From wk at gnupg.org Wed May 1 12:18:43 2013 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 May 2013 12:18:43 +0200 Subject: [Announce] GPA 0.9.4 released Message-ID: <87wqrjq9z0.fsf@vigenere.g10code.de> Hello! We are pleased to announce GPA version 0.9.4. GPA is a graphical frontend for the GNU Privacy Guard (GnuPG, http://www.gnupg.org). GPA can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys. You can find the release here: ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.4.tar.bz2 (713k) ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.4.tar.bz2.sig and soon on all ftp.gnupg.org mirrors. A binary version for Windows will soon be released as part of Gpg4win 2.1.1; see http://gpg4win.org. The SHA1 checksum for this release is: d4b22b6d1f0ce25244c5a001e3bcbc36aff13ecf gpa-0.9.4.tar.bz2 Noteworthy changes in version 0.9.4 (2013-05-01) ------------------------------------------------ * Added scrollbars to the verification result window. * Improved searching in the key listing. * Now uses the native theme under Windows. * The usual collecton of minor bug fixes. If you want to contribute to the development of GPA, please subscribe to the gnupg-devel mailing list [1] and read the file doc/HACKING. The driving force behind the development of GPA is my company g10 Code. Maintenance and improvement of GnuPG and related software, such as GPA, takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Shalom-Salam, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html . -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 204 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From roam at ringlet.net Wed May 1 14:44:09 2013 From: roam at ringlet.net (Peter Pentchev) Date: Wed, 1 May 2013 15:44:09 +0300 Subject: random_seed - no locks available In-Reply-To: <517EE656.8030305@securemecca.net> References: <517EE656.8030305@securemecca.net> Message-ID: <20130501124409.GA6659@straylight.m.ringlet.net> On Mon, Apr 29, 2013 at 09:29:58PM +0000, Henry Hertz Hobbit wrote: > On 04/29/2013 02:43 PM, M Russell wrote: > > Hello, > > > > I hope someone might be able to lend me a hand. I am running > > into an error message that I resolve. I get a lock error when > > trying to encrypt or decrypt a file. I found other forums > > that suggest deleting the random_seed file and killing the rpm > > process, but I don't have a rpm process running. Renaming the > > file allowed the system to recreate the random_seed file, but > > the error persists. I have noticed the file size is 0 which > > would be appropriate since the file cannot be locked. An > > strace shows the error message, but it doesn't appear to point > > anything else out. A lsof doesn't show the file is open. I'm > > not sure where else to look. Has anyone seen this and have any > > suggestions? > > > > I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5 > > > > can't lock `/home/mruss/.gnupg/random_seed': No locks available > > note: random_seed file not updated > > > > > > open("/home/mruss/.gnupg/random_seed", O_RDONLY) = 10 > > fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available) > > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > write(2, "can't lock `/home/mruss/.gnupg/random_seed': No locks available\n", 68) = 68 > > close(10) = 0 > > Note that random_seed is opened RDONLY. The lock is just for > reading and it is non-blocking. Why it should be there at > all when you are really locking nothing (len=0) is a bit of > a mystery. The length was probably set from a file stat. Werner already replied on this one - len == 0 has a special meaning and should indeed be correct here. > There are basically three reasons for errno to be set to ENOLCK: > > 1. You are out of lock table space (most likely). Closing down > everything and then rebooting is perhaps the best way to > return sanity to the world. > > 2. You have too many segment lockdowns. What segements? > Notice that the length is zero. > > 3. Something like an NFS system problem. That probably is not > applicable. Actually this would be my first question to the original poster - is there any chance that your home directory is remotely mounted using NFS or some other remote filesystem protocol for which your kernel does not really support file locking? (I have seen quite some usage of user home directories exported via NFS in shared environments, e.g. universities) If it is NFS, you might want to look into enabling file locking using something like the "nfslock" service, rpc.lockd or something similar on both the client and the server, just in case. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 This sentence contradicts itself - or rather - well, no, actually it doesn't! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From wk at gnupg.org Wed May 1 14:37:31 2013 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 May 2013 14:37:31 +0200 Subject: [Announce] GPGME 1.4.1 released Message-ID: <87sj26ri44.fsf@vigenere.g10code.de> Hello! I am pleased to announce version 1.4.1 of GPGME. GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management. Noteworthy changes in version 1.4.1 (2013-05-01) * Fixed reading of gpg.conf files with excessive use of the group option. This fixes problems using the settings dialog of GPA, Kleopatra and possible other GnuPG frontends. * Fixed building with the i686-w64-mingw32 toolchain. * Disabled FD passing by default for Apple. You may download this library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.bz2 (936k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.bz2.sig GZIP compressed tarballs are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.gz (1185k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.gz.sig As an alternative you may use a patch file to upgrade the previous version of the library: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0-1.4.1.diff.bz2 (7k) SHA-1 checksums are: d6110763e7459214fd72705e87ebc682e3b5815e gpgme-1.4.1.tar.bz2 db5b2df70319d92711cb733ef3ee5258c14e7694 gpgme-1.4.1.tar.gz 4120127f68cfbab64f3447ec0dfa1f3484d3f693 gpgme-1.4.0-1.4.1.diff.bz2 Please send questions regarding the use of GPGME to the gnupg-devel mailing list: http://lists.gnupg.org/mailman/listinfo/gnupg-devel If you need commercial support, you may want to consult this listing: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 204 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From roam at ringlet.net Thu May 2 02:09:54 2013 From: roam at ringlet.net (Peter Pentchev) Date: Thu, 2 May 2013 03:09:54 +0300 Subject: random_seed - no locks available In-Reply-To: <20130501124409.GA6659@straylight.m.ringlet.net> References: <517EE656.8030305@securemecca.net> <20130501124409.GA6659@straylight.m.ringlet.net> Message-ID: <20130502000954.GA6352@straylight.m.ringlet.net> On Wed, May 01, 2013 at 03:44:09PM +0300, Peter Pentchev wrote: > On Mon, Apr 29, 2013 at 09:29:58PM +0000, Henry Hertz Hobbit wrote: > > On 04/29/2013 02:43 PM, M Russell wrote: > > > Hello, > > > > > > I hope someone might be able to lend me a hand. I am running > > > into an error message that I resolve. I get a lock error when > > > trying to encrypt or decrypt a file. I found other forums > > > that suggest deleting the random_seed file and killing the rpm > > > process, but I don't have a rpm process running. Renaming the > > > file allowed the system to recreate the random_seed file, but > > > the error persists. I have noticed the file size is 0 which > > > would be appropriate since the file cannot be locked. An > > > strace shows the error message, but it doesn't appear to point > > > anything else out. A lsof doesn't show the file is open. I'm > > > not sure where else to look. Has anyone seen this and have any > > > suggestions? > > > > > > I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5 > > > > > > can't lock `/home/mruss/.gnupg/random_seed': No locks available > > > note: random_seed file not updated > > > > > > > > > open("/home/mruss/.gnupg/random_seed", O_RDONLY) = 10 > > > fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available) > > > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > > write(2, "can't lock `/home/mruss/.gnupg/random_seed': No locks available\n", 68) = 68 > > > close(10) = 0 > > > > Note that random_seed is opened RDONLY. The lock is just for > > reading and it is non-blocking. Why it should be there at > > all when you are really locking nothing (len=0) is a bit of > > a mystery. The length was probably set from a file stat. > > Werner already replied on this one - len == 0 has a special meaning and > should indeed be correct here. > > > There are basically three reasons for errno to be set to ENOLCK: > > > > 1. You are out of lock table space (most likely). Closing down > > everything and then rebooting is perhaps the best way to > > return sanity to the world. > > > > 2. You have too many segment lockdowns. What segements? > > Notice that the length is zero. > > > > 3. Something like an NFS system problem. That probably is not > > applicable. > > Actually this would be my first question to the original poster - is > there any chance that your home directory is remotely mounted using NFS > or some other remote filesystem protocol for which your kernel does not > really support file locking? (I have seen quite some usage of user home > directories exported via NFS in shared environments, e.g. universities) > > If it is NFS, you might want to look into enabling file locking using > something like the "nfslock" service, rpc.lockd or something similar on > both the client and the server, just in case. Just in case it wasn't clear, by "you" in these two paragraphs I am referring to the original poster, M Russell, and not to Henry Hertz Hobbit. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 If there were no counterfactuals, this sentence would not have been paradoxical. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From dkg at fifthhorseman.net Thu May 2 04:16:26 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 01 May 2013 22:16:26 -0400 Subject: Confusion with signature digest type. In-Reply-To: <517CDD1B.2030906@sixdemonbag.org> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> Message-ID: <5181CC7A.5090006@fifthhorseman.net> On 04/28/2013 04:26 AM, Robert J. Hansen wrote: > On 4/27/2013 8:01 PM, Daniel Kahn Gillmor wrote: >> I don't think this recommendation was made to defend against preimage >> attacks. Avoiding the use of SHA-1 in certifications in general is a >> step towards defend against collision attacks, which is territory that >> SHA-1 is heading into. (i agree that if sha-1 falls victim to preimage >> attacks we have much much bigger problems). > > I'm having a little bit of trouble connecting the dots, Daniel. (This > may be due to the late hour: at 4:30am I'm only awake due to a caffeine IV.) > > If I sign my certificate using SHA-1 today, how does that facilitate a > collision attack against that certification? It doesn't facilitate a collision attack against that specific certification; but if a collision attack is possible against a particular digest, then *any* signature made over that digest becomes suspect. That is, should a collision attack become viable against a particular digest, there's no way to tell whether any given signature that uses that digest was made before or after the collision attack was possible. So responsible clients that want to ensure that their certifications (including self-certifications) are acceptable to their more security-conscious peers should ensure that their certifications don't use digests that are at risk of collision attacks. For example, let's say you're in the habit of regularly signing a changing collection of data for $job, and those signatures use SHA1. An exploit comes along against SHA1 that renders it vulnerable to collision attacks. Eve manages to inject data into your collection that makes the data collection have the same digest as a particularly weird User ID when bound to your primary key (i'm handwaving past the details of the OpenPGP boilerplate involved in a self-sig here). Eve waits for you to make your regular data collection signature, and then rips it out and attaches it to your primary key, thereby creating an assertion that you have a new identity that you wish to be public and associated with your old ones. granted, this is not the end of the world (we all know that your e-mail address isn't really president at whitehouse.gov), but anyone who believes SHA-1-based certifications won't be able to tell whether rjh thinks he is the President of the USA or whether the President thinks he is rjh. You can avoid all of this by making all of your certifications (including your self-sigs) over a widely-accepted digest that is not thought to close to the risk of collision attacks; SHA-256 seems like a reasonable choice. There is no good reason for anyone interacting with modern infrastructure to make their default certifications with anything weaker. For the few people who need to ensure that their key can be accepted by legacy systems that don't support SHA-256, systems that want to be legacy-compatible could issue each self-sig in duplicate form: one using SHA1, timestamped at N-1 seconds since the epoch, and the other using SHA256, timestamped at N seconds since the epoch. Modern tools that can interpret the SHA256 certification would use it (and ignore the older cert that uses the weaker digest) and legacy SHA2-incapable systems could interpret the older cert. does this make the concern (and one approach to addressing it) more clear? Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From brewsome at hotmail.com Thu May 2 04:19:25 2013 From: brewsome at hotmail.com (brewsome) Date: Wed, 1 May 2013 21:19:25 -0500 Subject: random_seed - no locks available In-Reply-To: <20130501124409.GA6659@straylight.m.ringlet.net> References: , <517EE656.8030305@securemecca.net>, <20130501124409.GA6659@straylight.m.ringlet.net> Message-ID: Thanks for the responses. I did find out that the home drive is a NFS mount. NFS is version 3, and I don't see any nolock option specified in /etc/fstab. It appears that NFS is mounted properly. I'm thinking it might be a NFS problem too, but not sure were. I'll dig into that side more. Date: Wed, 1 May 2013 15:44:09 +0300 From: roam at ringlet.net To: hhhobbit at securemecca.net Subject: Re: random_seed - no locks available CC: gnupg-users at gnupg.org On Mon, Apr 29, 2013 at 09:29:58PM +0000, Henry Hertz Hobbit wrote: > On 04/29/2013 02:43 PM, M Russell wrote: > > Hello, > > > > I hope someone might be able to lend me a hand. I am running > > into an error message that I resolve. I get a lock error when > > trying to encrypt or decrypt a file. I found other forums > > that suggest deleting the random_seed file and killing the rpm > > process, but I don't have a rpm process running. Renaming the > > file allowed the system to recreate the random_seed file, but > > the error persists. I have noticed the file size is 0 which > > would be appropriate since the file cannot be locked. An > > strace shows the error message, but it doesn't appear to point > > anything else out. A lsof doesn't show the file is open. I'm > > not sure where else to look. Has anyone seen this and have any > > suggestions? > > > > I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5 > > > > can't lock `/home/mruss/.gnupg/random_seed': No locks available > > note: random_seed file not updated > > > > > > open("/home/mruss/.gnupg/random_seed", O_RDONLY) = 10 > > fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available) > > open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) > > write(2, "can't lock `/home/mruss/.gnupg/random_seed': No locks available\n", 68) = 68 > > close(10) = 0 > > Note that random_seed is opened RDONLY. The lock is just for > reading and it is non-blocking. Why it should be there at > all when you are really locking nothing (len=0) is a bit of > a mystery. The length was probably set from a file stat. Werner already replied on this one - len == 0 has a special meaning and should indeed be correct here. > There are basically three reasons for errno to be set to ENOLCK: > > 1. You are out of lock table space (most likely). Closing down > everything and then rebooting is perhaps the best way to > return sanity to the world. > > 2. You have too many segment lockdowns. What segements? > Notice that the length is zero. > > 3. Something like an NFS system problem. That probably is not > applicable. Actually this would be my first question to the original poster - is there any chance that your home directory is remotely mounted using NFS or some other remote filesystem protocol for which your kernel does not really support file locking? (I have seen quite some usage of user home directories exported via NFS in shared environments, e.g. universities) If it is NFS, you might want to look into enabling file locking using something like the "nfslock" service, rpc.lockd or something similar on both the client and the server, just in case. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 This sentence contradicts itself - or rather - well, no, actually it doesn't! _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Thu May 2 05:49:53 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 01 May 2013 23:49:53 -0400 Subject: Web of Trust in Practical Usage In-Reply-To: References: <517D094F.4040507@digitalbrains.com> Message-ID: <5181E261.6000806@fifthhorseman.net> Peter Lebbing's thoughtful consideration of the issues in this thread was spot-on, imho. Thanks, Peter! On 04/29/2013 12:29 AM, Quinn Wood wrote: > My question in simpler terms could probably be summed up "How can one find > the most popular- most signed- key (matching some query such as name or > email of course) while successfully avoiding falsely inflated signature > counts (such as keys which only have more signatures than another due to > their age or due to actual malicious acts like mass signing.) One person's "falsely-inflated signature counts" is another person's "well-established participant in the keysigning culture", i'm afraid. One of the beauties of OpenPGP's certification model is that no one can require anyone to consider any particular certification (or set of certifications) to be acceptable or valid. And this is a good thing, because if you tell me that the "most popular" key is just the one signed by the most other keys, and the key you're looking for belongs to a user named "Alice ", then all i have to do is scan the keyservers for such a key, see that it has certifications from N keys on it, and then create a new key with User ID "Alice ", plus N+1 new keys, and have them all certify the new key+userid. when the cost of a new "sockpuppet" identity is nil, voting systems (like "most popular key") tend toward being gameable. what specifically are you trying to do in the bigger picture? maybe folks here can give you some suggestions if we can see what you're trying to accomplish in the abstract? hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu May 2 06:03:53 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 02 May 2013 00:03:53 -0400 Subject: Confusion with signature digest type. In-Reply-To: <5181CC7A.5090006@fifthhorseman.net> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> Message-ID: <5181E5A9.1080603@sixdemonbag.org> On 5/1/2013 10:16 PM, Daniel Kahn Gillmor wrote: > It doesn't facilitate a collision attack against that specific > certification; but if a collision attack is possible against a > particular digest, then *any* signature made over that digest becomes > suspect. First, thank you for a thorough reply. I appreciate it a great deal. I think we may be using two different definitions of collision attack. > That is, should a collision attack become viable against a particular > digest, there's no way to tell whether any given signature that uses > that digest was made before or after the collision attack was possible. In the absence of a trusted timestamp, yes. (Of course, then this becomes a question of whether the trusted timestamp is susceptible to attack. I concede that this isn't a solution but just a reification one level deeper.) > Eve manages to inject data into your collection that makes the > data collection have the same digest as a particularly weird User ID > when bound to your primary key (i'm handwaving past the details of the > OpenPGP boilerplate involved in a self-sig here). Are you sure that this is a collision attack? It seems to me you've created a preimage scenario here. And if so, I stand by my statement of "then I'm completely screwed on a dozen different fronts simultaneously and my certificate is the least of my worries." :) (For those confused by the difference -- I'm certain Daniel isn't -- all preimage attacks are collision attacks, but relatively few collision attacks are preimage attacks. Wikipedia defines a collision attack as being able to "find two arbitrary different messages m1 and m2 such that hash(m1) = hash(m2)." The 'arbitrary' is important: you only care about finding a collision, but you don't care one whit what that collision is over. By comparison, a preimage attack means finding a specific message that hashes out to a specific value. By manipulating the data I'm signing, Eve is finding a specific message: by specifying "it must hash out to the same as a signature he made in the past", Eve is specifying a particular hash value. This is why his scenario seems to me to be a preimage attack in disguise, rather than a collision attack.) (However, it is certainly possible that I've misunderstood his scenario.) > There is no good reason for anyone interacting with modern > infrastructure to make their default certifications with anything weaker. I continue to think that you're worrying about how you're going to turn the coffeepot off as you're fleeing a house fire. :) From dkg at fifthhorseman.net Thu May 2 06:33:18 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 02 May 2013 00:33:18 -0400 Subject: Confusion with signature digest type. In-Reply-To: <5181E5A9.1080603@sixdemonbag.org> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> <5181E5A9.1080603@sixdemonbag.org> Message-ID: <5181EC8E.9010003@fifthhorseman.net> On 05/02/2013 12:03 AM, Robert J. Hansen wrote: >> Eve manages to inject data into your collection that makes the >> data collection have the same digest as a particularly weird User ID >> when bound to your primary key (i'm handwaving past the details of the >> OpenPGP boilerplate involved in a self-sig here). > > Are you sure that this is a collision attack? It seems to me you've > created a preimage scenario here. And if so, I stand by my statement of > "then I'm completely screwed on a dozen different fronts simultaneously > and my certificate is the least of my worries." :) if it was a preimage attack (even for SHA1), then yeah, it'd be game over in a lot of horrible ways i don't want to think about in detail right now :) It's a collision attack based on the idea that: a) Eve can inject arbitrary data into the collection that she expects you to sign, and b) Eve can inject arbitrary data into the self-sig that she's crafting (e.g. in a "tumor" in non-critical subpackets of the Eve-generated self-sig). So Eve's work is to manipulate both X (the data repository) and Y (the self-sig she's crafting) until she can coax them into a collision. She doesn't care what the collision is, so she's not involved in a pre-image attack. As i understand it, this is roughly analogous to the attack used against rapidssl in http://www.win.tue.nl/hashclash/rogue-ca/, which exploited cryptogrpahic weaknesses in MD5's collision resistance to mint an exploitable intermediate CA. In that attack, they manipulated X (the expected serial number and timestamp and distinguished name in the X.509 cert generated by RapidSSL) and Y (the "tumor" in their bogus, handcrafted intermediate X.509 CA cert) until they found an MD5 collision, and then got RapidSSL to issue the predictable cert at the expected timestamp with the expected serial number. Once the X.509 cert was issued, they spliced the good signature onto the bogus cert, and had themselves a cert that any browser would accept. If you think this analogy doesn't hold, please let me know where it falls apart. >> There is no good reason for anyone interacting with modern >> infrastructure to make their default certifications with anything weaker. > > I continue to think that you're worrying about how you're going to turn > the coffeepot off as you're fleeing a house fire. :) I still maintain that encouraging people to use SHA-1 for any certification (including self-sigs) is leaving the coffeepot on, but the house is not yet on fire. Let's turn off the coffeepot :) SHA-1 is a fine digest for fingerprints, which are generated from material entirely under the user's control, and cannot be influenced by an outside party, and can never be confused or substituted by such things. this is because fingerprints rely on preimage resistnace, But it is ill-advised to make new signatures over any digest that has significantly weakened collision-resistance; this is particularly true when stronger digests are widely available, as is the case with SHA-256. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu May 2 06:48:44 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 02 May 2013 00:48:44 -0400 Subject: Confusion with signature digest type. In-Reply-To: <5181EC8E.9010003@fifthhorseman.net> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> <5181E5A9.1080603@sixdemonbag.org> <5181EC8E.9010003@fifthhorseman.net> Message-ID: <5181F02C.3060000@sixdemonbag.org> On 5/2/2013 12:33 AM, Daniel Kahn Gillmor wrote: > if it was a preimage attack (even for SHA1), then yeah, it'd be game > over in a lot of horrible ways i don't want to think about in detail > right now :) I think I can make a compelling argument this is a preimage attack and not a collision attack, and I think I can sum it up in one sentence: > So Eve's work is to manipulate both X (the data repository) and Y (the > self-sig she's crafting) until she can coax them into a collision. She > doesn't care what the collision is, so she's not involved in a pre-image > attack. She cares what the collision is: it has to be a valid OpenPGP signature sequence. I concur that this scenario is deeply troubling. However, I think the scenario as you've described it depends on a preimage attack and at that point, as we've agreed, we're all screwed. (As a comment for people who may be thinking Daniel and I are vehemently disagreeing: sure, we don't agree, but I think we're far, far closer to agreement than discord.) > I still maintain that encouraging people to use SHA-1 for any > certification (including self-sigs) is leaving the coffeepot on, but the > house is not yet on fire. Let's turn off the coffeepot :) Oh, please don't misunderstand me, I'm not encouraging the continued use of SHA-1. I'm simply not encouraging the wholesale migration to SHA256, not at this point in time. (Encouraging people to have a plan, though, sure.) As a general rule, I've found the GnuPG developers to be quite capable of coding sensible default behaviors. I expect that Werner has been thinking of these problems, and if-and-when Werner and g10 Code decide to shift the default behaviors I'm certain it will be towards a stronger hash algorithm. In my experience, there is no such thing as a painless tradeoff. The instant you encourage someone to deviate from the defaults you open the door to a flood of questions. Some of them are quite reasonable ("why should I use SHA256 when SHA512 is available?") and some show their authors started sniffing glue at a tender age. The only constant is that the instant you tell someone to mess with the defaults, any and all future problems they have are suddenly your fault and your responsibility to solve. I don't see the situation with SHA-1 is so dire that we need to jump the gun on GnuPG's natural migration towards stronger hash algorithms. Given that, and given that I don't want to field a ton of "I changed my .gnupg file just the way you said and it doesn't work" type of questions, well -- I concur that moving to better hash algorithms is the way to go. I'm unconvinced that the situation right now is so dire that we need to leapfrog GnuPG's development process. From rjh at sixdemonbag.org Thu May 2 06:51:58 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 02 May 2013 00:51:58 -0400 Subject: Confusion with signature digest type. In-Reply-To: <5181F02C.3060000@sixdemonbag.org> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> <5181E5A9.1080603@sixdemonbag.org> <5181EC8E.9010003@fifthhorseman.net> <5181F02C.3060000@sixdemonbag.org> Message-ID: <5181F0EE.2080109@sixdemonbag.org> On 5/2/2013 12:48 AM, Robert J. Hansen wrote: > She cares what the collision is: it has to be a valid OpenPGP signature > sequence. Erf, did I really write that? s/signature/User ID The point being the User ID isn't allowed to be completely arbitrary: there's a lot of structure to it. I think that's what kicks this into a preimage. From dkg at fifthhorseman.net Thu May 2 07:00:38 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 02 May 2013 01:00:38 -0400 Subject: Confusion with signature digest type. In-Reply-To: <5181F0EE.2080109@sixdemonbag.org> References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> <5181E5A9.1080603@sixdemonbag.org> <5181EC8E.9010003@fifthhorseman.net> <5181F02C.3060000@sixdemonbag.org> <5181F0EE.2080109@sixdemonbag.org> Message-ID: <5181F2F6.9030302@fifthhorseman.net> On 05/02/2013 12:51 AM, Robert J. Hansen wrote: > On 5/2/2013 12:48 AM, Robert J. Hansen wrote: >> She cares what the collision is: it has to be a valid OpenPGP signature >> sequence. > > Erf, did I really write that? > > s/signature/User ID > > The point being the User ID isn't allowed to be completely arbitrary: > there's a lot of structure to it. I think that's what kicks this into a > preimage. the same can be said of X.509 certificates. there is a lot of structure in them too, but nonetheless a collision attack was sufficient to mint a new certificate from rapidSSL's predictable signing policy. The User ID itself does have well-defined structure, it's true -- in particular, it has to be a valid UTF-8 bytestream. However, the selfsig is made on a digest over many things, only one of which is the User ID. for example, it could contain an arbitrary OpenPGP notation subpacket, which can itself include an arbitrary bytestream in the value field, particularly if notation flag 0x80 is cleared. Compare this to the X.509 ASN.1 "tumor" used in http://www.win.tue.nl/hashclash/rogue-ca/ This is an attack against the digest's collision-resistance, not against its preimage resistance. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu May 2 11:48:54 2013 From: wk at gnupg.org (Werner Koch) Date: Thu, 02 May 2013 11:48:54 +0200 Subject: Confusion with signature digest type. In-Reply-To: <5181F02C.3060000@sixdemonbag.org> (Robert J. Hansen's message of "Thu, 02 May 2013 00:48:44 -0400") References: <20130426011312.GA427@blisses.org> <5179F8E5.1080504@sixdemonbag.org> <517C66D0.2070705@fifthhorseman.net> <517CDD1B.2030906@sixdemonbag.org> <5181CC7A.5090006@fifthhorseman.net> <5181E5A9.1080603@sixdemonbag.org> <5181EC8E.9010003@fifthhorseman.net> <5181F02C.3060000@sixdemonbag.org> Message-ID: <87fvy5r9tl.fsf@vigenere.g10code.de> On Thu, 2 May 2013 06:48, rjh at sixdemonbag.org said: > thinking of these problems, and if-and-when Werner and g10 Code decide > to shift the default behaviors I'm certain it will be towards a stronger > hash algorithm. We always tried to make sure that new algorithms are deployed for a long time before we make them the default. The next big change will be the switch to ECC and we not even have a real GnuPG release with. I expect that in a few years we can/need to switch to ECC and with that the end of signing SHA-1 digests will have come. Given that you need to create a new key anyway, the hash algorithm will be a non-brainer then. The special cases which Daniel constructed are, well, special cases and not the common use of signatures. People designing such a system should really consult with an expert to come up with a proper plan on how to implement that system. And that plan should include a discussion of used algorithms and threat models. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From outer at interlog.com Thu May 2 00:56:24 2013 From: outer at interlog.com (Richard Outerbridge) Date: Wed, 1 May 2013 18:56:24 -0400 Subject: [Announce] GPA 0.9.4 released In-Reply-To: <87wqrjq9z0.fsf@vigenere.g10code.de> References: <87wqrjq9z0.fsf@vigenere.g10code.de> Message-ID: <03F2C666-3627-4101-9BC9-5D06ECFEF2BB@interlog.com> -----BEGIN PGP SIGNED MESSAGE----- w - does the new GPA work with win7-64? or are you still waiting 4funding? On 2013-05-01 (121), at 06:18:43, Werner Koch wrote: __outer -----BEGIN PGP SIGNATURE----- Version: 10.3.0.8741 wsBVAwUBUYGdRUJrWteExW9jAQGMLwgAurmlVYGmxQpKHso9C4MzjnVeoMnV+6aL nA28FT/TlHHsDEHQZFSTtA9N7976qg08C7rPW7KNqe30eouIO49kLAACPLQDvCL1 vGiCqy36nfMwCnak8HHpFCYkEBHHnuDLClbfqwmi5tR9ucs+/5na2+z3iVPy7ZgU LtNbvxSBcpsBhXwVBJyQf9aKTtdjHAT2QIzGFykVZ3x+a7SBIgCKHybJGsOjvj90 JihR5XU+5PPB2IriUkrUPeEFcQC6JXYzXxwIlISj/toqulTTMrokGRJXHfDeLwmI OVlK3XhCUKwJ2IA/HfyFpZmt2psixMd5rfsWqoSYCLPJBGmMUnbI2g== =Qal0 -----END PGP SIGNATURE----- > Hello! > > We are pleased to announce GPA version 0.9.4. From r132 at rufon.com.tw Thu May 2 02:51:35 2013 From: r132 at rufon.com.tw (=?utf-8?B?5YSS6aKo566h55CG6YOoLea9mOWPs+aWhw==?