34, jaimefdez86 at gmail.com said:
>
> > If I type a password gpg will try it with all the possible recipients but
> > this is not the behaviour that I want, is there any way to force a user?
>
> FWIW: GnuPG 2.1.0-beta provides the option --try-secret-key to make
> things easier with hidden recipients.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>

From jaimefdez86 at gmail.com Wed Oct 24 11:29:46 2012
From: jaimefdez86 at gmail.com (Jaime Fernández)
Date: Wed, 24 Oct 2012 11:29:46 +0200
Subject: [gnupg-users] Change key password in batch mode
In-Reply-To: <87ipa6ju1l.fsf@vigenere.g10code.de>
References: <87ipa6ju1l.fsf@vigenere.g10code.de>
Message-ID:

2012/10/19 Werner Koch

> On Mon, 8 Oct 2012 13:13, jaimefdez86 at gmail.com said:
>
> > $ gpg --batch --passphrase-fd 0 --status-fd 2 --command-fd 0 --edit-key user
>
> What's wrong with
>
> gpg2 --passwd USER
>
> ?
>

But then I have to use pinentry, and I don't want to. I tried

gpg --passwd USER --batch --passphrase-fd 0

but I can only write the old-password, the command finished without
leave me type the new password. I think that passphrase-fd only read one
password at a time.

> > But gpg never gives me the chance to write the new password. I saw other
> > similar post
>
> Do not use --passphrase-fd along with --command-fd.
>
>

I had used these options together to change the expiration date, is it wrong?
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>

Thanks for your help

From wk at gnupg.org Wed Oct 24 14:59:42 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 24 Oct 2012 14:59:42 +0200
Subject: Problem with x.509 certificate and OpenPGP Card
In-Reply-To: <20121024073929.241210@gmx.net> (Michael Freischlad's message of "Wed, 24 Oct 2012 09:39:29 +0200")
References: <20121024073929.241210@gmx.net>
Message-ID: <873914do01.fsf@vigenere.g10code.de>

On Wed, 24 Oct 2012 09:39, Freischlad at gmx.net said:

> As far as I understand the card is capable of storing a complete certificate (sec key and pub key). But this certificate is not supposed to be used with the on card generated key(s). Am I right?

It is up to you how you use it. GnuPG does not make use of the field.

> So it should be possible to transfer an off card generated key that might be used without scute? But then the key is extractable from the card if one knows the PIN!?

It all depends on how you connect Thunderbird to the card. We support
the card only via the GnuPG stack. Scute works on top of this stack.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Oct 24 15:01:48 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 24 Oct 2012 15:01:48 +0200
Subject: batch erroring with renaming - Permission denied
In-Reply-To: (incognit0@mixnym.net's message of "Tue, 23 Oct 2012 16:41:25 -0000")
References:
Message-ID: <87y5iwc9c3.fsf@vigenere.g10code.de>

On Tue, 23 Oct 2012 18:41, incognit0 at mixnym.net said:

> gpg: renaming `c:\gnupg\pubring.gpg' to `c:\gnupg\pubring.bak' failed: Permission denied
> gpg: deleting keyblock failed: file rename error

It is possible that another process accesses pubring.gpg without doing
proper locking.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From ricul77 at gmail.com Wed Oct 24 15:41:31 2012
From: ricul77 at gmail.com (Richi Lists)
Date: Wed, 24 Oct 2012 15:41:31 +0200
Subject: SmartCard reader
Message-ID: <1351086091.8967.2.camel@onenc>

Hi,

how are the chances that I can use an Argolis (http://argolis.com/) usb
smart card reader with GPG? It shows up as /dev/ttyACM0

Rgds
Richard

From wk at gnupg.org Thu Oct 25 11:04:04 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Oct 2012 11:04:04 +0200
Subject: [gnupg-users] Change key password in batch mode
In-Reply-To: ("Jaime Fernández"'s message of "Wed, 24 Oct 2012 11:29:46 +0200")
References: <87ipa6ju1l.fsf@vigenere.g10code.de>
Message-ID: <87vcdyc48r.fsf@vigenere.g10code.de>

On Wed, 24 Oct 2012 11:29, jaimefdez86 at gmail.com said:

> But then I have to use pinentry, and I don't want to. I tried

You have to ;-). Search this list for pinentry wrapper to see how you
can work around it.

> me type the new password. I think that passphrase-fd only read one password
> at a time.

Right.

> I had used these options together to change the expiration date, is it
> wrong?

Yes. If you want to use GnuPG-1, have a look at GPGME, it makes this
relatively easy. You can find example code in GPA.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From jv at dodec.lt Sat Oct 27 05:40:53 2012
From: jv at dodec.lt (jv at dodec.lt)
Date: Sat, 27 Oct 2012 06:40:53 +0300
Subject: Limit of maximum password length
Message-ID: <508B57C5.2020803@dodec.lt>

Hi,

I'm not sure why, but there is a password length limit on 1.x version
(even in the latest release), not sure why ?

An example situation:

--gen-key <..set everything.. including any length password..>

For testing I got password which is longer than 1024 chars.
Now when trying to encrypt something I have to enter my password from secret key, so I put it into curses dialog window and afterwards I get this: pinentry-curses: Assuan processing failed: write error gpg-agent[25237]: command get_passphrase failed: Too much data for IPC layer gpg: problem with the agent: Too much data for IPC layer Can't edit this key: General error why ? So such long key is useless and impossible to change password, because current password is too long. Any solutions/workarounds? Thanks, From rjh at sixdemonbag.org Sat Oct 27 07:03:10 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 27 Oct 2012 01:03:10 -0400 Subject: Limit of maximum password length In-Reply-To: <508B57C5.2020803@dodec.lt> References: <508B57C5.2020803@dodec.lt> Message-ID: <508B6B0E.9000701@sixdemonbag.org> On 10/26/12 11:40 PM, jv at dodec.lt wrote: > I'm not sure why, but there is a password length limit on 1.x > version (even in the latest release), not sure why ? There are always limits. If you're on a system with 4Gb RAM, good luck putting in a passphrase longer than 4 billion characters. Admittedly, 1024 characters is much less than four billion, but the point gets made: there's always a limit somewhere, and the existence of a limit doesn't really mean very much. :) I suppose my question is, why do you think you need such a long passphrase? The passphrase is used to create a 128-bit symmetric key, so giving a passphrase of more than 128 bits of entropy gives you nothing. At a rather low estimate of 1.5 bits of entropy per glyph of English text, that means you only really need 85 characters to get the maximum entropy. "To stand divided light at ev'n and poise their eyes, / Or nourish, lik'ning spiritual, I have thou appear" -- to take two random lines of random poetry -- is 105 characters and at least 158 bits of entropy. Plenty enough for any purpose. 
:) From jv at dodec.lt Sat Oct 27 07:58:50 2012 From: jv at dodec.lt (jv at dodec.lt) Date: Sat, 27 Oct 2012 08:58:50 +0300 Subject: Limit of maximum password length In-Reply-To: <508B6B0E.9000701@sixdemonbag.org> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> Message-ID: <508B781A.2030400@dodec.lt> Hey Robert, thanks for quick reply! Well, I knew that there is a limit somewhere, but you know, having a passphrase longer than 1024 and not longer lets say than 2048 chars should not be a limit on 2012, don't you think so ? :) To answer to your question about why I need so long psw is simple, the paranoia :) By the way, you mentioned "105 characters and at least 158 bits of entropy", how do you control entropy when generating password ? And is it safe to use external entropy generator, say like rng tools ? Thanks, On 10/27/2012 8:03 AM, Robert J. Hansen wrote: > On 10/26/12 11:40 PM, jv at dodec.lt wrote: >> I'm not sure why, but there is a password length limit on 1.x >> version (even in the latest release), not sure why ? > There are always limits. If you're on a system with 4Gb RAM, good luck > putting in a passphrase longer than 4 billion characters. Admittedly, > 1024 characters is much less than four billion, but the point gets made: > there's always a limit somewhere, and the existence of a limit doesn't > really mean very much. :) > > I suppose my question is, why do you think you need such a long > passphrase? The passphrase is used to create a 128-bit symmetric key, > so giving a passphrase of more than 128 bits of entropy gives you > nothing. At a rather low estimate of 1.5 bits of entropy per glyph of > English text, that means you only really need 85 characters to get the > maximum entropy. > > "To stand divided light at ev'n and poise their eyes, / Or nourish, > lik'ning spiritual, I have thou appear" -- to take two random lines of > random poetry -- is 105 characters and at least 158 bits of entropy. 
> Plenty enough for any purpose. :) > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From rjh at sixdemonbag.org Sat Oct 27 08:54:09 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 27 Oct 2012 02:54:09 -0400 Subject: Limit of maximum password length In-Reply-To: <508B781A.2030400@dodec.lt> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> Message-ID: <508B8511.4000705@sixdemonbag.org> On 10/27/2012 1:58 AM, jv at dodec.lt wrote: > Well, I knew that there is a limit somewhere, but you know, having a > passphrase longer than 1024 and not longer lets say than 2048 chars > should not be a limit on 2012, don't you think so ? :) No, I don't. I think that using passphrases longer than about 80 characters shows you don't understand the problem. :) > To answer to your question about why I need so long psw is simple, the > paranoia :) A 1024-character passphrase is so long I doubt you could memorize it (unless you were to use the full text of some well-known poem, and in that case it would be a poor passphrase). That means you've got it on a file somewhere and enter it via cut-and-paste. That means instead of safeguarding just your private key, you now need to safeguard your private key, the file that contains your passphrase, and the OS calls that implement C&P functionality. This is a much, much weaker system than if you were to use a "normal" passphrase. Being too paranoid is just as bad, and maybe even worse, than not being paranoid enough. > By the way, you mentioned "105 characters and at least 158 bits of > entropy", how do you control entropy when generating password ? And is > it safe to use external entropy generator, say like rng tools ? You control the entropy by coming to an informed estimate of how much entropy is present per glyph of text. 
Claude Shannon and others did groundbreaking work in this field, and came up with numbers generally falling around 2 bits per glyph. Subtracting a bit to be on the side of safety gives us 1.5 bits per glyph. Alternately, you can do something like this: === rjh at flynn:~$ gpg --armor --gen-random 2 16 5FNsIpmx8UYa8lz/qWYEag== === That "5FNsIpmx..." is an example of a 128-bit passphrase. That's the gold standard for passphrases. I'm not going to comment on external entropy generators. I don't know your particular situation, and that means I can't tell you what makes sense for your particular needs. Telling you a 1024+-character passphrase doesn't make sense for your needs is one thing -- telling you what makes sense for your needs is something else altogether. From jv at dodec.lt Sat Oct 27 09:58:04 2012 From: jv at dodec.lt (jv at dodec.lt) Date: Sat, 27 Oct 2012 10:58:04 +0300 Subject: Limit of maximum password length In-Reply-To: <508B8511.4000705@sixdemonbag.org> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> Message-ID: <508B940C.3010600@dodec.lt> I thought that during new key generation event I have to utilize system, keyboard etc all the time, I see that I was wrong. Thanks for all answers, they are really helpful. On 10/27/2012 9:54 AM, Robert J. Hansen wrote: > On 10/27/2012 1:58 AM, jv at dodec.lt wrote: >> Well, I knew that there is a limit somewhere, but you know, having a >> passphrase longer than 1024 and not longer lets say than 2048 chars >> should not be a limit on 2012, don't you think so ? :) > No, I don't. I think that using passphrases longer than about 80 > characters shows you don't understand the problem. 
:) > >> To answer to your question about why I need so long psw is simple, the >> paranoia :) > A 1024-character passphrase is so long I doubt you could memorize it > (unless you were to use the full text of some well-known poem, and in > that case it would be a poor passphrase). That means you've got it on a > file somewhere and enter it via cut-and-paste. That means instead of > safeguarding just your private key, you now need to safeguard your > private key, the file that contains your passphrase, and the OS calls > that implement C&P functionality. This is a much, much weaker system > than if you were to use a "normal" passphrase. > > Being too paranoid is just as bad, and maybe even worse, than not being > paranoid enough. > >> By the way, you mentioned "105 characters and at least 158 bits of >> entropy", how do you control entropy when generating password ? And is >> it safe to use external entropy generator, say like rng tools ? > You control the entropy by coming to an informed estimate of how much > entropy is present per glyph of text. Claude Shannon and others did > groundbreaking work in this field, and came up with numbers generally > falling around 2 bits per glyph. Subtracting a bit to be on the side of > safety gives us 1.5 bits per glyph. > > Alternately, you can do something like this: > > === > rjh at flynn:~$ gpg --armor --gen-random 2 16 > 5FNsIpmx8UYa8lz/qWYEag== > === > > That "5FNsIpmx..." is an example of a 128-bit passphrase. That's the > gold standard for passphrases. > > I'm not going to comment on external entropy generators. I don't know > your particular situation, and that means I can't tell you what makes > sense for your particular needs. Telling you a 1024+-character > passphrase doesn't make sense for your needs is one thing -- telling you > what makes sense for your needs is something else altogether. > > > From rjh at sixdemonbag.org Sat Oct 27 10:28:10 2012 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Sat, 27 Oct 2012 04:28:10 -0400 Subject: Limit of maximum password length In-Reply-To: <508B940C.3010600@dodec.lt> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508B940C.3010600@dodec.lt> Message-ID: <508B9B1A.3000005@sixdemonbag.org> On 10/27/2012 3:58 AM, jv at dodec.lt wrote: > I thought that during new key generation event I have to utilize system, > keyboard etc all the time, I see that I was wrong. Depends a lot on your operating system. For most modern OSes it's not required at all -- I see that you're running on Windows, and there it's (generally) not required. There may some exotic systems somewhere that it is required, but I've never seen it be required for any desktop system. From jv at dodec.lt Sat Oct 27 21:12:43 2012 From: jv at dodec.lt (jv at dodec.lt) Date: Sat, 27 Oct 2012 22:12:43 +0300 Subject: Limit of maximum password length In-Reply-To: <508B9B1A.3000005@sixdemonbag.org> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508B940C.3010600@dodec.lt> <508B9B1A.3000005@sixdemonbag.org> Message-ID: <508C322B.10004@dodec.lt> Thanks Robert. One more thing, I want to revoke one my keys which has very long password, but the thing is that I cannot do that as ncurses does not accept long passwords. Is it somehow possible to bypass ncurses dialog window? If not, maybe you remember from which version gpg started to use curses windows as I remember several years ago it was not used. Thanks, On 10/27/2012 11:28 AM, Robert J. Hansen wrote: > On 10/27/2012 3:58 AM, jv at dodec.lt wrote: >> I thought that during new key generation event I have to utilize system, >> keyboard etc all the time, I see that I was wrong. > Depends a lot on your operating system. 
For most modern OSes it's not > required at all -- I see that you're running on Windows, and there it's > (generally) not required. There may some exotic systems somewhere that > it is required, but I've never seen it be required for any desktop system. > From rjh at sixdemonbag.org Sat Oct 27 21:17:47 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 27 Oct 2012 15:17:47 -0400 Subject: Limit of maximum password length In-Reply-To: <508C322B.10004@dodec.lt> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508B940C.3010600@dodec.lt> <508B9B1A.3000005@sixdemonbag.org> <508C322B.10004@dodec.lt> Message-ID: <508C335B.8030903@sixdemonbag.org> On 10/27/2012 3:12 PM, jv at dodec.lt wrote: > Is it somehow possible to bypass ncurses dialog window? You want to use GnuPG 1.4, which does not use gpg-agent for handling passphrases. From jv at dodec.lt Sat Oct 27 22:21:08 2012 From: jv at dodec.lt (jv at dodec.lt) Date: Sat, 27 Oct 2012 23:21:08 +0300 Subject: Limit of maximum password length In-Reply-To: <508C335B.8030903@sixdemonbag.org> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508B940C.3010600@dodec.lt> <508B9B1A.3000005@sixdemonbag.org> <508C322B.10004@dodec.lt> <508C335B.8030903@sixdemonbag.org> Message-ID: <508C4234.7060506@dodec.lt> Ok thanks, just found that compiling gpg without agent can be workaround as well. On 10/27/2012 10:17 PM, Robert J. Hansen wrote: > On 10/27/2012 3:12 PM, jv at dodec.lt wrote: >> Is it somehow possible to bypass ncurses dialog window? > You want to use GnuPG 1.4, which does not use gpg-agent for handling > passphrases. 
>

From John at enigmail.net Mon Oct 29 09:14:08 2012
From: John at enigmail.net (John Clizbe)
Date: Mon, 29 Oct 2012 03:14:08 -0500
Subject: Limit of maximum password length
In-Reply-To: <508C4234.7060506@dodec.lt>
References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508B940C.3010600@dodec.lt> <508B9B1A.3000005@sixdemonbag.org> <508C322B.10004@dodec.lt> <508C335B.8030903@sixdemonbag.org> <508C4234.7060506@dodec.lt>
Message-ID: <508E3AD0.9070301@enigmail.net>

jv at dodec.lt wrote:
> Ok thanks, just found that compiling gpg without agent can be workaround
> as well.
> On 10/27/2012 10:17 PM, Robert J. Hansen wrote:
>> On 10/27/2012 3:12 PM, jv at dodec.lt wrote:
>>> Is it somehow possible to bypass ncurses dialog window?
>> You want to use GnuPG 1.4, which does not use gpg-agent for handling
>> passphrases.

You may bypass the gpg-agent that way, but you still have to worry about
maximum lengths in whatever shell you're using on Windows (7).

Good luck.

--
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From auto48352680 at hushmail.com Mon Oct 29 19:05:56 2012
From: auto48352680 at hushmail.com (User)
Date: Mon, 29 Oct 2012 13:05:56 -0500
Subject: new release of GPA
In-Reply-To:
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de>
Message-ID:

On 10/10/2012 2:19 PM, John wrote:
> "Werner Koch" wrote in message
> news:87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org at vigenere.g10code.de...
>
> > On Tue, 9 Oct 2012 19:41, jw72253 at verizon.net said:
>> The latest beta version fails to work properly on my 64-bit Windows 7 OS.
>
> Is this the version from the latest gpg4win beta?
>
> I got it here: http://www.gpg4win.org/download.html
>
>
> it is Gpg4win 2.1.1 beta. In this package I selected the options for
> installing only GPA and 2.0.19.

You may want to take a look at GPGshell for an alternative. It works
well on WinXP - Win7, and it is 64-bit compatible. I'm using it without
any issues. From what I can see, it actually has more functionality too.
It's available here: http://www.jumaros.de/rsoft/

From rjh at sixdemonbag.org Mon Oct 29 19:34:37 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 29 Oct 2012 14:34:37 -0400
Subject: new release of GPA
In-Reply-To:
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de>
Message-ID: <508ECC3D.1040505@sixdemonbag.org>

On 10/29/2012 2:05 PM, User wrote:
> You may want to take a look at GPGshell for an alternative.

GPGshell is not Free Software, and for that reason it's not exactly
appropriate to recommend it on this list.
Whether we agree or disagree with the Free Software Foundation -- I personally disagree with them, and particularly RMS, an awful lot -- the fact remains that GnuPG is a GNU project, and we should respect their rules when we're participating on an official GNU mailing list. :) What about GPGshell do you find to be a clear win over GPA? How can the GPA maintainers make GPA competitive with GPGshell? From auto48352680 at hushmail.com Mon Oct 29 21:28:02 2012 From: auto48352680 at hushmail.com (User) Date: Mon, 29 Oct 2012 15:28:02 -0500 Subject: new release of GPA In-Reply-To: <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> Message-ID: On 10/29/2012 1:34 PM, Robert J. Hansen wrote: > On 10/29/2012 2:05 PM, User wrote: >> You may want to take a look at GPGshell for an alternative. > > GPGshell is not Free Software, and for that reason it's not exactly > appropriate to recommend it on this list. It is free and it says "Freeware" right on the page where the reference to downloading it was shown: > Whether we agree or disagree > with the Free Software Foundation -- I personally disagree with them, > and particularly RMS, an awful lot -- the fact remains that GnuPG is a > GNU project, and we should respect their rules when we're participating > on an official GNU mailing list. :) And there was no disrespect intended from what I can see. "The fact remains that..." the GnuPG product is apparently broken and the OP was looking for a GUI program. Not everyone wants to use a CLI. > What about GPGshell do you find to be a clear win over GPA? Well have you seen what all it can do? At least twice as many of the Gpg commands and options are accessible from the GUI, and how many enhancements to GPA have there been in the last few years? 
Seems like the GUI and the Windows port in particular exist out of deference at best. > How can the > GPA maintainers make GPA competitive with GPGshell? Listening to its users? From rjh at sixdemonbag.org Mon Oct 29 21:41:31 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 29 Oct 2012 16:41:31 -0400 Subject: new release of GPA In-Reply-To: References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> Message-ID: <508EE9FB.3020508@sixdemonbag.org> On 10/29/2012 04:28 PM, User wrote: > It is free and it says "Freeware" right on the page where the > reference to downloading it was shown: It is not Free Software. http://www.gnu.org/philosophy/free-sw.html "'Free software' means software that respects users' freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. ... 'free software' is a matter of liberty, not price. To understand the concept, you should think of 'free' as in 'free speech,' not as in 'free beer.'" GPGshell is free-as-in-beer software, but it is not free-as-in-speech software. Quoting from http://www.jumaros.de/rsoft/faq.html : "Do you publish your source-codes? No! But when you've got the source-code for Windows, you can ask me again." GPGshell does not make their source code available to their users. That means it cannot be considered Free Software under GNU's definition. And since this mailing list is associated with GNU, and GNU requests that people not recommend the use of nonfree software, I think it's only reasonable that we comply with their request. > And there was no disrespect intended from what I can see. "The fact > remains that..." the GnuPG product is apparently broken and the OP > was looking for a GUI program. Not everyone wants to use a CLI. "Broken" is pretty strong language. Not everyone wants a CLI, true. 
That doesn't mean GnuPG is broken: it means that GnuPG does not satisfy the needs of some users. > Well have you seen what all it can do? No, because I use the CLI. > At least twice as many of the Gpg commands and options are accessible > from the GUI, and how many enhancements to GPA have there been in the > last few years? Seems like the GUI and the Windows port in > particular exist out of deference at best. Could you perhaps make a list of, say, the top five features GPGshell supports that GPA doesn't? Things that you, yourself, use regularly, and which would make GPA better suited for you? I'm sure the GPA maintainers would be very interested in hearing it. From auto48352680 at hushmail.com Mon Oct 29 22:37:09 2012 From: auto48352680 at hushmail.com (User) Date: Mon, 29 Oct 2012 16:37:09 -0500 Subject: new release of GPA In-Reply-To: <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> Message-ID: On 10/29/2012 3:41 PM, Robert J. Hansen wrote: > On 10/29/2012 04:28 PM, User wrote: >> It is free and it says "Freeware" right on the page where the >> reference to downloading it was shown: > It is not Free Software. > > http://www.gnu.org/philosophy/free-sw.html > > "'Free software' means software that respects users' freedom and > community. Roughly, the users have the freedom to run, copy, > distribute, study, change and improve the software. ... 'free software' > is a matter of liberty, not price. To understand the concept, you > should think of 'free' as in 'free speech,' not as in 'free beer.'" > > GPGshell is free-as-in-beer software, but it is not free-as-in-speech > software. 
Quoting from http://www.jumaros.de/rsoft/faq.html : > > Just because "you" have decided to cherry pick your definition of the English word "free" does not make it more or less so. The word not only can be used to mean "unconstrained", such as you seem to want, but it can, and in fact more commonly does, also mean "obtainable without any payment". And you will find both these definitions in the online Free Dictionary here: https://en.wiktionary.org/wiki/free. Oh, and you should feel "free" to quote me on that if you like. The fact remains true nonetheless: it is free of charge for me, or you, to use. > > GPGshell does not make their source code available to their users. That > means it cannot be considered Free Software under GNU's definition. And > since this mailing list is associated with GNU, and GNU requests that > people not recommend the use of nonfree software, I think it's only > reasonable that we comply with their request. > >> And there was no disrespect intended from what I can see. "The fact >> remains that..." the GnuPG product is apparently broken and the OP >> was looking for a GUI program. Not everyone wants to use a CLI. > "Broken" is pretty strong language. > > Not everyone wants a CLI, true. That doesn't mean GnuPG is broken: it > means that GnuPG does not satisfy the needs of some users. Now you are making up stories because no one ever said that GnuPG CLI was broken, the whole discussion is about the GPA product, which is in fact broken. If you had bothered to read the OP, you should see that it is too: Message-ID: <000601cda645$65096080$2f1c2180$__5679.8464073383$1349808729$gmane$org at net> "The latest beta version fails to work properly on my 64-bit Windows 7 OS. Whenever I open the File Manager, either with tool or from the menu, the program stops working and closes with an error message saying "gpa.exe has stopped working." Working without this feature in GPA is rather restricted. 
" So, I checked it out and, indeed, upon trying to open the GPA File Manager, the program gives a message saying it has stopped working, and then it terminates. Or are you inclined to find another convenient definition to rationalize that this does not really mean it is broken? :) Sorry about that, Robert, but it is surely broken, and it even tells you so. > >> Well have you seen what all it can do? > No, because I use the CLI. > >> At least twice as many of the Gpg commands and options are accessible >> from the GUI, and how many enhancements to GPA have there been in the >> last few years? Seems like the GUI and the Windows port in >> particular exist out of deference at best. > Could you perhaps make a list of, say, the top five features GPGshell > supports that GPA doesn't? Things that you, yourself, use regularly, > and which would make GPA better suited for you? I'm sure the GPA > maintainers would be very interested in hearing it. I could yes, but perhaps you should look for yourself since you have never seen it, by your own admission. Anyway, how can you honestly continue to justify your position of respecting that this topic not be discussed when you yourself continue to respond with one reason after another in your defense? Your very actions are contrary to your purported opinion. From John at enigmail.net Mon Oct 29 22:40:07 2012 From: John at enigmail.net (John Clizbe) Date: Mon, 29 Oct 2012 16:40:07 -0500 Subject: new release of GPA In-Reply-To: <508ECC3D.1040505@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org> Message-ID: <508EF7B7.2050102@enigmail.net> Robert J. Hansen wrote: > On 10/29/2012 2:05 PM, User wrote: >> You may want to take a look at GPGshell for an alternative. > > GPGshell is not Free Software, and for that reason it's not exactly > appropriate to recommend it on this list. 
Whether we agree or disagree > with the Free Software Foundation -- I personally disagree with them, > and particularly RMS, an awful lot -- the fact remains that GnuPG is a > GNU project, and we should respect their rules when we're participating > on an official GNU mailing list. :) > > What about GPGshell do you find to be a clear win over GPA? How can the > GPA maintainers make GPA competitive with GPGshell? OTOH, WinPT _IS_ Free in the RMS-sense. Its feature set is much closer to that of GPGshell. http://winpt.wald.intevation.org/ -- John P. Clizbe Inet: John (a) Gingerbear DAWT net SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From dougb at dougbarton.us Mon Oct 29 22:43:29 2012 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 29 Oct 2012 14:43:29 -0700 Subject: new release of GPA In-Reply-To: References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> Message-ID: <508EF881.2000701@dougbarton.us> On 10/29/2012 02:37 PM, User wrote: > Just because "you" have decided to cherry pick your definition of the > English word "free" does not make it more or less so. It isn't Robert who is picking the definition, it's the FSF. Arguing about the definition here isn't going to do anyone any good, since the policy does not originate here. Please respect the policy of the list (which I personally disagree with, FWIW).
Meanwhile, Robert has also suggested some useful avenues where you could direct your efforts. Please do that, instead of picking fights on topics that either cannot be changed, or are not productive. Doug From rjh at sixdemonbag.org Mon Oct 29 22:50:14 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 29 Oct 2012 17:50:14 -0400 Subject: new release of GPA In-Reply-To: References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> Message-ID: <508EFA16.8080304@sixdemonbag.org> On 10/29/2012 5:37 PM, User wrote: > Just because "you" have decided to cherry pick your definition of the > English word "free" does not make it more or less so. The word not only > can be used to mean "unconstrained", such as you seem to want, but it > can, and in fact more commonly does, also mean "obtainable without any > payment". And you will find both these definitions in the online Free > Dictionary here: https://en.wiktionary.org/wiki/free. Oh, and you > should feel "free" to quote me on that if you like. Believe it or not, I do not agree with the Free Software Foundation. (I've said this before: perhaps you didn't see it.) That does not change the fact that on a mailing list run by an FSF project, I believe it is only reasonable to comply with their request that non-free software, in the FSF sense of 'free software', not be recommended. >>> And there was no disrespect intended from what I can see. "The fact >>> remains that..." the GnuPG product is apparently broken and the OP >>> was looking for a GUI program. Not everyone wants to use a CLI. >> "Broken" is pretty strong language. >> >> Not everyone wants a CLI, true. That doesn't mean GnuPG is broken: it >> means that GnuPG does not satisfy the needs of some users. 
> > Now you are making up stories because no one ever said that GnuPG CLI > was broken... Read your own words, please. You're the one who said the GnuPG product, not the GPA product. > I could yes, but perhaps you should look for yourself since you have > never seen it, by your own admission. Anyway, how can you honestly > continue to justify your position of respecting that this topic not be > discussed when you yourself continue to respond with one reason after > another in your defense? Your very actions are contrary to your > purported opinion. I never said GPGshell shouldn't be *discussed*. I said that the Free Software Foundation would much rather that non-free software was not *recommended* on FSF-related mailing lists. From auto48352680 at hushmail.com Mon Oct 29 23:31:42 2012 From: auto48352680 at hushmail.com (User) Date: Mon, 29 Oct 2012 17:31:42 -0500 Subject: new release of GPA In-Reply-To: <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> Message-ID: On 10/29/2012 4:50 PM, Robert J. Hansen wrote: > On 10/29/2012 5:37 PM, User wrote: >> Just because "you" have decided to cherry pick your definition of the >> English word "free" does not make it more or less so. The word not only >> can be used to mean "unconstrained", such as you seem to want, but it >> can, and in fact more commonly does, also mean "obtainable without any >> payment". And you will find both these definitions in the online Free >> Dictionary here: https://en.wiktionary.org/wiki/free. Oh, and you >> should feel "free" to quote me on that if you like. > > Believe it or not, I do not agree with the Free Software Foundation. 
> (I've said this before: perhaps you didn't see it.) That does not > change the fact that on a mailing list run by an FSF project, I believe > it is only reasonable to comply with their request that non-free > software, in the FSF sense of 'free software', not be recommended. > >>>> And there was no disrespect intended from what I can see. "The fact >>>> remains that..." the GnuPG product is apparently broken and the OP >>>> was looking for a GUI program. Not everyone wants to use a CLI. >>> "Broken" is pretty strong language. >>> >>> Not everyone wants a CLI, true. That doesn't mean GnuPG is broken: it >>> means that GnuPG does not satisfy the needs of some users. >> >> Now you are making up stories because no one ever said that GnuPG CLI >> was broken... > > Read your own words, please. You're the one who said the GnuPG product, > not the GPA product. > >> I could yes, but perhaps you should look for yourself since you have >> never seen it, by your own admission. Anyway, how can you honestly >> continue to justify your position of respecting that this topic not be >> discussed when you yourself continue to respond with one reason after >> another in your defense? Your very actions are contrary to your >> purported opinion. > > I never said GPGshell shouldn't be *discussed*. I said that the Free > Software Foundation would much rather that non-free software was not > *recommended* on FSF-related mailing lists. > You are obviously a troll, and not a very good one at that. Good riddance. 
From auto48352680 at hushmail.com Mon Oct 29 23:37:53 2012 From: auto48352680 at hushmail.com (User) Date: Mon, 29 Oct 2012 17:37:53 -0500 Subject: new release of GPA In-Reply-To: <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> Message-ID: On 10/29/2012 4:50 PM, Robert J. Hansen wrote: > On 10/29/2012 5:37 PM, User wrote: >> Just because "you" have decided to cherry pick your definition of the >> English word "free" does not make it more or less so. The word not only >> can be used to mean "unconstrained", such as you seem to want, but it >> can, and in fact more commonly does, also mean "obtainable without any >> payment". And you will find both these definitions in the online Free >> Dictionary here: https://en.wiktionary.org/wiki/free. Oh, and you >> should feel "free" to quote me on that if you like. > > Believe it or not, I do not agree with the Free Software Foundation. > (I've said this before: perhaps you didn't see it.) That does not > change the fact that on a mailing list run by an FSF project, I believe > it is only reasonable to comply with their request that non-free > software, in the FSF sense of 'free software', not be recommended. > >>>> And there was no disrespect intended from what I can see. "The fact >>>> remains that..." the GnuPG product is apparently broken and the OP >>>> was looking for a GUI program. Not everyone wants to use a CLI. >>> "Broken" is pretty strong language. >>> >>> Not everyone wants a CLI, true. That doesn't mean GnuPG is broken: it >>> means that GnuPG does not satisfy the needs of some users. 
>> >> Now you are making up stories because no one ever said that GnuPG CLI >> was broken... > > Read your own words, please. You're the one who said the GnuPG product, > not the GPA product. > >> I could yes, but perhaps you should look for yourself since you have >> never seen it, by your own admission. Anyway, how can you honestly >> continue to justify your position of respecting that this topic not be >> discussed when you yourself continue to respond with one reason after >> another in your defense? Your very actions are contrary to your >> purported opinion. > > I never said GPGshell shouldn't be *discussed*. I said that the Free > Software Foundation would much rather that non-free software was not > *recommended* on FSF-related mailing lists. > As someone who appears not yet to have learned how to reply to someone else's post (all your responses were to your posts, not to the correct post), do you really expect someone would take you seriously when it comes to evaluating anything else? What a joke! :) You must live in la-la land, where all trolls like to linger. From auto48352680 at hushmail.com Tue Oct 30 00:11:56 2012 From: auto48352680 at hushmail.com (User) Date: Mon, 29 Oct 2012 18:11:56 -0500 Subject: new release of GPA In-Reply-To: <508EF881.2000701__31624.611587222$1351549867$gmane$org@dougbarton.us> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EF881.2000701__31624.611587222$1351549867$gmane$org@dougbarton.us> Message-ID: On 10/29/2012 4:43 PM, Doug Barton wrote: > On 10/29/2012 02:37 PM, User wrote: >> Just because "you" have decided to cherry pick your definition of the >> English word "free" does not make it more or less so. > > It isn't Robert who is picking the definition, it's the FSF.
Arguing > about the definition here isn't going to do anyone any good, since the > policy does not originate here. Please respect the policy of the list > (which I personally disagree with, FWIW). > > Meanwhile, Robert has also suggested some useful avenues where you could > direct your efforts. Please do that, instead of picking fights on topics > that either cannot be changed, or are not productive. > > Doug > He's a troll who couldn't find his way out of a wet paper bag. He brought this up, not me. Or is "Robert" one of your sock puppets? If you want to follow him down the "useful avenues" of la-la land, jump aboard. Me, I already know what the words "free" and "broken" mean. If you let someone confuse you about such a simple topic, what the hell business do you have looking at encryption software anyway? Your everyday terminology is already encrypted in your mind. :) From biggles.trenton at gmail.com Mon Oct 29 23:34:36 2012 From: biggles.trenton at gmail.com (Sin Trenton) Date: Mon, 29 Oct 2012 23:34:36 +0100 Subject: new release of GPA In-Reply-To: References: Message-ID: <508F047C.9010309@gmail.com> > Just because "you" have decided to cherry pick your definition of the > English word "free" does not make it more or less so. The word not only > can be used to mean "unconstrained", such as you seem to want, but it > can, and in fact more commonly does, also mean "obtainable without any > payment". And you will find both these definitions in the online Free > Dictionary here: https://en.wiktionary.org/wiki/free. Oh, and you > should feel "free" to quote me on that if you like. Well, "he" nor "we" was/were actually the first to use this definition, nor is it actually cherry picking; https://en.wikipedia.org/wiki/Gratis_versus_libre Apart from the two definitions, there is actually an old definition/discussion regarding precisely this, as you can see. :) Sin T. From cwal989 at comcast.net Tue Oct 30 00:13:40 2012 From: cwal989 at comcast.net (Christopher J. 
Walters) Date: Mon, 29 Oct 2012 19:13:40 -0400 Subject: new release of GPA In-Reply-To: References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> Message-ID: <508F0DA4.1010603@comcast.net> On 10/29/2012 06:31 PM, User wrote: > You are obviously a troll, and not a very good one at that. Good riddance. You just appear out of nowhere and try to start a flame war with a respected member of this community, and call him a "troll". Who here is using a hushmail address? Who here has flamed? Even though you are not interested in the FSF's definition of "free software", I will provide a link. http://www.gnu.org/philosophy/free-sw.html I will also state that I agree with Mr. Hansen on this issue, in that I don't necessarily agree with the policy, but this list is maintained by the Free Software Foundation, hence their rules apply. Chris --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 121029-1, 10/29/2012 Tested on: 10/29/2012 7:13:41 PM avast! - copyright (c) 1988-2012 AVAST Software. http://www.avast.com From cwal989 at comcast.net Tue Oct 30 01:00:39 2012 From: cwal989 at comcast.net (Christopher J. Walters) Date: Mon, 29 Oct 2012 20:00:39 -0400 Subject: Limit of maximum password length In-Reply-To: <508B8511.4000705@sixdemonbag.org> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> Message-ID: <508F18A7.2010104@comcast.net> On 10/27/2012 02:54 AM, Robert J. Hansen wrote: > No, I don't. I think that using passphrases longer than about 80 > characters shows you don't understand the problem. :) Yes, and only a savant could memorize even an 80 character passphrase. 
> A 1024-character passphrase is so long I doubt you could memorize it Well you could if you replaced your brain with a computer. ;) Though, then you'd have to protect your brain against hacking attacks, as well. > === > rjh at flynn:~$ gpg --armor --gen-random 2 16 > 5FNsIpmx8UYa8lz/qWYEag== > === > > That "5FNsIpmx..." is an example of a 128-bit passphrase. That's the > gold standard for passphrases. Good idea. It'll work on any system that will run GnuPG, and produce pretty secure passphrases. I still can't get over the 1024+ character passphrase. I could *never* remember something that long. Chris From rjh at sixdemonbag.org Tue Oct 30 02:02:57 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 29 Oct 2012 21:02:57 -0400 Subject: Limit of maximum password length In-Reply-To: <508F18A7.2010104@comcast.net> References: <508B57C5.2020803@dodec.lt> <508B6B0E.9000701@sixdemonbag.org> <508B781A.2030400@dodec.lt> <508B8511.4000705@sixdemonbag.org> <508F18A7.2010104@comcast.net> Message-ID: <508F2741.1070508@sixdemonbag.org> On 10/29/2012 8:00 PM, Christopher J. Walters wrote: > Good idea. It'll work on any system that will run GnuPG, and produce > pretty secure passphrases. Speaking only for myself, I find these passphrases to be at the upper limit of what I can reliably memorize, and I can only keep track of four or five. But then again, how many extremely high-security passphrases do any of us need?
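An added example, not part of any message in this thread: the entropy arithmetic behind the quoted `gpg --armor --gen-random 2 16` passphrase, written in Python. The alphabet sizes, the 128-bit key-size cap and every function name are assumptions made for illustration; `secrets` stands in for GnuPG's random generator.

```python
import base64
import math
import secrets

# Sample passphrase quoted in the thread (output of `gpg --armor --gen-random 2 16`).
PAGE_SAMPLE = "5FNsIpmx8UYa8lz/qWYEag=="


def sample_bits(armored=PAGE_SAMPLE):
    """Entropy of a base64 passphrase, assuming every decoded byte is uniformly random."""
    return 8 * len(base64.b64decode(armored, validate=True))


def random_passphrase(nbytes=16):
    """Same shape as the gpg command: nbytes from a CSPRNG, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def chars_needed(target_bits, alphabet_size):
    """Symbols needed to reach target_bits when each symbol is drawn uniformly."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(length, alphabet_size, key_bits=128):
    """Strength of a uniformly random passphrase, capped at key_bits.

    Assumption: the passphrase is hashed into a key_bits symmetric key, so an
    attacker can search the key space instead; extra length beyond the cap
    buys nothing.
    """
    return min(length * math.log2(alphabet_size), key_bits)


# Constructed alphabet sizes for comparison (assumptions, not from the thread).
ALPHABETS = {
    "lowercase letters": 26,
    "base64 characters": 64,
    "printable ASCII": 94,
    "Diceware words": 7776,
}


def report(target_bits=128):
    """(alphabet, symbols needed for target_bits) pairs, shortest first."""
    rows = [(name, chars_needed(target_bits, size)) for name, size in ALPHABETS.items()]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    print("thread sample:", sample_bits(), "bits")
    print("fresh passphrase:", random_passphrase())
    for name, count in report():
        print(f"{count:3d} x {name} reach 128 bits")
    for length in (10, 80, 1024):
        print(f"{length:5d} random lowercase chars -> "
              f"{effective_bits(length, 26):.1f} effective bits")
```

Human-chosen passphrases are not uniformly random, so these figures are upper bounds for anything a person makes up rather than generates.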
From hka at qbs.com.pl Tue Oct 30 10:45:12 2012 From: hka at qbs.com.pl (Hubert Kario) Date: Tue, 30 Oct 2012 10:45:12 +0100 Subject: new release of GPA In-Reply-To: References: <000601cda645$65096080$2f1c2180$@net> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> Message-ID: <1521560.gQvPGXkPry@k85hala03> On Monday 29 of October 2012 16:37:09 User wrote: > On 10/29/2012 3:41 PM, Robert J. Hansen wrote: > > On 10/29/2012 04:28 PM, User wrote: > >> It is free and it says "Freeware" right on the page where the > > > >> reference to downloading it was shown: > > It is not Free Software. > > > > http://www.gnu.org/philosophy/free-sw.html > > > > "'Free software' means software that respects users' freedom and > > community. Roughly, the users have the freedom to run, copy, > > distribute, study, change and improve the software. ... 'free software' > > is a matter of liberty, not price. To understand the concept, you > > should think of 'free' as in 'free speech,' not as in 'free beer.'" > > > > GPGshell is free-as-in-beer software, but it is not free-as-in-speech > > > software. Quoting from http://www.jumaros.de/rsoft/faq.html : > Just because "you" have decided to cherry pick your definition of the > English word "free" does not make it more or less so. Just shut it and stop making a fool out of yourself. -- Hubert Kario QBS - Quality Business Software 02-656 Warszawa, ul. Ksawerów 30/85 tel. +48 (22) 646-61-51, 646-74-24 www.qbs.com.pl From wk at gnupg.org Tue Oct 30 13:31:24 2012 From: wk at gnupg.org (Werner Koch) Date: Tue, 30 Oct 2012 13:31:24 +0100 Subject: new release of GPA In-Reply-To: <508EE9FB.3020508@sixdemonbag.org> (Robert J.
Hansen's message of "Mon, 29 Oct 2012 16:41:31 -0400") References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> Message-ID: <87d30087kz.fsf@vigenere.g10code.de> On Mon, 29 Oct 2012 21:41, rjh at sixdemonbag.org said: > Could you perhaps make a list of, say, the top five features GPGshell > supports that GPA doesn't? Things that you, yourself, use regularly, That is a good idea. At least it might help us to stop responding to recommendation of GPGshell. BTW, why did the OP not also recommend PGP Desktop? Shalom-Salam, Werner p.s. Some may know that I am a bit upset of the GPGshell author because many years ago I added features to GPG just to learn later that I helped him to provide proprietary software (with or without backdoors - who knows). -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Oct 30 13:44:19 2012 From: wk at gnupg.org (Werner Koch) Date: Tue, 30 Oct 2012 13:44:19 +0100 Subject: new release of GPA In-Reply-To: <508EF881.2000701@dougbarton.us> (Doug Barton's message of "Mon, 29 Oct 2012 14:43:29 -0700") References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EF881.2000701@dougbarton.us> Message-ID: <878vao86zg.fsf@vigenere.g10code.de> On Mon, 29 Oct 2012 22:43, dougb at dougbarton.us said: > It isn't Robert who is picking the definition, it's the FSF. Arguing > about the definition here isn't going to do anyone any good, since the Actually it is not just the FSF, but also the Open Source Initiative, several governments, and the European Union.
Some of the countries even have special regulations regarding Open Source (aka Free Software). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Oct 30 13:45:57 2012 From: wk at gnupg.org (Werner Koch) Date: Tue, 30 Oct 2012 13:45:57 +0100 Subject: new release of GPA In-Reply-To: <508F0DA4.1010603@comcast.net> (Christopher J. Walters's message of "Mon, 29 Oct 2012 19:13:40 -0400") References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508__24698.3179975816$1351543330$gmane$org@sixdemonbag.org> <508EFA16.8080304__26186.7641158917$1351547476$gmane$org@sixdemonbag.org> <508F0DA4.1010603@comcast.net> Message-ID: <874nlc86wq.fsf@vigenere.g10code.de> On Tue, 30 Oct 2012 00:13, cwal989 at comcast.net said: > http://www.gnu.org/philosophy/free-sw.html For a more neutral view, I'd like to also post this link http://en.wikipedia.org/wiki/Free_Software Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From vedaal at nym.hush.com Tue Oct 30 14:41:41 2012 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 30 Oct 2012 09:41:41 -0400 Subject: new release of GPA Message-ID: <20121030134141.A15EB14DBDE@smtp.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch wk at gnupg.org wrote on Tue Oct 30 13:31:24 CET 2012 : >BTW, why did the OP not also recommended PGP Desktop? ===== It doesn't really exist anymore :-(( Since symantec took over PGP, not only are there no 'free' versions for anyone, and almost all the sites that have stored previous free versions, don't have working links to download any of them, (e.g pgp 8, or even 6.5.8 ). GnuPG is the ONLY free pgp privacy software available. 
Thank You WK and all the gnupg support staff, for developing it, allowing it to be easily downloaded, and actively maintaining it and improving it!!! vedaal From d.w.chadwick at kent.ac.uk Tue Oct 30 17:40:38 2012 From: d.w.chadwick at kent.ac.uk (David Chadwick) Date: Tue, 30 Oct 2012 16:40:38 +0000 Subject: new release of GPA In-Reply-To: <508EE9FB.3020508@sixdemonbag.org> References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> Message-ID: <50900306.9030603@kent.ac.uk> Perhaps our anonymous user would like us to use his free software because it has nice backdoors in it that allow certain organisations to decrypt all our encrypted emails. And without access to the source code, we can never be sure that there aren't any. So I would not touch it with a barge pole regards David On 29/10/2012 20:41, Robert J.
Hansen wrote: > On 10/29/2012 04:28 PM, User wrote: >> It is free and it says "Freeware" right on the page where the >> reference to downloading it was shown: > > It is not Free Software. > > http://www.gnu.org/philosophy/free-sw.html > > "'Free software' means software that respects users' freedom and > community. Roughly, the users have the freedom to run, copy, > distribute, study, change and improve the software. ... 'free software' > is a matter of liberty, not price. To understand the concept, you > should think of 'free' as in 'free speech,' not as in 'free beer.'" > > GPGshell is free-as-in-beer software, but it is not free-as-in-speech > software. Quoting from http://www.jumaros.de/rsoft/faq.html : > > "Do you publish your source-codes? > > No! But when you've got the source-code for Windows, you can ask me again." > > GPGshell does not make their source code available to their users. That > means it cannot be considered Free Software under GNU's definition. And > since this mailing list is associated with GNU, and GNU requests that > people not recommend the use of nonfree software, I think it's only > reasonable that we comply with their request. > >> And there was no disrespect intended from what I can see. "The fact >> remains that..." the GnuPG product is apparently broken and the OP >> was looking for a GUI program. Not everyone wants to use a CLI. > > "Broken" is pretty strong language. > > Not everyone wants a CLI, true. That doesn't mean GnuPG is broken: it > means that GnuPG does not satisfy the needs of some users. > >> Well have you seen what all it can do? > > No, because I use the CLI. > >> At least twice as many of the Gpg commands and options are accessible >> from the GUI, and how many enhancements to GPA have there been in the >> last few years? Seems like the GUI and the Windows port in >> particular exist out of deference at best. > > Could you perhaps make a list of, say, the top five features GPGshell > supports that GPA doesn't? 
Things that you, yourself, use regularly, > and which would make GPA better suited for you? I'm sure the GPA > maintainers would be very interested in hearing it. From Gabriel.Mahu at iquestgroup.com Tue Oct 30 14:59:22 2012 From: Gabriel.Mahu at iquestgroup.com (Gabriel Mahu) Date: Tue, 30 Oct 2012 15:59:22 +0200 Subject: GPGME support for key preferences Message-ID: <42F11A020E76D849B8EA616C1D1BDBE2BA55FEE0C8@exch2007.esp.local> Hello *, I am interested in a way of obtaining key preferences information using GPGME API. Being more specific, my target is represented by the last 4 lines of the output of the command "gpg -edit-key showpref", the cipher, digest, compression and features lines. Is it even possible to obtain such information with GPGME or should I consider parsing the above command output? Thank you for your time, Gabriel Mahu From mgharibi at evertz.com Wed Oct 31 16:36:54 2012 From: mgharibi at evertz.com (Mojtaba Gharibi) Date: Wed, 31 Oct 2012 11:36:54 -0400 Subject: How to clear gpgme passphrase cache or enter the passphrase every time? Message-ID: Hi, I am using the following test program shipped with GPGME to sign a document. However, the program never asks for my passphrase. Based on the error message, I suspect it has cached some wrong passphrase. So I either need to clear the cache or enter the passphrase each time I am using the program. How can I do this? Thanks, M. Error message: run-sign: signing failed: Bad passphrase and as I did printf debugging, this error happens when the program executes the line: err = gpgme_op_sign (ctx, in, out, sigmode); Test program:

/* run-sign.c - Helper to perform a sign operation
   Copyright (C) 2009 g10 Code GmbH

   This file is part of GPGME.
GPGME is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. GPGME is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program; if not, see . */ /* We need to include config.h so that we know whether we are building with large file system (LFS) support. */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #define PGM "run-sign" #include "run-support.h" static int verbose; static void print_result (gpgme_sign_result_t result, gpgme_sig_mode_t type) { gpgme_invalid_key_t invkey; gpgme_new_signature_t sig; for (invkey = result->invalid_signers; invkey; invkey = invkey->next) printf ("Signing key `%s' not used: %s <%s>\n", nonnull (invkey->fpr), gpg_strerror (invkey->reason), gpg_strsource (invkey->reason)); for (sig = result->signatures; sig; sig = sig->next) { printf ("Key fingerprint: %s\n", nonnull (sig->fpr)); printf ("Signature type : %d\n", sig->type); printf ("Public key algo: %d\n", sig->pubkey_algo); printf ("Hash algo .....: %d\n", sig->hash_algo); printf ("Creation time .: %ld\n", sig->timestamp); printf ("Sig class .....: 0x%u\n", sig->sig_class); } } static int show_usage (int ex) { fputs ("usage: " PGM " [options] FILE\n\n" "Options:\n" " --verbose run in verbose mode\n" " --openpgp use the OpenPGP protocol (default)\n" " --cms use the CMS protocol\n" " --uiserver use the UI server\n" " --key NAME use key NAME for signing\n" , stderr); exit (ex); } int main (int argc, char **argv) { int last_argc = -1; gpgme_error_t err; gpgme_ctx_t ctx; const char *key_string = NULL; gpgme_protocol_t protocol = 
GPGME_PROTOCOL_OpenPGP; gpgme_sig_mode_t sigmode = GPGME_SIG_MODE_NORMAL; gpgme_data_t in, out; gpgme_sign_result_t result; if (argc) { argc--; argv++; } while (argc && last_argc != argc ) { last_argc = argc; if (!strcmp (*argv, "--")) { argc--; argv++; break; } else if (!strcmp (*argv, "--help")) show_usage (0); else if (!strcmp (*argv, "--verbose")) { verbose = 1; argc--; argv++; } else if (!strcmp (*argv, "--openpgp")) { protocol = GPGME_PROTOCOL_OpenPGP; argc--; argv++; } else if (!strcmp (*argv, "--cms")) { protocol = GPGME_PROTOCOL_CMS; argc--; argv++; } else if (!strcmp (*argv, "--uiserver")) { protocol = GPGME_PROTOCOL_UISERVER; argc--; argv++; } else if (!strcmp (*argv, "--key")) { argc--; argv++; if (!argc) show_usage (1); key_string = *argv; argc--; argv++; } else if (!strncmp (*argv, "--", 2)) show_usage (1); } if (argc != 1) show_usage (1); if (key_string && protocol == GPGME_PROTOCOL_UISERVER) { fprintf (stderr, PGM ": ignoring --key in UI-server mode\n"); key_string = NULL; } init_gpgme (protocol); err = gpgme_new (&ctx); fail_if_err (err); gpgme_set_protocol (ctx, protocol); gpgme_set_armor (ctx, 1); if (key_string) { gpgme_key_t akey; err = gpgme_get_key (ctx, key_string, &akey, 1); if (err) { exit (1); } err = gpgme_signers_add (ctx, akey); fail_if_err (err); gpgme_key_unref (akey); } err = gpgme_data_new_from_file (&in, *argv, 1); if (err) { fprintf (stderr, PGM ": error reading `%s': %s\n", *argv, gpg_strerror (err)); exit (1); } err = gpgme_data_new (&out); fail_if_err (err); err = gpgme_op_sign (ctx, in, out, sigmode); result = gpgme_op_sign_result (ctx); if (result) print_result (result, sigmode); if (err) { fprintf (stderr, PGM ": signing failed: %s\n", gpg_strerror (err)); exit (1); } fputs ("Begin Output:\n", stdout); print_data (out); fputs ("End Output.\n", stdout); gpgme_data_release (out); gpgme_data_release (in); gpgme_release (ctx); return 0; } -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From wk at gnupg.org Wed Oct 31 17:51:56 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Oct 2012 17:51:56 +0100
Subject: How to clear gpgme passphrase cache or enter the passphrase every time?
In-Reply-To: (Mojtaba Gharibi's message of "Wed, 31 Oct 2012 11:36:54 -0400")
References:
Message-ID: <87hapa60ur.fsf@vigenere.g10code.de>

On Wed, 31 Oct 2012 16:36, mgharibi at evertz.com said:

> I am using the following test program shipped with GPGME to sign a
> document.

You don't need to paste the program, just the version of gpgme is
sufficient.

> However, the program never asks for my passphrase. Based on the error
> message, I suspect it has cached some wrong passphrase.
> So I either need

GPGME does not cache any passphrases. That is the task of gpg-agent.

> run-sign: signing failed: Bad passphrase

It would be useful to see how you invoked the program, what version of
GPGME, GnuPG, and what OS you are using.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From mgharibi at evertz.com Wed Oct 31 18:02:18 2012
From: mgharibi at evertz.com (Mojtaba Gharibi)
Date: Wed, 31 Oct 2012 13:02:18 -0400
Subject: How to clear gpgme passphrase cache or enter the passphrase every time?
In-Reply-To: <87hapa60ur.fsf@vigenere.g10code.de>
References: <87hapa60ur.fsf@vigenere.g10code.de>
Message-ID:

I have invoked the program in the following way:
/root/gpgme-1.3.2/tests/run-sign.o --key FPR_ID_OF_KEY samplefile

Thanks!
M.

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Wednesday, October 31, 2012 12:52 PM
To: Mojtaba Gharibi
Cc: gnupg-users at gnupg.org
Subject: Re: How to clear gpgme passphrase cache or enter the passphrase every time?

On Wed, 31 Oct 2012 16:36, mgharibi at evertz.com said:

> I am using the following test program shipped with GPGME to sign a
> document.

You don't need to paste the program, just the version of gpgme is
sufficient.

> However, the program never asks for my passphrase. Based on the error
> message, I suspect it has cached some wrong passphrase. So I either need

GPGME does not cache any passphrases. That is the task of gpg-agent.

> run-sign: signing failed: Bad passphrase

It would be useful to see how you invoked the program, what version of
GPGME, GnuPG, and what OS you are using.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From biggles.trenton at gmail.com Wed Oct 31 17:28:31 2012
From: biggles.trenton at gmail.com (Sin Trenton)
Date: Wed, 31 Oct 2012 17:28:31 +0100
Subject: new release of GPA
In-Reply-To:
References:
Message-ID: <509151AF.9090504@gmail.com>

On 2012-10-30, vedaal at nym.hush.com wrote:
> Thank You WK and all the gnupg support staff,
> for developing it, allowing it to be easily downloaded,
> and actively maintaining it and improving it!!!

May I concur with the former speaker,

One, huge, great, amazed Thank You to WK and all contributors for giving us this!!
You're greater than Libre Office and sliced bread combined. =o)

Sin T.

From johanw at vulcan.xs4all.nl Wed Oct 31 18:06:43 2012
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 31 Oct 2012 18:06:43 +0100
Subject: new release of GPA
In-Reply-To: <50900306.9030603@kent.ac.uk>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <50900306.9030603@kent.ac.uk>
Message-ID: <50915AA3.7030508@vulcan.xs4all.nl>

On 30-10-2012 17:40, David Chadwick wrote:

> Perhaps our anonymous user would like us to use his free software
> because it has nice backdoors in it that allow certain organisations to
> decrypt all our encrypted emails. And without access to the source code,
> we can never be sure that there aren't any. So I would not touch it with
> a barge pole

I doubt that in this case since it works as a shell for GnuPG. One can
always analyse the resulting message, and if some additional encryption
key turns up or extra message data is added after the message that would
be easily detectable. And more subtle backdoors, like tampering with the
RNG are no issue since GnuPG itself deals with that.

--
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From peter at digitalbrains.com Wed Oct 31 19:21:33 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 31 Oct 2012 19:21:33 +0100
Subject: new release of GPA
In-Reply-To: <50915AA3.7030508@vulcan.xs4all.nl>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <50900306.9030603@kent.ac.uk> <50915AA3.7030508@vulcan.xs4all.nl>
Message-ID: <50916C2D.1000707@digitalbrains.com>

On 31/10/12 18:06, Johan Wevers wrote:
> I doubt that in this case since it works as a shell for GnuPG.

It's code running as the user invoking it; it's not in any way restricted to
solely interfacing GnuPG.

And if you have plans to attack people who use GnuPG, putting your backdoor in a
GUI for GnuPG means your backdoor ends up at people you want to target. So it
makes sense to put your backdoor there, and not in something else.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From Mark.Knight at tescobank.com Wed Oct 31 13:53:11 2012
From: Mark.Knight at tescobank.com (Knight, Mark (Tesco Bank))
Date: Wed, 31 Oct 2012 12:53:11 +0000
Subject: Faulting application gpg2
Message-ID: <14B890CD7A632A44A5349B1330155004BA417E8104@UKSDCCLUMS0330.ukroi.tesco.org>

Hi there...

Was there an answer to the query: Faulting application gpg2

As I am having exactly the same issue...

Faulting application gpg2.exe, version 0.0.0.0, time stamp 0x4fa14f63, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000, process id 0x1068, application start time 0x01cdb760d48d32b0.

If I run gpg -help logged on as user_account it works fine...
but if I use a shell program (Autosys) to log on as the same user to execute the same command it fails with the above message

Please help!!!

Cheers
Mark

Mark Knight
IT Consultant
Tesco Bank - GI Operational MI - IT Systems Analyst
EHQ Building, 2 South Gyle Crescent, Edinburgh, EH12 9FQ
Phone: 0131 203 5761
Mobile: 07899 040106
mark.knight at tescobank.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From corsac at corsac.net Wed Oct 31 16:17:20 2012
From: corsac at corsac.net (Yves-Alexis Perez)
Date: Wed, 31 Oct 2012 16:17:20 +0100
Subject: Card fails to decrypt using 4096-bit key
Message-ID: <1351696640.21551.9.camel@oban>

[sorry, I'm replying from an old mail and as I'm not subscribed I can't
reply with the full text and correct headers]

> However, whenever I try to decrypt a document encrypted to the
> 4096 bit encryption key on the card, the decryption process fails to
> even begin, with an error like the following:
>
> Version: GnuPG v2.0.19 (Darwin)
> gpg: armor header:
> gpg: public key is 0xA9D4A64F1FADF7D2
> gpg: using subkey 0xA9D4A64F1FADF7D2 instead of primary key
> 0x24620B795999A6DB
> gpg: using subkey 0xA9D4A64F1FADF7D2 instead of primary key
> 0x24620B795999A6DB
> gpg: encrypted with 4096 bit RSA key, ID 0xA9D4A64F1FADF7D2, created
> 2012-05-16
> "Kevin Kammer "
> gpg: public key decryption failed: General error
> gpg: decryption failed: No secret key
>

Yes, I can confirm this. I have a recently bought OpenPGPv2 smartcard.
Signing using a 4096R key works just fine, but decryption using a 4096R
encryption key doesn't, with the same error.

This is using GnuPG v2.0.19 on Debian sid, with pcscd 1.8.6 (in case
that matters).

I don't know if the issue is in GnuPG (whether gpg, gpg-agent or scdaemon)
or in the smartcard, but I can do some debugging if needed.

Please CC: me on replies, I'm not subscribed to the list.
--
Yves-Alexis

From faramir.cl at gmail.com Wed Oct 31 22:20:53 2012
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 31 Oct 2012 18:20:53 -0300
Subject: new release of GPA
In-Reply-To: <508ECC3D.1040505@sixdemonbag.org>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org>
Message-ID: <50919635.6070609@gmail.com>

On 29-10-2012 15:34, Robert J. Hansen wrote:
> On 10/29/2012 2:05 PM, User wrote:
>> You may want to take a look at GPGshell for an alternative.
>
> GPGshell is not Free Software, and for that reason it's not
> exactly appropriate to recommend it on this list. Whether we agree
> or disagree

Well, that is true, and still, a lot of people love GPGShell
functionalities. It is sad to think that, not being free software, if
the developer stops supporting it, nobody can pick it and keep it
updated.

> What about GPGshell do you find to be a clear win over GPA? How
> can the GPA maintainers make GPA competitive with GPGshell?

I don't remember GPA features, can it be installed without having to
upgrade to GPG 2.x branch? I'd like to give it a look again.

Best Regards
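
The check Johan Wevers describes earlier in this thread (looking at the resulting message for an additional encryption key, or for data added after the message) can be automated. The following is an added example, not code from any poster or from GnuPG: it walks the RFC 4880 packet framing of a binary message (run `gpg --dearmor` on armored input first), and the function names, key IDs and sample messages are constructed for illustration.

```python
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18          # RFC 4880 packet tags

def new_length(buf, pos):
    """Decode a new-format length: (length, next_pos, is_partial)."""
    o1 = buf[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True       # partial-body chunk

def packets(buf):
    """Yield (tag, body) for each packet of a binary (de-armored) message."""
    pos = 0
    while pos < len(buf):
        hdr = buf[pos]
        if not hdr & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        pos, body = pos + 1, b""
        if hdr & 0x40:                           # new-format header
            tag, partial = hdr & 0x3F, True
            while partial:
                n, pos, partial = new_length(buf, pos)
                body, pos = body + buf[pos:pos + n], pos + n
        else:                                    # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:                       # indeterminate: runs to the end
                n = len(buf) - pos
            else:
                n = int.from_bytes(buf[pos:pos + (1 << ltype)], "big")
                pos += 1 << ltype
            body, pos = buf[pos:pos + n], pos + n
        if pos > len(buf):
            raise ValueError("packet runs past end of data")
        yield tag, body

def audit(message, expected_keyids):
    """Return findings for an encrypted message; an empty list means clean.
    expected_keyids: set of 16-digit upper-case hex key IDs you encrypted to."""
    findings, seen_data = [], False
    try:
        for tag, body in packets(message):
            if seen_data:
                findings.append("packet after encrypted data (tag %d)" % tag)
            elif tag == PKESK:                   # version, 8-byte key ID, algo, MPIs
                keyid = body[1:9].hex().upper()
                if keyid == "0" * 16:
                    findings.append("hidden recipient (zero key ID)")
                elif keyid not in expected_keyids:
                    findings.append("unexpected recipient " + keyid)
            elif tag == SKESK:
                findings.append("passphrase-protected session key present")
            elif tag in (SED, SEIPD):
                seen_data = True
            else:
                findings.append("unexpected packet tag %d" % tag)
    except (ValueError, IndexError) as exc:
        findings.append("malformed or appended data: %s" % exc)
    return findings

# Constructed sample messages (dummy key IDs and ciphertext, not real keys).
def make_packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body  # bodies here are < 192 bytes

def make_pkesk(keyid_hex):
    return make_packet(PKESK, b"\x03" + bytes.fromhex(keyid_hex) + b"\x01\x00\x08\xff")

SAMPLE_DATA = make_packet(SEIPD, b"\x01" + bytes(32))
CLEAN = make_pkesk("1111111111111111") + SAMPLE_DATA
TAMPERED = (make_pkesk("1111111111111111") + make_pkesk("2222222222222222")
            + SAMPLE_DATA + b"extra")

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit(msg, {"1111111111111111"}))
```

`gpg --list-packets` prints the same packet sequence if you prefer to inspect a message by hand. This only covers what ends up in the message itself; as Peter Lebbing's reply points out, a frontend runs as the invoking user and is not restricted to interfacing GnuPG.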