=) Date: Thu, 2 May 2013 08:51:35 +0800 Subject: FW: gpgee operation failed Message-ID: <000301ce46cf$32b461e0$981d25a0$@com.tw> Hi, Peter. Thanks for help. I definitely will try your method next time because my colleague do the PC recovery into earlier date. Then, everyrhing goes back to normal. It used to work without signing the identity of public key though.Right now, I have no PC to try it out until next error occurs. I believe I downloaded this version "gpg4win-1.1.4.exe 17-Feb-2009 17:46 9.5M " . It is a little bit old but I have a hard time to install newer version on my windows XP SP3. It simplely doesn?t work on my windows XP. I googled it . Some people said , it is not compatible with windows XP SP3 Chinese system. That is why I only install the older version of gpg4win. AS for the pictures in the mail, I was not aware of that. I will make a shortcut link next time . Again, Thanks. Yuwen Pan Best Regards, -----Original Message----- From: Peter Lebbing [mailto:peter at digitalbrains.com] Sent: Monday, April 29, 2013 10:02 PM To: ?????-??? Cc: gnupg-users at gnupg.org Subject: Re: gpgee operation failed On 29/04/13 05:39, ?????-??? wrote: > Can someone help me with this error? It says "Key validity - Unknown", so it seems you haven't signed the key and GnuPG is refusing to encrypt to a key of which the identity is unverified. > My program version is 1.1.4. Are we talking about GnuPG 1.1.4? Because that should be exhibited in a museum instead of run on your computer. It is way too old to use. If it's the GPG4Win version, I can't tell how old it is. HTH, Peter. PS: I might be mistaken, but I think you're not supposed to include pictures in mails on the mailing list. It's better to put it on the web somewhere and include a link to it in your mail. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at Can someone help me with this error? It says "Key validity - Unknown", so it seems you haven't signed the key and GnuPG is refusing to encrypt to a key of which the identity is unverified. > My program version is 1.1.4. Are we talking about GnuPG 1.1.4? Because that should be exhibited in a museum instead of run on your computer. It is way too old to use. If it's the GPG4Win version, I can't tell how old it is. HTH, Peter. PS: I might be mistaken, but I think you're not supposed to include pictures in mails on the mailing list. It's better to put it on the web somewhere and include a link to it in your mail. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Thu May 2 13:27:41 2013 From: wk at gnupg.org (Werner Koch) Date: Thu, 02 May 2013 13:27:41 +0200 Subject: [Announce] GPA 0.9.4 released In-Reply-To: <03F2C666-3627-4101-9BC9-5D06ECFEF2BB@interlog.com> (Richard Outerbridge's message of "Wed, 1 May 2013 18:56:24 -0400") References: <87wqrjq9z0.fsf@vigenere.g10code.de> <03F2C666-3627-4101-9BC9-5D06ECFEF2BB@interlog.com> Message-ID: <87bo8tr58y.fsf@vigenere.g10code.de> On Thu, 2 May 2013 00:56, outer at interlog.com said: > w - does the new GPA work with win7-64? Sure it has always worked with it. What does not work with 64 bit versions of Windows is GpgOL (Outlook plugin) [1] and GpgEX (Explorer plugin). If you encountered a problem with GPA in the 1.1.1-beta installer from last year: This was my fault: I forgot to port a patch for glib to the there included updated glib version. Salam-Shalom, Werner [1] It also does not work with any version of Outlook 2010. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From abel at guardianproject.info Thu May 2 20:06:03 2013 From: abel at guardianproject.info (Abel Luck) Date: Thu, 02 May 2013 18:06:03 +0000 Subject: 2.0.20 beta available In-Reply-To: <87bo93wwcc.fsf@vigenere.g10code.de> References: <87bo93wwcc.fsf@vigenere.g10code.de> Message-ID: <5182AB0B.2080609@guardianproject.info> Is it planned to support --delete-secret-keys? ~abel Werner Koch: > Hi, > > it is now more than a year since we released 2.0.19. Thus it is really > time to get 2.0.20 out of the door. If you want to quickly try a beta > you may use: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.20-beta118.tar.bz2 > > Please send bug reports only to the mailing list. > > > Noteworthy changes in version 2.0.20 (unreleased) > ------------------------------------------------- > > * The hash algorithm is now printed for sig records in key listings. > > * Decryption using smartcards keys > 3072 bit does not work. > > * New meta option ignore-invalid-option to allow using the same > option file by other GnuPG versions. > > * [gpg] Skip invalid keyblock packets during import to avoid a DoS. > > * [gpg] Correctly handle ports from DNS SRV records. > > * [gpg-agent] Avoid tty corruption when killing pinentry. > > * [scdaemon] Rename option --disable-keypad to --disable-pinpad. > > * [scdaemon] Better support for CCID readers. Now, the internal CCID > driver supports readers without the auto configuration feature. > > * [scdaemon] Add pinpad input for PC/SC, if your reader has pinpad > and it supports variable length PIN input, and you specify > --enable-pinpad-varlen option. > > * [scdaemon] New option --enable-pinpad-varlen. > > * [scdaemon] Install into libexecdir to avoid accidental execution > from the command line. > > > The code also builds for Windows and we plan to do a Gpg4win release > soon after 2.0.20. > > > Shalom-Salam, > > Werner > > From pete at heypete.com Thu May 2 20:21:07 2013 From: pete at heypete.com (Pete Stephenson) Date: Thu, 02 May 2013 20:21:07 +0200 Subject: 2.0.20 beta available In-Reply-To: <5182AB0B.2080609@guardianproject.info> References: <87bo93wwcc.fsf@vigenere.g10code.de> <5182AB0B.2080609@guardianproject.info> Message-ID: <5182AE93.6050405@heypete.com> On 5/2/2013 8:06 PM, Abel Luck wrote: > Is it planned to support --delete-secret-keys? Do existing versions not support --delete-secret-keys? I've been using 2.0.17 and 2.0.19 on both Linux and Windows and have had no issues with --delete-secret-keys. It seems to have worked for me: I moved several secret keys over to smartcards (after making offline, secure backups, of course), deleted the secret keys from the keyring, and gnupg created the appropriate stubs pointing to the smartcard without any issues. Cheers! -Pete From mailinglisten at hauke-laging.de Thu May 2 23:41:17 2013 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 02 May 2013 23:41:17 +0200 Subject: determine encryption key without trying to decrypt Message-ID: <1986359.SInG3qgfbV@inno> Hello, how can I determine the key(s) for which a file has been encrypted without gpg trying to decrypt the file? I don't understand why --list-packets tries to decrypt it anyway. --batch and --no-tty do not solve the problem. I don't consider my two ideas very elegant: 1) Call "gpg --status-fd $whatever --list-packets file.gpg", get the info from --status-fd and kill gpg 2) Start another gpg-agent, this one with --batch, and let gpg connect to this instance. I cannot imagine that this cannot be done with the gpg call alone so I hope I just don't see the good solution. Hauke -- ? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) http://www.openpgp-courses.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 572 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Thu May 2 23:53:54 2013 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 02 May 2013 23:53:54 +0200 Subject: determine encryption key without trying to decrypt In-Reply-To: <5182DEC1.2060005@sumptuouscapital.com> References: <1986359.SInG3qgfbV@inno> <5182DEC1.2060005@sumptuouscapital.com> Message-ID: <2717787.sbVJbZW6ba@inno> Am Do 02.05.2013, 23:46:41 schrieb Kristian Fiskerstrand: > > how can I determine the key(s) for which a file has been encrypted > > without gpg trying to decrypt the file? > Try --list-only Yeah, that's it. Still dark corners in man gpg I am unfamiliar with... And what a response time, serverfault-like. :-) Hauke -- ? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) http://www.openpgp-courses.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 572 bytes Desc: This is a digitally signed message part. URL: From kristian.fiskerstrand at sumptuouscapital.com Thu May 2 23:46:41 2013 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 02 May 2013 23:46:41 +0200 Subject: determine encryption key without trying to decrypt In-Reply-To: <1986359.SInG3qgfbV@inno> References: <1986359.SInG3qgfbV@inno> Message-ID: <5182DEC1.2060005@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05/02/2013 11:41 PM, Hauke Laging wrote: > Hello, > > how can I determine the key(s) for which a file has been encrypted > without gpg trying to decrypt the file? Hi Hauke, Try --list-only - -- - ---------------------------- Kristian Fiskerstrand Twitter: @krifisk - ---------------------------- Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Docendo discimus We learn by teaching -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.0-beta210 (GNU/Linux) iQIcBAEBCAAGBQJRgt68AAoJEAt/i2Dj7frjMS4P/3tzsHIeiydHEaEATJd8Lxqf e4xvhSfoSUscAA4ak4nt3Ld6lfzXJiBYmKgRrHBM6/KUsFJM1e/gR1HEfvqiPcIK DTw5WuLv5lmuZwxqBCh/AYOUDkrS2WADnQsKIlpDqF6YYjqxf0Vuho5YrYGe7p7/ ItR9AqxybGKRr5LVbqz8A4se0rYSU9Ok2AWU8VGd9ZIIjYrlwLYju1XUyTcBK3s+ Q/wkaYuMCm4Lx76Ui8dfsB6JL96O8CZB5S2MKeJ8bo++DmarnZEwsoLRriFNeaZy 5LelVm9ENBkZkZBjhR76KngWnUzyqoyVXzZma5+Fjz6qhYyWocJgTTcXHd680cJL F+fm4PnOXNIZqP83uNfAW+JozlD5RjLw7W2B7kWRLeZUgWiHfwCWMP7GbkAk0nda L0sK/oNq3hBgiFod4BYd06LxJMYxS9bjpp+XfP+7zbsEw/MW6OQyhrK2eN3Vk9W5 Vhy3tpgYAIh1qrkuxq3I0ZPFodOPRZoULLQxbV/rzwre2pb/5d+wBGRL2Js6ibVT 1FtjPkhyxJug2yLRFGvWRnj9J/3V+ac9IoB6GYxNFVyKx+BfDLzxlxkCNh/8VVB7 QTCaJ44svF6QFFmxi8G9jDTB/W6xvrvkfQJoh7f40UQX1HC56LBB4xqN3bhJ48bL yGGTzww3hGj3VGPu6Ybk =zTCy -----END PGP SIGNATURE----- From branko at majic.rs Fri May 3 09:53:45 2013 From: branko at majic.rs (Branko Majic) Date: Fri, 3 May 2013 09:53:45 +0200 Subject: Developing JavaCard applet In-Reply-To: <5173A80F.3060302@gmail.com> References: <5173A80F.3060302@gmail.com> Message-ID: <20130503095345.5c45873a@zetkin.primekey.se> On Sun, 21 Apr 2013 10:49:19 +0200 NdK wrote: > Hello all. > > I'm planninng to start work on a "OpenGPGCard TNG" ( :) ) that allows: > - exportable keys only towards user-certified devices > - support for 2048 bit keys -- more if HW allows it > - storage for "many" (thought at least 18 to allow 1 key per year till > 2030) encryption keys (current + expired ones), plus regular signature > and auth keys, plus an extra auth key for RFID auth. > > What I'd like to achieve is that the user is in control of what to do > with his keys: choose if they're exportable or not, choose to allow > export only to other cards, choose if exported key can be re-exported, > etc. But that policy have to be chosen before generating/importing the > signature key: once a signature key is in-place, policy cannot be > altered any more. > That would allow the use of a single card/token per identity, with > keys that can be backed up but remain safe (well, technically the > user could choose to export against an insecure SW key container, but > it's his coice: why should I forbid it? And even if I'd forbid it, he > would simply generate the key in the SW key container then import to > the card, and sw RNGs are usually "less secure" than TRNGs in cards, > or even alter the applet to disable the check...). > > The applet will (obviously) be open-source. > The target card is any GP 2.1.1 (no need for extended APDUs -- they > will be simulated) -- I'll test on JCOP41 72k and SmartCaf? Expert > 144k. > > Comments? Suggestions? Other missing features? > > BYtE, > Diego. > Hello Diego, That certainly sounds interesting. I can volunteer to test it out once you have some workable code - I have a couple of Oberthur cards that are collecting the dust :) What I might be even more interested in is if you could describe the development process you use for working on a JavaCard applet - there's very little resources out there to get people up and running with such exotic topic. The added value would be ability for more people to chip in with contributions :) Best regards -- Branko Majic Jabber: branko at majic.rs Please use only Free formats when sending attachments to me. ?????? ????? ?????: branko at majic.rs ????? ??? ?? ??????? ?????? ????????? ? ????????? ?????????. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From ndk.clanbo at gmail.com Fri May 3 10:18:12 2013 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 03 May 2013 10:18:12 +0200 Subject: Developing JavaCard applet In-Reply-To: <20130503095345.5c45873a@zetkin.primekey.se> References: <5173A80F.3060302@gmail.com> <20130503095345.5c45873a@zetkin.primekey.se> Message-ID: <518372C4.8040103@gmail.com> Il 03/05/2013 09:53, Branko Majic ha scritto: >> I'm planninng to start work on a "OpenGPGCard TNG" ( :) ) that >> allows: - exportable keys only towards user-certified devices - >> support for 2048 bit keys -- more if HW allows it - storage for >> "many" (thought at least 18 to allow 1 key per year till 2030) >> encryption keys (current + expired ones), plus regular signature >> and auth keys, plus an extra auth key for RFID auth. [...] > That certainly sounds interesting. Hope so :) I didn't yet start massive pgp use just 'cause those limitations. > I can volunteer to test it out once you have some workable code - I > have a couple of Oberthur cards that are collecting the dust :) How much memory do they have? I think that less than 64K won't be enough... But you could start experimenting with "old plain" JCOpenPGP (currently on Sourceforge) that we'll be using as a basis. > What I might be even more interested in is if you could describe > the development process you use for working on a JavaCard applet - > there's very little resources out there to get people up and > running with such exotic topic. The added value would be ability > for more people to chip in with contributions :) It's already documented (by Petr Svenda) and there's even a VM: see https://minotaur.fi.muni.cz:8443/~xsvenda/docuwiki/doku.php?id=public:smartcard:javacardcompilation BYtE, Diego. From branko at majic.rs Fri May 3 10:32:24 2013 From: branko at majic.rs (Branko Majic) Date: Fri, 3 May 2013 10:32:24 +0200 Subject: Developing JavaCard applet In-Reply-To: <518372C4.8040103@gmail.com> References: <5173A80F.3060302@gmail.com> <20130503095345.5c45873a@zetkin.primekey.se> <518372C4.8040103@gmail.com> Message-ID: <20130503103224.17799018@zetkin.primekey.se> On Fri, 03 May 2013 10:18:12 +0200 NdK wrote: > > I can volunteer to test it out once you have some workable code - I > > have a couple of Oberthur cards that are collecting the dust :) > How much memory do they have? I think that less than 64K won't be > enough... But you could start experimenting with "old plain" JCOpenPGP > (currently on Sourceforge) that we'll be using as a basis. The ones I got are Oberthur Cosmo V7 64K. I hope that'll be enough - personally I'm ok if I can even store smaller number of keys on it. No idea what your estimates are on how big the applet itself will be. > > What I might be even more interested in is if you could describe > > the development process you use for working on a JavaCard applet - > > there's very little resources out there to get people up and > > running with such exotic topic. The added value would be ability > > for more people to chip in with contributions :) > It's already documented (by Petr Svenda) and there's even a VM: see > https://minotaur.fi.muni.cz:8443/~xsvenda/docuwiki/doku.php?id=public:smartcard:javacardcompilation Cool link, bookmarked for future use :) Best regards -- Branko Majic Jabber: branko at majic.rs Please use only Free formats when sending attachments to me. ?????? ????? ?????: branko at majic.rs ????? ??? ?? ??????? ?????? ????????? ? ????????? ?????????. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From kwadronaut at aktivix.org Fri May 3 10:12:39 2013 From: kwadronaut at aktivix.org (kwadronaut at aktivix.org) Date: Fri, 03 May 2013 08:12:39 +0000 Subject: determine encryption key without trying to decrypt In-Reply-To: <1986359.SInG3qgfbV@inno> References: <1986359.SInG3qgfbV@inno> Message-ID: <20130503081239.17149fb0vgim6yd3@newyear.aktivix.org> Hi, Quoting Hauke Laging : > how can I determine the key(s) for which a file has been encrypted > without gpg > trying to decrypt the file? I don't understand why --list-packets tries to > decrypt it anyway. --batch and --no-tty do not solve the problem. Because of the --hidden-recipient (or --hidden-encrypt-to name) functionality, you're sort-of obliged to simply throw whatever secret keys you have at it and hopefully be able to decrypt it. Why don't you use the option from the faq [1], is there something wrong with: gpg --batch --decrypt --list-only --status-fd 1 2>/dev/null | \ awk '/^\[GNUPG:\] ENC_TO / { print $3 }' Ciao, kwadronaut [1] http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-get-list-of-key-ids-used-to-encrypt-a-message From kiblema at gmail.com Fri May 3 10:45:06 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 10:45:06 +0200 Subject: Suggest please Message-ID: hi guys i am just beginning using gpg/pgp, so my apologies in advance for my confusions. i've read and tried several times to encrypt csv files with a private-key, and to decrypt them back with public key. actually, these different csv files should be encrypted by several different users, and sent to only one mail-adress. there are also several other users on a virtual machine, who should be able to decrypt them. we have to do these with private-public-key case. What i now did is, i created a key-pair, have sent public-key to those, who will encrypt files. i am able to decrypt these files with my private-key. the problem is, i only can decrypt the files. is it possible to do it in any other way, but using also priv-pub-key? i am like stuck.. I appreciate any of your help and suggestion, lena -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Fri May 3 12:38:07 2013 From: wk at gnupg.org (Werner Koch) Date: Fri, 03 May 2013 12:38:07 +0200 Subject: Suggest please In-Reply-To: (Lema KB's message of "Fri, 3 May 2013 10:45:06 +0200") References: Message-ID: <87a9ocpcvk.fsf@vigenere.g10code.de> On Fri, 3 May 2013 10:45, kiblema at gmail.com said: > confusions. i've read and tried several times to encrypt csv files with a > private-key, and to decrypt them back with public key. That is the wrong. You encrypt with the public key and you decrypt with the private key. > What i now did is, i created a key-pair, have sent public-key to those, who > will encrypt files. i am able to decrypt these files with my private-key. > the problem is, i only can decrypt the files. You want that other are also able to decrypt the file? Then you need to encrypt the file to all of them: gpg -e -r userid_1 -r userid_2 -r userid_3 file.csv Then send file.csv.gpg to a all mentioned users and they will all be able to decrypt the file. The size of the encrypted file won't change noticeable. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From kiblema at gmail.com Fri May 3 13:58:39 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 13:58:39 +0200 Subject: Suggest please In-Reply-To: <87a9ocpcvk.fsf@vigenere.g10code.de> References: <87a9ocpcvk.fsf@vigenere.g10code.de> Message-ID: Hi Werner let's say, user_1 created public-private-key_1. then senders should encrypt it with public-key_1 but for all user_1, user_2, etc. with which private key will user_2, user_3,.. decrypt this file.csv, which is encrypted with public-key_1? thanks in advance On Fri, May 3, 2013 at 12:38 PM, Werner Koch wrote: > On Fri, 3 May 2013 10:45, kiblema at gmail.com said: > > > confusions. i've read and tried several times to encrypt csv files with a > > private-key, and to decrypt them back with public key. > > That is the wrong. You encrypt with the public key and you decrypt with > the private key. > > > What i now did is, i created a key-pair, have sent public-key to those, > who > > will encrypt files. i am able to decrypt these files with my private-key. > > the problem is, i only can decrypt the files. > > You want that other are also able to decrypt the file? Then you need to > encrypt the file to all of them: > > gpg -e -r userid_1 -r userid_2 -r userid_3 file.csv > > Then send file.csv.gpg to a all mentioned users and they will all be > able to decrypt the file. The size of the encrypted file won't change > noticeable. > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kiblema at gmail.com Fri May 3 14:03:26 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 14:03:26 +0200 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> Message-ID: or can it be solved through binding PGP with Active Directory? How do i do that, can you pls give any link? thanks in advance On Fri, May 3, 2013 at 1:58 PM, Lema KB wrote: > Hi Werner > > let's say, user_1 created public-private-key_1. then senders should > encrypt it with public-key_1 but for all user_1, user_2, etc. > > with which private key will user_2, user_3,.. decrypt this file.csv, which > is encrypted with public-key_1? > > > thanks in advance > > > On Fri, May 3, 2013 at 12:38 PM, Werner Koch wrote: > >> On Fri, 3 May 2013 10:45, kiblema at gmail.com said: >> >> > confusions. i've read and tried several times to encrypt csv files with >> a >> > private-key, and to decrypt them back with public key. >> >> That is the wrong. You encrypt with the public key and you decrypt with >> the private key. >> >> > What i now did is, i created a key-pair, have sent public-key to those, >> who >> > will encrypt files. i am able to decrypt these files with my >> private-key. >> > the problem is, i only can decrypt the files. >> >> You want that other are also able to decrypt the file? Then you need to >> encrypt the file to all of them: >> >> gpg -e -r userid_1 -r userid_2 -r userid_3 file.csv >> >> Then send file.csv.gpg to a all mentioned users and they will all be >> able to decrypt the file. The size of the encrypted file won't change >> noticeable. >> >> >> Shalom-Salam, >> >> Werner >> >> -- >> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From hhhobbit at securemecca.net Fri May 3 14:05:02 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri, 03 May 2013 12:05:02 +0000 Subject: Suggest please In-Reply-To: References: Message-ID: <5183A7EE.2070605@securemecca.net> On 05/03/2013 08:45 AM, Lema KB wrote: Werner is of course correct but since you need to do a send to userid_1, userid_2, and userid_3 you will need the public key for all three of the recipients. You need the public key for each person you want to send a public key enciphered (encrypted) file or message to. Public / Private Key Enciphering - encrypted with the other person's (or people's) public key(s). No pass-phrase is required. - can only be decrypted by the person (or people) that has the private key(s) that is associtated with public key(s) that the file or message was encrypted with. They also need to know the pass-phrase unless the pinentry program decides to supply their pass-phrase forever. Don't laugh too loud. It happened to me. I must provide my pass-phrase again now. Thank goodness! Private / Public Key signatures (used for verification) - the file or message is signed with your private key. You must use your pass-phrase when signing. This was most critical for the pinetry supplying the pass-phrase for me. You should be required to supply the pass-phrase for all signings with the only laxity being a one-time supply of pass-phrase for a batch of files. - verified with your public key with them importing it and then giving it the proper (hopefully) level of trust when they edit and lsign / sign your public key. They have known you all your life? Then your key deserves the highest level of trust no matter what you do in life. The verification is that the person is really who they claim to be. My primer reference book is "PGP & GPG, Email For The PRACTICAL Paranoid" by Michael W. Lucas. I hope he gives another edition some time since GPG4Win has improved and simpliied a lot of things for Windows users. Disclaimer: I do NOT get a cut of the profits from the sale of the book. HHH From Dave.Smith at st.com Fri May 3 14:09:15 2013 From: Dave.Smith at st.com (David Smith) Date: Fri, 3 May 2013 13:09:15 +0100 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> Message-ID: <5183A8EB.1010607@st.com> On 05/03/13 12:58, Lema KB wrote: > Hi Werner > > let's say, user_1 created public-private-key_1. then senders should > encrypt it with public-key_1 but for all user_1, user_2, etc. > > with which private key will user_2, user_3,.. decrypt this file.csv, > which is encrypted with public-key_1? No. user_1, user_2 and user_3 each generate their own public-private keypair. So: Receiver_1 has public_key_1 and private_key_1 Receiver_2 has public_key_2 and private_key_2 Receiver_3 has public_key_3 and private_key_3 They then all send their public keys to a fourth user, "Sender" (who may actually be one of the receivers, if you wish). Sender then encrypts the file using the public keys of all the Receivers. For example: gpg --recipient Receiver_1 \ --recipient Reciever_2 \ --recipient Receiver_3 \ --encrypt-file file_to_be_encrypted Each of the three recipients will then be able to decrypt the file using their own private key. HTH... From kiblema at gmail.com Fri May 3 14:29:05 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 14:29:05 +0200 Subject: Suggest please In-Reply-To: <5183A8EB.1010607@st.com> References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> Message-ID: It is not appropriate for us to have several public-private-keys. Can GnuPG be downloaded on a virtual machine so, that, if one user on VM generates a pair-key, this pair-key will be also the keys of other user of this VM? So they all will be able to decrypt files using one private-key..? How to set it like that, if this is possible. On Fri, May 3, 2013 at 2:09 PM, David Smith wrote: > On 05/03/13 12:58, Lema KB wrote: > > Hi Werner > > > > let's say, user_1 created public-private-key_1. then senders should > > encrypt it with public-key_1 but for all user_1, user_2, etc. > > > > with which private key will user_2, user_3,.. decrypt this file.csv, > > which is encrypted with public-key_1? > > No. > > user_1, user_2 and user_3 each generate their own public-private > keypair. So: > > Receiver_1 has public_key_1 and private_key_1 > Receiver_2 has public_key_2 and private_key_2 > Receiver_3 has public_key_3 and private_key_3 > > They then all send their public keys to a fourth user, "Sender" (who may > actually be one of the receivers, if you wish). > > Sender then encrypts the file using the public keys of all the > Receivers. For example: > > gpg --recipient Receiver_1 \ > --recipient Reciever_2 \ > --recipient Receiver_3 \ > --encrypt-file file_to_be_encrypted > > Each of the three recipients will then be able to decrypt the file using > their own private key. > > HTH... > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ndk.clanbo at gmail.com Fri May 3 14:51:39 2013 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 03 May 2013 14:51:39 +0200 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> Message-ID: <5183B2DB.1080207@gmail.com> Il 03/05/2013 14:29, Lema KB ha scritto: > It is not appropriate for us to have several public-private-keys. Then probably you don't need encryption at all. Or you only need symmetric encryption (same key used both for enc and dec). > Can GnuPG be downloaded on a virtual machine so, that, if one user on VM > generates a pair-key, this pair-key will be also the keys of other user of > this VM? So they all will be able to decrypt files using one private-key..? Possible, but stupid (IMVHO). If you think VM access control is enough, then just use it and don't encrypt the file. Submission can be handled with a correct ACL (in *nix it could be rwxrwx-wx on a folder: only members of the group will be able to read the files in it, but every user can put his file there -- we used this method for lab projects). Another way can be a web form that stores an uploaded file in a private folder. PGP is not a "magic bullet": he does what it's designed to do (and I think it does it quite well), but won't prevent you from using it in really insecure ways. *SECRET* keys are called that way for a reason. BYtE, Diego. From kiblema at gmail.com Fri May 3 14:58:09 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 14:58:09 +0200 Subject: Suggest please In-Reply-To: <5183B2DB.1080207@gmail.com> References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> Message-ID: hi Diego We need encryption, because the files are sent via Email from other organisations. These files are then decrypted internally, that's why all/several Win-Users of us. On Fri, May 3, 2013 at 2:51 PM, NdK wrote: > Il 03/05/2013 14:29, Lema KB ha scritto: > > It is not appropriate for us to have several public-private-keys. > Then probably you don't need encryption at all. Or you only need > symmetric encryption (same key used both for enc and dec). > > > Can GnuPG be downloaded on a virtual machine so, that, if one user on VM > > generates a pair-key, this pair-key will be also the keys of other user > of > > this VM? So they all will be able to decrypt files using one > private-key..? > Possible, but stupid (IMVHO). If you think VM access control is enough, > then just use it and don't encrypt the file. > Submission can be handled with a correct ACL (in *nix it could be > rwxrwx-wx on a folder: only members of the group will be able to read > the files in it, but every user can put his file there -- we used this > method for lab projects). > Another way can be a web form that stores an uploaded file in a private > folder. > > PGP is not a "magic bullet": he does what it's designed to do (and I > think it does it quite well), but won't prevent you from using it in > really insecure ways. *SECRET* keys are called that way for a reason. > > BYtE, > Diego. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ndk.clanbo at gmail.com Fri May 3 15:09:24 2013 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 03 May 2013 15:09:24 +0200 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> Message-ID: <5183B704.1070501@gmail.com> Il 03/05/2013 14:58, Lema KB ha scritto: > We need encryption, because the files are sent via Email from other > organisations. These files are then decrypted internally, that's why > all/several Win-Users of us. Then you could setup a (different!) machine with a mail robot that receives those mails, decrypts 'em (with its own private key, *much* better if stored on a token/smartcard) and then stores the plaintext files in the drop-box folder where users can access 'em. No user is involved with crypto, and what's sent to the mailbox "magically" appears in the shared folder (they don't even need to know that the decoding machine exists! It probably could be a Raspberry Pi hidden in your server room :) ). BYtE, Diego. From kiblema at gmail.com Fri May 3 15:44:31 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 15:44:31 +0200 Subject: Suggest please In-Reply-To: <5183B704.1070501@gmail.com> References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> <5183B704.1070501@gmail.com> Message-ID: i've made this robot: it receives mail, decrypts files with my private-key, and saves them in a folder. But, someone should click on run.. This is me only. i need, that some others will be able to run it also. But it doesn't decrypt files, as the priv-key for decryption is mine. On Fri, May 3, 2013 at 3:09 PM, NdK wrote: > Il 03/05/2013 14:58, Lema KB ha scritto: > > > We need encryption, because the files are sent via Email from other > > organisations. These files are then decrypted internally, that's why > > all/several Win-Users of us. > Then you could setup a (different!) machine with a mail robot that > receives those mails, decrypts 'em (with its own private key, *much* > better if stored on a token/smartcard) and then stores the plaintext > files in the drop-box folder where users can access 'em. > No user is involved with crypto, and what's sent to the mailbox > "magically" appears in the shared folder (they don't even need to know > that the decoding machine exists! It probably could be a Raspberry Pi > hidden in your server room :) ). > > BYtE, > Diego. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kiblema at gmail.com Fri May 3 16:02:40 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 3 May 2013 16:02:40 +0200 Subject: Suggest please Message-ID: hi Henry can a symmetric cipher be/use also public-private-keys? On Fri, May 3, 2013 at 3:44 PM, Henry Hertz Hobbit wrote: > On 05/03/2013 08:45 AM, Lema KB wrote: > > > is it possible to do it in any other way, but using also priv-pub-key? i > am > > like stuck.. > > Yes, I imagine they told you to use a symmetric cipher. > Here are some scripts that may help (be sure to replace > my KEY NUMBER with yours and change the ".txt" extension > to ".sh" and make it executable: > > http://www.securemecca.com/public/GnuPG/ > > To encrypt use the crypt.sh script (be sure to replace > TWOFISH with the cipher that you prefer in the script. > The decrypt script will decrypt the file but make sure > you do NOT give it the ".gpg" extension or modify the > script. > > Also, if all you want to do is encrypt and you are on > Windows, you can use 7-Zip which has a built in AES-128 > symmetric cipher: > > http://www.7-zip.org > > The source code compiles and installs easily for 'nix > systems > > Don't feel bad about not understanding public / private > key encryption at first. Even engineers with Phd degrees > have problems. Only Mathematicians and Computer Scientists > can handle it and even then sometimes they have problems. > > HHH > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dave.Smith at st.com Fri May 3 16:10:46 2013 From: Dave.Smith at st.com (David Smith) Date: Fri, 3 May 2013 15:10:46 +0100 Subject: Suggest please In-Reply-To: References: Message-ID: <5183C566.8000109@st.com> On 05/03/13 15:02, Lema KB wrote: > can a symmetric cipher be/use also public-private-keys? No. The whole point of public/private cryptography is to use asymmetric ciphers. (caveat: actually, this is an over-simplification. In reality, gpg DOES use symmetric ciphers, but in a way that makes it look like it is using asymmetric ones). From ndk.clanbo at gmail.com Fri May 3 17:13:07 2013 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 03 May 2013 17:13:07 +0200 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> <5183B704.1070501@gmail.com> Message-ID: <5183D403.8080207@gmail.com> Il 03/05/2013 15:44, Lema KB ha scritto: > i've made this robot: it receives mail, decrypts files with my > private-key, and saves them in a folder. But, someone should click on > run.. This is me only. i need, that some others will be able to run it > also. But it doesn't decrypt files, as the priv-key for decryption is mine. Then just create "his" keypair and run it with a scheduler (like "once a minute"). But how to do this, is really OT here. BYtE, Diego. From wk at gnupg.org Fri May 3 17:06:39 2013 From: wk at gnupg.org (Werner Koch) Date: Fri, 03 May 2013 17:06:39 +0200 Subject: Suggest please In-Reply-To: (Lema KB's message of "Fri, 3 May 2013 14:29:05 +0200") References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> Message-ID: <87y5bwnlvk.fsf@vigenere.g10code.de> On Fri, 3 May 2013 14:29, kiblema at gmail.com said: > It is not appropriate for us to have several public-private-keys. Although I don't consider this a good idea: You may give a copy of the private key to all persons who need to decrypt the files. In general such a group owned private key is not a good idea but it is commonly done nevertheless. gpg --export-secret-key FINGERPRINT >privatekey.gpg and "gpg --import" that privatekey.gpg on the machines which need to decrypt. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From ndk.clanbo at gmail.com Fri May 3 18:14:51 2013 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 03 May 2013 18:14:51 +0200 Subject: Suggest please In-Reply-To: <5183B2DB.1080207@gmail.com> References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> Message-ID: <5183E27B.80702@gmail.com> Il 03/05/2013 14:51, NdK ha scritto: > Submission can be handled with a correct ACL (in *nix it could be > rwxrwx-wx on a folder: only members of the group will be able to read > the files in it, but every user can put his file there -- we used this > method for lab projects). Just to be more precise, the setting as described have a behaviour that could not be what one expects: 1) knowing the file name everyone can read it 2) knowing the file name, everyone can delete it You can fix 1 by setting umask (on the filesystem, if dropbox is in its own partition) so that actual file permissions are 0640 or 0660. To fix 2 you should set the sticky bit on the folder. See http://stackoverflow.com/questions/869536/linux-directory-permissions-read-write-but-not-delete Tks to DKG for pointing this out. I'll try to be more precise next time. BYtE, Diego. From hhhobbit at securemecca.net Fri May 3 22:43:34 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri, 03 May 2013 20:43:34 +0000 Subject: Suggest please In-Reply-To: References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> <5183B704.1070501@gmail.com> Message-ID: <51842176.4070702@securemecca.net> First, a restriction on who can access folder restricted to just a group on 'nix should probably be: drwxrwx--- (chmod 770 dir - all group members can write) drwxr-x--- (chmod 750 dir - only owner can write) http://www.securemecca.com/public/ChmodTable.txt On OpenVMS you can and the military does just turn off the world permiesions leaving only SOG (System, Owner, Groupm originally it was SOGW). But OpenVMS has theirs done via a DACL. Windows has DACLs but really not for files / folders in the same way that OpenVMS / Unix / Linux do it. Unix / Linux file permission flags for the files is hard-wired (done deep within the bowels of the OS). Symmetric ciphers via GnuPG: ============================ You can use either a symmetric or public key cipher with GnuPG, but you really sort of need keys to even do symmetric ciphers via GnuPG or PGP from Symantec. This script is what I use if I want to make a file encrypted with a ymmetric cipher via GnuPG: http://www.securemecca.com/public/GnuPG (folder - I used decrypt for decrypting encrypted files) http://www.securemecca.com/public/GnuPG/ Pros: Can't think of any other than it saves all that typing. It MAY help you understand it. Maybe it will confuse you. Cons: Anybody who knows the password can decrypt it. Some times that is a positive. For top security it is a negative if the public key used to encipher a file is not yours (belongs to somebody else and you don't have the private keys). Symmetric cipher with AES-128 using 7-Zip: ========================================== You don't need keys. Just supply the password and let the other people know what the password is. on Unix / Linux you just use: this for a file: $ 7za a -p filename.7z filename and this for a directory (folder) $ 7za a -[ dirname.7z ./dirname Pros: provides symmetric encryption without keys! Blissfully dumps the UID:GID so it comes out right when root unzips it (owned by root in group root) no matter who it belonged to on the other system.. for 'nix. That is why I like it. Would love to have ClamAV source code in 7z format. It is great for sending lists of bad URLs / hosts to others since email scanner doesn't know what to do with it. Cons: Same as for GPG symmetric but no choice of CIPHER (uses AES-128) which may be unsatisfactory for some uses. Must build it yourself for 'nix. Do NOT use 7-zip for backups of system stuff or you wull have a chicken versus egg problem, encrypted or not. (APOLOGIES TO GNUPG ADVOCATES) Public / Private key implementation: ==================================== In reality there is a symmetric cipher hidden down in there. GnuPG pseudo-randomly (hopefully closer to randomly than to pseudo) creates a password for the symmetrically enciphered file and encrypts the password for the symmetric cipher using the other person's (people's) public key(s) with the ElGamal or similar public-key cipher. Each recipient gets their own copy (in the past the whole thing with Thunderbird plus Enitmail). But you do NOT encrypt the whole file with the public key. You use the public key to encipher only the password used to create the symmetric cipher. The way public / private key is normally used: ============================================== On Windows, GPG4WIN supplies an Outlook look-alike called Claws Mail that just looks at the recipients when you select encrypt and magically encrypts a message that the entire list of users can decrypt as long as you have the public key for each of the recipients on your key-ring. The enigmail plugin for the mail client program called Thunderbird does much the same thing. SEE! Public key encryption doesn't have to be all that complicated! Pros: When encrypted for JoeGoodGuy in Denver with the encryption being done in Syria (war-torn) nobody but JoeGoodGuy can decipher it. Be sure to wipe the original unenciphered file(s). Wikileaks Julian Assange knew this and encrypted all of those files with a symmetriic cipher anyway so everybody could decrypt the zip of all those files some time in the future no matter how long the password was. But if the journalist had their own public / private key pair it could have been encrypted with the journalist's public key and then only the journalist could have decrypted it. Pubic key encryption is used successfully for this purpose by civil rights activists world-wide. Cons: Initial confusion on how it works. Don't feel bad because even PhD engineers may need some time to finally understand how it works (which is why I recommended that book). Don't be afraid of using OpenPGP public key encryption. It really is superior when you have two people that semi-trust each other. "Spies take time to warm up to each other" said one of the people that broke the Enigma cipher machine. "Even if they are British and American spies they are hesitant to share secrets." If I encrypt a message to you using your public key, even I cannpt decipher it any more. Somehow that makes me feel SAFER. Don't give up on it - you can do it. GnuPG public key encryption is even used to make backups shipped over public networks because nobody but the person (hopefully not PEOPLE but maybe for companies) who has the private key and knows the pass-phrase can decipher it. public key encryption is superior for people in more than one geographic location. HHH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From abel at guardianproject.info Sat May 4 00:15:31 2013 From: abel at guardianproject.info (Abel Luck) Date: Fri, 03 May 2013 22:15:31 +0000 Subject: 2.0.20 beta available In-Reply-To: <5182AE93.6050405@heypete.com> References: <87bo93wwcc.fsf@vigenere.g10code.de> <5182AB0B.2080609@guardianproject.info> <5182AE93.6050405@heypete.com> Message-ID: <51843703.4070508@guardianproject.info> Pete Stephenson: > On 5/2/2013 8:06 PM, Abel Luck wrote: >> Is it planned to support --delete-secret-keys? > > Do existing versions not support --delete-secret-keys? > Oh, it must be not implemented in just 2.1 (git master). I just assumed it wasn't implemented in 2.0 either. I wonder why it was removed from 2.1. ~abel > I've been using 2.0.17 and 2.0.19 on both Linux and Windows and have had > no issues with --delete-secret-keys. It seems to have worked for me: I > moved several secret keys over to smartcards (after making offline, > secure backups, of course), deleted the secret keys from the keyring, > and gnupg created the appropriate stubs pointing to the smartcard > without any issues. > > Cheers! > -Pete > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From robertc at broadcom.com Fri May 3 23:27:42 2013 From: robertc at broadcom.com (Bob (Robert) Cavanaugh) Date: Fri, 3 May 2013 21:27:42 +0000 Subject: Libgcrypt (hopefully not OT) Message-ID: <8F0B09FC6339FA439524099BFCABC11F14179F@IRVEXCHMB11.corp.ad.broadcom.com> Hi All, I am using Libgcrypt 1.5.2 with gcc v 4.5.3 on Cygwin to use the MPI functions. Can you please provide some guidance on how to handle signed and negative MPIs? I cannot seem to get a negative MPI, which is causing problems with other computations (specifically gcry_mpi_invm never returns and hangs). As an alternative, Is it possible to use the ecc functions with a custom random number generator algorithm? Thanks, Bob Cavanaugh Broadcom Corporation 16340 West Bernardo Drive San Diego CA 92127 Work: 858-521-5562 Fax: 858-385-8810 Cell: 858-361-2068 From hhhobbit at securemecca.net Sat May 4 03:18:21 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Sat, 04 May 2013 01:18:21 +0000 Subject: Suggest please In-Reply-To: <51842176.4070702@securemecca.net> References: <87a9ocpcvk.fsf@vigenere.g10code.de> <5183A8EB.1010607@st.com> <5183B2DB.1080207@gmail.com> <5183B704.1070501@gmail.com> <51842176.4070702@securemecca.net> Message-ID: <518461DD.3050500@securemecca.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05/03/2013 08:43 PM, Henry Hertz Hobbit wrote: First, I think public key encryption is apropos for what you are doing if privacy is a concern. The way you approached it without telling us you are on Windows until later on indicates privacy IS a consideration for you. Now that I know you are on Windows I am curious what you are using to automate - Visual Basic, BAT, Power Shell, or something else. I run into too many problems with their darn spaces no matter which of these three I use. It is best to just add where gpg2 and everything else lives to your PATH. Here is where it is for the latest version of GPG4Win (at least on Windows 7) %ProgramFiles%\GNU\GnuPG >From my point of view object oriented scripting is strange. Scripts should be more verbal than noun oriented. If you need help in getting it going I will help but do NOT use what you would be sending to your cohorts. My public key is on the key-servers. For the long way Just go here: http://pgp.mit.edu/ Then enter my email address hhhobbit[gnat]securemecca.net Click on the top key, copy and paste it into a file and then import. Fast way is to just use PGP4Win's GUI to import the key directly from the key-servers. The first test is to send a publicly encrypted file. Then you do it for two users per Werner's statement and as you go along you will see what is appropriate for you. HHH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQEcBAEBCAAGBQJRhGHcAAoJEMhFIk/IOUbwq/UIAKA/lpBKKbaCJVTIAq3ttgPi +dzgkGRFl3TOwlUyQutZ6AZiuIxw1uCUrCuWy+UacTRBe/qCcsJRLwlFNk6htiVt bB0YKXqUSt9lGfrLys4mMSP4EV1n5AF1aYodDPIsae7znQyKyjanx0oTP718Bniw QHPphFNuGs9XtQ9lo4wx5G7rKiOQzpWXjq6M8NBbmbMmUp+5hXRNjK/LHlHBX7Rk hTnq6vmKWLSUZDImCylEZAV7XG14XnqMDQ9URGt8uKbO+d3PH17rGgcDdltF53Hu lAMdOJQmjrMIg4TmJYZgM2KzDxcb/kcRH8tQjWUTRrVt4tY6cl+AT0BMJohJLQQ= =54Gp -----END PGP SIGNATURE----- From wood.quinn.s at gmail.com Sat May 4 00:15:36 2013 From: wood.quinn.s at gmail.com (Quinn Wood) Date: Fri, 3 May 2013 17:15:36 -0500 Subject: Web of Trust in Practical Usage In-Reply-To: <5181E261.6000806@fifthhorseman.net> References: <517D094F.4040507@digitalbrains.com> <5181E261.6000806@fifthhorseman.net> Message-ID: On 5/1/13, Daniel Kahn Gillmor wrote: > what specifically are you trying to do in the bigger picture? maybe > folks here can give you some suggestions if we can see what you're > trying to accomplish in the abstract? > I suppose I had hoped that the cost of generating new keys would prevent too much gaming in a WoT-vote based system. From dkg at fifthhorseman.net Sun May 5 06:10:14 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 05 May 2013 00:10:14 -0400 Subject: Web of Trust in Practical Usage In-Reply-To: References: <517D094F.4040507@digitalbrains.com> <5181E261.6000806@fifthhorseman.net> Message-ID: <5185DBA6.9050804@fifthhorseman.net> On 05/03/2013 06:15 PM, Quinn Wood wrote: > On 5/1/13, Daniel Kahn Gillmor wrote: >> what specifically are you trying to do in the bigger picture? maybe >> folks here can give you some suggestions if we can see what you're >> trying to accomplish in the abstract? > > I suppose I had hoped that the cost of generating new keys would > prevent too much gaming in a WoT-vote based system. even if you care about high quality entropy, new keys are pretty cheap. If you don't care about high quality entropy (you just want new keys and don't care how hard they are to guess) new keys are *outrageously* cheap. This isn't something you can rely on to just do aggregate voting, unfortunately. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From ndk.clanbo at gmail.com Sun May 5 08:43:43 2013 From: ndk.clanbo at gmail.com (NdK) Date: Sun, 05 May 2013 08:43:43 +0200 Subject: Web of Trust in Practical Usage In-Reply-To: <5185DBA6.9050804@fifthhorseman.net> References: <517D094F.4040507@digitalbrains.com> <5181E261.6000806@fifthhorseman.net> <5185DBA6.9050804@fifthhorseman.net> Message-ID: <5185FF9F.5060002@gmail.com> Il 05/05/2013 06:10, Daniel Kahn Gillmor ha scritto: > If you don't care about high quality entropy Even if you do: just add a NEUG token (or something similar) to the system and you have pretty high quality entropy at a good rate. But since the slow part of key generation is the primes selection, you could speed it up just recycling primes from different keys. N primes usually let you create N/2 keys, but you can generate N(N-1)/2 different keys. BYtE, Diego From wk at gnupg.org Mon May 6 11:10:53 2013 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 May 2013 11:10:53 +0200 Subject: 2.0.20 beta available In-Reply-To: <51843703.4070508@guardianproject.info> (Abel Luck's message of "Fri, 03 May 2013 22:15:31 +0000") References: <87bo93wwcc.fsf@vigenere.g10code.de> <5182AB0B.2080609@guardianproject.info> <5182AE93.6050405@heypete.com> <51843703.4070508@guardianproject.info> Message-ID: <87sj20o4ma.fsf@vigenere.g10code.de> On Sat, 4 May 2013 00:15, abel at guardianproject.info said: > Oh, it must be not implemented in just 2.1 (git master). I just assumed > it wasn't implemented in 2.0 either. I wonder why it was removed from 2.1. In 2.1 the secret keys are manage by gpg-agent and in theory gpg should not care about them. However, we also have import and export commands which tell the agent what to do with the secret keys (i.e. import or export). A delete command is a bit more difficult regarding the UI because it is possible that gpgme uses the same secret key for an X.509 certificate - it would then also be silently deleted. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon May 6 15:04:51 2013 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 May 2013 15:04:51 +0200 Subject: Web of Trust in Practical Usage In-Reply-To: <5185FF9F.5060002@gmail.com> (NdK's message of "Sun, 05 May 2013 08:43:43 +0200") References: <517D094F.4040507@digitalbrains.com> <5181E261.6000806@fifthhorseman.net> <5185DBA6.9050804@fifthhorseman.net> <5185FF9F.5060002@gmail.com> Message-ID: <87bo8ontsc.fsf@vigenere.g10code.de> On Sun, 5 May 2013 08:43, ndk.clanbo at gmail.com said: > But since the slow part of key generation is the primes selection, you > could speed it up just recycling primes from different keys. 2.1 already does something similar. Because the keys are generated by the gpg-agent daemon the prime cache in Libgcrypt is actually used: Libgcrypt first generates a pool of smaller primes and then tries permutations of them to find a suitable strong prime. The unused small pool primes are then put into a cache and used for the next prime generation. Anyway, with the move from RSA to ECC, we don't need the secret primes anymore. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon May 6 21:50:07 2013 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 May 2013 21:50:07 +0200 Subject: Libgcrypt (hopefully not OT) In-Reply-To: <8F0B09FC6339FA439524099BFCABC11F14179F@IRVEXCHMB11.corp.ad.broadcom.com> (Bob Cavanaugh's message of "Fri, 3 May 2013 21:27:42 +0000") References: <8F0B09FC6339FA439524099BFCABC11F14179F@IRVEXCHMB11.corp.ad.broadcom.com> Message-ID: <87y5brnb0w.fsf@vigenere.g10code.de> On Fri, 3 May 2013 23:27, robertc at broadcom.com said: > I am using Libgcrypt 1.5.2 with gcc v 4.5.3 on Cygwin to use the MPI > functions. Can you please provide some guidance on how to handle > signed and negative MPIs? I cannot seem to get a negative MPI, which Negative numbers are supported by the MPI subsystem but a rarely used. There is a macro mpi_is_neg to test for it. We have no explict function to negate an MPI. You would need to resort to somthing like void make_negative (gcry_mpi_t value) { gcry_mpi_t zero = gcry_mpi_new (0); gcry_mpi_sub (value, zero, value); gcry_mpi_release (zero); } Not pretty elegant or fast given that it only needs to toggle a bit. For the use of some macros the sign bit is exposed, so you could use a bad hack to do it faster. > As an alternative, Is it possible to use the ecc functions with a custom random number generator algorithm? Are you looking into deterministic DSA, similar to the draft-pornin-deterministic-dsa-01 I-D? We recently started a discussion on gcrypt-devel at gnupg.org about this. That ML would anyway be a better place for your questions. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From exaikt+xfzy at gmail.com Wed May 8 10:45:57 2013 From: exaikt+xfzy at gmail.com (Michael Scheer) Date: Wed, 08 May 2013 10:45:57 +0200 Subject: How can I extract the --embedded-filename for =?UTF-8?Q?scripting=3F?= Message-ID: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> Hi guys, in a script in a specific situation I use embedded filenames for decrypting (as in "gpg -v --use-embedded-filename file.gpg"). For this script I need to know the name of the resulting unencrypted file, because I want to check headers on this file and extract if it's a compressed file format. I don't see any way to get the file name within the script. My idea was to take the text output of "gpg -v --use-embedded-filename file.gpg" to a file via ">", but this is not possible, because it displays text on the console of course, as I have to enter a passphrase... Do you see any way to get the embedded file name for variables? TIA Michael From exaikt+xfzy at gmail.com Wed May 8 12:18:03 2013 From: exaikt+xfzy at gmail.com (Michael Scheer) Date: Wed, 08 May 2013 12:18:03 +0200 Subject: How can I extract the --embedded-filename for =?UTF-8?Q?scripting=3F?= In-Reply-To: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> Message-ID: <6f67dcd4358b80a809e0effd6537f584@minnit.de> I forgot to mention the GNUPG version: It's 1.4.13 From peter at digitalbrains.com Wed May 8 13:22:16 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 08 May 2013 13:22:16 +0200 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> Message-ID: <518A3568.6010603@digitalbrains.com> > Do you see any way to get the embedded file name for variables? I see two options. One: get the name before you write the decrypted file. Since the name is obviously encrypted, you do need your private key. $ gpg --with-colons --list-packets foo.gpg :pubkey enc packet: version 3, algo 1, keyid 26F7563E73A33BEE data: [2043 bits] :encrypted data packet: length: 86 mdc_method: 2 gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12 "Peter Lebbing " :compressed packet: algo=2 :literal data packet: mode b (62), created 1368011777, name="Hi Michael", raw data: 16 bytes I created a file named "Hi Michael" filled with 16 bytes of randomness. Two: get the name from status-fd during writing the decrypted file. $ gpg --status-fd 1 --use-embedded-filename foo.gpg [GNUPG:] ENC_TO 26F7563E73A33BEE 1 0 [GNUPG:] CARDCTRL 3 gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12 "Peter Lebbing " [GNUPG:] BEGIN_DECRYPTION [GNUPG:] DECRYPTION_INFO 2 7 [GNUPG:] PLAINTEXT 62 1368011777 Hi%20Michael [GNUPG:] PLAINTEXT_LENGTH 16 [GNUPG:] DECRYPTION_OKAY [GNUPG:] GOODMDC [GNUPG:] END_DECRYPTION HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Wed May 8 13:36:12 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 08 May 2013 13:36:12 +0200 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <518A3568.6010603@digitalbrains.com> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> Message-ID: <518A38AC.6010602@digitalbrains.com> Maybe I didn't read your message well enough before I answered. You said you couldn't use standard out. This is a crude way to get the status-fd stuff in a file as you mention: $ gpg --status-fd 3 --use-embedded-filename foo.gpg 3>foo.status You need a passphrase to unlock the secret key for user: [...] 2048-bit RSA key, ID [...] gpg:encrypted with 2048-bit RSA key, ID [...] $ cat foo-status [GNUPG:] ENC_TO [...] 1 0 [GNUPG:] USERID_HINT [...] [GNUPG:] NEED_PASSPHRASE [...] [...] 1 0 [GNUPG:] GOOD_PASSPHRASE [GNUPG:] BEGIN_DECRYPTION [GNUPG:] DECRYPTION_INFO 2 9 [GNUPG:] PLAINTEXT 62 1368012643 Hi%20Michael [GNUPG:] PLAINTEXT_LENGTH 16 [GNUPG:] DECRYPTION_OKAY [GNUPG:] GOODMDC [GNUPG:] END_DECRYPTION Since my own key is on a smartcard, I couldn't use it to test the "ask for password on the console" thing, so I used a test key which I don't want to reveal as it's a spam honeypot key. Bash scripting can do much nicer things with fd's than just throwing the output in a file. By the way, you never mentioned the platform you're working on. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From exaikt+xfzy at gmail.com Wed May 8 14:03:43 2013 From: exaikt+xfzy at gmail.com (Michael Scheer) Date: Wed, 08 May 2013 14:03:43 +0200 Subject: How can I extract the --embedded-filename for =?UTF-8?Q?scripting=3F?= In-Reply-To: <518A38AC.6010602@digitalbrains.com> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> <518A38AC.6010602@digitalbrains.com> Message-ID: <135636ab83c0b528897c734db6a88211@minnit.de> HOLD ON - IT WORKS! Peter Lebbing: > $ gpg --status-fd 3 --use-embedded-filename foo.gpg 3>foo.status | "%GNUPGHOME%gpg.exe" --status-fd 2 --use-embedded-filename %1 2>"%temp%\out.txt" produces an out.txt with the desired contents, which I can grep out :-) --> [GNUPG:] PLAINTEXT 62 1368014323 ~20130508135842.ff0fcb7.tmp.7z MANY MANY THANKS, Peter. Best regards Michael From gmane.bl4 at gishpuppy.com Wed May 8 13:52:41 2013 From: gmane.bl4 at gishpuppy.com (gmane.bl4 at gishpuppy.com) Date: Wed, 8 May 2013 11:52:41 +0000 (UTC) Subject: How can I extract the --embedded-filename for scripting [GishPuppy] Message-ID: <20130508115241.60C20726FC@mail.gishpuppy.com> You do not indicate OS. Windows NT 5.x+ OS script: GPG -v --use-embedded-filename file.gpg 2>$$$.tmp FOR /F "tokens=2 delims='" %%I IN ('FIND "gpg: original file name" ^<$$$.tmp') DO ( @SET origFilename=%%I DEL $$$.tmp ) ECHO;%origFilename% Gishpuppy | To change the delivery settings for this email, click here: http://www.gishpuppy.com/cgi-bin/edit.py?email=gmane.bl4 at gishpuppy.com From peter at digitalbrains.com Wed May 8 17:18:01 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 08 May 2013 17:18:01 +0200 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <135636ab83c0b528897c734db6a88211@minnit.de> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> <518A38AC.6010602@digitalbrains.com> <135636ab83c0b528897c734db6a88211@minnit.de> Message-ID: <518A6CA9.2050509@digitalbrains.com> On 08/05/13 14:03, Michael Scheer wrote: > HOLD ON - IT WORKS! > | "%GNUPGHOME%gpg.exe" --status-fd 2 --use-embedded-filename %1 2>"%temp%\out.txt" 2 is standard error (at least, I suppose Windows does that too), so it will be mixed with any other output to stderr. On Linux, I see the "gpg: encrypted with..." message on stderr together with the status-fd output. Depending on the buffering chosen for standard error, it might be racey: if some other message mingles with [GNUPG:] PLAINTEXT... it might become unreadable for your script. Somebody with good Windows scripting knowledge might be able to help you keep it separate. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Wed May 8 21:01:38 2013 From: wk at gnupg.org (Werner Koch) Date: Wed, 08 May 2013 21:01:38 +0200 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <518A38AC.6010602@digitalbrains.com> (Peter Lebbing's message of "Wed, 08 May 2013 13:36:12 +0200") References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> <518A38AC.6010602@digitalbrains.com> Message-ID: <87k3n9l2i5.fsf@vigenere.g10code.de> On Wed, 8 May 2013 13:36, peter at digitalbrains.com said: > couldn't use standard out. This is a crude way to get the status-fd stuff in a > file as you mention: > > $ gpg --status-fd 3 --use-embedded-filename foo.gpg 3>foo.status That is not crude but a standard Unix pattern. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Thu May 9 10:30:43 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 09 May 2013 10:30:43 +0200 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <87k3n9l2i5.fsf@vigenere.g10code.de> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> <518A38AC.6010602@digitalbrains.com> <87k3n9l2i5.fsf@vigenere.g10code.de> Message-ID: <518B5EB3.2000202@digitalbrains.com> On 08/05/13 21:01, Werner Koch wrote: > That is not crude but a standard Unix pattern. I considered putting the status-fd stuff into a file, then reading the file and finally deleting it a much cruder method than connecting the parsing logic to fd 3 directly. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From hhhobbit at securemecca.net Thu May 9 19:17:58 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu, 09 May 2013 17:17:58 +0000 Subject: How can I extract the --embedded-filename for scripting? In-Reply-To: <518B5EB3.2000202@digitalbrains.com> References: <4267d7d5b77cac1b619750e2995fbd3c@minnit.de> <518A3568.6010603@digitalbrains.com> <518A38AC.6010602@digitalbrains.com> <87k3n9l2i5.fsf@vigenere.g10code.de> <518B5EB3.2000202@digitalbrains.com> Message-ID: <518BDA46.3090702@securemecca.net> On 05/09/2013 08:30 AM, Peter Lebbing wrote: > On 08/05/13 21:01, Werner Koch wrote: >> That is not crude but a standard Unix pattern. > > I considered putting the status-fd stuff into a file, then reading the file and > finally deleting it a much cruder method than connecting the parsing logic to fd > 3 directly. > > Peter. Peter[gnat]digitalbrains[dot]com's way of doing it: gpg --status-fd 3 --use-embedded-filename foo.gpg 3>foo.status That is probably incompatible with Windows doing it. The original poster already has the cmd.exe (BAT) script for doing it finished already. The way I handle it on Windows is to output the results of either stdout (>) or stderr (2>) to a file and then open that file with VBScript. Trapping the result in any Windows scripting language other than Power Shell (I am NOT very familiar with it) is problematical. That is why my advice is that the original file name should be preserved with an added ".gpg" for the encrypted file to make these things clear, e.g.: Design-Files is a folder. It is zipped into either a 7-Zip or zip file with all the contents in the folder zipped with it (recursive - the default for 7-Zip): Design-Files 7zips to Design-Files.7z Design-Files zips to Design-Files.zip When encrypting: Design-Files.zip is encrypted to Design-Files.zip.gpg Design-Files.7z is encrypted to Design-Files.7z.gpg MasterFile.txt is encrypted to MasterFile.txt.gpg That way the file name alone gives a clue as to whether further processing is necessary. I KNOW that VBScript can handle it this way. The only problem is to put an unzipper program some place in your %PATH% where there is no spaces or punctuation to that folder for the zip.exe or 7z.exe that you are using. One more thing. Windows Explorer should be set to show the entire file name. That also prevents *.pdf.exe files appearing to be *.pdf files as well. Ditto for *.doc.exe and similar files. But it makes some of this explicit for OpenPGP enciphered files and I KNOW that VBScript can handle it when it is done this way. 'Nix way: I am pretty sure that a grep for '\.tar\.gz', '\.tgz', /\.tbz' and '\.7z' after deciphering and redirected to files and than opening and processing those files on 'nix can also be done to perform the addiitional processing automatically (use file with a grep for certain patters as one last check), You are better off for the temporary files being put in either the current folder or ${HOME}/tmp if the perms on those folders is 700. Use of /tmp or even /var/tmp is unsafe. unless you are the only person on the system. Even if you are the only person have the script remove the tmp files and unset the relevant VARS. I turn history off in most of my scripts at the start and then turn history back on at the end of the script if security is a consideration: http://www.securemecca.com/public/GnuPG/ HHH From telegraph at gmx.net Thu May 9 18:49:04 2013 From: telegraph at gmx.net (Gregor Zattler) Date: Thu, 9 May 2013 18:49:04 +0200 Subject: Web of Trust in Practical Usage In-Reply-To: <517D094F.4040507@digitalbrains.com> References: <517D094F.4040507@digitalbrains.com> Message-ID: <20130509164904.GB28329@boo.workgroup> Hi Peter, gnupg-users, * Peter Lebbing [28. Apr. 2013]: > So while tools like PGP Pathfinder can find signature paths, it doesn't really > help for validity, which needs ownertrust of a direct parent of the key you want > validated. There are no ownertrust paths. There are no ownertrust paths but the pathfinder shows me how many disjunct paths are possible from my key to the other key. An attacker would have to introduce fake signatures in every of the disjunct paths. Since I choose the first nodes on the path because I checked their identity (papers) and signed their key, I have some means of making the attack more difficult. (All this implies that the pathfinder does not lie to me.) Ciao; Gregor From dkg at fifthhorseman.net Thu May 9 20:25:37 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 09 May 2013 14:25:37 -0400 Subject: Web of Trust in Practical Usage In-Reply-To: <20130509164904.GB28329@boo.workgroup> References: <517D094F.4040507@digitalbrains.com> <20130509164904.GB28329@boo.workgroup> Message-ID: <518BEA21.1070401@fifthhorseman.net> On 05/09/2013 12:49 PM, Gregor Zattler wrote: > There are no ownertrust paths but the pathfinder shows me how > many disjunct paths are possible from my key to the other key. > > An attacker would have to introduce fake signatures in every of > the disjunct paths. This is trivial to do. I suspect the main reason no one has bothered to do it is because no one is currently (that i know of) trying to use some sort of voting scheme in what is effectively an infinitely large pool, which would make them vulnerable to this attack. Please don't start using (or encouraging other people to use) such a voting scheme. It is not a reliable or responsible mechanism in this space. > Since I choose the first nodes on the path because I checked > their identity (papers) and signed their key, I have some means > of making the attack more difficult. if you're counting distinct paths, those paths can start anywhere in the chain. so if you say "i will make this more difficult for an attacker by only having ever signed the key of Alice", then your adversary just needs to get one key signed by Alice before they start injecting false identities, rather than getting a key signed by you. This is not significantly more difficult, and you have no way of knowing if it is happening or not. The responsibility ultimately rests on you to decide whose identity certifications you are willing to rely on. using a voting scheme is nearly equivalent to saying "anyone who has a key, i will rely on in the same way as anyone else". This choice is disastrous in an environment where it is easy to create and control "sockpuppet" accounts with their own keys, and those accounts/keys are indistinguishable from "real" accounts/keys. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From hans at guardianproject.info Thu May 9 16:28:27 2013 From: hans at guardianproject.info (Hans-Christoph Steiner) Date: Thu, 09 May 2013 10:28:27 -0400 Subject: GnuPG Command line: now in the Play Store! Message-ID: <518BB28B.9020009@guardianproject.info> https://play.google.com/store/apps/details?id=info.guardianproject.gpg This alpha release of our command-line developer tool brings GnuPG to Android for the first time! GNU Privacy Guard Command-Line (gpgcli) gives you command line access to the entire GnuPG suite of encryption software. GPG is GNU?s tool for end-to-end secure communication and encrypted data storage. This trusted protocol is the free software alternative to PGP. GnuPG 2.1 is the new modularized version of GnuPG that now supports OpenPGP and S/MIME. ***Setup*** Before using gpgcli, be sure to launch the app and let it finish its installation process. Once it has completed, then you're ready to use it. The easiest way to get started with gpgcli is to install Android Terminal Emulator. gpgcli will automatically configure Android Terminal Emulator as long as you have the "Allow PATH extensions" settings enabled. Get the Android Terminal Emulator at https://play.google.com/store/apps/details?id=jackpal.androidterm ***Please Report Bugs*** This is an early release of a big project, so there will inevitable be bugs. Help us improve this software by filing bug reports about any problem that you encounter. Feature requests are also welcome! https://dev.guardianproject.info/projects/gpgandroid/issues ***Coming Soon*** ? SECURITY FOR APPS: We have an API in the works so that developers can easily embed this into any app to give it state of the art security features. ? GUI: We?re building a graphical user interface for easy key management. ? STAY UP TO DATE: Sign up for our low-traffic Guardian-Dev mailing list to be notified when the API and GUI are released: https://lists.mayfirst.org/mailman/listinfo/guardian-dev. ? Find us in IRC, we want feedback! irc://irc.freenode.net/guardianproject irc://irc.oftc.net/guardianproject -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 939 bytes Desc: OpenPGP digital signature URL: From johanw at vulcan.xs4all.nl Thu May 9 21:46:10 2013 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu, 09 May 2013 21:46:10 +0200 Subject: GnuPG Command line: now in the Play Store! In-Reply-To: <518BB28B.9020009@guardianproject.info> References: <518BB28B.9020009@guardianproject.info> Message-ID: <518BFD02.1010002@vulcan.xs4all.nl> On 09-05-2013 16:28, Hans-Christoph Steiner wrote: > This alpha release of our command-line developer tool brings GnuPG to Android > for the first time! Nice. But since I don't want Google controling my hardware and spy on it I don't have a Google account. Where can I download the apk installer? -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Fri May 10 18:37:08 2013 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 May 2013 18:37:08 +0200 Subject: [Announce] GnuPg 2.0.20 released Message-ID: <87ip2qkczv.fsf@vigenere.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.20. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.13) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also available for other Unices, Microsoft Windows and Mac OS X. What's New in 2.0.20 ==================== * Decryption using smartcards keys > 3072 bit does now work. * New meta option ignore-invalid-option to allow using the same option file by other GnuPG versions. * gpg: The hash algorithm is now printed for sig records in key listings. * gpg: Skip invalid keyblock packets during import to avoid a DoS. * gpg: Correctly handle ports from DNS SRV records. * keyserver: Improve use of SRV records * gpg-agent: Avoid tty corruption when killing pinentry. * scdaemon: Improve detection of card insertion and removal. * scdaemon: Rename option --disable-keypad to --disable-pinpad. * scdaemon: Better support for CCID readers. Now, the internal CCID driver supports readers without the auto configuration feature. * scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and it supports variable length PIN input, and you specify --enable-pinpad-varlen option. * scdaemon: New option --enable-pinpad-varlen. * scdaemon: Install into libexecdir to avoid accidental execution from the command line. * Support building using w64-mingw32. * Assorted bug fixes. Getting the Software ==================== Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.20 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.20.tar.bz2 (4186k) gnupg-2.0.20.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.19-2.0.20.diff.bz2 (249k) A patch file to upgrade a 2.0.19 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. A binary version for Windows will be released next week as part of the Gpg4win project. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.20.tar.bz2 you would use this command: gpg --verify gnupg-2.0.20.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6 The distribution key 4F25E3B6 is signed by the well known key 1E42B367. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.20.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.20.tar.bz2 and check that the output matches the first line from the following list: 7ddfefa37ee9da89a8aaa8f9059d251b4cd02562 gnupg-2.0.20.tar.bz2 4afefda1f42c7b8065e97c6df051fab2db552642 gnupg-2.0.19-2.0.20.diff.bz2 Documentation ============= The file gnupg.info has the complete user manual of the system. Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at http://www.gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at http://www.gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. Almost all mail clients support GnuPG-2. Mutt users may want to use the configure option "--enable-gpgme" during build time and put a "set use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the reworked OpenPGP support. Support ======= Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . We also have a dedicated service directory at: http://www.gnupg.org/service.html The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him them continue his work he asks to either purchase a support contract, engage them for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 204 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From abel at guardianproject.info Fri May 10 23:20:29 2013 From: abel at guardianproject.info (Abel Luck) Date: Fri, 10 May 2013 21:20:29 +0000 Subject: GnuPG Command line: now in the Play Store! In-Reply-To: <518BFD02.1010002@vulcan.xs4all.nl> References: <518BB28B.9020009@guardianproject.info> <518BFD02.1010002@vulcan.xs4all.nl> Message-ID: <518D649D.6030402@guardianproject.info> Johan Wevers: > On 09-05-2013 16:28, Hans-Christoph Steiner wrote: > >> This alpha release of our command-line developer tool brings GnuPG to Android >> for the first time! > > Nice. But since I don't want Google controling my hardware and spy on it > I don't have a Google account. Where can I download the apk installer? > We have nightly builds posted by our secure build box here: https://guardianproject.info/builds/GnuPrivacyGuard/ We'll push an official release to our F-droid repo shortly https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/ ~abel -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xDA731A17.asc Type: application/pgp-keys Size: 15789 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: OpenPGP digital signature URL: From sonic at dersonic.org Sat May 11 20:05:43 2013 From: sonic at dersonic.org (Michael) Date: Sat, 11 May 2013 20:05:43 +0200 Subject: gnupg 2.0.20 on osx Message-ID: <518E8877.2000001@dersonic.org> Hi, i tried to compile the new version (2.0.20) on osx with 10.8.3 and xcode 4.6.2. I get a lot of errors from from the pcsc-wrapper: csc-wrapper.c:69: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'int' pcsc-wrapper.c:129: error: expected specifier-qualifier-list before 'pcsc_dword_t' pcsc-wrapper.c:149: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'pcsc_protocol' pcsc-wrapper.c:153: error: expected ')' before 'scope' pcsc-wrapper.c:160: error: expected declaration specifiers or '...' before 'pcsc_dword_t' pcsc-wrapper.c:162: error: expected declaration specifiers or '...' before 'pcsc_dword_t' pcsc-wrapper.c:164: error: expected declaration specifiers or '...' before 'pcsc_dword_t' pcsc-wrapper.c:167: error: expected declaration specifiers or '...' before 'pcsc_dword_t' pcsc-wrapper.c:168: error: expected declaration specifiers or '...' before 'pcsc_dword_t' ... any suggestions? cu Michael -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4918 bytes Desc: S/MIME Cryptographic Signature URL: From wk at gnupg.org Sat May 11 21:49:38 2013 From: wk at gnupg.org (Werner Koch) Date: Sat, 11 May 2013 21:49:38 +0200 Subject: gnupg 2.0.20 on osx In-Reply-To: <518E8877.2000001@dersonic.org> (Michael's message of "Sat, 11 May 2013 20:05:43 +0200") References: <518E8877.2000001@dersonic.org> Message-ID: <87r4hdi9f1.fsf@vigenere.g10code.de> On Sat, 11 May 2013 20:05, sonic at dersonic.org said: > any suggestions? Yes, please apply the patch below. Seems nobody tried to build the beta on an Apple. Salam-Shalom, Werner >From 8ddf604659b93754ffa6dea295678a8adc293f90 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 25 Apr 2013 12:00:16 +0100 Subject: [PATCH] Fix syntax error for building on APPLE. * scd/pcsc-wrapper.c [__APPLE__]: Fix syntax error. -- For W32 and probably for Cygwin we don't need the wrapper, thus the problems does not exhibit itself. --- scd/pcsc-wrapper.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/scd/pcsc-wrapper.c b/scd/pcsc-wrapper.c index 7d9415a..f3d92ff 100644 --- a/scd/pcsc-wrapper.c +++ b/scd/pcsc-wrapper.c @@ -66,7 +66,7 @@ static int verbose; #if defined(__APPLE__) || defined(_WIN32) || defined(__CYGWIN__) -typedef unsinged int pcsc_dword_t; +typedef unsigned int pcsc_dword_t; #else typedef unsigned long pcsc_dword_t; #endif -- 1.7.7.1 -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From bob.henson at galen.org.uk Mon May 13 13:57:27 2013 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon, 13 May 2013 12:57:27 +0100 Subject: GnuPG 1.4.13 Message-ID: <5190D527.7040308@galen.org.uk> I've only just rejoined the list, so I'm sorry if this has already been asked. Is there a Windows binary for GnuPG 1.4.13 yet? I had a look on the site and the only reference to Windows that I could see was for Gpg4win, which only uses V.2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Mon May 13 23:11:50 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 13 May 2013 17:11:50 -0400 Subject: GnuPG 1.4.13 In-Reply-To: <5190D527.7040308@galen.org.uk> References: <5190D527.7040308@galen.org.uk> Message-ID: <51915716.4000900@sixdemonbag.org> On 05/13/2013 07:57 AM, Bob Henson wrote: > I've only just rejoined the list, so I'm sorry if this has already been > asked. Is there a Windows binary for GnuPG 1.4.13 yet? ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe Enjoy! From oldbob at oldbob.co.uk Tue May 14 09:34:34 2013 From: oldbob at oldbob.co.uk (Bob Henson) Date: Tue, 14 May 2013 08:34:34 +0100 Subject: GnuPG 1.4.13 In-Reply-To: <51915716.4000900@sixdemonbag.org> References: <5190D527.7040308@galen.org.uk> <51915716.4000900@sixdemonbag.org> Message-ID: <5191E90A.4070103@oldbob.co.uk> On 13/05/2013 10:11 PM, Robert J. Hansen wrote: > On 05/13/2013 07:57 AM, Bob Henson wrote: >> I've only just rejoined the list, so I'm sorry if this has already been >> asked. Is there a Windows binary for GnuPG 1.4.13 yet? > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe > > Enjoy! > Thanks very much - duly installed. Regards, Bob From laurent.jumet at skynet.be Tue May 14 11:24:07 2013 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Tue, 14 May 2013 11:24:07 +0200 Subject: GnuPG 1.4.13 In-Reply-To: <5191E90A.4070103@oldbob.co.uk> Message-ID: Hello Bob ! Bob Henson wrote: >> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe > Thanks very much - duly installed. I'm using this for my own, you may find it useful too: http://www.pointdechat.net/MyMan_GnuPG-1413.pdf -- Laurent Jumet KeyID: 0xCFAF704C From oldbob at oldbob.co.uk Tue May 14 14:50:10 2013 From: oldbob at oldbob.co.uk (Bob Henson) Date: Tue, 14 May 2013 13:50:10 +0100 Subject: GnuPG 1.4.13 In-Reply-To: References: Message-ID: <51923302.602@oldbob.co.uk> On 14/05/2013 10:24 AM, Laurent Jumet wrote: > > Hello Bob ! > > Bob Henson wrote: > >>> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe > >> Thanks very much - duly installed. > > I'm using this for my own, you may find it useful too: > > http://www.pointdechat.net/MyMan_GnuPG-1413.pdf > Duly downloaded - thanks. Regards, Bob From hhhobbit at securemecca.net Tue May 14 17:45:14 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Tue, 14 May 2013 15:45:14 +0000 Subject: GnuPG 1.4.13 In-Reply-To: References: Message-ID: <51925C0A.8030800@securemecca.net> On 05/14/2013 09:24 AM, Laurent Jumet wrote: > > Hello Bob ! > > Bob Henson wrote: > >>> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe > >> Thanks very much - duly installed. > > I'm using this for my own, you may find it useful too: > > http://www.pointdechat.net/MyMan_GnuPG-1413.pdf Downloaded but will the second one stay there? Thanks From laurent.jumet at skynet.be Tue May 14 18:39:35 2013 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Tue, 14 May 2013 18:39:35 +0200 Subject: GnuPG 1.4.13 In-Reply-To: <51925C0A.8030800@securemecca.net> Message-ID: Hello Henry ! Henry Hertz Hobbit wrote: >>>> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe >> >>> Thanks very much - duly installed. >> >> I'm using this for my own, you may find it useful too: >> >> http://www.pointdechat.net/MyMan_GnuPG-1413.pdf > Downloaded but will the second one stay there? I'm not sure I understand what you mean. Second one is my own help I'm using, no more, based on the help in the package. -- Laurent Jumet KeyID: 0xCFAF704C From hhhobbit at securemecca.net Wed May 15 14:20:03 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Wed, 15 May 2013 12:20:03 +0000 Subject: GnuPG 1.4.13 In-Reply-To: References: Message-ID: <51937D73.3070203@securemecca.net> On 05/14/2013 04:39 PM, Laurent Jumet wrote: > > Hello Henry ! > > Henry Hertz Hobbit wrote: > >>>>> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe >>> >>>> Thanks very much - duly installed. >>> >>> I'm using this for my own, you may find it useful too: >>> >>> http://www.pointdechat.net/MyMan_GnuPG-1413.pdf > >> Downloaded but will the second one stay there? > > I'm not sure I understand what you mean. > Second one is my own help I'm using, no more, based on the help in the package. Things are having a way of disappearing faster than they come now. At least they are for me. I am just asking if you will remove it from that location in the future. I guess it is okay if we have another GnuPG version and you replace it with another file. But many times people won't upgrade for what ever reason (here, language issues for Chinese prevents going to GnuPG 2.x on Windows). Let me illustrate the concern a little more clearly. Things have a way disappearing right out from underneath people, expecially if you picked Gnome 1 & 2 (and KDE has language problems for Arabic and Perso-Arabic) on Linux: http://www.securemecca.com/public/DemingLinux/ OS: OpenSuse 11.4 (the last of Gnome 2 there) Video: ASUS GeForce GTX-650 (replaced GeForce 220) Reason: Can no longer use GoogleEarth Problem: Instructions from OpenSuSE point to their special OS folder. But every time they update the kernel KMS comes back with a Vengence and my resolution drops back down to 640x480 with NO way to increase it unless you change the kernel to get rid of KMS. Ergo, I have to alter the kernel to get my video resolution back up to 1920x1080 @ 60 Hz, I run 1680x1050 for both Ubuntu and Windows 7. I also had to install the approprtiate nVidia driver myself. In fact I had to do the entire thing myself and one of the instructions provided was WRONG. I first tried to do this the OpenSuSE way. But when I pointed to the proper folder for YUM unpdates, as usual, they were GONE! I imagine it disappeared the day OpenSuSE 12.1 came out. They are up to 12.3 now. Why fix what isn't broken? But in this case they broke what was fixed. I will finally have to update to OpenSuse 12.4 IF they have KDE. Gnome 3 is nothing more than an iPhone GUI dropped onto the desktop. You don't even have an xterm which was finally provided with Unity for Ubuntu 12.04. In addition to having to remove nouveau, this is just one example that somebody thinks I have time to do 4+ OS updates per year with every Linux distro and that I use nothing but Firefox and Libre Office. That is way too much change but in this case Gnome may as well close the door. Only LibreOffice and Firefox are provided with Gnome 3 with every distro I installed or tried to install this spring, I have finally given up completely on Fedora. I haven't been able to install Fedora for years because it doesn't have my current ASUS monitor or the previous ViewSonic monitor in its X-Windows DB. But with Gnome 3 you can't even use GnuPG any more. Where is Thundebird and the xterm to use it in? I couldn't find them. Like my friend who wrestled with Windows 8 for two days I finally gave up and went back to the very same OS I had, but swapped the machines they were on. Here comes another Ubuntu 10.04 update of the kernel and I may have to reinstall the Nvidia drivers there again (you must do it with OpenSuSE but I am counting on NO OS upgrades for the 11.4 version any more). On that machine I went from on motherboard Nvidia to a GEForce GT-640, again because GoogleEarth would no longer run. At least I can still use GnuPG because I can have an xterm which most of these modern GUIs with every Linux distro no longer provide. I can also run Thunderbird. Windows 8 also has the iPhone GUI mentality as well and even worse, forces you to use their email type setup which has extremely bad security problems. By that I mean your private becomes public and they expect ALL of your banking and financial stuff to go through them. I guess Microsoft fired all of their top-notch security people. I still consider Drop My Rights for XP in many ways better than the UAC for Windows 7. So stick to Windows 7 or Windows XP if you want to use GnuPG encryption on Microsoft Windows. You cannot use GnuPG or hardly anything else other than Internet Explorer and Microsoft Office on Windows 8. My friend couldn't find a way to do it. The reason everybody is getting this is because it DOES have repercussions on GnuPG. You won't be able to use GnuPG encryption any more until all these people provide a desktop or laptop OS where you can use GnuPG again! I don't want an OS where I cannot use GnuPG! HHH From kiblema at gmail.com Fri May 17 14:57:53 2013 From: kiblema at gmail.com (Lema KB) Date: Fri, 17 May 2013 14:57:53 +0200 Subject: Generating/Exporting under another user-account(Log on as a batch job rights) Message-ID: hi all I have to generate a key-pair using another user-account (which is given right in local security settings to log on as a batch job) and export its public key. i did generate on windows cmd, but after i taped the passphrase, cmd window just dissappeared. and if i type to list keys, a window appears and closes immediately, so fast that i can't read what it writes. What would you suggest, ho can i see what it did and which keys it has under this another user? Any of your help is appreciated, thanks in advance. kiblema -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at seibercom.net Fri May 17 16:14:32 2013 From: jerry at seibercom.net (Jerry) Date: Fri, 17 May 2013 10:14:32 -0400 Subject: Generating/Exporting under another user-account(Log on as a batch job rights) In-Reply-To: References: Message-ID: <20130517101432.0354a5fd@scorpio> On Fri, 17 May 2013 14:57:53 +0200 Lema KB articulated: > hi all > > I have to generate a key-pair using another user-account (which is > given right in local security settings to log on as a batch job) and > export its public key. > > i did generate on windows cmd, but after i taped the passphrase, cmd > window just dissappeared. and if i type to list keys, a window > appears and closes immediately, so fast that i can't read what it > writes. > > What would you suggest, ho can i see what it did and which keys it has > under this another user? > > Any of your help is appreciated, thanks in advance. > kiblema I don't know if this will work, but have you tried: script -k -- Jerry ? Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ From hhhobbit at securemecca.net Fri May 17 16:43:07 2013 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri, 17 May 2013 14:43:07 +0000 Subject: Generating/Exporting under another user-account(Log on as a batch job rights) In-Reply-To: References: Message-ID: <519641FB.8080400@securemecca.net> On 05/17/2013 12:57 PM, Lema KB wrote: > hi all > > I have to generate a key-pair using another user-account (which is given > right in local security settings to log on as a batch job) and export its > public key. > > i did generate on windows cmd, but after i taped the passphrase, cmd window > just dissappeared. and if i type to list keys, a window appears and closes > immediately, so fast that i can't read what it writes. > > What would you suggest, ho can i see what it did and which keys it has > under this another user? > > Any of your help is appreciated, thanks in advance. > kiblema Which version of GnuPG are you using? If you are using 2.0.x just firing up Kleopatra shows all the keys on your key ring. If you are saying you are using a BAT file with GnuPG 1.4.x, the cmd window only stays open while the BAT file is being interpreted. If you put this on the next to last code line (I use setlocal at the start and endlocal): REM I usually put a remark before it but pause prints own message pause That will help you see the output of your various commands. But it will NOT help you if you want to see the keys or work with them from the command line. To do that, first make sure you add the folder where gpg.exe or gpg2.exe is at to your %PATH%. You may need to logout and then log back in to get the GnuPG folder added to the %PATH%. Then go to Start, (All) Programs, Accessories, and select cmd (or what ever it is named for you). In the command window which now stays up (this is now assuming you are using 1.4.x): C:\> gpg --list-keys That will let you know if the keys are there. BTW, you are STRONGLY encouraged to add the GnuPG home to your path. It is usually %ProgramFiles%\GNU\GnuPG (but you MUST fill out where %ProgramFiles% really is in the %PATH%) for GnuPG 2.x. GnuPG 1.4.x may be in a different folder than GnuPG. My machine that has both installed is turned off right now (heat wave). Did that help? HHH From me at timfriske.com Fri May 17 19:52:59 2013 From: me at timfriske.com (Tim Friske) Date: Fri, 17 May 2013 19:52:59 +0200 Subject: Public sign-only RSA key not restored when importing armored backup file. Message-ID: Hi, when I import the armored secret key file to restore the public and private parts of my own OpenPGP key the secret and public parts of my primary key and subkeys are restored *except* for the public part of my sign-only subkey. After the import the pubring.gpg file contains: 1. Certify-only primary RSA key (a) Encrypt-only sub-RSA key (b) Authenticate-only sub-RSA key The secring.ggp file contains: 2. Certify-only primary RSA key (a) Sign-only sub-RSA key (b) Encrypt-only sub-RSA key (c) Authenticate-only sub-RSA key Where is the public part of the sign-only sub-RSA key gone? When I restore the public key from the secret key with the gpgsplit program the previously missing public part of the sign-only sub-RSA key is back again. Any clues, why not the public parts of all secret (sub)keys are restored upon import? Many thanks in advance. Best regards TIm From mailinglisten at hauke-laging.de Sat May 18 03:35:29 2013 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sat, 18 May 2013 03:35:29 +0200 Subject: Public sign-only RSA key not restored when importing armored backup file. In-Reply-To: References: Message-ID: <5196DAE1.7060708@hauke-laging.de> Am 17.05.2013 19:52, Tim Friske schrieb: > After the import the pubring.gpg file contains: How do you know that, from "gpg --list-keys" or from "gpg --list-packets ~/.gnupg/pubring.gpg"? > Where is the public part of the sign-only sub-RSA key gone? Probably the real question is: Why is it not shown? Please try gpg --list-options show-unusable-subkeys --list-keys > When I restore the public key from the secret key with the gpgsplit > program the previously missing public part of the sign-only sub-RSA > key is back again. I have to admit that this seems incompatible with my theory. Hauke -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 637 bytes Desc: OpenPGP digital signature URL: From me at timfriske.com Sat May 18 10:42:02 2013 From: me at timfriske.com (Tim Friske) Date: Sat, 18 May 2013 10:42:02 +0200 Subject: Public sign-only RSA key not restored when importing armored backup file. In-Reply-To: References: Message-ID: Hi Hauke, the attached file 0x7526FBF74D4020B6.sec.asc.txt contains the secret key material with 1 primary and 3 subkeys (R4096; C,S,E,A). With "gpg --armor --no-default-keyring --keyring ./0x7526FBF74D4020B6.sec.asc.txt --list-keys" all keys get correctly listed. Also when I import them into an empty pubring.gpg and secring.gpg file for test purposes with "gpg --armor --import 0x7526FBF74D4020B6.sec.asc.txt" all keys get correctly listed with "gpg -k" and "gpg -K". When I now mess with the expiration dates of all keys, save those changes, export, purge (delete-secret-and-public-keys) and re-import them again, the sign-only sub-RSA key is gone. Why is that? I don't understand. Also with "gpg --list-options show-unusable-subkeys --list-keys" I cannot resurrect the sign-only sub-RSA key. I'm left with 1 primary and only 2 subkeys (R4096, C,E,A). Any ideas? Best regards Tim 2013/5/17 Tim Friske : > Hi, > > when I import the armored secret key file to restore the public and > private parts of my own OpenPGP key the secret and public parts of my > primary key and subkeys are restored *except* for the public part of > my sign-only subkey. After the import the pubring.gpg file contains: > > 1. Certify-only primary RSA key > (a) Encrypt-only sub-RSA key > (b) Authenticate-only sub-RSA key > > The secring.ggp file contains: > > 2. Certify-only primary RSA key > (a) Sign-only sub-RSA key > (b) Encrypt-only sub-RSA key > (c) Authenticate-only sub-RSA key > > Where is the public part of the sign-only sub-RSA key gone? > > When I restore the public key from the secret key with the gpgsplit > program the previously missing public part of the sign-only sub-RSA > key is back again. > > Any clues, why not the public parts of all secret (sub)keys are > restored upon import? > > Many thanks in advance. > > Best regards > TIm -------------- next part -------------- -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: `~~~~?< lQdGBFGXNQgBEADCfnr6F4I7NjPgnXeqC4L2Hdd7oTBjmB4xPCpsR7KkzjBssOKI CyPaz6aPv0HCdygtQuVbCzXxNsHpRX+1ApbZojTHAD2VOaLVrLW3ZlwOy5GDv1IZ PTaK3+1aWWEv/BSwZB8r40Es0DZcu5E4FtSpMH4Bg65Gw6Jlq/80AO4TM0LtrvCK vXNgb+KOnxYu1GW7pnVdQB1oJBQtfo854XvJkYm911Oqkwp+oe9cxLNiUX6KGtQg qVXcs685Zm1e1NpSV8d34K0yPKDCgH/Ax+do5kWQRRW+uKnAfqSml2Je7wsPKNNt qY8vb55JGdmZQ/sFloEg2iR8OyzBnNBRHXGFqWef1J4aaBYCKAFcyZslgqeTf/8w WerwUetG7m9CPIUEJyI4RfnrGRT1KmeIaIbOSjYTB7255WkVP7rdthRJEMrCQVIC FC1AEZMffz6FtdFSF/nk5/5BpeAHegklNZY4Fyi2LUwexWIVHn3HzXXE2u4UR97j Ghh7rJsiHAEDYxYb75P/3tsWOqhzQQujZ1l1f5keJ6CgZa4ddaGrpH9oyAVf3Ctc GgunyfZllsgcGMCrrx4IvW9fcNFu1fdDcOPYgdNYe3UX0yIC5aYVPCVdIW2qYfAx /7Ejjxz8HNCHo8NIDfqXtNxpplPfdpUKaufpw3yrlH8v74+dNji8T5Lt3wARAQAB /gkDClBpwuya9oBMYBD8mbqSyCxWN+88DvEh4ge7Qu9ctl5vfIGB2OVFA6MKRTWd dpjhCLU/8NpaIlsybRt0N78tDdGNcrBzYDJT8Ncyw5fcAmgD45nlAK/djSZVAn7p cTebiK6Ht4GpVZiOJRJj6/oBn1IADUho+AWm2PcczRJxehrJKPSob3Gse7HMcZMh cGnSAPgW9TWiD+jXevTdVZ2gUY1c9DFpP0bn5WACPtXGZBTLQh+IOLd3Yi6sELck IOPpg/fnV8MAOqUgwLPF+tmx/C6VqSA1M6guSLrNwcSLbA96a3sCNgJIHZGXMiqy 0LVXxJUf0/BAn9doC1gLgU9f1CX6lvfDFsqy7CDRAJIMpvpHs4K5cnp4E8PtPiDt YRf+VY7S7w3OqxyAvSlXtV2nIpu/FXr3qcWkcARs3tbxORDfzEds4BTluUNcg1E1 yMqAVXGdM9/uVzPcosKhKHFKpmoopqASl01S6dSrEz6k/CkBtE/GJsXNoKFnA9Th cdTu2AHkzBqMms+knySYkDWJkzfr7oQBHLj/+0d2WTXfK5mmtvPrqD5yeLN5Vssw qn79iEf0freOnNXOyBuIDxhDr18huasx0dvd1O2z0YnoQY4j+q2ocR+TAKR7CoLX Oep5ewu/3KU+HPcNzCWK3U9SHHbd3JN/PXkA/E/NDaLQ4JrzgNWrz6HW4AlNossu /YXV9AumXgHoS4oBQMor1X1JH8wkAtJfIKtjoduyem3ghuQCHhJV4dgA/Cy5lywu XjyHFY6oCS4clurRxuZiw/0kDki4QQ9BsDsxYk/jEoiRyX4/ygP9Cn2XZWpYRPR7 W0V8yvDLHzXTy23m5r3csTxYdZfeH60eWvZy8u1+b6cy8tDBAaW/x62VBZ2FNmh0 KELYGXL9I1s1qImp2XM6k5zZm+pV5yQKYrvqp9nTFsMTmVwe55lv3WBqPC0raHXd NlSCgUT3G83DZX9FHt8JOvhBX/MLmGHIGc4ovIlBfaJdXtqujGBLdEJFX60HCnjL BNaTlnBdlpI4OV/kVfN0CIW09HMUmQ1I0RFeZJjRz3kiZuaQ/qLqGYJr0ttdcXIb tvtfE0+q7FU1k3jkp7NKxrHPu8wHF83OIfZyPQ/+gm7kM45KeTSfIvB3bQmUfimV jWf8a10ckwd5hnWWuF4jvBsdkA8XBSugZYaz15YEd8Z9Gb2dw8hplUajJZVZkK+h CYGMcPXzPgPnQ4calxV2JlQZbEC25rDoXqB3EmvsZSmcIXiYQwURcOKZytuxWXA/ IwNq+I4E1NWkYhJRb1BAoxIbD1KcIxgX7MdcTkNnrBnLkxA/SQbvAosLVLddxatH 2/+u8DVchs2tE0MyVXgb1zVQQz7M443Bz5FYIcs4tYuumXB8VqwsHuBcKd+DMFrS u6uEh6/r11MjDkvi3nQLM4z3qKxre+JyDo2rtHj1Yg2EKSUeIbUF1IrIXPIA0vyw md5LNr9IrbDW2qWtt8VSX5mUz3iV2dPRfFYAsZtfikQra37YLan9fTdEn3djE/dJ rDsAei36EOwebAfTk95fGUJZv2YshjMvmKimN7f3ob/OjpQos+2So1XPwfDWhIA5 vBWWW90Tmhuco95X/10AAfC7myQlX+x18XBWe6qGZ1G7ORPYCWIt9zyWC5x92qPW fh6a4EASCc9mmFUcAJCNoaQoyjOO/X6Qkhv+aUuCG3V0wgEhH2K7c2k8dXrxqc2f mvf0gTTzC4pU94rKXvQIugPukQdroJCBbBsJrn8iVXMxi8drDwmrGEq0FmJsYSBi bHViIDxibGFAYmx1Yi5kZT6JAmwEEwEKAFYFAlGXNQgCGwEFCQAJOoAMCwkNCAwH CwQKAwECCBUKCQgLAwIBBRYDAgEAAh4BAheAJBhoa3BzOi8vaGtwcy5wb29sLnNr cy1rZXlzZXJ2ZXJzLm5ldAAKCRB1Jvv3TUAgtum2D/9sgJpJ6z587phLFcsK4qJZ ho1OW/Kw+RKGurg4D4zZ8Vt5l+pUqKACqtjP2fNKLVF3Oqs+xE8I20SXEVeLohCs kV0+CjGoF2kTQUCfvQ85sVW4OoMD789w6ZeyjOStqMDwuBDtet6Qh9GQIr6p7IfS K455jlM4dZqsQr3mLLCPNbx7eWd6e8chI0lXvPZQ4eLxT7MASXBnuOJlybPOtoes NLFGBn1aty+XYjTjf6nIt9ameUkIWY4GjbctvVRE68GODNSuz9RHZIatoRrnjxpv P05ZVEucHDbeCMh6lW+80Z07pLvw3x+oOIpHORcyqst+g9Wn/2Zf3aCyMToNv/hc KwnpwXoOT3gdhBYZ0LOrBv2oI5EM3da3jr0DxLS8t3gjIMhV8Pwmim/Mh86kf5dz yo+tssuk/Ko8qxSFp0vUyVIf0gRMvWKVdldOOVaR4Ptk+QnX37w2sfkcyO5Yf6jd Mr+3w3y0XcroFCsJ4IgmCFnLY0Q/T1kw3m4qT80kUlXNT4adM+VvHKEs1tHUa6Zh LnIjZWSf9l5zVM2As7uO8NWTtuy1kt1FRdKkroEY3fxAT/Hp1QUUlfY6BTxvpihT UnzDQGKhz+J1okpkjppPhWeZcpDGioM371wrl4OfATz5oBs4UmOYRYFn3jC2Eju3 OYsFTFZSeO/zRX8aj/ZJw50HRgRRlzWAARAAv2rjoF36zdoa2jRsBvunrx7ge+tP HgL81tdeNfghVMVv21c9PFCvs0MzPoNhBNFvoNHUjuekFBQ3TtvobUt0899xFDor sFEkyOmkttMJNtI+Y2I8McNDtPyUbeWvChBSpZKDw6rIk5TySyBlU3VLc7aVYm2J Grt+TNSQeLc6NavpCJFDLFuQNkyr9f13n0oa+HQA8Z9yv39evYdqv7mQPAjYlmb3 ahi89j6PjEvZjF5vXe6OJ4bQ6OamV7DXYT05ATvp935qpjQ8X00GEMr9EQY1C6D7 9uCeJxj9BjwwmbKe7bqh/PNWZFF0RpQvzgwiuCwIH3T7k9cN/0tmxToodMpV55L5 qDzhjvHyFTcoQETsppbl0ZpKjTsjLTbCh9XHLztT5eLFQqG7Nx3yMhd2SG3Ucvs8 15ifEHN7ayfy7GEmMxxfPd4Kp7GB9YZMjAUg5lezP5LWpM8+blx++iiMTSawYEvy W7MhsRI+EnXNYKmBVusQ8J5efZNqI8FodqVNB0gnmxpVjzMxzaYACmUwz0isaSDv THDOwoq14oaFBHnJMI3U1eaGK6bm/3amHbqax8MDvSWHNid0O8rulbFu9Zh0vYnC KqbFt7hMw07RtPRSc3kxLjyANZi0aSpG7b5CgF64U5xkJ/+8CB7K/i493BUyRsoR mT1imI3pTUTubK8AEQEAAf4JAwpywXh1fYZlqGD30tSQHC/kMaT/kK+RW8dldpnY sn7479vQ1NyDBXk0NvmEaLFpkPovcpLAUecouwd5AHf5B5O/YGhWVk5XkEN3JXN5 0uEdo2PJu2YVD48LVUnfKfqjZOBRjTJ5MkvlfucdDnpC4ZHjfThBlwNfIoqHRrOK LQy74qLBrTkwmeTyCbXmEa5/XFZD1PJo421kt71uHTM+ByX43aotGY5Ci5u1aDHa Rc7lHkLQRT9GlNE841w1/CqqfiaymXQBPNTtyzSBx8r5FqcIEK7ROYc8lQxOBqZt qjXSam0eS2sXRtM3buvS4lQZSxqFQmpq3ZVGZTZ0YsGU+KebNEeSmHRsO+3RAvTX e4VPVZ1WpXHygDYgRrnUew+WtOD1j/hCS/DsPOU018EsQDy59soBtktR6Bv2HFWj 47bdwAyfYxAjwbfG6M/PWBnmcWEQiO7ooSkqg/teIV8MH1tR5n+E5o0s8rlGuEnB 2NucArHd4rh6BQft9Mb5o2W0+p3dGpzenfR/FnoLHs/VTsKtLHhYiuiJix/xooqc 0Sx38u3w8qUBLtUh8KHtJ1FJ8hDsPf6Ie3W+ThbsXTul7uYJSGxjj9SHvhCI7vZ0 6qESVi5U04QZ59Oq0VPH0rRj07A8Mp6p6Sd7eTVa4OqQV91xYh3DdhKirSs5RLdi ODkM/CSLjnk6BTEzxVgTTuoUQRuXWitv5wUznDFNPF5OfGIhI6GFKt5qJseDMGmN MNxiQ7ENZ+qHOwc/ZPnv7ApVEtyHH+lYrvTHVHvgwLV71epoDWIHriDk8MXNBztx laDWw1vO0Bi/utIH75AXwUNyGPhu7opmYTIg0fAX8mxTQMuTMDSNXpfjnhL+u8EI re5Ywc4g6McropAmzodv47IUdorELufh+fBTcQgh1abYuH07mIrGBJUR8PcW41ke r/wT5oHDcwr0Ix5O9lVgkMeQ1OmP28f0s3FV8ER+2W1dnZZUWmeJUSHCPY5NczZ2 JuDlhkP7umoYL2B67kNmg3CWgU3/Y+04ijrQq4QJnl/8mB5pN2k+Rc2l8RcUBJRv 0H3STR8LMEGvvshbFtTWTzJ222a/PTontpoX8ivSzb3jHrY+ysr1srg8I9yLalZz 9RJkwd0CU5jQGaIyUJotdSEiD6nJlFzVkIbWDPuGUGKEpXBuRngb3g2/lq5UPtIY 8dnqURUJppRQjrcgvMQGZIGksyLufnp6Edj6A9V+ML19XDvPDnX0ppCleu6hLWkp ImFXfKRXWXGbh/q6DJtMDOhw/eiEmsIVBK1OuxqY1cZ5P9fUdOrvVS6mLfY8hbeB sGbyReismL/J2GusNB7eowA/nluOgaTIPTVxZ3rOuaPyF0L0LpOp7p6jvRguaupk ta3XcLWPmJik3Iy0c0C8+Syzputb58+WmKet68kjJA93pgP3fwvnllLM0i5VUBcn dmbqTGCQ5EOV39lNiVPtKiAQnS/vk4QxLDdXyDHalZfpwrVG1JrU9T9uXgnf8A4X RgavP3F9RbI8f+1NWZCJ/7+ZtPAWDA/yJIaWiFppISinkg7YOXR1q7xaEFUvr6uR 10JW5oFVI4sklohrryxBQ6pMvlSw/taWiVsr9rHTJMRsQrndyJ3HpTfX8vB4nlV1 k8S7Go4V6EH8+JlAzP4sbEy+rwVt3qSgSfbPQzZrnB8i5mmLBqgqg2S7D70BSZXB UFZPc1gPCHW0wVvEQfh3Hg7eLdx8bjgP/NsEhYTP491QjWF+SI7aoxtGTLKa06nw B04NEE2x7wt4iQREBBgBCgAPBQJRlzWAAhsCBQkAEnUAAikJEHUm+/dNQCC2wV0g BBkBCgAGBQJRlzWAAAoJEIOOBz0F0mdcJhQP/i+GWV8yfPtXUIJpd39UB7c6om50 IFlGACk0lxE4WAh4TWCFs3mGCaM3t8a4incDS6nZ6SmEwkuwmPs13VS2QImTiUwS HXYQAIKxPY7I2Gd9zJWo+zWQqGpDWmytGtY1JbDomBNv6+tLl5S71abfbsTPV+g6 wq/tV4AhkWSrspFogi68WbXzdORNQi4S3eMXpAceQSoho5d8ljQXu2Np4FlJT3oT sBbcNosUY8Itc1Fu/sZo+tmo2WQ9SqqftmWs+d7acuYPVTKfnIhp4cyyojPBfQZl g7Q8Qk9NZLmwZzTEfKlT8wmgCUqi/sY1ecHRLp7T8vKmABXemHlyeVNmCuI0QLQY nSZpu0IENPAng/Z1ozz+UOgof+JbklIL2SCMOorCTnquFGHR8VL8dfv4A02DZCPQ Vuw99s2X1vWXms/2IDx44Xv7qJ18uVweBPVtyr7NddGZKvtcdnClCyUr/OGBqOlu 14iFDb5hRftDON1+v/hpRp1gCVTtRFJkNJn9w4wB1gSjJDfYfHYX0TT61Uxh/D6Q k2Hzi7JJUbFKzeBeY2OUEcud+tQIbhKk6tw1XU6CUsn9Izbh7WYp7/3HrXu3lIXN y7FwzrrQY90bgs+P+mTtLhKv2EDC0EsvRryqP2qFdh4Rn1LJWbItG0ClRnVdYqZR yzw3YhAEqcaHGDJ85t8P/RWDgjJTuYjcy9pfkAL1uOp3eEoszFdpKQK5iFfRV6GS 6exLNdU1hYDs4pv4YSvSovFCRcMMm21SaSmUcCgp/4fd3HSiwt1qzch+oaDSC9Fn gXJQ9tDLVXeh5sQC1FMQ6YhSkLceX+0AQ+rS0sX0qf4nmxMaQmaLSD+P4O4yqof3 LJuINd83yxROmHTQA/uOwkaenQN2g3M8LCb8lfIpux81SVQKFJLYjnkwWLF0a23+ K4n7TUJpHtGk7iaZ8NhHfVHvt7+Ju1IoKhIAYhNt4rm9nQeN8u2iUgeH+70lGEfZ d2Cb8VeXU4UieSezyy+mqQYQN5WQvs6r7ZoA6Vqdrt9xKcKbYfBsD+AlO4F0FTxX Y1/GxGaJoApKaVTlB1ONkE0aFSE60bs7whzI/dTceaLmV0wsRYNsUkKgQKwQWpdC i31j2zJBs8Tk6dWqeCl6W9YhyC3CNCcWK+SSbQ5ZuahoC2Pclwd9i7s5oMlguTfE EBaDqJUCOTRoZOkY+CrCC48qdbloDY1wn/vbEeWPlEgN8T2pLjeqbeb+lNRAg4PE JKi394FngJohwsesHyJki+t06TG4kTM0c1ItESyb+6tRnUvzTErgaUfRT5z0KeiM uOnUnxwU8+wUIiIIJoCZviLopZy9umjKQPg/pZhDZWCDSIEDQISCtRKFigyK11WJ nQdGBFGXNckBEACyXTQo0Zopoc9ZcCnktx5ziBecrHxuVq82uKw2hh2FfW9uTIGV +RQmRCaECdejM54FQqVxyHLyXT/HIKtkLqIRlZkC9X4P0/O6f/wFBlPBM+/IpOox gKpB1pcpHzmI+Aqr/r9zEeuC8VWuTn+3g1NxQrnjUrn5yIAuE+wkuy9HPzR5zIB3 DUFv/r45E8dWrs6c0jN8WmD+RmTlWiYY8OCEx++dP6+6Weof37x1yK6VCtan9AoJ PCBR89fBqCZB4OZjwOPHUX2U5MYFHON6sRWbV9PstZnlCX7wocmGVVwrz5tGR0Td x6v40fQMsWb/fxswXZG5wEMKj06PxjJWaIalbWtOu1U9BHKS+Tahp179E/oMjqCd YYngZxAO8X7mzryJt3nUDZXaJZ99N1Zt8c3YX/JhSfqXEeWq+c1OGqZQX6UbRWBf KoPwRDgo26JDCH756NYqUcZXnnB2fUtEVoUB9E9F2igjkdc664ebr3tJZOqtqLi1 nlO0i78/QJwSNT7x1I40SXSU8TZY8hFpvDMp0rlml8ufBLu6YPw8V5qW757OpG0b QK/6ZSESaDwG3EEa8gb4Ylp4/eKz1iCV4Zdo+MgpI5LmubHk7apmr5fM6+JHHK3s f0EgTVYCSI3ZfmMBW2qxh3T+vNK/AYlZYsy9j3kM+7ygC6gz9GV0JUAnCwARAQAB /gkDCmtnnbrxpOSOYIsRYEMPtSFO9423NqHhmYS6oZMGQ86CofnA8xJymvsXsOkX WMcEnFqt4R1IN6X+upLqI8nGqrcB+zWiq4Gq8p6wb6EXWCDaI4+FrLO8B97pTc4t 5HMR5kDyXTZxMokLDuMPPeo5DAC0LAa7PQfBNhA8oXqickCIQX1AielrnMgforcZ 1MS7MWYkpYC0e8lDePZbu47lwZqaaNDxvtcJJIo/CTqBAQ+or/KTmYkp5k8CelnR vmMZRyNFac2IRmvJt9P1Aa+2JSsvtsdiQ0w6VOzZN+cT4ZIhHiuU9torimvNq1qw 6y40TKT7D6OhuQSSqlLiZfCK78viKfJSvlyztGIqEoBjKoFIojs7Hi8cb63KGPBZ un2LfjIBkWJXtFV8/y2j/rsHkH+iS6KVELA94B8vZMU5ekZ9pQ+NJ+KFd7hS7kOA XJ/iE75tymroIZywEFwhS5pw8yvi1hP+tvVrh2AvZTdpo2suTm0saNJGYivF4bye W4mm7G4eDuRuClSlp8hx/rueQIKlEQbcbP95wAiQaGfx3AA0tiMTnaO4/uJ95kXn YfwWalSBNCU+HJZ4muutkCUZ+d8JVENWEst9H+yjcwo4kwrWiYdPoHqWNfea39Ax kMdflCG/MReQR/6KEJPvEsWswzXSROjv5k5dcP0GA+/HYHuYG0gCWGwBqIXZ8rUO P3dJ97fPNub3K/a939mV3Tvp+CWQ1iFIPc/J/kk7kvP++YE5JTAChO6cvxTZevB7 LJdV4qvXsVRLyRK78y5YqrBo1hnOVPapd431QXshP2ScHqISjM5VbUZEnTB19jdt o06/qx1+8HC3RCZaHqNvGJhaM4Ze0xuFYtOm2bkubm6e0Fu9Slr9uqnmczRDV7y8 XzbmP57qIDnT4kZ8Pp5mErQPu5TBrjNbKl12e9lo/KYhp83A1WAfUsuzRob5kCX4 GO8fj70Y7wAnK9mjDNe/FjMl1M9nVMU0JJFHObyWG6wJ0H3C6UyKneFWXs+REmPp Lc1UzFKaW5470Xf2RJf9Trabmxim++sjGPwKlYX/TcakNWlobNN9uVVgk4kPGu2A qWL4pyGbE3OVv9zfgLG/IIu5saqOorGhe5f45GY5+ECri3IR9j480cUbNakPXVyn yLVG8qr0t0dX9GqtXYsb8mu3MsBZ4iDY3uDCVv6aQMwEsRy0e8Yn0QKkuy0eGazv LnVnbUUrErxJ/r9gZU0/8il0CUN8pAkT8Hhu1NY7eoHetG975n2qT8fuiPRM196Z TpEmujK/9EKVnjOmT/0QaiiFqTDuo7oa4trYI3qHHirGG3QKTocZB+JM3Xhv8CZn iGg5s/1tyqnUlVY6kCGM1AwT9mOlxB/Q16IJF8B1YLNQysTcla5oMjXH/QsmwQnA spIuBrwU2K96B8tRsLyottZ2f7Y2Iw43zPySSUl/tB0fN8MBTutZ2Osm6ldsgGBT i7zwNX/84wC99a8koxY+K4LlHhf49Qzb4cturwlPi83BD4PGZoxo55aB/fZliiO+ CpemenCA3NvtMiFrKcTP8E4q/C35HzuuznohdxkH2+44yEuRsRXhyV/mkiK6zRay Nj9mYWOzmjcApd6l2l0ucT3e+zYgdh7pImf4PhEKFA04cAdM8zY5H8HHmW82x/Ae oZQG4eM1AWEmSrGJXii91/b91iY6UqOdzLdYthi62fytpAORx0YKGFiTvwPW6Vz1 /IRGxKl2VCKEGDsCE7Gia1ZQYYLdTavVcgAFicIbdWkw/mBbbAxWBJOJAiUEGAEK AA8FAlGXNckCGwwFCQAk6gAACgkQdSb7901AILZsLw//Wc2/7O+IqkiO8i68wrv4 v+QPKJswJcfwle4bef+FBWqXpgfbwatIHQGMEH5vvtq2YgsW2snI1FZuD2+ss2Xp irQBZ1biU37DeuMnGmsLutSEyGEMxh2BzDMQfJJBsCRgUr+1JUaklGkKKwto+y1C qV7eX3RxZZChSeuW2bouxIg11ZcVVg5E03c2enZTD5ZzdsCChH/+3DLSgUY8W0cz g/ctPHnHkfvXpH5mA83P+q2jWvX71FT8/Ldx+ZETDwl0tKkHYvs5benyUJXLoQXc KyFB8rxElqnocYoBeTJMjamXg/hXAvJqpXxm3lYc5klGaSYmlOY0s53oaVcYI1pO DovJmFB36OVEqMa0d7tGjSjph9CfwYVDGwc+zZkGBnYzj91qNuyy/ta5i8l+Lod9 +1ejCn9wWKs+XC33bt9lhg0aDm4n0KH+3M16tAI8C42f+p0ZfdKpAsxAS5G8cJyU bzQO1mkDTqHYHTa+KFZuZl/HObe4XtV27NS4BsyJN2AE9WihPYszkPGF6z2DBTee is0UQ1J01GrbbPFbKhDlDSs0QYB4nyHj4PYqzR59yH/k6d5vk3mm7SbRhFAA5RkH w0xIOO6ZAIAJ6Msh9HOpFhnUDnxcCvrhAixRa+WISEed9V136cl88KPciSaJGmgB QYjLredAvvd0JV8Jbj1AEDmdB0YEUZc2BwEQALRKZs0nsDPjwq/13e7/2CQupI5f xxaR7qyBQZ2wFthcVooZCPXf8tgvX7uqTymGUS5V19UcpeQ7SvAkZw9ft10AVLk1 f7BQrg6766nyBqsFQoidxY4dQlLICGtyG+Z2myBygQT8oGkVUNUQSp26rgJveih4 EEDo0sBxyi/UV8ThaskhIKIIpGxItvA2yj005WY5LZ86idBEfGGr7DGFVKim+fCE kEhlSK/Sdg2+VmG8N0se1cQg4LB2UgxxcuHMCW3pM3SHLidHOU7jp2bqyuVgnURR /yqv2hy6QnDS7jx59hwRzYM99n0DQhjACfLW7gF+9XiI9s09b2IMafz7PolyvuNn R6WwZNuMqtXAhlGGmmpYymhquEbYJOdSuDWxcFgiImd9GG9CHKmoCrEKwyfkVe78 ygGUXetF9Ha+g7lriv6Kvpnz6S4JTV8UAcClcJqoEVowXf/lbgd0YjStAWxgDES1 n1r4B58KWXfQ8fV+gI1F05wDLGYqnk/o8xJ4vuFcfT+DcxSvxIh1AX22VxEoVL7E ChuCY2bnhq1fxVXMwm01B+JyK467BAxmL8CqdfGohgptgS6GYCnLIMtrZ0B4LbzL yxeIU227yZ0Q96L9P1GdMq8LXXaL6DF3vsV83W+cb9GdPv1X24CjU3GOXex9zvgn 2dHsHpyE7KyEeUDJABEBAAH+CQMKtNOMMydkuidgyNEOotBzaihKje/C7ShtCX11 r/EX5Y664RfDaJ+uy84dwVr2l8iVV+tM+4AwEoiVqxI2vqPmLKo0WrqdMYhcUfT4 fPqU7mV5JF1iUspkNOVIabqKf8sdhniA6/ni4vviOiGSXTI7erQbfiRi9b+GqR8R ToXZmZwrXzi6jL+PAGBKQRXP8xW1hyioHgUV//hyAcZp8+X+fu+CclS4yDRl0nFi nYayo/FLcWN5zIFqIJZc+T0tW21VwEVjS4QUOEeKNuGc9JXuj3P7h24V+svfZlzR g1VIc8qJcNEmgP0Ju0/QxhyFTR4IrrPuCqBj/6MYOCaY+hPLT18cp6Y0BxEd+Ppb PqUc2jBG5Ux1YonEKi+FSrX5sSGODs1ql6/wv0s0Ipt2Hbf+/8rApEmyAOZHyHs0 ASqNAM6OwMGV4k2nUun+RzBek3jtwoeRvHEbKECrd5AWe4daXoXm1gdTcgH/0SMc F7OttxMisSnxpa57Q4QI9HHy7XpppXhoktUfUBP5K60wyiHdkO+glrb7O6wE14ZV iJYwRr1ef5UA9hOPnPpq/qZ24Guti3SiZpKmvZTrwIYFoiMp4pbQUw+SA5JxQj54 bV3QD4Rz39G6vNpqZcsJI/A///gJwAh1YouEhsvhHnZWQ2SdLCnMbnl4u4WV9te0 lw5VD5njuy9tnlscZHplfVJuZm2vK8xDRn6n0MQwg/hwkeL/48NTd4vuATqFtrYa Oxvfnemwe+pwwp1V3tamxXp4q+CxwFjABZDnfdZdnJxr9mMI0AJ/mfAmCdJdtBdC Z88hdDb+JP72qInHQkaqeLhGzeeCDrr+a5UoJgEYTW0wZmnYRau7Hs6lZ9pvSzB1 MWKpvBK0el8q2FFA1W2Id+PBr8YTQpr3Vn9zBcd57fKp7uUXOZNtS+qMI4uwWdl5 Ptw+IyXtvnQXHjGGiUzhT9K0CBl/AiPQwqbJOCC8j5s2xLqdQ65VtODvTQyJKg73 Hpm9ojwPHD5BE50QhxmXRRPsuCaPZjsihx3oIhIP4ck17d3K/eLPIh0CP+0kmKmJ gtG2SjDJu+50WHlKkG8og2S1EcgitinUwlYSEp6gAbM/jkX7BHr8jnWS4riZwe8W h6+4j8fsAvKzIZrJMRsw2mYJhaj/6cVUH/t1GqCi0Wt3Kmc+rEpf2o8HmLo3awA8 8UxAEu32XbDX88W3p153Ima7VSrqnDEvPgSR0Lqo8WY8H1WGcDCGuS+idbM9t49n avT5gqcdjB7JHGA50YWDuXn6lulq3xx1/6uG8NcJJhcqFc9oidxhif3CqaoyxZY5 vJba/f+BhiTBZhYMVDSQtRMKOqL9xZhzYdv1fGkBlvaSxLGhKMHq32wmpvSKjv1y QaVSmgY6G/+6aJ+tsIYXqxVw2xNVTqsZgUCBWgjTxZWMiEDHEUO8JPEQa/dYcQ90 gEMvC4n+EXQhh/xEGaNEMXu0/C7qRolohmh5Vk6kY4oBI5Ay4IRsy8OeVdtBsF/v 25+8tzeGckG1HeDMxT3qXntwpXglFN23h+nx/iFtsHQTpCPy2TnDKrwFYUXMmCxf YwuYUOaUIwpPn4RkrtgqOtgr45/ZmdcNbFXckT6qJg9qRe3R5SOD/66oEI+lI7nX UklhQtlmYGfGTfl/krbA32Lxf5XJUuTVkd1FPQmeR1wqUvaidoumO8yVKWEULKJQ 2ZCL32QKTDCjpLqe3sFzpKq6YSSwTwqnFFCK5Fkto7Z7jJwKHF0LykQ/eWczRQ8E 711kdL5CnxJxsokCJQQYAQoADwUCUZc2BwIbIAUJAEnUAAAKCRB1Jvv3TUAgts13 EACv0ANHVViIvrzABr3Q+uMdl7p/jsPM/+H/CYpgCZI9WSNf7HV8oQwmjKr7b5vN 7TRjzzFYSTJs5dkU//7qYn7Rhwjoe51BTCFjvFQRhBYkZocs3AQkUGpCUy0hjBIb Et9k+VbOzQyuqTet5cOOf/sTvxYzYfLhrZpCAEFWBBciONEIlMmMYvkHUK1R+zOf 8vAmmmWZF7aVR26Kg6cJrHP36kY0GicMpAzFGdMzrBWnT83s1MX9/4FcC1VTv/Fu 8aIagmfcZKizha/D9FX22txRJ2X/em5LYg2ciz1RQekvz5RzYao9n1XGyx/ksgn9 a7ptCaJqp9Dvhi6oEVLY7KYOdGJ+Diw21k3JtB/LcTiiYCZ3VEAZnK4L27tbO5IH tnXDaQLhGGB8YMhzVLqK5whVtiIZSa/AKR50SSWgqH2AKEGP/X3IWb2GXhgZc3v3 Fer3AoVrdDv3JhCMWXP1LFeURYd9+cOW73m0GvWpuiyKaLorABXbuTJWaQa37xa0 P9x8u/mktdHZgGXaqWoPZsLG433ApZ/nk3EBMGiVsbzDxZYnl6eQZ6v6v1Sizlap f8Leq1exZM+pZocgJ7jEH+3eihD1Hu/dWRxVjOaWFMNUoplDxXyYrIaw0pgTHgxT v5pR8Q2mGUY6KMNPc+bLSRjM6nPak5UhRKpZPn0sWOfYeg== =0rFo -----END PGP PRIVATE KEY BLOCK----- From me at timfriske.com Sat May 18 11:37:52 2013 From: me at timfriske.com (Tim Friske) Date: Sat, 18 May 2013 11:37:52 +0200 Subject: Fwd: Public sign-only RSA key not restored when importing armored backup file. In-Reply-To: References: Message-ID: Hi, I can reproduce the lost sign-only sub-RSA key behavior as follows: When you change the expiry date of the R4096(A) subkey (key 3, expire, e.g. 1, save), export the secret key in ASCII armored format (gpg --armor --output 0x7526FBF74D4020B6.sec.asc.txt --export-secret-keys 0x7526FBF74D4020B6), purge it (gpg --delete-secret-and-public-keys 0x7526FBF74D4020B6) and re-import it (gpg --import 0x7526FBF74D4020B6.sec.asc.txt) the sign-only sub-RSA key is not listed in the pubring.gpg file anymore but still in the secring.gpg file. Hope this helps to explain why. Best regards Tim ---------- Forwarded message ---------- From: Tim Friske Date: 2013/5/18 Subject: Re: Public sign-only RSA key not restored when importing armored backup file. To: gnupg-users at gnupg.org Hi Hauke, the attached file 0x7526FBF74D4020B6.sec.asc.txt contains the secret key material with 1 primary and 3 subkeys (R4096; C,S,E,A). With "gpg --armor --no-default-keyring --keyring ./0x7526FBF74D4020B6.sec.asc.txt --list-keys" all keys get correctly listed. Also when I import them into an empty pubring.gpg and secring.gpg file for test purposes with "gpg --armor --import 0x7526FBF74D4020B6.sec.asc.txt" all keys get correctly listed with "gpg -k" and "gpg -K". When I now mess with the expiration dates of all keys, save those changes, export, purge (delete-secret-and-public-keys) and re-import them again, the sign-only sub-RSA key is gone. Why is that? I don't understand. Also with "gpg --list-options show-unusable-subkeys --list-keys" I cannot resurrect the sign-only sub-RSA key. I'm left with 1 primary and only 2 subkeys (R4096, C,E,A). Any ideas? Best regards Tim 2013/5/17 Tim Friske : > Hi, > > when I import the armored secret key file to restore the public and > private parts of my own OpenPGP key the secret and public parts of my > primary key and subkeys are restored *except* for the public part of > my sign-only subkey. After the import the pubring.gpg file contains: > > 1. Certify-only primary RSA key > (a) Encrypt-only sub-RSA key > (b) Authenticate-only sub-RSA key > > The secring.ggp file contains: > > 2. Certify-only primary RSA key > (a) Sign-only sub-RSA key > (b) Encrypt-only sub-RSA key > (c) Authenticate-only sub-RSA key > > Where is the public part of the sign-only sub-RSA key gone? > > When I restore the public key from the secret key with the gpgsplit > program the previously missing public part of the sign-only sub-RSA > key is back again. > > Any clues, why not the public parts of all secret (sub)keys are > restored upon import? > > Many thanks in advance. > > Best regards > TIm -------------- next part -------------- -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: `~~~~?< lQdGBFGXNQgBEADCfnr6F4I7NjPgnXeqC4L2Hdd7oTBjmB4xPCpsR7KkzjBssOKI CyPaz6aPv0HCdygtQuVbCzXxNsHpRX+1ApbZojTHAD2VOaLVrLW3ZlwOy5GDv1IZ PTaK3+1aWWEv/BSwZB8r40Es0DZcu5E4FtSpMH4Bg65Gw6Jlq/80AO4TM0LtrvCK vXNgb+KOnxYu1GW7pnVdQB1oJBQtfo854XvJkYm911Oqkwp+oe9cxLNiUX6KGtQg qVXcs685Zm1e1NpSV8d34K0yPKDCgH/Ax+do5kWQRRW+uKnAfqSml2Je7wsPKNNt qY8vb55JGdmZQ/sFloEg2iR8OyzBnNBRHXGFqWef1J4aaBYCKAFcyZslgqeTf/8w WerwUetG7m9CPIUEJyI4RfnrGRT1KmeIaIbOSjYTB7255WkVP7rdthRJEMrCQVIC FC1AEZMffz6FtdFSF/nk5/5BpeAHegklNZY4Fyi2LUwexWIVHn3HzXXE2u4UR97j Ghh7rJsiHAEDYxYb75P/3tsWOqhzQQujZ1l1f5keJ6CgZa4ddaGrpH9oyAVf3Ctc GgunyfZllsgcGMCrrx4IvW9fcNFu1fdDcOPYgdNYe3UX0yIC5aYVPCVdIW2qYfAx /7Ejjxz8HNCHo8NIDfqXtNxpplPfdpUKaufpw3yrlH8v74+dNji8T5Lt3wARAQAB /gkDClBpwuya9oBMYBD8mbqSyCxWN+88DvEh4ge7Qu9ctl5vfIGB2OVFA6MKRTWd dpjhCLU/8NpaIlsybRt0N78tDdGNcrBzYDJT8Ncyw5fcAmgD45nlAK/djSZVAn7p cTebiK6Ht4GpVZiOJRJj6/oBn1IADUho+AWm2PcczRJxehrJKPSob3Gse7HMcZMh cGnSAPgW9TWiD+jXevTdVZ2gUY1c9DFpP0bn5WACPtXGZBTLQh+IOLd3Yi6sELck IOPpg/fnV8MAOqUgwLPF+tmx/C6VqSA1M6guSLrNwcSLbA96a3sCNgJIHZGXMiqy 0LVXxJUf0/BAn9doC1gLgU9f1CX6lvfDFsqy7CDRAJIMpvpHs4K5cnp4E8PtPiDt YRf+VY7S7w3OqxyAvSlXtV2nIpu/FXr3qcWkcARs3tbxORDfzEds4BTluUNcg1E1 yMqAVXGdM9/uVzPcosKhKHFKpmoopqASl01S6dSrEz6k/CkBtE/GJsXNoKFnA9Th cdTu2AHkzBqMms+knySYkDWJkzfr7oQBHLj/+0d2WTXfK5mmtvPrqD5yeLN5Vssw qn79iEf0freOnNXOyBuIDxhDr18huasx0dvd1O2z0YnoQY4j+q2ocR+TAKR7CoLX Oep5ewu/3KU+HPcNzCWK3U9SHHbd3JN/PXkA/E/NDaLQ4JrzgNWrz6HW4AlNossu /YXV9AumXgHoS4oBQMor1X1JH8wkAtJfIKtjoduyem3ghuQCHhJV4dgA/Cy5lywu XjyHFY6oCS4clurRxuZiw/0kDki4QQ9BsDsxYk/jEoiRyX4/ygP9Cn2XZWpYRPR7 W0V8yvDLHzXTy23m5r3csTxYdZfeH60eWvZy8u1+b6cy8tDBAaW/x62VBZ2FNmh0 KELYGXL9I1s1qImp2XM6k5zZm+pV5yQKYrvqp9nTFsMTmVwe55lv3WBqPC0raHXd NlSCgUT3G83DZX9FHt8JOvhBX/MLmGHIGc4ovIlBfaJdXtqujGBLdEJFX60HCnjL BNaTlnBdlpI4OV/kVfN0CIW09HMUmQ1I0RFeZJjRz3kiZuaQ/qLqGYJr0ttdcXIb tvtfE0+q7FU1k3jkp7NKxrHPu8wHF83OIfZyPQ/+gm7kM45KeTSfIvB3bQmUfimV jWf8a10ckwd5hnWWuF4jvBsdkA8XBSugZYaz15YEd8Z9Gb2dw8hplUajJZVZkK+h CYGMcPXzPgPnQ4calxV2JlQZbEC25rDoXqB3EmvsZSmcIXiYQwURcOKZytuxWXA/ IwNq+I4E1NWkYhJRb1BAoxIbD1KcIxgX7MdcTkNnrBnLkxA/SQbvAosLVLddxatH 2/+u8DVchs2tE0MyVXgb1zVQQz7M443Bz5FYIcs4tYuumXB8VqwsHuBcKd+DMFrS u6uEh6/r11MjDkvi3nQLM4z3qKxre+JyDo2rtHj1Yg2EKSUeIbUF1IrIXPIA0vyw md5LNr9IrbDW2qWtt8VSX5mUz3iV2dPRfFYAsZtfikQra37YLan9fTdEn3djE/dJ rDsAei36EOwebAfTk95fGUJZv2YshjMvmKimN7f3ob/OjpQos+2So1XPwfDWhIA5 vBWWW90Tmhuco95X/10AAfC7myQlX+x18XBWe6qGZ1G7ORPYCWIt9zyWC5x92qPW fh6a4EASCc9mmFUcAJCNoaQoyjOO/X6Qkhv+aUuCG3V0wgEhH2K7c2k8dXrxqc2f mvf0gTTzC4pU94rKXvQIugPukQdroJCBbBsJrn8iVXMxi8drDwmrGEq0FmJsYSBi bHViIDxibGFAYmx1Yi5kZT6JAmwEEwEKAFYFAlGXNQgCGwEFCQAJOoAMCwkNCAwH CwQKAwECCBUKCQgLAwIBBRYDAgEAAh4BAheAJBhoa3BzOi8vaGtwcy5wb29sLnNr cy1rZXlzZXJ2ZXJzLm5ldAAKCRB1Jvv3TUAgtum2D/9sgJpJ6z587phLFcsK4qJZ ho1OW/Kw+RKGurg4D4zZ8Vt5l+pUqKACqtjP2fNKLVF3Oqs+xE8I20SXEVeLohCs kV0+CjGoF2kTQUCfvQ85sVW4OoMD789w6ZeyjOStqMDwuBDtet6Qh9GQIr6p7IfS K455jlM4dZqsQr3mLLCPNbx7eWd6e8chI0lXvPZQ4eLxT7MASXBnuOJlybPOtoes NLFGBn1aty+XYjTjf6nIt9ameUkIWY4GjbctvVRE68GODNSuz9RHZIatoRrnjxpv P05ZVEucHDbeCMh6lW+80Z07pLvw3x+oOIpHORcyqst+g9Wn/2Zf3aCyMToNv/hc KwnpwXoOT3gdhBYZ0LOrBv2oI5EM3da3jr0DxLS8t3gjIMhV8Pwmim/Mh86kf5dz yo+tssuk/Ko8qxSFp0vUyVIf0gRMvWKVdldOOVaR4Ptk+QnX37w2sfkcyO5Yf6jd Mr+3w3y0XcroFCsJ4IgmCFnLY0Q/T1kw3m4qT80kUlXNT4adM+VvHKEs1tHUa6Zh LnIjZWSf9l5zVM2As7uO8NWTtuy1kt1FRdKkroEY3fxAT/Hp1QUUlfY6BTxvpihT UnzDQGKhz+J1okpkjppPhWeZcpDGioM371wrl4OfATz5oBs4UmOYRYFn3jC2Eju3 OYsFTFZSeO/zRX8aj/ZJw50HRgRRlzWAARAAv2rjoF36zdoa2jRsBvunrx7ge+tP HgL81tdeNfghVMVv21c9PFCvs0MzPoNhBNFvoNHUjuekFBQ3TtvobUt0899xFDor sFEkyOmkttMJNtI+Y2I8McNDtPyUbeWvChBSpZKDw6rIk5TySyBlU3VLc7aVYm2J Grt+TNSQeLc6NavpCJFDLFuQNkyr9f13n0oa+HQA8Z9yv39evYdqv7mQPAjYlmb3 ahi89j6PjEvZjF5vXe6OJ4bQ6OamV7DXYT05ATvp935qpjQ8X00GEMr9EQY1C6D7 9uCeJxj9BjwwmbKe7bqh/PNWZFF0RpQvzgwiuCwIH3T7k9cN/0tmxToodMpV55L5 qDzhjvHyFTcoQETsppbl0ZpKjTsjLTbCh9XHLztT5eLFQqG7Nx3yMhd2SG3Ucvs8 15ifEHN7ayfy7GEmMxxfPd4Kp7GB9YZMjAUg5lezP5LWpM8+blx++iiMTSawYEvy W7MhsRI+EnXNYKmBVusQ8J5efZNqI8FodqVNB0gnmxpVjzMxzaYACmUwz0isaSDv THDOwoq14oaFBHnJMI3U1eaGK6bm/3amHbqax8MDvSWHNid0O8rulbFu9Zh0vYnC KqbFt7hMw07RtPRSc3kxLjyANZi0aSpG7b5CgF64U5xkJ/+8CB7K/i493BUyRsoR mT1imI3pTUTubK8AEQEAAf4JAwpywXh1fYZlqGD30tSQHC/kMaT/kK+RW8dldpnY sn7479vQ1NyDBXk0NvmEaLFpkPovcpLAUecouwd5AHf5B5O/YGhWVk5XkEN3JXN5 0uEdo2PJu2YVD48LVUnfKfqjZOBRjTJ5MkvlfucdDnpC4ZHjfThBlwNfIoqHRrOK LQy74qLBrTkwmeTyCbXmEa5/XFZD1PJo421kt71uHTM+ByX43aotGY5Ci5u1aDHa Rc7lHkLQRT9GlNE841w1/CqqfiaymXQBPNTtyzSBx8r5FqcIEK7ROYc8lQxOBqZt qjXSam0eS2sXRtM3buvS4lQZSxqFQmpq3ZVGZTZ0YsGU+KebNEeSmHRsO+3RAvTX e4VPVZ1WpXHygDYgRrnUew+WtOD1j/hCS/DsPOU018EsQDy59soBtktR6Bv2HFWj 47bdwAyfYxAjwbfG6M/PWBnmcWEQiO7ooSkqg/teIV8MH1tR5n+E5o0s8rlGuEnB 2NucArHd4rh6BQft9Mb5o2W0+p3dGpzenfR/FnoLHs/VTsKtLHhYiuiJix/xooqc 0Sx38u3w8qUBLtUh8KHtJ1FJ8hDsPf6Ie3W+ThbsXTul7uYJSGxjj9SHvhCI7vZ0 6qESVi5U04QZ59Oq0VPH0rRj07A8Mp6p6Sd7eTVa4OqQV91xYh3DdhKirSs5RLdi ODkM/CSLjnk6BTEzxVgTTuoUQRuXWitv5wUznDFNPF5OfGIhI6GFKt5qJseDMGmN MNxiQ7ENZ+qHOwc/ZPnv7ApVEtyHH+lYrvTHVHvgwLV71epoDWIHriDk8MXNBztx laDWw1vO0Bi/utIH75AXwUNyGPhu7opmYTIg0fAX8mxTQMuTMDSNXpfjnhL+u8EI re5Ywc4g6McropAmzodv47IUdorELufh+fBTcQgh1abYuH07mIrGBJUR8PcW41ke r/wT5oHDcwr0Ix5O9lVgkMeQ1OmP28f0s3FV8ER+2W1dnZZUWmeJUSHCPY5NczZ2 JuDlhkP7umoYL2B67kNmg3CWgU3/Y+04ijrQq4QJnl/8mB5pN2k+Rc2l8RcUBJRv 0H3STR8LMEGvvshbFtTWTzJ222a/PTontpoX8ivSzb3jHrY+ysr1srg8I9yLalZz 9RJkwd0CU5jQGaIyUJotdSEiD6nJlFzVkIbWDPuGUGKEpXBuRngb3g2/lq5UPtIY 8dnqURUJppRQjrcgvMQGZIGksyLufnp6Edj6A9V+ML19XDvPDnX0ppCleu6hLWkp ImFXfKRXWXGbh/q6DJtMDOhw/eiEmsIVBK1OuxqY1cZ5P9fUdOrvVS6mLfY8hbeB sGbyReismL/J2GusNB7eowA/nluOgaTIPTVxZ3rOuaPyF0L0LpOp7p6jvRguaupk ta3XcLWPmJik3Iy0c0C8+Syzputb58+WmKet68kjJA93pgP3fwvnllLM0i5VUBcn dmbqTGCQ5EOV39lNiVPtKiAQnS/vk4QxLDdXyDHalZfpwrVG1JrU9T9uXgnf8A4X RgavP3F9RbI8f+1NWZCJ/7+ZtPAWDA/yJIaWiFppISinkg7YOXR1q7xaEFUvr6uR 10JW5oFVI4sklohrryxBQ6pMvlSw/taWiVsr9rHTJMRsQrndyJ3HpTfX8vB4nlV1 k8S7Go4V6EH8+JlAzP4sbEy+rwVt3qSgSfbPQzZrnB8i5mmLBqgqg2S7D70BSZXB UFZPc1gPCHW0wVvEQfh3Hg7eLdx8bjgP/NsEhYTP491QjWF+SI7aoxtGTLKa06nw B04NEE2x7wt4iQREBBgBCgAPBQJRlzWAAhsCBQkAEnUAAikJEHUm+/dNQCC2wV0g BBkBCgAGBQJRlzWAAAoJEIOOBz0F0mdcJhQP/i+GWV8yfPtXUIJpd39UB7c6om50 IFlGACk0lxE4WAh4TWCFs3mGCaM3t8a4incDS6nZ6SmEwkuwmPs13VS2QImTiUwS HXYQAIKxPY7I2Gd9zJWo+zWQqGpDWmytGtY1JbDomBNv6+tLl5S71abfbsTPV+g6 wq/tV4AhkWSrspFogi68WbXzdORNQi4S3eMXpAceQSoho5d8ljQXu2Np4FlJT3oT sBbcNosUY8Itc1Fu/sZo+tmo2WQ9SqqftmWs+d7acuYPVTKfnIhp4cyyojPBfQZl g7Q8Qk9NZLmwZzTEfKlT8wmgCUqi/sY1ecHRLp7T8vKmABXemHlyeVNmCuI0QLQY nSZpu0IENPAng/Z1ozz+UOgof+JbklIL2SCMOorCTnquFGHR8VL8dfv4A02DZCPQ Vuw99s2X1vWXms/2IDx44Xv7qJ18uVweBPVtyr7NddGZKvtcdnClCyUr/OGBqOlu 14iFDb5hRftDON1+v/hpRp1gCVTtRFJkNJn9w4wB1gSjJDfYfHYX0TT61Uxh/D6Q k2Hzi7JJUbFKzeBeY2OUEcud+tQIbhKk6tw1XU6CUsn9Izbh7WYp7/3HrXu3lIXN y7FwzrrQY90bgs+P+mTtLhKv2EDC0EsvRryqP2qFdh4Rn1LJWbItG0ClRnVdYqZR yzw3YhAEqcaHGDJ85t8P/RWDgjJTuYjcy9pfkAL1uOp3eEoszFdpKQK5iFfRV6GS 6exLNdU1hYDs4pv4YSvSovFCRcMMm21SaSmUcCgp/4fd3HSiwt1qzch+oaDSC9Fn gXJQ9tDLVXeh5sQC1FMQ6YhSkLceX+0AQ+rS0sX0qf4nmxMaQmaLSD+P4O4yqof3 LJuINd83yxROmHTQA/uOwkaenQN2g3M8LCb8lfIpux81SVQKFJLYjnkwWLF0a23+ K4n7TUJpHtGk7iaZ8NhHfVHvt7+Ju1IoKhIAYhNt4rm9nQeN8u2iUgeH+70lGEfZ d2Cb8VeXU4UieSezyy+mqQYQN5WQvs6r7ZoA6Vqdrt9xKcKbYfBsD+AlO4F0FTxX Y1/GxGaJoApKaVTlB1ONkE0aFSE60bs7whzI/dTceaLmV0wsRYNsUkKgQKwQWpdC i31j2zJBs8Tk6dWqeCl6W9YhyC3CNCcWK+SSbQ5ZuahoC2Pclwd9i7s5oMlguTfE EBaDqJUCOTRoZOkY+CrCC48qdbloDY1wn/vbEeWPlEgN8T2pLjeqbeb+lNRAg4PE JKi394FngJohwsesHyJki+t06TG4kTM0c1ItESyb+6tRnUvzTErgaUfRT5z0KeiM uOnUnxwU8+wUIiIIJoCZviLopZy9umjKQPg/pZhDZWCDSIEDQISCtRKFigyK11WJ nQdGBFGXNckBEACyXTQo0Zopoc9ZcCnktx5ziBecrHxuVq82uKw2hh2FfW9uTIGV +RQmRCaECdejM54FQqVxyHLyXT/HIKtkLqIRlZkC9X4P0/O6f/wFBlPBM+/IpOox gKpB1pcpHzmI+Aqr/r9zEeuC8VWuTn+3g1NxQrnjUrn5yIAuE+wkuy9HPzR5zIB3 DUFv/r45E8dWrs6c0jN8WmD+RmTlWiYY8OCEx++dP6+6Weof37x1yK6VCtan9AoJ PCBR89fBqCZB4OZjwOPHUX2U5MYFHON6sRWbV9PstZnlCX7wocmGVVwrz5tGR0Td x6v40fQMsWb/fxswXZG5wEMKj06PxjJWaIalbWtOu1U9BHKS+Tahp179E/oMjqCd YYngZxAO8X7mzryJt3nUDZXaJZ99N1Zt8c3YX/JhSfqXEeWq+c1OGqZQX6UbRWBf KoPwRDgo26JDCH756NYqUcZXnnB2fUtEVoUB9E9F2igjkdc664ebr3tJZOqtqLi1 nlO0i78/QJwSNT7x1I40SXSU8TZY8hFpvDMp0rlml8ufBLu6YPw8V5qW757OpG0b QK/6ZSESaDwG3EEa8gb4Ylp4/eKz1iCV4Zdo+MgpI5LmubHk7apmr5fM6+JHHK3s f0EgTVYCSI3ZfmMBW2qxh3T+vNK/AYlZYsy9j3kM+7ygC6gz9GV0JUAnCwARAQAB /gkDCmtnnbrxpOSOYIsRYEMPtSFO9423NqHhmYS6oZMGQ86CofnA8xJymvsXsOkX WMcEnFqt4R1IN6X+upLqI8nGqrcB+zWiq4Gq8p6wb6EXWCDaI4+FrLO8B97pTc4t 5HMR5kDyXTZxMokLDuMPPeo5DAC0LAa7PQfBNhA8oXqickCIQX1AielrnMgforcZ 1MS7MWYkpYC0e8lDePZbu47lwZqaaNDxvtcJJIo/CTqBAQ+or/KTmYkp5k8CelnR vmMZRyNFac2IRmvJt9P1Aa+2JSsvtsdiQ0w6VOzZN+cT4ZIhHiuU9torimvNq1qw 6y40TKT7D6OhuQSSqlLiZfCK78viKfJSvlyztGIqEoBjKoFIojs7Hi8cb63KGPBZ un2LfjIBkWJXtFV8/y2j/rsHkH+iS6KVELA94B8vZMU5ekZ9pQ+NJ+KFd7hS7kOA XJ/iE75tymroIZywEFwhS5pw8yvi1hP+tvVrh2AvZTdpo2suTm0saNJGYivF4bye W4mm7G4eDuRuClSlp8hx/rueQIKlEQbcbP95wAiQaGfx3AA0tiMTnaO4/uJ95kXn YfwWalSBNCU+HJZ4muutkCUZ+d8JVENWEst9H+yjcwo4kwrWiYdPoHqWNfea39Ax kMdflCG/MReQR/6KEJPvEsWswzXSROjv5k5dcP0GA+/HYHuYG0gCWGwBqIXZ8rUO P3dJ97fPNub3K/a939mV3Tvp+CWQ1iFIPc/J/kk7kvP++YE5JTAChO6cvxTZevB7 LJdV4qvXsVRLyRK78y5YqrBo1hnOVPapd431QXshP2ScHqISjM5VbUZEnTB19jdt o06/qx1+8HC3RCZaHqNvGJhaM4Ze0xuFYtOm2bkubm6e0Fu9Slr9uqnmczRDV7y8 XzbmP57qIDnT4kZ8Pp5mErQPu5TBrjNbKl12e9lo/KYhp83A1WAfUsuzRob5kCX4 GO8fj70Y7wAnK9mjDNe/FjMl1M9nVMU0JJFHObyWG6wJ0H3C6UyKneFWXs+REmPp Lc1UzFKaW5470Xf2RJf9Trabmxim++sjGPwKlYX/TcakNWlobNN9uVVgk4kPGu2A qWL4pyGbE3OVv9zfgLG/IIu5saqOorGhe5f45GY5+ECri3IR9j480cUbNakPXVyn yLVG8qr0t0dX9GqtXYsb8mu3MsBZ4iDY3uDCVv6aQMwEsRy0e8Yn0QKkuy0eGazv LnVnbUUrErxJ/r9gZU0/8il0CUN8pAkT8Hhu1NY7eoHetG975n2qT8fuiPRM196Z TpEmujK/9EKVnjOmT/0QaiiFqTDuo7oa4trYI3qHHirGG3QKTocZB+JM3Xhv8CZn iGg5s/1tyqnUlVY6kCGM1AwT9mOlxB/Q16IJF8B1YLNQysTcla5oMjXH/QsmwQnA spIuBrwU2K96B8tRsLyottZ2f7Y2Iw43zPySSUl/tB0fN8MBTutZ2Osm6ldsgGBT i7zwNX/84wC99a8koxY+K4LlHhf49Qzb4cturwlPi83BD4PGZoxo55aB/fZliiO+ CpemenCA3NvtMiFrKcTP8E4q/C35HzuuznohdxkH2+44yEuRsRXhyV/mkiK6zRay Nj9mYWOzmjcApd6l2l0ucT3e+zYgdh7pImf4PhEKFA04cAdM8zY5H8HHmW82x/Ae oZQG4eM1AWEmSrGJXii91/b91iY6UqOdzLdYthi62fytpAORx0YKGFiTvwPW6Vz1 /IRGxKl2VCKEGDsCE7Gia1ZQYYLdTavVcgAFicIbdWkw/mBbbAxWBJOJAiUEGAEK AA8FAlGXNckCGwwFCQAk6gAACgkQdSb7901AILZsLw//Wc2/7O+IqkiO8i68wrv4 v+QPKJswJcfwle4bef+FBWqXpgfbwatIHQGMEH5vvtq2YgsW2snI1FZuD2+ss2Xp irQBZ1biU37DeuMnGmsLutSEyGEMxh2BzDMQfJJBsCRgUr+1JUaklGkKKwto+y1C qV7eX3RxZZChSeuW2bouxIg11ZcVVg5E03c2enZTD5ZzdsCChH/+3DLSgUY8W0cz g/ctPHnHkfvXpH5mA83P+q2jWvX71FT8/Ldx+ZETDwl0tKkHYvs5benyUJXLoQXc KyFB8rxElqnocYoBeTJMjamXg/hXAvJqpXxm3lYc5klGaSYmlOY0s53oaVcYI1pO DovJmFB36OVEqMa0d7tGjSjph9CfwYVDGwc+zZkGBnYzj91qNuyy/ta5i8l+Lod9 +1ejCn9wWKs+XC33bt9lhg0aDm4n0KH+3M16tAI8C42f+p0ZfdKpAsxAS5G8cJyU bzQO1mkDTqHYHTa+KFZuZl/HObe4XtV27NS4BsyJN2AE9WihPYszkPGF6z2DBTee is0UQ1J01GrbbPFbKhDlDSs0QYB4nyHj4PYqzR59yH/k6d5vk3mm7SbRhFAA5RkH w0xIOO6ZAIAJ6Msh9HOpFhnUDnxcCvrhAixRa+WISEed9V136cl88KPciSaJGmgB QYjLredAvvd0JV8Jbj1AEDmdB0YEUZc2BwEQALRKZs0nsDPjwq/13e7/2CQupI5f xxaR7qyBQZ2wFthcVooZCPXf8tgvX7uqTymGUS5V19UcpeQ7SvAkZw9ft10AVLk1 f7BQrg6766nyBqsFQoidxY4dQlLICGtyG+Z2myBygQT8oGkVUNUQSp26rgJveih4 EEDo0sBxyi/UV8ThaskhIKIIpGxItvA2yj005WY5LZ86idBEfGGr7DGFVKim+fCE kEhlSK/Sdg2+VmG8N0se1cQg4LB2UgxxcuHMCW3pM3SHLidHOU7jp2bqyuVgnURR /yqv2hy6QnDS7jx59hwRzYM99n0DQhjACfLW7gF+9XiI9s09b2IMafz7PolyvuNn R6WwZNuMqtXAhlGGmmpYymhquEbYJOdSuDWxcFgiImd9GG9CHKmoCrEKwyfkVe78 ygGUXetF9Ha+g7lriv6Kvpnz6S4JTV8UAcClcJqoEVowXf/lbgd0YjStAWxgDES1 n1r4B58KWXfQ8fV+gI1F05wDLGYqnk/o8xJ4vuFcfT+DcxSvxIh1AX22VxEoVL7E ChuCY2bnhq1fxVXMwm01B+JyK467BAxmL8CqdfGohgptgS6GYCnLIMtrZ0B4LbzL yxeIU227yZ0Q96L9P1GdMq8LXXaL6DF3vsV83W+cb9GdPv1X24CjU3GOXex9zvgn 2dHsHpyE7KyEeUDJABEBAAH+CQMKtNOMMydkuidgyNEOotBzaihKje/C7ShtCX11 r/EX5Y664RfDaJ+uy84dwVr2l8iVV+tM+4AwEoiVqxI2vqPmLKo0WrqdMYhcUfT4 fPqU7mV5JF1iUspkNOVIabqKf8sdhniA6/ni4vviOiGSXTI7erQbfiRi9b+GqR8R ToXZmZwrXzi6jL+PAGBKQRXP8xW1hyioHgUV//hyAcZp8+X+fu+CclS4yDRl0nFi nYayo/FLcWN5zIFqIJZc+T0tW21VwEVjS4QUOEeKNuGc9JXuj3P7h24V+svfZlzR g1VIc8qJcNEmgP0Ju0/QxhyFTR4IrrPuCqBj/6MYOCaY+hPLT18cp6Y0BxEd+Ppb PqUc2jBG5Ux1YonEKi+FSrX5sSGODs1ql6/wv0s0Ipt2Hbf+/8rApEmyAOZHyHs0 ASqNAM6OwMGV4k2nUun+RzBek3jtwoeRvHEbKECrd5AWe4daXoXm1gdTcgH/0SMc F7OttxMisSnxpa57Q4QI9HHy7XpppXhoktUfUBP5K60wyiHdkO+glrb7O6wE14ZV iJYwRr1ef5UA9hOPnPpq/qZ24Guti3SiZpKmvZTrwIYFoiMp4pbQUw+SA5JxQj54 bV3QD4Rz39G6vNpqZcsJI/A///gJwAh1YouEhsvhHnZWQ2SdLCnMbnl4u4WV9te0 lw5VD5njuy9tnlscZHplfVJuZm2vK8xDRn6n0MQwg/hwkeL/48NTd4vuATqFtrYa Oxvfnemwe+pwwp1V3tamxXp4q+CxwFjABZDnfdZdnJxr9mMI0AJ/mfAmCdJdtBdC Z88hdDb+JP72qInHQkaqeLhGzeeCDrr+a5UoJgEYTW0wZmnYRau7Hs6lZ9pvSzB1 MWKpvBK0el8q2FFA1W2Id+PBr8YTQpr3Vn9zBcd57fKp7uUXOZNtS+qMI4uwWdl5 Ptw+IyXtvnQXHjGGiUzhT9K0CBl/AiPQwqbJOCC8j5s2xLqdQ65VtODvTQyJKg73 Hpm9ojwPHD5BE50QhxmXRRPsuCaPZjsihx3oIhIP4ck17d3K/eLPIh0CP+0kmKmJ gtG2SjDJu+50WHlKkG8og2S1EcgitinUwlYSEp6gAbM/jkX7BHr8jnWS4riZwe8W h6+4j8fsAvKzIZrJMRsw2mYJhaj/6cVUH/t1GqCi0Wt3Kmc+rEpf2o8HmLo3awA8 8UxAEu32XbDX88W3p153Ima7VSrqnDEvPgSR0Lqo8WY8H1WGcDCGuS+idbM9t49n avT5gqcdjB7JHGA50YWDuXn6lulq3xx1/6uG8NcJJhcqFc9oidxhif3CqaoyxZY5 vJba/f+BhiTBZhYMVDSQtRMKOqL9xZhzYdv1fGkBlvaSxLGhKMHq32wmpvSKjv1y QaVSmgY6G/+6aJ+tsIYXqxVw2xNVTqsZgUCBWgjTxZWMiEDHEUO8JPEQa/dYcQ90 gEMvC4n+EXQhh/xEGaNEMXu0/C7qRolohmh5Vk6kY4oBI5Ay4IRsy8OeVdtBsF/v 25+8tzeGckG1HeDMxT3qXntwpXglFN23h+nx/iFtsHQTpCPy2TnDKrwFYUXMmCxf YwuYUOaUIwpPn4RkrtgqOtgr45/ZmdcNbFXckT6qJg9qRe3R5SOD/66oEI+lI7nX UklhQtlmYGfGTfl/krbA32Lxf5XJUuTVkd1FPQmeR1wqUvaidoumO8yVKWEULKJQ 2ZCL32QKTDCjpLqe3sFzpKq6YSSwTwqnFFCK5Fkto7Z7jJwKHF0LykQ/eWczRQ8E 711kdL5CnxJxsokCJQQYAQoADwUCUZc2BwIbIAUJAEnUAAAKCRB1Jvv3TUAgts13 EACv0ANHVViIvrzABr3Q+uMdl7p/jsPM/+H/CYpgCZI9WSNf7HV8oQwmjKr7b5vN 7TRjzzFYSTJs5dkU//7qYn7Rhwjoe51BTCFjvFQRhBYkZocs3AQkUGpCUy0hjBIb Et9k+VbOzQyuqTet5cOOf/sTvxYzYfLhrZpCAEFWBBciONEIlMmMYvkHUK1R+zOf 8vAmmmWZF7aVR26Kg6cJrHP36kY0GicMpAzFGdMzrBWnT83s1MX9/4FcC1VTv/Fu 8aIagmfcZKizha/D9FX22txRJ2X/em5LYg2ciz1RQekvz5RzYao9n1XGyx/ksgn9 a7ptCaJqp9Dvhi6oEVLY7KYOdGJ+Diw21k3JtB/LcTiiYCZ3VEAZnK4L27tbO5IH tnXDaQLhGGB8YMhzVLqK5whVtiIZSa/AKR50SSWgqH2AKEGP/X3IWb2GXhgZc3v3 Fer3AoVrdDv3JhCMWXP1LFeURYd9+cOW73m0GvWpuiyKaLorABXbuTJWaQa37xa0 P9x8u/mktdHZgGXaqWoPZsLG433ApZ/nk3EBMGiVsbzDxZYnl6eQZ6v6v1Sizlap f8Leq1exZM+pZocgJ7jEH+3eihD1Hu/dWRxVjOaWFMNUoplDxXyYrIaw0pgTHgxT v5pR8Q2mGUY6KMNPc+bLSRjM6nPak5UhRKpZPn0sWOfYeg== =0rFo -----END PGP PRIVATE KEY BLOCK----- From kiblema at gmail.com Tue May 21 10:29:32 2013 From: kiblema at gmail.com (Lema KB) Date: Tue, 21 May 2013 10:29:32 +0200 Subject: difference between gpg.exe and gpg2.exe Message-ID: hi all who knows, what is the difference in using gpg.exe and gpg2.exe. till i used gpg2.exe for encryptions and decryptions. but what schould i use for generating key-pair on command line? thanks in advance -------------- next part -------------- An HTML attachment was scrubbed... URL: From kiblema at gmail.com Tue May 21 10:48:41 2013 From: kiblema at gmail.com (Lema KB) Date: Tue, 21 May 2013 10:48:41 +0200 Subject: Generating/Exporting under another user-account(Log on as a batch job rights) In-Reply-To: <20130517101432.0354a5fd@scorpio> References: <20130517101432.0354a5fd@scorpio> Message-ID: thanks for your replies i do have gnupg4win-2.1.0.exe. i wanted just to pen this Kleopatra.exe under another user (on cmd using runas command) to see the list of keys. but it says it's missing libkleo.dll file. but it opens from start-menu. where i find this file, or what does it mean? thanks in advance On Fri, May 17, 2013 at 4:14 PM, Jerry wrote: > On Fri, 17 May 2013 14:57:53 +0200 > Lema KB articulated: > > > hi all > > > > I have to generate a key-pair using another user-account (which is > > given right in local security settings to log on as a batch job) and > > export its public key. > > > > i did generate on windows cmd, but after i taped the passphrase, cmd > > window just dissappeared. and if i type to list keys, a window > > appears and closes immediately, so fast that i can't read what it > > writes. > > > > What would you suggest, ho can i see what it did and which keys it has > > under this another user? > > > > Any of your help is appreciated, thanks in advance. > > kiblema > > I don't know if this will work, but have you tried: > > script -k > > -- > Jerry ? > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the Reply-To header. > __________________________________________________________________ > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Tue May 21 11:08:36 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 21 May 2013 11:08:36 +0200 Subject: difference between gpg.exe and gpg2.exe In-Reply-To: References: Message-ID: <519B3994.9070402@digitalbrains.com> > who knows, what is the difference in using gpg.exe and gpg2.exe. It's most likely that gpg.exe is GnuPG 1.4.x, and gpg2.exe is GnuPG 2.0.x. GnuPG 1.4 is more suited for use on servers and the like, and GnuPG 2.0 is recommended for use on the desktop. GnuPG 1.4 is being maintained for situations where GnuPG 2.0 is not appropriate or less appropriate. > but what schould i use for generating key-pair on command line? Both will work just fine. But I'd recommend using GnuPG 2.0 unless you have a specific reason to use 1.4, such as needing it to work without an agent or pinentry helper. If these terms mean nothing to you, just keep on using 2.0 :). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From BHuber at swisher.com Mon May 20 22:57:15 2013 From: BHuber at swisher.com (Bettina Huber) Date: Mon, 20 May 2013 16:57:15 -0400 Subject: Total Newbie Can't Unpack Tar Ball on AIX Message-ID: An HTML attachment was scrubbed... URL: From pete at heypete.com Tue May 21 12:22:40 2013 From: pete at heypete.com (Pete Stephenson) Date: Tue, 21 May 2013 12:22:40 +0200 Subject: Total Newbie Can't Unpack Tar Ball on AIX In-Reply-To: References: Message-ID: On Mon, May 20, 2013 at 10:57 PM, Bettina Huber wrote: > This appears to be the correct command, because I've seen it in several > places in my research. But I can't do anything until I get this worked out. > I was hoping this would pretty simple - install (which, frankly, I don't see > any info on how to do, either), generate keys, export key to bank, voila. > Boy, was I wrong. Hi Bettina, I'm not familiar with the details of AIX, but it may have some sort of package manager or other centralized way to install software. I would hope they'd have a packaged version of GnuPG that would allow for you to easily install it. Once installed, it should be fairly straightforward to use. In your particular case, it looks like tar for AIX doesn't support bzip2 and so it displays the "I don't understand what you want, so here's the how-to-use-this-program" help message instead. You'd need to unbzip2 it first. Running "bunzip2 gnupg-2.0.20.tar-1.bz2" should unbzip2 the compressed file, while "tar -xvf gnupg-2.0.20.tar-1" (why is there a -1 at the end of the file? That's odd.) will then untar the tarball. The way you're doing things is decidedly non-trivial: it looks like you've downloaded the raw source code for GnuPG. To use it you would need to compile it and then install it. This is almost certainly not the preferred way of doing this and is usually something done by developers/programmers rather than average users. You should check to see if there's a packaged version of GnuPG for AIX. A quick Google search yields for GnuPG 1.4.x and for GnuPG 2.0.x, which looks promising, though I have no idea how reliable that particular site may be. Either version should be suitable for your purposes. Cheers! -Pete -- Pete Stephenson From jhs at berklix.com Tue May 21 12:43:41 2013 From: jhs at berklix.com (Julian H. Stacey) Date: Tue, 21 May 2013 12:43:41 +0200 Subject: Total Newbie Can't Unpack Tar Ball on AIX In-Reply-To: Your message "Mon, 20 May 2013 16:57:15 EDT." Message-ID: <201305211043.r4LAhfR3066867@fire.js.berklix.net> Hi, Please post plain text not HTML see below for help Reference: > From: Bettina Huber > Date: Mon, 20 May 2013 16:57:15 -0400 > Message-id: Bettina Huber wrote: > --===============1372097368== > Content-Type: text/html; charset="US-ASCII" > > Been told I now have to use this to develop > keys and sign a file that gets ftp'd to the bank.  We do not need > to encrypt the file.  Have read some of the documentation, but understand > very little of it - I can do basic commands, but nothing fancy, and have > simply not heard of most of the terminology thrown around there.  I > figured I'd do it one step at a time and eventually get it. >
>
I downloaded 2.0 and it is now in my > /usr/local/bin directory.  The directory location was a total guess > - can't find any documentation saying where it should go.  We run > AIX 6.1.   >
>
File name is:   gnupg-2.0.20.tar-1.bz2 >
>
Command used to unpack:   tar xvjf > gnupg-2.0.20.tar.bz2 >
>
This errored out.  Not with a specific > error message, but with the "you're not using the command properly" > type message, below: >
>
 tar xvjf gnupg-2.0.20.tar.bz2 >
Usage: tar -{c|r|t|u|x} [ -BdDEFhilmopRUsvwZ > ] [ -Number ] [ -f TarFil e ] >
           [ > -b Blocks ] [ -S [ Feet ] | [ Feet at Density ] | [ Blocksb ] ] >
           [ > -L InputList ] [-X ExcludeFile] [ -N Blocks ] [ -C Directory ] File ... >
Usage: tar {c|r|t|u|x} [ bBdDEfFhilLXmNopRsSUvwZ[0-9] > ] ] >
           [ > Blocks ] [ TarFile ] [ InputList ] [ ExcludeFile ] >
           [ > [ Feet ] | [ Feet at Density ] | [ Blocksb ] ] [-C Directory ] File ... >
>
This appears to be the correct command, > because I've seen it in several places in my research.  But I can't > do anything until I get this worked out.  I was hoping this would > pretty simple - install (which, frankly, I don't see any info on how to > do, either), generate keys, export key to bank, voila.  Boy, was I > wrong. >
>
Thanks a lot. >
>
>
> 
NOTICE:  This e-mail message and any attachments hereto, together with all other electronic or voice communications 

As you are a company call a consultant :-) Or ...

tar command varies from one Unix to another,
j parameter is to specify to unpack bz2,
but j may not be recognised,
to see if j is supported by your tar, type & read 
	man tar
if not supported either install a better tar, or easier:
	bzip2 -d gnupg-2.0.20.tar.bz2

then next problem:
I presume what you downloaded is sources, so you will need to compile
them first.

After you understand man tar do this
	mkdir gnupg-2.0.20
	cd gnupg-2.0.20
	tar xvf ../gnupg-2.0.20.tar

Then as always, one of the file names beginning with a capital
letter 
	ls [A-Z]*
will tell you how to build & install binaries
read
	README
	INSTALL 

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.


From peter at digitalbrains.com  Tue May 21 13:02:17 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 21 May 2013 13:02:17 +0200
Subject: Total Newbie Can't Unpack Tar Ball on AIX
In-Reply-To: <201305211043.r4LAhfR3066867@fire.js.berklix.net>
References: <201305211043.r4LAhfR3066867@fire.js.berklix.net>
Message-ID: <519B5439.2080303@digitalbrains.com>

On 21/05/13 12:43, Julian H. Stacey wrote:
> then next problem:
> I presume what you downloaded is sources, so you will need to compile
> them first.

If somebody has a link to binaries for AIX, that might be a much shorter route
to a working GnuPG. Unfortunately I can't provide such a link.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From kiblema at gmail.com  Tue May 21 13:43:37 2013
From: kiblema at gmail.com (Lema KB)
Date: Tue, 21 May 2013 13:43:37 +0200
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: 
References: 
 <20130517101432.0354a5fd@scorpio>
 
Message-ID: 

hi Henry,

i followed your suggestions, i tried to open kleopatra under another
username (using runas) on command-line, but it doesn't open it. i wrote the
exact path to kleopatra.

i tried also gpg2 --list-keys, didn't help. i can't write pause, where i
shoul. i am not using BAT-file, i am directly running gpg in pub folder of
GnuPG4win.

but what i could do is, to generate keys under this another username. but
the window at the end disappears.
under my own username i can open kleopatar, which is in main folder GnuPG.
but under another user it doesn't.


pls help asap,
thanks in advance




On Tue, May 21, 2013 at 10:48 AM, Lema KB  wrote:

> thanks for your replies
>
> i do have gnupg4win-2.1.0.exe.
>
> i wanted just to pen this Kleopatra.exe under another user (on cmd using
> runas command) to see the list of keys. but it says it's missing
> libkleo.dll file. but it opens from start-menu.
>
> where i find this file, or what does it mean?
>
> thanks in advance
>
>
> On Fri, May 17, 2013 at 4:14 PM, Jerry  wrote:
>
>> On Fri, 17 May 2013 14:57:53 +0200
>> Lema KB articulated:
>>
>> > hi all
>> >
>> > I have to generate a key-pair using another user-account (which is
>> > given right in local security settings to log on as a batch job) and
>> > export its public key.
>> >
>> > i did generate on windows cmd, but after i taped the passphrase, cmd
>> > window just dissappeared. and if i type to list keys, a window
>> > appears and closes immediately, so fast that i can't read what it
>> > writes.
>> >
>> > What would you suggest, ho can i see what it did and which keys it has
>> > under this another user?
>> >
>> > Any of your help is appreciated, thanks in advance.
>> > kiblema
>>
>> I don't know if this will work, but have you tried:
>>
>>         script -k  
>>
>> --
>> Jerry ?
>>
>> Disclaimer: off-list followups get on-list replies or get ignored.
>> Please do not ignore the Reply-To header.
>> __________________________________________________________________
>>
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From exaikt+xfzy at gmail.com  Tue May 21 13:52:28 2013
From: exaikt+xfzy at gmail.com (exaikt+xfzy at gmail.com)
Date: Tue, 21 May 2013 13:52:28 +0200
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: 
References: 
 <20130517101432.0354a5fd@scorpio>
 
 
Message-ID: 

Am 21.05.2013 13:43, schrieb Lema KB:

> but what i could do is, to generate keys under this another username.
> but the window at the end disappears.

You want to start cmd.exe first, cd to where you need to be and then do 
your commands. Otherwise you won't see error messages in case of errors.


From exaikt+xfzy at gmail.com  Tue May 21 14:27:28 2013
From: exaikt+xfzy at gmail.com (exaikt+xfzy at gmail.com)
Date: Tue, 21 May 2013 14:27:28 +0200
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: 
References: 
 <20130517101432.0354a5fd@scorpio>
 
 
 
 
 
Message-ID: 

Am 21.05.2013 14:05, schrieb Lema KB:

> C:Program Files (x86)GNUGnuPGpubrunas /user:domainbatchuser
> "C:Program Files (x86)GNUGnuPGpubgpg2 --gen-key"
>
> it opens another batch-window and does generate it there, but it
> closes itself after giving passphrase.

First start a sheer cmd.exe via runas, then use this new cmd window for 
your gpg commands.


From hhhobbit at securemecca.net  Tue May 21 15:59:34 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 21 May 2013 13:59:34 +0000
Subject: Total Newbie Can't Unpack Tar Ball on AIX
In-Reply-To: 
References: 
Message-ID: <519B7DC6.8060207@securemecca.net>

On 05/20/2013 08:57 PM, Bettina Huber wrote:
> Been told I now have to use this to develop keys and sign a file that gets ftp'd 
> to the bank.  We do not need to encrypt the file.  Have read some of the 
> documentation, but understand very little of it - I can do basic commands, but 
> nothing fancy, and have simply not heard of most of the terminology thrown 
> around there.  I figured I'd do it one step at a time and eventually get it.
> 
> I downloaded 2.0 and it is now in my /usr/local/bin directory.  The directory 
> location was a total guess - can't find any documentation saying where it should 
> go.  We run AIX 6.1.

This is probably just the source code and if it is then
it should be put into the /usr/local/src folder.

> File name is:   gnupg-2.0.20.tar.bz2
> 
> Command used to unpack:   tar xvjf gnupg-2.0.20.tar.bz2

YOU HAVE YOUR WORK CUT OUT FOR YOU!  I think you are
also going to need a RNG (Random Number Generator)
on AIX.  You may want to sign it on some other system
other than AIX?  I am suggesting this is the EASY way
to do it.  It is the way I would do it and I am a very
good sysadmin.

Usually, I use a "-" in front of the options but unless
AIX has provided support for bzip2 you don't have it.  The
"x" stands for extract, the "v" means verbose, the "j' means
bzip2, and the 'f' means the file is specified next. If
you have man pages set up a "man tar" will give you all
of the options.  To find if you have bzip2, in a terminal
type:

which bzip2
which bunzip2

If you get nothing back then bzip2 isn't on your system.
perzl.org has provided lots of things, but no updates to
gnupg since 2.0.13.  But that does handle your needs and
is available in binary form.  Just remember you may still
have to set up a RNG (Random Number Generator).

http://www.perzl.org/aix/index.php?n=Updates.Updates-2009
http://www.perzl.org/aix/index.php?n=Main.Gnupg2
http://www.perzl.org/aix/index.php?n=Main.Gcc
http://www.perzl.org/aix/index.php?n=Main.Bzip2

I would advise installing bzip2 but even after it is
installed your tar may not support an integrated bzip2
(the 'j' flag).  In that case the above file could still
be extracted with:

bzip2 -dc gnupg-2.0.20.tar.bz2 | tar -xvf -
# or if you don't need a list:
bzip2 -dc gnupg-2.0.20.tar.bz2 | tar -xf -

bullfreewahre has some things for AIX 5.1:

http://www.bullfreeware.com/index2.php?page=lppaix51

I would go with the bzip2 binary or just zip the folder
with the files using zip or what they can handle.  Then I
would transfer the zipped file to a Linux or protected
Windows system and sign the files there.  Believe me,
it would be far easier to set up your OpenPGP keys
with GnuPG on either Linux or Windows and do it that
way.  Even if you do it from AIX later, you can still
export your keys from Windows or Linux and import them
on AIX.  But setting up GnuPG even from binaries is
NOT trivial on AIX.  Once you have it set up though,
it is just as easy to use GnuPG on AIX as it is on
Windows or Linux.

If you still want to create it from source Here are the
tools you will need at a minimum for making gnupg from
source for AIX:

gcc
automake
autoconf
m4
gettext

If you are a real good sysadmin and still want to go this
way, contact me and I will help as much as I can but
remember that I don't have an AIX system in front of me.
Also, many production AIX systems are not supposed to
have gcc on them because that may violate either company
or country regulations like Sarbanes-Oxley or HIPAA,
I will also take it out of group since it is non-gnupg.
Since AIX probably does not have a RNG you will need to
set that up too.  I think it would actually be easier to
generate your keys on Windows or Linux and tranfer them
to AIX if you MUST sign the file(s) on AIX.  You are
biting off a lot of work to put GnuPG on AIX anyway
and doing it from source is difficult.

But if you still want to create it from source, contact me
personally since most of this is AIX specific and only
incidentally related to GnuPG.  Are you sure the files
must be signed on AIX?  Putting GnuPG on AIX is not
trivial, especially if the binary package doesn't
provide some way to set up a RNG.  OTOH, if the binary
install also sets up the RNG ... go right ahead.

hhhobbit



From MichaelQuigley at TheWay.Org  Tue May 21 16:15:51 2013
From: MichaelQuigley at TheWay.Org (MichaelQuigley at TheWay.Org)
Date: Tue, 21 May 2013 10:15:51 -0400
Subject: Total Newbie Can't Unpack Tar Ball on AIX
In-Reply-To: 
References: 
Message-ID: 

"Gnupg-users"  wrote on 05/21/2013 07:01:25 
AM:

> ----- Message from Peter Lebbing  on Tue, 
> 21 May 2013 13:02:17 +0200 -----
> 
> To:
> 
> "Julian H. Stacey" 
> 
> cc:
> 
> gnupg-users at gnupg.org
> 
> Subject:
> 
> Re: Total Newbie Can't Unpack Tar Ball on AIX
> 
> On 21/05/13 12:43, Julian H. Stacey wrote:
> > then next problem:
> > I presume what you downloaded is sources, so you will need to compile
> > them first.
> 
> If somebody has a link to binaries for AIX, that might be a much shorter 
route
> to a working GnuPG. Unfortunately I can't provide such a link.
> 
> Peter.

Here's a couple links:

http://www.oss4aix.org/download/latest/aix61/

  -- scan down for gnupg-1.4.13-1.aix5.1.ppc.rpm

http://www.perzl.org/aix/index.php?n=Main.Gnupg

  should be able to download the same file

HTH -- Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From hhhobbit at securemecca.net  Tue May 21 18:28:13 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 21 May 2013 16:28:13 +0000
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: 
References: 
 <20130517101432.0354a5fd@scorpio>
 
Message-ID: <519BA09D.5040406@securemecca.net>

On 05/21/2013 08:48 AM, Lema KB wrote:
> thanks for your replies
> 
> i do have gnupg4win-2.1.0.exe.
> 
> i wanted just to pen this Kleopatra.exe under another user (on cmd using
> runas command) to see the list of keys. but it says it's missing
> libkleo.dll file. but it opens from start-menu.
> 
> where i find this file, or what does it mean?
> 
> thanks in advance

They are in:

%ProgramFiles%\GNU\GnuPG\

That is usually (if %SystemDrive% is C:):
C:\Program Files\GNU\GnuPG\

If you need them in the cmd.exe then just add the REAL folder
(don't use %ProgramFiles%) to your PATH.  To do that on Windows 7:

1. Right click on My Computer on desktop and click Properties
2. In the System Properties Windows click on the Advanced tab
3. In the Advanced section click the Environmmnt Variables button
4. Select the PATH (may be Path) variable then click Edit
5. At the of the PATH you add:
   ;C:\Program Files\GNU\GnuPG\
   (if it already has a ";" at the end you only need one
    semi-colon)
6. Save the change and then OK your way back out.

You will probably have to logout and then log back in.
libkleo.dll, kleopatra.exe, gpg2.exe and all the other files
associated with 2.0 are in this folder.  There may be others
but if they are they will be in C;\Windows\system32 which
ia already in the PATH.

I don't have gpg 1.x on Windows.  If I remmber correctly gpg
1.x is also in the same folder.  If so then just typing gpg
on the command line will also work if you have the GnupG version
one.  IOW:

C:\> gpg.exe --list-keys

should list your keys.  If you have gpg2.exe in your PATH,
it should now pop-up Kleopatra to show the keys once
this folder is added to your PATH environment variable:

C:\> gpg2.exe --list-keys

You can always use Windows Explorer or My Computer and ask it
to find gpg.exe or gpg2.exe.  If it finds only one then that is
what you have.  Since you specified gnupg4win-2.1.0.exe there
will be no gpg.exe, just a gpg2.exe.

I leave it as an exercies to you in how to turn off that dumb
hide files misfeature.  While your at it, you may as well set
it to show the entire file name.

hhhobbit



From wk at gnupg.org  Tue May 21 19:06:10 2013
From: wk at gnupg.org (Werner Koch)
Date: Tue, 21 May 2013 19:06:10 +0200
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: <519BA09D.5040406@securemecca.net> (Henry Hertz Hobbit's message
 of "Tue, 21 May 2013 16:28:13 +0000")
References: 
 <20130517101432.0354a5fd@scorpio>
 
 <519BA09D.5040406@securemecca.net>
Message-ID: <87d2sk9sal.fsf@vigenere.g10code.de>

On Tue, 21 May 2013 18:28, hhhobbit at securemecca.net said:

> 5. At the of the PATH you add:
>    ;C:\Program Files\GNU\GnuPG\
>    (if it already has a ";" at the end you only need one
>     semi-colon)

You should not add this but 

    ;C:\Program Files\GNU\GnuPG\pub

so that other software does not accidently pick up binaries or DLLs only
used with GnuPG and software knowing about it.  Note that the Gpg4win
installer does this all for you.

> what you have.  Since you specified gnupg4win-2.1.0.exe there
> will be no gpg.exe, just a gpg2.exe.

Actually there is but it is just an alias for gpg2.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From hhhobbit at securemecca.net  Tue May 21 20:53:23 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 21 May 2013 18:53:23 +0000
Subject: Windows 101 & GPG4WIN
Message-ID: <519BC2A3.3070708@securemecca.net>

All:

I assume anybody who has used Windows for a modicum of time
knows the following:

0. I take an extremely dim view of not setting your Windows
   system up to show the ENTIRE file name, including the
   extension.  I have thousands of malware ending in
   ".pdf.exe".  But it is appropriate for another reason
   which you will see shortly.

1. Using runas on Windows XP is only usefule for starting
   programs that will stay around.  Example, use this
   to start the cmd.exe window to type gpg2 in (GPG does NOT
   usually need elevated UAC privileges):  cmd.exe
   OTOH, if you mean runas in terms of the UAC, Windows 7
   doesn't even have a run command input box.  runas in that
   context means you are right clicking on the executable and
   perhaps giving the command higher privileges via the UAC.
   Actually that is more of a problem with Vista than Windows 7.
   Windows 7 usually just prompts you if you want to say,
   install Firefox in the %ProgramFiles% area.

2. Alternatively, cmd.exe can be started via Start, (All) Programs,
   Accessories, cmd (I think that is the name).  This brings
   up a cmd.exe window which will hang around until you close
   it.  THIS IS WHAT YOU SHOULD BE TYPING gpg2.exe and other
   commands in.

3. When you say batch and Windows to me, I filter out the --batch
   meaning of GnuPG.  I assume you are talking about a BAT file.
   (make this point explicit).  Here is an example:

	http://securemecca.com/public/GnuPG/testsig.txt

   I leave at as an exercise to download this file (and hopefully
   you have set your browser to download it to the desktop).

   Change the name of the file to testsig.bat.  Now you know
   why I advised that you show the entire file name.  The
   added security when you notice the ".pdf.exe" on the end
   of a file is just a bonus.  But there are times you need
   to see the entire file name not to get all fouled up.
   This is one of those times.

   Right click on the testsig.bat file and from the GPG4Win
   menu make a detached signature file of the testsig.bat file.
   The detached signature file will be named testsig.bat.sig.

   Add this to your PATH (and then logout and back in):

	;C:\Program Files\GNU\GnuPG

   Double click on the testsig.bat file on XP (you may need to
   do a runas on Windows Vista (horrors) or Windows 7 (better).
   The "pause" in a BAT file prevents the cmd window that
   has just popped up from disappearing until you tap the
   enter key.  But you could also have typed the gpg2.exe
   command in a cmd.exe window.

4, With GPG4Win 2.x I have never needed anything but the GUI
   tools.  Given how brain damaged cmd.exe is compared to
   something like bash or ksh I much prefer doing it the
   Windows GUI way but it is your choice.

5. If you are talking about this with a second user and automating
   the verify with a batch (*.BAT) file they need their own
   separate key-pair.  Then they need to import your key onto
   their key-ring to verify.  Example using my public key:

	http://securemecca.com/public/GnuPG/testsig.txt
	http://securemecca.com/public/GnuPG/testsig.txt.sig

   You would need my C83946F0 key on the key-servers added to
   yor key-ring and given some sort of trust (suggest only
   local trust), preferably in Kleopatra.

hhhobbit
-- 
Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop
Thinking has been suspended indefinitely
Anybody caught thinking will be immediately shot!


From peter at digitalbrains.com  Tue May 21 21:36:44 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 21 May 2013 21:36:44 +0200
Subject: Windows 101 & GPG4WIN
In-Reply-To: <519BC2A3.3070708@securemecca.net>
References: <519BC2A3.3070708@securemecca.net>
Message-ID: <519BCCCC.3070206@digitalbrains.com>

On 21/05/13 20:53, Henry Hertz Hobbit wrote:
>    Double click on the testsig.bat file on XP (you may need to
>    do a runas on Windows Vista (horrors) or Windows 7 (better).

This file looks just fine to me, but in general I'd caution anyone not to run
commands they do not understand just because some guy on the internetz told them
to do it.

Note that the mail was also not signed, so even if you trust HHH you cannot know
in this case it wasn't an impostor pretending to be HHH.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From jhs at berklix.com  Wed May 22 00:50:15 2013
From: jhs at berklix.com (Julian H. Stacey)
Date: Wed, 22 May 2013 00:50:15 +0200
Subject: Total Newbie Can't Unpack Tar Ball on AIX 
In-Reply-To: Your message "Tue, 21 May 2013 13:59:34 -0000."
 <519B7DC6.8060207@securemecca.net> 
Message-ID: <201305212250.r4LMoFeN088067@fire.js.berklix.net>

Hi,
Reference:
> From:		Henry Hertz Hobbit  
> Reply-to:	hhhobbit at securemecca.net 
> Date:		Tue, 21 May 2013 13:59:34 +0000 

> to do it.  It is the way I would do it and I am a very
> good sysadmin.


I dont know H3 from a bar of soap, but original poster Bettina wrote
"I can do basic commands, but nothing fancy" so she needs easiest help.


> If you are a real good sysadmin and still want to go this

Bettina wrote:
	"Subject:        Re: Total Newbie"
So "If" fails & text beyond too much.

MichaelQuigley at TheWay.Org seems to have best (& inicely concise) suggestion 
for Bettina:
	http://lists.gnupg.org/pipermail/gnupg-users/2013-May/046679.html

As she got dropped off CC line I've restored her.  If she fals off
CC again, she can also follow all answers on web if not subscribed:

http://lists.gnupg.org/pipermail/gnupg-users/2013-May/046671.html

---------
PS Off topic, that 1st URL in chain has chopped content as just HTML,
Maybe postmaster at gnupg.org or webmaster@ should contact postmaster@
or webmaster@ freebsd.org & ask what demime they run in chain for
http://lists.freebsd.org/mailman/listinfo as I don't reall there
empty content pages with just "An HTML attachment was scrubbed...  "
though I may be wrong.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.


From hhhobbit at securemecca.net  Wed May 22 10:20:05 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Wed, 22 May 2013 08:20:05 +0000
Subject: Generating/Exporting under another user-account(Log on as a batch
 job rights)
In-Reply-To: <87d2sk9sal.fsf@vigenere.g10code.de>
References: 
 <20130517101432.0354a5fd@scorpio>
 
 <519BA09D.5040406@securemecca.net> <87d2sk9sal.fsf@vigenere.g10code.de>
Message-ID: <519C7FB5.4040301@securemecca.net>

On 05/21/2013 05:06 PM, Werner Koch wrote:
> On Tue, 21 May 2013 18:28, hhhobbit at securemecca.net said:
> 
>> 5. At the of the PATH you add:
>>    ;C:\Program Files\GNU\GnuPG\
>>    (if it already has a ";" at the end you only need one
>>     semi-colon)
> 
> You should not add this but 
> 
>     ;C:\Program Files\GNU\GnuPG\pub

I stand corrected.  This means NOTHING needs to be
added to the PATH if pub is in the PATH AND if you just
use gpg.exe.  You have both gpg.exe and gpg2.exe in the
pub folder.  One of the commands given to gpg2.exe
attempted to open Kleopatra.  If you want Kleopatra,
use the GUI tools.  You are bound to have a collision
with some of those DLL files in the GnuPG folder sooner
or later.  Yes, I looked at ALL of the DLL file names.

But you don't run the gpg.exe command from the Start -> Run
of Windows XP.  You run it from a command window (cmd.exe)
that is ever present until you close the command window.

You can put a "pause" in a BAT file and that WILL stop
a temporary cmd.exe that was messaged from a double click
on a BAT file from closing.  In my UnixUtil scripts an
echo of a message and then a read does the same thing.
It hangs until you press the Enter key.  But once you
tap Enter, the temporary command window closes and
disappears.

But you can NOT run a command from the Start -> Run of
Windows XP / 2003 Server without the windows immediately
closing once the program or BAT file is finished.  I
thought this was common knowledge for Windows users.
I must be wrong because they took that run feature out
of Windows 7.  On Windows 7 you have no option but to
start a stationary cmd.exe and once that is done this
problem goes away.

Just remember to use gpg.exe in the command window
instead of gpg2.exe if you run into problems.



From mixmaster at remailer.privacy.at  Tue May 21 23:55:15 2013
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria))
Date: Tue, 21 May 2013 23:55:15 +0200 (CEST)
Subject: is there a way to modify the date when signing?
Message-ID: 


Hello,

Is there a way to make a signature cleartext or detached, with the date
modified, erased, or otherwise different then system date?

I would like to sign all my messages and have it appear to be signed on
the Epoch date 1970...unless there is some other default way gnupg 
handles signing date masking.

Thanks



From nobody at remailer.paranoici.org  Wed May 22 00:20:42 2013
From: nobody at remailer.paranoici.org (Anonymous)
Date: Tue, 21 May 2013 22:20:42 +0000 (UTC)
Subject: how to decrypt messages to hidden recipient
Message-ID: <328cf26549890ff1df12c32ce2647315@remailer.paranoici.org>

hello,

I would like to decrypt messages stored in a folder:

folder
1 2 3 4 5...n

All messages are encrypted to hidden recipients.  I have only one key
which I want to be trying to use.  

How can I try to decrypt all the files in the folder trying my
specified secret key?

For instance
for each file in folder
	try to decrypt file with key k
	if decrypted, display
	else, continue





From nobody at dizum.com  Tue May 21 23:51:04 2013
From: nobody at dizum.com (Nomen Nescio)
Date: Tue, 21 May 2013 23:51:04 +0200 (CEST)
Subject: what is a default anonymous key to look like?
Message-ID: <711b6ff9d940a32ccb1528309e234b48@dizum.com>

Hi, I would like to create an "anonymous" key to be posted
or handed out.

I don't want to fill in real name, email, etc.

Is there a way to do this?  Or at least some common default
options for these fields?




From wk at gnupg.org  Wed May 22 11:59:37 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 May 2013 11:59:37 +0200
Subject: is there a way to modify the date when signing?
In-Reply-To:  (Anonymous
 Remailer's message of "Tue, 21 May 2013 23:55:15 +0200 (CEST)")
References: 
Message-ID: <87wqqr8hdi.fsf@vigenere.g10code.de>

On Tue, 21 May 2013 23:55, mixmaster at remailer.privacy.at said:

> I would like to sign all my messages and have it appear to be signed on
> the Epoch date 1970...unless there is some other default way gnupg 

Don't do that; there was no OpenPGP in 1970 and on some systems you may
run into problems.  If you want to use a faked date, better use
2001-01-01 or so.

With newer versions of GnuPG-2 you may use

  --faked-system-time 20010101T000000

alternative use seconds since Epoch.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Wed May 22 12:11:12 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 May 2013 12:11:12 +0200
Subject: Total Newbie Can't Unpack Tar Ball on AIX
In-Reply-To: <201305212250.r4LMoFeN088067@fire.js.berklix.net> (Julian
 H. Stacey's message of "Wed, 22 May 2013 00:50:15 +0200")
References: <201305212250.r4LMoFeN088067@fire.js.berklix.net>
Message-ID: <87sj1f8gu7.fsf@vigenere.g10code.de>

On Wed, 22 May 2013 00:50, jhs at berklix.com said:

> empty content pages with just "An HTML attachment was scrubbed...  "

Well, there should be a link so you don't need to build the URL
yourself.  However, pipermail is so broken that I don't want to invest
any time in fixing this and maintain the patches.  There is just no
easier to install solution than pipermail.  Most use gmane, anyway.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From zece at riseup.net  Wed May 22 10:59:45 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Wed, 22 May 2013 08:59:45 +0000
Subject: Keyring on external encrypted drive
Message-ID: <519C8901.2010308@riseup.net>

Hey fellas!

For the sake of portability I was reading about keeping the keyring on a
removable drive. I searched online but I get other things. Is it
possible to have the keys some other place? How do I tell GnuPG on some
other computer that it should look on the drive, but not copy or move
the contents?


From Dave.Smith at st.com  Wed May 22 12:22:28 2013
From: Dave.Smith at st.com (David Smith)
Date: Wed, 22 May 2013 11:22:28 +0100
Subject: Keyring on external encrypted drive
In-Reply-To: <519C8901.2010308@riseup.net>
References: <519C8901.2010308@riseup.net>
Message-ID: <519C9C64.7020907@st.com>

On 05/22/13 09:59, Zece Anonimescu wrote:
> Hey fellas!
> 
> For the sake of portability I was reading about keeping the keyring on a
> removable drive. I searched online but I get other things. Is it
> possible to have the keys some other place? How do I tell GnuPG on some
> other computer that it should look on the drive, but not copy or move
> the contents?

I think the answer probably depends on which OS you are using.


From pete at heypete.com  Wed May 22 12:49:31 2013
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 22 May 2013 12:49:31 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519C8901.2010308@riseup.net>
References: <519C8901.2010308@riseup.net>
Message-ID: 

On Wed, May 22, 2013 at 10:59 AM, Zece Anonimescu  wrote:
> Hey fellas!
>
> For the sake of portability I was reading about keeping the keyring on a
> removable drive. I searched online but I get other things. Is it
> possible to have the keys some other place? How do I tell GnuPG on some
> other computer that it should look on the drive, but not copy or move
> the contents?

Depending on your exact needs, you may find an OpenPGP smartcard to be
a better choice -- once the private key or keys are loaded onto the
card you can do all the normal operations (e.g. signing, decrypting,
etc.), but the keys cannot be extracted from the card (barring bad
guys with advanced means of disassembling microchips and reading out
their contents). All the private key operations are conducted on-card
and the keys never leave the card. If you need to, you can delete the
keys from the card but you can't access or copy them from the card.

See http://g10code.com/p-card.html for a description of the card. You
can buy it and the appropriate reader from
http://shop.kernelconcepts.de/index.php?cPath=1_26&sort=2a&language=en
. I've had good luck with the SCR-335 reader on both Windows and
several Linux distributions.

-- 
Pete Stephenson


From jhs at berklix.com  Wed May 22 13:45:56 2013
From: jhs at berklix.com (Julian H. Stacey)
Date: Wed, 22 May 2013 13:45:56 +0200
Subject: Total Newbie Can't Unpack Tar Ball on AIX 
In-Reply-To: Your message "Wed, 22 May 2013 12:11:12 +0200."
 <87sj1f8gu7.fsf@vigenere.g10code.de> 
Message-ID: <201305221146.r4MBju09012396@fire.js.berklix.net>

Werner Koch wrote:
> On Wed, 22 May 2013 00:50, jhs at berklix.com said:
> 
> > empty content pages with just "An HTML attachment was scrubbed...  "
> 
> Well, there should be a link so you don't need to build the URL
> yourself.  However, pipermail is so broken that I don't want to invest
> any time in fixing this and maintain the patches.  There is just no
> easier to install solution than pipermail.  Most use gmane, anyway.

OK, I had just thought there was perhaps an easy solution ready to
copy, but I understand about lack of time :-).

In off line mail, Henry wrote more help re. AIX to Bettina,
I searched for a link that info might be incorporated at,
or linked from along with URL from MichaelQuigley & found
	http://gnupg.org/download/supported_systems.en.html

There also is:
  FreeBSD with x86 CPU works fine.

I suggest that extend to:
  
  FreeBSD 
  
  with x86 & amd64 CPUs works fine.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.


From zece at riseup.net  Wed May 22 14:00:31 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Wed, 22 May 2013 12:00:31 +0000
Subject: Keyring on external encrypted drive
In-Reply-To: <519C9C64.7020907@st.com>
References: <519C8901.2010308@riseup.net> <519C9C64.7020907@st.com>
Message-ID: <519CB35F.20004@riseup.net>

David Smith:
> I think the answer probably depends on which OS you are using.

Sorry, I didn't think that's an issue. I alternate between Windows and
Linux boxes. Does that mean there is a solution for Linux and one for
Windows?



From zece at riseup.net  Wed May 22 14:01:10 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Wed, 22 May 2013 12:01:10 +0000
Subject: Keyring on external encrypted drive
In-Reply-To: 
References: <519C8901.2010308@riseup.net>
 
Message-ID: <519CB386.2040205@riseup.net>

Pete Stephenson:
> Depending on your exact needs, you may find an OpenPGP smartcard to be
> a better choice -- once the private key or keys are loaded onto the
> card you can do all the normal operations (e.g. signing, decrypting,
> etc.), but the keys cannot be extracted from the card (barring bad
> guys with advanced means of disassembling microchips and reading out
> their contents). All the private key operations are conducted on-card
> and the keys never leave the card. If you need to, you can delete the
> keys from the card but you can't access or copy them from the card.

Are they pregenerated? Or it's up to me to create and erase them?

> See http://g10code.com/p-card.html for a description of the card. You

Only 2048bits lenght.

> can buy it and the appropriate reader from
> http://shop.kernelconcepts.de/index.php?cPath=1_26&sort=2a&language=en
> . I've had good luck with the SCR-335 reader on both Windows and
> several Linux distributions.

It's sad even this kind of hardware shares the fate of video cards or
wifi sticks. This shouldn't be luck but open drivers and firmware. After
all one can understand Adobe for being such a pain, otherwise people
won't feel a need to buy their product. But for hardware people the game
is so much different because people can't download their products from
warez sites. And hiding the latest tweak is also stupid because there
are patents to protect them.

But thank you for the pointers. And ? priced store is handy.


From rjh at sixdemonbag.org  Wed May 22 14:06:41 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 22 May 2013 08:06:41 -0400
Subject: [PATCH] Allow the user to specify AES256 as well as AES128.
In-Reply-To: <8761yb9xsr.fsf@vigenere.g10code.de>
References: <1369157640-13136-1-git-send-email-kylebutt@gmail.com>
 <1369184890.3501.0.camel@cfw2.gniibe.org>
 <8761yb9xsr.fsf@vigenere.g10code.de>
Message-ID: <519CB4D1.8010400@sixdemonbag.org>

On 5/22/2013 5:19 AM, Werner Koch wrote:
> The weakest link we have in the key protection is the passphrase -
> virtually nobody is able to remember a passphrase with 128 bit entropy
> and 256 bit is well out of scope.

It isn't that we can't memorize passphrases with 128 bits of entropy:
it's that doing so is hard.  I have five separate passphrases with 128
bits of entropy (16 bytes from /dev/urandom piped through a Base64
encoder) which I'm required to use for various reasons.  Keeping track
of them all is difficult and the every-six-months password change policy
is enough to make me fume with anger, but... it's certainly *possible*.

Frustrating, though, definitely.




From wk at gnupg.org  Wed May 22 17:34:58 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 May 2013 17:34:58 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519CB386.2040205@riseup.net> (Zece Anonimescu's message of "Wed, 
 22 May 2013 12:01:10 +0000")
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net>
Message-ID: <87mwrn6na5.fsf@vigenere.g10code.de>

On Wed, 22 May 2013 14:01, zece at riseup.net said:

> Are they pregenerated? Or it's up to me to create and erase them?

You have to create them or load them onto the card.  There are several
HOWTOs.

> Only 2048bits lenght.

The current versions as distributed by kernelconcepts actually support
switching to at least 1024, 2048, 3072 and 4096 bit.  For 4096 bit you
should use the latest GnuPG version, though.

> It's sad even this kind of hardware shares the fate of video cards or
> wifi sticks. This shouldn't be luck but open drivers and firmware. After

Actually not, all the SCM reader I have seen work pretty well using our
own free software drivers.  The technical support has always been
responsive and helpful.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From ndk.clanbo at gmail.com  Wed May 22 22:08:27 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Wed, 22 May 2013 22:08:27 +0200
Subject: Rewinding signature counter
Message-ID: <519D25BB.9020003@gmail.com>

Hello.

If, recovering from a backup, I "rewind" the signature counter on my
master key, what happens?

In other words: is it just "decorative" (like knowing 'more or less' how
many signatures I did) or it serves some purpose I (yet) don't understand?

That would impact heavily the backup policy...

Tks,
 Diego.


From pete at heypete.com  Wed May 22 22:14:53 2013
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 22 May 2013 22:14:53 +0200
Subject: Rewinding signature counter
In-Reply-To: <519D25BB.9020003@gmail.com>
References: <519D25BB.9020003@gmail.com>
Message-ID: <519D273D.6050809@heypete.com>

On 5/22/2013 10:08 PM, NdK wrote:
> Hello.
> 
> If, recovering from a backup, I "rewind" the signature counter on my
> master key, what happens?
> 
> In other words: is it just "decorative" (like knowing 'more or less' how
> many signatures I did) or it serves some purpose I (yet) don't understand?
> 
> That would impact heavily the backup policy...

I presume you're referring to the signature counter on the OpenPGP
smartcards.

As far as I understand it the counter is purely for informational
purposes -- it might be useful for a person or organization who needs to
keep track of signatures for audit purposes, for example.


From nobody at remailer.paranoici.org  Thu May 23 02:34:43 2013
From: nobody at remailer.paranoici.org (Anonymous)
Date: Thu, 23 May 2013 00:34:43 +0000 (UTC)
Subject: is there a way to modify the date when signing?
References: 	
 <87wqqr8hdi.fsf@vigenere.g10code.de>
Message-ID: <6de964e56599b5a17ac17ea800ae7582@remailer.paranoici.org>


On Wed, 22 May 2013 11:59:37 +0200
Werner Koch  wrote:

> On Tue, 21 May 2013 23:55, mixmaster at remailer.privacy.at said:
>   
> > I would like to sign all my messages and have it appear to be
> > signed on the Epoch date 1970...unless there is some other default
> > way gnupg   
> 
> Don't do that; there was no OpenPGP in 1970 and on some systems you
> may run into problems.  If you want to use a faked date, better use
> 2001-01-01 or so.
> 
> With newer versions of GnuPG-2 you may use
> 
>   --faked-system-time 20010101T000000
> 
> alternative use seconds since Epoch.
>   

This is not working on my gnupg 2.0.20 or 2.0.19.  invalid option error.
I don't know what version I should be using, because the man page
option --try-secret-key also gives an error.  It does show the option
in my man page.



From zece at riseup.net  Thu May 23 12:17:15 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Thu, 23 May 2013 10:17:15 +0000
Subject: Keyring on external encrypted drive
In-Reply-To: <87mwrn6na5.fsf@vigenere.g10code.de>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
Message-ID: <519DECAB.9000107@riseup.net>

Werner Koch:
> The current versions as distributed by kernelconcepts actually support
> switching to at least 1024, 2048, 3072 and 4096 bit.  For 4096 bit you
> should use the latest GnuPG version, though.

That's wonderful news.

But I recall that both on Fedora and Debian I had trouble using GnuPG
2.x and I went back to 1.x. When I want to use a key, GnuPG pops up a
window that works only with the keyboard. And for strong key protection
I use long generated strings that I keep in a KeePass or KeePassX
wallet. Either with KeePass way of entering data, or by copy and paste I
was unable to feed the beast my 64 char string of random letters,
numbers and signs. And doing that by hand sure takes the fun out of it.

> Actually not, all the SCM reader I have seen work pretty well using our
> own free software drivers.  The technical support has always been
> responsive and helpful.

That's excellent! I am going to write down the name SCM. I know it's
unfair, but I started to default that hardware manufacturers default on
the opaque side. And that's not an issue exclusive to the Linux crowd.
Buying a nice scaner that boldly prints "XP drivers" while having
problems with previous versions is bad. Finding out a few years later
that nobody gives a fuck about drivers for 7 is even worse. Talking
about hardware that doesn't even bother to break in order to throw it
away and searching for something new.


From zece at riseup.net  Thu May 23 12:49:39 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Thu, 23 May 2013 10:49:39 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
Message-ID: <519DF443.6080206@riseup.net>

Back in the days of PGP I generated quite a few keys. And toyed with
them as well. In time I discovered that people won't bother returning
the courtesy of signing. That people would rather make you read your
message over the phone than decrypt anything. And that a chain is a
strong as the weakest link so once encryption becomes spread is going to
be pretty useless.

I'm redescovering encryption from another point of view, the one of the
single user. As long as I do care about the data and I'm the sole user I
can employ whatever code I deem useful to make my data unreadable for a
third party, as long as the data does not leave my computer. Now I'm the
weakest link and I have no one to blame. Which is good. And along the
way I picked the anonymity concept. While in the real life that used to
be a given, same online there was no such thing. And I discover there
can be anonymity online. And that best code breakers use rubber hose
cryptography. So plausible deniability is something for a divorce trial.

That leads to the idea that having the cryptographic keys and signature
of one Emmanuel Goldstein instantly makes you Emmanuel Goldstein beyond
the proof of any photo ID telling another story.

So may I ask you why are you using the GPG keys?


From peter at digitalbrains.com  Thu May 23 13:29:44 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 23 May 2013 13:29:44 +0200
Subject: Bug preventing recent gpg4win from running on Chinese Windows XP?
In-Reply-To: <000301ce46cf$32b461e0$981d25a0$@com.tw>
References: <000301ce46cf$32b461e0$981d25a0$@com.tw>
Message-ID: <519DFDA8.9010505@digitalbrains.com>

On 02/05/13 02:51, ?????-??? wrote:
> I believe I downloaded this version "gpg4win-1.1.4.exe	17-Feb-2009 17:46
> 9.5M " . It is a little bit old but I have a hard time to install newer
> version on my windows XP SP3. It simplely doesn?t work on my windows XP. I
> googled it . Some people said , it is not compatible with windows XP SP3
> Chinese system. That is why I only install the older version of gpg4win.

Are the developers aware of a bug preventing use of recent gpg4win on a Chinese
Windows XP system? At a glance, it would appear to be something that ought to be
fixed. China isn't a tiny country either :).

I do appreciate that some bugs are too complicated to just go ahead and fix,
which is why I phrase it as I do.

The only relevant thing a quick Google turned up for me is a Kleopatra bug
report[1], where there even was very recent activity: a message dated 15 March:

> This issue should be resolved with current Kleopatra (From KDE 4.10.3) which
> will be released this week with a Gpg4win 2.1.1-beta version. @shi shou: Can
> you test it please if your problem is gone with this new version?

Peter.

[1] http://wald.intevation.org/tracker/index.php?func=detail&aid=1099&group_id
-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From wk at gnupg.org  Thu May 23 16:18:36 2013
From: wk at gnupg.org (Werner Koch)
Date: Thu, 23 May 2013 16:18:36 +0200
Subject: is there a way to modify the date when signing?
In-Reply-To: <6de964e56599b5a17ac17ea800ae7582@remailer.paranoici.org>
 (Anonymous's message of "Thu, 23 May 2013 00:34:43 +0000 (UTC)")
References: 
 <87wqqr8hdi.fsf@vigenere.g10code.de>
 <6de964e56599b5a17ac17ea800ae7582@remailer.paranoici.org>
Message-ID: <87k3mp6apv.fsf@vigenere.g10code.de>

On Thu, 23 May 2013 02:34, nobody at remailer.paranoici.org said:

> This is not working on my gnupg 2.0.20 or 2.0.19.  invalid option error.

It is quite possible that this only works in 2.1.  Thus you need to
resort to tools like datefudge


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Thu May 23 16:23:59 2013
From: wk at gnupg.org (Werner Koch)
Date: Thu, 23 May 2013 16:23:59 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519DECAB.9000107@riseup.net> (Zece Anonimescu's message of "Thu, 
 23 May 2013 10:17:15 +0000")
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net>
Message-ID: <87fvxd6agw.fsf@vigenere.g10code.de>

On Thu, 23 May 2013 12:17, zece at riseup.net said:

> But I recall that both on Fedora and Debian I had trouble using GnuPG
> 2.x and I went back to 1.x. When I want to use a key, GnuPG pops up a

That most likely reason is that you use gnome and gnome-keyring pretends
to be gpg-agent.  You can change the configuration of gnome-keyring to
not emulate gpg-agent.

> wallet. Either with KeePass way of entering data, or by copy and paste I
> was unable to feed the beast my 64 char string of random letters,
> numbers and signs. And doing that by hand sure takes the fun out of it.

In another thread I just mentioned this pseudo-security behaviour.  Even
the most trivial keylogger will then be able to sniff your passphrase.
But well, keyloggers are not trivial anymore, thus you are doomed
anyway.



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Thu May 23 16:27:58 2013
From: wk at gnupg.org (Werner Koch)
Date: Thu, 23 May 2013 16:27:58 +0200
Subject: Bug preventing recent gpg4win from running on Chinese Windows XP?
In-Reply-To: <519DFDA8.9010505@digitalbrains.com> (Peter Lebbing's message of
 "Thu, 23 May 2013 13:29:44 +0200")
References: <000301ce46cf$32b461e0$981d25a0$@com.tw>
 <519DFDA8.9010505@digitalbrains.com>
Message-ID: <87bo816aa9.fsf@vigenere.g10code.de>

On Thu, 23 May 2013 13:29, peter at digitalbrains.com said:

> Are the developers aware of a bug preventing use of recent gpg4win on a Chinese
> Windows XP system? At a glance, it would appear to be something that

Yeah, there is a KDE problem.  AFAIK, GPA works fine.

>> This issue should be resolved with current Kleopatra (From KDE 4.10.3) which
>> will be released this week with a Gpg4win 2.1.1-beta version. @shi shou: Can

Meanwhile it has been release (-beta197).  I would love to read a status
report on whether this bug has been fixed.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From zece at riseup.net  Thu May 23 17:37:53 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Thu, 23 May 2013 15:37:53 +0000
Subject: Keyring on external encrypted drive
In-Reply-To: <87fvxd6agw.fsf@vigenere.g10code.de>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
Message-ID: <519E37D1.8080801@riseup.net>

Werner Koch:
> That most likely reason is that you use gnome and gnome-keyring pretends
> to be gpg-agent.  You can change the configuration of gnome-keyring to
> not emulate gpg-agent.

Wrote that down. I'll do it next time.

> In another thread I just mentioned this pseudo-security behaviour.  Even
> the most trivial keylogger will then be able to sniff your passphrase.
> But well, keyloggers are not trivial anymore, thus you are doomed
> anyway.

Sorry for being thick. But when it comes to security and cryptography
one must be certain of understanding things. Do you mean that in
relation with KeePass? Because once a keylogger is installed the only
protection I see is detect it and remove it before it starts sending out
data. Or with gnome-keyring?

Anyway, would a onscreen keyboard would help against a keylogger?



From ndk.clanbo at gmail.com  Thu May 23 17:59:47 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Thu, 23 May 2013 17:59:47 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519E37D1.8080801@riseup.net>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
 <519E37D1.8080801@riseup.net>
Message-ID: <519E3CF3.3050404@gmail.com>

Il 23/05/2013 17:37, Zece Anonimescu ha scritto:

> Anyway, would a onscreen keyboard would help against a keylogger?
Nope. I heard of keyloggers that take a snapshot of the screen at click
time. If you are so concerned about security, use a smartcard inserted
in a reader w/ pinpad -- but I don't know if such a reader will work
with OpenPgpCard.
And even then, you'd need a patched card that accepts a single PSO for
every PIN entry...

BYtE,
 Diego.



From pete at heypete.com  Thu May 23 18:22:13 2013
From: pete at heypete.com (Pete Stephenson)
Date: Thu, 23 May 2013 18:22:13 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519E3CF3.3050404@gmail.com>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
 <519E37D1.8080801@riseup.net> <519E3CF3.3050404@gmail.com>
Message-ID: 

On Thu, May 23, 2013 at 5:59 PM, NdK  wrote:
> Il 23/05/2013 17:37, Zece Anonimescu ha scritto:
>
>> Anyway, would a onscreen keyboard would help against a keylogger?
> Nope. I heard of keyloggers that take a snapshot of the screen at click
> time. If you are so concerned about security, use a smartcard inserted
> in a reader w/ pinpad -- but I don't know if such a reader will work
> with OpenPgpCard.

The card reader + pinpad sold at
http://shop.kernelconcepts.de/product_info.php?cPath=1_26&products_id=61
claims to be supported with GnuPG >1.4.0 so it should work fine.

> And even then, you'd need a patched card that accepts a single PSO for
> every PIN entry...

The standard OpenPGP smartcard has an option that, when enabled,
prompts for a PIN for every signature. It's probably a useful thing to
enable. It does not have an option (as far as I know, please correct
me if I'm wrong) to prompt for a PIN for every decryption operation.

-- 
Pete Stephenson


From ndk.clanbo at gmail.com  Thu May 23 20:25:24 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Thu, 23 May 2013 20:25:24 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: 
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
 <519E37D1.8080801@riseup.net> <519E3CF3.3050404@gmail.com>
 
Message-ID: <519E5F14.50000@gmail.com>

Il 23/05/2013 18:22, Pete Stephenson ha scritto:

> The card reader + pinpad sold at
> http://shop.kernelconcepts.de/product_info.php?cPath=1_26&products_id=61
> claims to be supported with GnuPG >1.4.0 so it should work fine.
...as long your passphrase is numeric-only.

[OT] *great* support page: the links to the manufacturer expose the PHP
code! :)

>> And even then, you'd need a patched card that accepts a single PSO for
>> every PIN entry...
> The standard OpenPGP smartcard has an option that, when enabled,
> prompts for a PIN for every signature. It's probably a useful thing to
> enable.
Really useful, IMVHO. Unless you have to sign *a lot* of things...

> It does not have an option (as far as I know, please correct
> me if I'm wrong) to prompt for a PIN for every decryption operation.
That would probably be way less useful: once authenticated you want to
be able to read all your mails, or to stay authenticated while you
change the page you're browsing.

BYtE,
 Diego.


From peter at digitalbrains.com  Thu May 23 20:43:28 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 23 May 2013 20:43:28 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519E5F14.50000@gmail.com>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
 <519E37D1.8080801@riseup.net> <519E3CF3.3050404@gmail.com>
 
 <519E5F14.50000@gmail.com>
Message-ID: <519E6350.7060205@digitalbrains.com>

On 23/05/13 20:25, NdK wrote:
> Really useful, IMVHO. Unless you have to sign *a lot* of things...

Werner Koch does not agree it's a security feature (and I suppose that's why you
think it's useful), as he said in this[1] thread:

> In any case it is not a security measure because the host may simply
> cache the PIN and and silently do a verify command before each sign
> operation.  To avoid that simple workaround, a pinpad reader which
> filters the VERIFY command would be needed.

Peter.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046051.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From ndk.clanbo at gmail.com  Thu May 23 21:18:40 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Thu, 23 May 2013 21:18:40 +0200
Subject: Keyring on external encrypted drive
In-Reply-To: <519E6350.7060205@digitalbrains.com>
References: <519C8901.2010308@riseup.net>
 
 <519CB386.2040205@riseup.net> <87mwrn6na5.fsf@vigenere.g10code.de>
 <519DECAB.9000107@riseup.net> <87fvxd6agw.fsf@vigenere.g10code.de>
 <519E37D1.8080801@riseup.net> <519E3CF3.3050404@gmail.com>
 
 <519E5F14.50000@gmail.com> <519E6350.7060205@digitalbrains.com>
Message-ID: <519E6B90.8070408@gmail.com>

Il 23/05/2013 20:43, Peter Lebbing ha scritto:

>> Really useful, IMVHO. Unless you have to sign *a lot* of things...
> Werner Koch does not agree it's a security feature (and I suppose that's why you
> think it's useful), as he said in this[1] thread:
> [1] http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046051.html

Similar threads appeared on OpenSC ML too.
That's why I was investigating a "port" of OpenPGPCarf to Yubico token
(that offers a button that can be read by the Java code -- too bad it
requires a library available from NXP only under strict NDA :(

A less robust (against invasive attacks) option could be the GNUK token.

>> In any case it is not a security measure because the host may simply
>> cache the PIN and and silently do a verify command before each sign
>> operation.  To avoid that simple workaround, a pinpad reader which
>> filters the VERIFY command would be needed.
The host may cache it only if it ever sees it :)
There exists cards with button and display: having an OOB bidirectional
channel can give much more security...

Another option could be a HOTP code instead of a static PIN (maybe I'll
include this in MyPGPid :) ).

BYtE,
 Diego.


From rjh at sixdemonbag.org  Thu May 23 23:24:56 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 23 May 2013 17:24:56 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <519DF443.6080206@riseup.net>
References: <519DF443.6080206@riseup.net>
Message-ID: <519E8928.6040103@sixdemonbag.org>

On 05/23/2013 06:49 AM, Zece Anonimescu wrote:
> And that best code breakers use rubber hose cryptography.

Rubber-hose cryptanalysis tips your target off to the fact their
communications have been cracked.  If I beat your passphrase out of you,
thirty seconds after I let you go you'll have alerted your friends and
generated a new keypair.

If I were breaking crypto, I would do everything I could to keep you
from discovering I was reading your traffic.  This would preclude such
methods.

> So plausible deniability is something for a divorce trial.

Not even then.  "Plausible deniability" is a myth, an ephemera.  One
person may believe your denials; another may not.  Whether they believe
you will have much more to do with how honest you've been the rest of
the time than with the particulars of cryptography you're using.  The
jury isn't going to be technically skilled.  Rather than evaluate
technology in a dry and strictly logical sense, they're going to look at
your performance on the witness stand and, from that, decide whether to
believe your denials.

> So may I ask you why are you using the GPG keys?

I'm not, save for package authentication on Linux-based systems.

This is something I wrote for PGP-Basics a few weeks ago.  It's bleak
and depressing, but I believe it's an accurate picture of where things
currently stand:


				* * * * *


Email is dying and has been for years.  Ask a college student today what
he or she thinks of email and you'll get told it's an antiquated
technology that their parents insist on still using.  The mean age of
habitual users of email keeps rising.  When it comes to technology and
demographics, a shrinking userbase that keeps rising in mean age is
about as bad as it gets.

So, why is it shrinking?

The first generation of internet protocols -- email being one of them,
since email is considerably older than TCP/IP -- were devoted to
creating commodity infrastructure.  Everyone was connected to everyone
else, information would flow like a mighty river, the huddled masses
would be freed from the chains of corporate control of data, and so on.

It was a great dream.  The only problem was it was horrifically naive.
The exact same things led to the internet turning into an open sewer.  A
lot of people, when looking at the anarchic free-for-all of the internet
and what's come as a result of it, are of the opinion that if this is
progress they'd like to go back.  (I don't have any children, but if I
did I might be one of these techno-Luddites.  Reading the comments on
any YouTube video will likely convince you of the truth of John
Gabriel's Greater Internet F*ckwad Theory [1].)

I maintain that people are not flocking to walled gardens because
they're dumb, or ill-informed, or anything else like that.  They're
flocking to walled gardens because the garden-keepers are promising "we
will have none of that here."  Those who keep the garden can see you and
what you're doing, they can kick you out of the garden if you misbehave,
and it comes at the low, low price of ceding a great deal of social
control to them.

Some years ago someone asked me why I hated Apple so much.  I told them
it was because I couldn't get _Playboy_ on my iPhone.  It's not that I
subscribe to _Playboy_ or even want to subscribe to it, but I want to be
in control of what I read -- I don't want Apple to decide for me what
I'm allowed to read.

My friend was confused.  "So.  Between an unfiltered internet -- which
I've often heard you call an open and festering sewer -- and a highly
filtered internet that leaves a nice environment everyone can play in,
you're going to blame Apple's filters /not letting in crap you don't
even like in the first place?/"

Uh... hrm... I gotta go think about that, y'know.

The moral of the story: maybe the reason why so many people are
embracing privacy-destroying walled gardens isn't because they're
ignorant, but because they have made a rational choice based on what
they see as the downsides of privacy when applied to large groups of
people who all serve as each others' audiences.

Or, less literally but more poetically:



	You talk like a Rosicrucian, who
	will love nothing but a sylph, who does
	not believe in the existence of a sylph,
	and who yet quarrels with the whole
	universe for not containing a sylph.

			-- Thomas Love Peacock, _Nightmare Abbey_





[1] http://www.penny-arcade.com/comic/2004/03/19



From kiblema at gmail.com  Fri May 24 09:56:17 2013
From: kiblema at gmail.com (Lema KB)
Date: Fri, 24 May 2013 09:56:17 +0200
Subject: generate/import/certify key(s) silently on cmd
Message-ID: 

hi all

Could you please help me, how i *silently* generate key-pair, and import
other's public key and then certify this public key on command-line of
windows(cmd.exe)? i mean, setting all as default, and asking only for
key-name and passphrase..

or is it possible to import and certify someones public-key without
generating own key-pair?

thank you in advance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From nobody at dizum.com  Fri May 24 03:14:41 2013
From: nobody at dizum.com (Nomen Nescio)
Date: Fri, 24 May 2013 03:14:41 +0200 (CEST)
Subject: how to decrypt messages to hidden recipient
References: <328cf26549890ff1df12c32ce2647315@remailer.paranoici.org>
Message-ID: 

BUMP please.

I am having issues with the --try-secret-key, it is giving
"invalid command" or something.  

My bash is a bit crappy but I am sure someone on this list can 
tell me the answer in 2 seconds.


gpg --try-secret-key my at gpg.key file

or what?

Thanks



From fritz at spamexpire-201305.rodent.frell.theremailer.net  Fri May 24 05:59:54 2013
From: fritz at spamexpire-201305.rodent.frell.theremailer.net (Fritz Wuehler)
Date: Fri, 24 May 2013 05:59:54 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
Message-ID: 

Zece Anonimescu  wrote:

> 
> I'm redescovering encryption from another point of view, the one of
> the single user. As long as I do care about the data and I'm the sole
> user I can employ whatever code I deem useful to make my data
> unreadable for a third party, as long as the data does not leave my
> computer. Now I'm the weakest link and I have no one to blame. Which
> is good. And along the way I picked the anonymity concept. While in
> the real life that used to be a given, same online there was no such
> thing. And I discover there can be anonymity online. And that best
> code breakers use rubber hose cryptography. So plausible deniability
> is something for a divorce trial.
> 
> That leads to the idea that having the cryptographic keys and
> signature of one Emmanuel Goldstein instantly makes you Emmanuel
> Goldstein beyond the proof of any photo ID telling another story.

No.  keys can be and are stolen.

> 
> So may I ask you why are you using the GPG keys?

Your anonymity, through whichever tool you are using, depends on
cryptographic signatures.  For instance, you seem to be posting from
riseup.net to protect your identity.  *Seem to be.*  But you only know
you are even
connecting to their server via their RSA sigs via their SSL certificate.

And how to verify that?  and so on...

So on some level PGP/GPG or some variation becomes important also for
"anonymity."  Tor, for instance, depends completely on crypto signatures
to function.



From net at janeden.net  Fri May 24 13:00:51 2013
From: net at janeden.net (Jan Eden)
Date: Fri, 24 May 2013 13:00:51 +0200
Subject: Pinentry does not appear when importing keys with gpgsm
Message-ID: <20130524110051.GA22625@uni-koeln.de>

Hi,

using GnuPG 2.0.19 and pinentry 0.8.3, I cannot import certificates with
private keys. There seems to be a problem between gpg-agent and
pinentry (excerpt from gpg-agent.log):

gpg-agent[22502]: chan_8 -> GETINFO pid
gpg-agent[22502]: chan_8 <- D 22503
gpg-agent[22502]: chan_8 <- OK
gpg-agent[22502]: chan_6 -> INQUIRE PINENTRY_LAUNCHED 22503
gpg-agent[22502]: chan_6 <- END
gpg-agent[22502]: chan_8 -> SETDESC Please enter the passphrase to unprotect the PKCS#12 object.
gpg-agent[22502]: chan_8 <- OK
gpg-agent[22502]: chan_8 -> SETPROMPT Passphrase:
gpg-agent[22502]: chan_8 <- OK
gpg-agent[22502]: chan_8 -> [[Confidential data not shown]]
gpg-agent[22502]: chan_8 <- [[Confidential data not shown]]
gpg-agent[22502]: chan_8 -> BYE
2013-05-24 12:40:34 gpg-agent[22502] command get_passphrase failed: Invalid IPC response
gpg-agent[22502]: chan_6 -> ERR 67109124 Invalid IPC response 
gpg-agent[22502]: chan_6 <- [eof]
gpg-agent[22499]: chan_6 <- [eof]

This is what is displayed in my shell:

gpgsm --import mycert.de.p12 
gpg-agent[22499]: enabled debug flags: command mpi crypto memory cache memstat hashing assuan
gpgsm: gpg-agent[22502]: enabled debug flags: command mpi crypto memory cache memstat hashing assuan
gpgsm: gpg-protect-tool: error while asking for the passphrase: Invalid IPC response
gpgsm: error running `/usr/local/libexec/gpg-protect-tool': exit status 2
gpgsm: total number processed: 0

Strangely enough, when generating certificate requests with gpgsm,
pinentry shows up properly, and the certificate request is created. Fom
gpg-agent.log (this is just the last of several pinentry instances):

gpg-agent[22594]: chan_10 -> GETINFO pid
gpg-agent[22594]: chan_10 <- D 22599
gpg-agent[22594]: chan_10 <- OK
gpg-agent[22594]: chan_6 -> INQUIRE PINENTRY_LAUNCHED 22599
gpg-agent[22594]: chan_6 <- END
gpg-agent[22594]: chan_10 -> SETDESC To complete this certificate request please enter the passphrase for the key you just created once more.%0A
gpg-agent[22594]: chan_10 <- OK
gpg-agent[22594]: chan_10 -> SETPROMPT Passphrase:
gpg-agent[22594]: chan_10 <- OK
gpg-agent[22594]: chan_10 -> [[Confidential data not shown]]
gpg-agent[22594]: chan_10 <- [[Confidential data not shown]]
gpg-agent[22594]: chan_10 <- [[Confidential data not shown]]
gpg-agent[22594]: chan_10 -> BYE
2013-05-24 12:52:55 gpg-agent[22594] DBG: agent_put_cache `6828DFFBCE9EB36CC5628D36C876D594C169D73D' requested ttl=0 mode=2
2013-05-24 12:52:55 gpg-agent[22594] DBG: skey: [open]
  [data="private-key"]
  ...

Kind regards,
Jan


From ira.kirschner at sungard.com  Fri May 24 15:27:27 2013
From: ira.kirschner at sungard.com (irak)
Date: Fri, 24 May 2013 06:27:27 -0700 (PDT)
Subject: --textmode not retaining the originating EOR
Message-ID: <1369402047291-30948.post@n7.nabble.com>

I am in the midst of changing my RedHat Linux environment from using PGP to
GPG (1.4.5). When I previously deciphered a client provided ".pgp" file, the
resultant file was CRLF terminated. No matter what I have tried using gpg to
decipher the same file, the resultant file is always LF terminated.

I have tried:
o  gpg --batch --yes --no-mdc-warning --skip-verify --passphrase $PHRASE -o
outfile.txt --textmode -d infile.pgp
o  gpg --batch --yes --no-mdc-warning --skip-verify --passphrase $PHRASE -o
outfile.txt --no-textmode -d infile.pgp
o  gpg --batch --yes --no-mdc-warning --skip-verify --passphrase $PHRASE -o
outfile.txt -t -d infile.pgp

All three of the above resulted in identical files with LF as the EOR. PGP
results in the same file but CRLF as the EOR.

What should I be doing to create a resultant file in the same manner that
the client created it?



--
View this message in context: http://gnupg.10057.n7.nabble.com/textmode-not-retaining-the-originating-EOR-tp30948.html
Sent from the GnuPG - User mailing list archive at Nabble.com.


From ira.kirschner at sungard.com  Fri May 24 15:50:55 2013
From: ira.kirschner at sungard.com (irak)
Date: Fri, 24 May 2013 06:50:55 -0700 (PDT)
Subject: --textmode not retaining the originating EOR
In-Reply-To: <1369402047291-30948.post@n7.nabble.com>
References: <1369402047291-30948.post@n7.nabble.com>
Message-ID: <1369403455847-30949.post@n7.nabble.com>

Update - I have tried this on gpg 2.0.14 and it still doesn't work as I
expect.



--
View this message in context: http://gnupg.10057.n7.nabble.com/textmode-not-retaining-the-originating-EOR-tp30948p30949.html
Sent from the GnuPG - User mailing list archive at Nabble.com.


From vedaal at nym.hush.com  Fri May 24 16:12:06 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 24 May 2013 10:12:06 -0400
Subject: gpg 2.x or gpg 1.x // is there a way to tell which one was used from
 the encrypted file?
In-Reply-To: 
References: 	<20130307063440.934BEA6E43@smtp.hushmail.com>
 
Message-ID: <20130524141206.E302A10E2C8@smtp.hushmail.com>

Assuming one does not use the version line in an armored gnupg encrypted message,
is there a way to tell whether the message was encrypted with gnupg 1.x or 2.x,

(Assume also that the receiver can decrypt the message.)

I tried  --list-packets  with  the highest verbose option,
but no mention of the encrypting version is listed.

TIA,

vedaal



From wk at gnupg.org  Fri May 24 17:09:39 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 May 2013 17:09:39 +0200
Subject: gpg 2.x or gpg 1.x // is there a way to tell which one was used
 from the encrypted file?
In-Reply-To: <20130524141206.E302A10E2C8@smtp.hushmail.com>
 (vedaal@nym.hush.com's message of "Fri, 24 May 2013 10:12:06 -0400")
References: 
 <20130307063440.934BEA6E43@smtp.hushmail.com>
 
 <20130524141206.E302A10E2C8@smtp.hushmail.com>
Message-ID: <8761y84dos.fsf@vigenere.g10code.de>

On Fri, 24 May 2013 16:12, vedaal at nym.hush.com said:

> is there a way to tell whether the message was encrypted with gnupg 1.x or 2.x,


No.  It might be possible to guess a specific version by looking at some
packet details but that would be pretty fragile.  OpenPGP defines what's
on the wire and thus gpg has to conform to that.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From wk at gnupg.org  Fri May 24 17:07:18 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 May 2013 17:07:18 +0200
Subject: --textmode not retaining the originating EOR
In-Reply-To: <1369402047291-30948.post@n7.nabble.com> (irak's message of "Fri, 
 24 May 2013 06:27:27 -0700 (PDT)")
References: <1369402047291-30948.post@n7.nabble.com>
Message-ID: <87a9nk4dso.fsf@vigenere.g10code.de>

On Fri, 24 May 2013 15:27, ira.kirschner at sungard.com said:
> I am in the midst of changing my RedHat Linux environment from using PGP to
> GPG (1.4.5). When I previously deciphered a client provided ".pgp" file, the
> resultant file was CRLF terminated. No matter what I have tried using gpg to
> decipher the same file, the resultant file is always LF terminated.

That is a property of --textmode.  RFC 4880 section 5.9 says this:

   If it is a 't' (0x74), then it contains text data, and thus may need
   line ends converted to local form, or other text-mode changes.  The
   tag 'u' (0x75) means the same as 't', but also indicates that
   implementation believes that the literal data contains UTF-8 text.
   [...]

     - The remainder of the packet is literal data.

       Text data is stored with  text endings (i.e., network-
       normal line endings).  These should be converted to native line
       endings by the receiving software.

> What should I be doing to create a resultant file in the same manner that
> the client created it?

Use binary mode on the sending site (i.e don't use --textmode).  Or
convert it back to CRLF.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From ira.kirschner at sungard.com  Fri May 24 18:49:12 2013
From: ira.kirschner at sungard.com (irak)
Date: Fri, 24 May 2013 09:49:12 -0700 (PDT)
Subject: --textmode not retaining the originating EOR
In-Reply-To: <87a9nk4dso.fsf@vigenere.g10code.de>
References: <1369402047291-30948.post@n7.nabble.com>
 <87a9nk4dso.fsf@vigenere.g10code.de>
Message-ID: <1369414152803-30954.post@n7.nabble.com>

I don't understand your answer. The original encrypted (.pgp) is provided by
a client that transmits the file to me using a binary transmission. On my
Linux server when I previously deciphered the file, it resulted in a file
with CRLF as the EOR. When I use gpg, the result is LF as EOR.

Is there any control over the gpg decipher process that says don't default
to the local EOR but use what was stored in the file?



--
View this message in context: http://gnupg.10057.n7.nabble.com/textmode-not-retaining-the-originating-EOR-tp30948p30954.html
Sent from the GnuPG - User mailing list archive at Nabble.com.


From hhhobbit at securemecca.net  Fri May 24 21:57:35 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Fri, 24 May 2013 19:57:35 +0000
Subject: --textmode not retaining the originating EOR
In-Reply-To: <1369414152803-30954.post@n7.nabble.com>
References: <1369402047291-30948.post@n7.nabble.com>
 <87a9nk4dso.fsf@vigenere.g10code.de> <1369414152803-30954.post@n7.nabble.com>
Message-ID: <519FC62F.3080600@securemecca.net>

On 05/24/2013 04:49 PM, irak wrote:
> I don't understand your answer. The original encrypted (.pgp) is provided by
> a client that transmits the file to me using a binary transmission. On my
> Linux server when I previously deciphered the file, it resulted in a file
> with CRLF as the EOR. When I use gpg, the result is LF as EOR.
> 
> Is there any control over the gpg decipher process that says don't default
> to the local EOR but use what was stored in the file?

NO.  At least I could not find it in the man pages.  My memory
is hazy on this (going back over six years) but it seems like
PGP had an over-ride.  If it did, then it violated the RFC.

Werner is correct.  Do not use --textmode" if you want the
original mode for text files preserved.  The default is
--no-textmode implying that is what should be used if you
want to preserve the EOR of the original files.



From zece at riseup.net  Fri May 24 23:09:40 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Fri, 24 May 2013 21:09:40 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <519E8928.6040103@sixdemonbag.org>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
Message-ID: <519FD714.7060001@riseup.net>

Robert J. Hansen:> Rubber-hose cryptanalysis tips your target off to the
fact their
> communications have been cracked.  If I beat your passphrase out of you,
> thirty seconds after I let you go you'll have alerted your friends and
> generated a new keypair.

That's why there are enough holes in the laws of the so called Western
countries the law can keep you isolated for a long time. And in some
places with ridiculous orders of not using anything like a computer.
After 2001 they started building up laws to keep you as long as they
need. And you are going to be called suspect of terrorism.

> If I were breaking crypto, I would do everything I could to keep you
> from discovering I was reading your traffic.  This would preclude such
> methods.

But that is the romantic legend. If the people monitoring you would like
to make love to you they are going to tell the same story. What I see is
something like the story of Sabu from Lulzsec: make him an agent.

> Not even then.  "Plausible deniability" is a myth, an ephemera.  One
> person may believe your denials; another may not.  Whether they believe
> you will have much more to do with how honest you've been the rest of
> the time than with the particulars of cryptography you're using.  The
> jury isn't going to be technically skilled.  Rather than evaluate
> technology in a dry and strictly logical sense, they're going to look at
> your performance on the witness stand and, from that, decide whether to
> believe your denials.

I was saying the same thing.

>> So may I ask you why are you using the GPG keys?
>
> I'm not, save for package authentication on Linux-based systems.

So the question was not for you.

> This is something I wrote for PGP-Basics a few weeks ago.  It's bleak
> and depressing, but I believe it's an accurate picture of where things
> currently stand:
>
>
> 				* * * * *
>
>
> Email is dying and has been for years.  Ask a college student today what
> he or she thinks of email and you'll get told it's an antiquated
> technology that their parents insist on still using.  The mean age of
> habitual users of email keeps rising.  When it comes to technology and
> demographics, a shrinking userbase that keeps rising in mean age is
> about as bad as it gets.

I don't like the mass media estimates: the next big thing, the yesterday
thing, the dying thing. I thought for a good ten minutes and I could not
find ONE single thing that was how predicted.

Besides, email is not dying. It's plain stupid to support such idea.
Sorry for the bluntness. Back in 1992 a handful of people were using
emails. For serious business they went on Usenet. Today every two bit
service needs an email to authenticate, to change passwords, to send
newsletters, to confirm shipments, invoices, you name it. The trafic is
higher. The users are 1.000 fold. I don't know the size difference. I'm
pulling numbers from a bag. In 1992 it was a way of scamming the postal
service out of their cents for a stamp. Today all the internal papers in
companies of all sizes are sent by mail. Blackberry? That's email too!
Have you got my fax? That's email too!

And even the logic is stupid. How much time for a tech to die? Ten times
its age at the starting point? Gopher is dead. Maybe.

You are just twisting facts to suit your needs. Email might seem old.
But amazon sends the reminders on email. And he'd rather receive a Dear
John by email and not on some public forum.

Anyway, where do you get those averages? Do they have any base? Or is it
more like we went to the campus next door. For the sake of simplicity
we're going to call it a regular campus. Although it isn't. And we
passed flyers at a certain hour. Or better: did some cute poll on our
new AJAX site.

> So, why is it shrinking?

It's growing. So much that Facebook needed to get that too. Thus the man
in the middle attack by showing people an @facebook.com fake email
instead of your real one. To protect the children who aren't alowed to
create an account obviously.

> The first generation of internet protocols -- email being one of them,
> since email is considerably older than TCP/IP -- were devoted to
> creating commodity infrastructure.  Everyone was connected to everyone
> else, information would flow like a mighty river, the huddled masses
> would be freed from the chains of corporate control of data, and so on.

Could you expand on how email was created to ?free from the chains of
corporate control of data??

> It was a great dream.  The only problem was it was horrifically naive.
> The exact same things led to the internet turning into an open sewer.  A
> lot of people, when looking at the anarchic free-for-all of the internet
> and what's come as a result of it, are of the opinion that if this is
> progress they'd like to go back.  (I don't have any children, but if I
> did I might be one of these techno-Luddites.  Reading the comments on
> any YouTube video will likely convince you of the truth of John
> Gabriel's Greater Internet F*ckwad Theory [1].)

Purists call it open sewer. I see it as an almost sterile environment.

The Internet (in the context it should be capitalised) is far from
anarchic. It's rather closer to the world of 1984. And is NOT free for
all. That's momma's boy thinking, not some research.

For getting online one needs an ISP. A computer equiped with whatever
hardware is needed for connecting with the ISP. Time. And powerlines.
That's the very basic. And probably everybody can tell you that. I'd add
a certain level of English. And some computer litteracy. Also at the
very basic level. Maybe in your school district that isn't a problem.
But the world is somehow larger than your end of the World. And while
rich overweight reporters whine about they sent notes to their coleagues
with pen on paper and the kids of today are doing iThings, I'm going to
tell about children who don't get enough minerals. Who don't have access
to clean water. And don't receive vaccines. And they also die of those
problems while stupid white people want to make laws to protect their
precious walking sperm and eggs from the evil of faked autism because of
the same vaccines.

Anarchic? You might be right. There is one anarchism, say Emma Goldman.
And what society at large has been educated to see: the absence of laws,
and strong police intervention, lack of high tech weapons to protect the
lice in Johnny's hair from the dangers of people armed with bows and
arrows on the other side of the Earth.

> I maintain that people are not flocking to walled gardens because
> they're dumb, or ill-informed, or anything else like that.  They're
> flocking to walled gardens because the garden-keepers are promising "we
> will have none of that here."  Those who keep the garden can see you and
> what you're doing, they can kick you out of the garden if you misbehave,
> and it comes at the low, low price of ceding a great deal of social
> control to them.

I'd bet you they are going to those you call them gardens because they
are certain it's not going to be them the one that gets kicked out. Just
the thought would be enough not to join. Do you use any research or is
gut feeling against gut feeling?

> Some years ago someone asked me why I hated Apple so much.  I told them
> it was because I couldn't get _Playboy_ on my iPhone.  It's not that I
> subscribe to _Playboy_ or even want to subscribe to it, but I want to be
> in control of what I read -- I don't want Apple to decide for me what
> I'm allowed to read.
>
> My friend was confused.  "So.  Between an unfiltered internet -- which
> I've often heard you call an open and festering sewer -- and a highly
> filtered internet that leaves a nice environment everyone can play in,
> you're going to blame Apple's filters /not letting in crap you don't
> even like in the first place?/"

So you're the one living in a walled garden. A child swearing is enough
to make an environment rude? It's only a child.

> Uh... hrm... I gotta go think about that, y'know.
>
> The moral of the story: maybe the reason why so many people are
> embracing privacy-destroying walled gardens isn't because they're
> ignorant, but because they have made a rational choice based on what
> they see as the downsides of privacy when applied to large groups of
> people who all serve as each others' audiences.

The rational choice of choosing Twitter after full page ads? Or because
the members of the government are there? The rational choice of ?there's
no equivalent?? And so on.



From zece at riseup.net  Fri May 24 23:12:32 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Fri, 24 May 2013 21:12:32 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: 
References: 
Message-ID: <519FD7C0.3030507@riseup.net>

Fritz Wuehler:
>> That leads to the idea that having the cryptographic keys and
>> signature of one Emmanuel Goldstein instantly makes you Emmanuel
>> Goldstein beyond the proof of any photo ID telling another story.
> No.  keys can be and are stolen.

I wasn't aware of this kind of argument. So if I have the key of EG, I
can walk away free just by saying they're stolen?

>> So may I ask you why are you using the GPG keys?
> 
> Your anonymity, through whichever tool you are using, depends on
> cryptographic signatures.  For instance, you seem to be posting from
> riseup.net to protect your identity.  *Seem to be.*  But you only know
> you are even
> connecting to their server via their RSA sigs via their SSL certificate.
> 
> And how to verify that?  and so on...
> 
> So on some level PGP/GPG or some variation becomes important also for
> "anonymity."  Tor, for instance, depends completely on crypto signatures
> to function.

I am aware of the usage of asymetric keys in daily computing. SSL, TLS,
WPA, and so on. But why are YOU using the GPG keys?



From rjh at sixdemonbag.org  Sat May 25 00:07:49 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 24 May 2013 18:07:49 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <519FD714.7060001@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net>
Message-ID: <519FE4B5.6090909@sixdemonbag.org>

On 5/24/2013 5:09 PM, Zece Anonimescu wrote:
> You are just twisting facts to suit your needs.

And at this point, you just became nasty enough to no longer be worth my
time.  I'll forgive a lot but I do draw a line.  That line gets drawn
where people accuse me of active malfeasance without a shred of
evidence.  That's the lowest form of ad hominem and I will not abide it.



From hhhobbit at securemecca.net  Sat May 25 03:36:27 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Sat, 25 May 2013 01:36:27 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <519FD714.7060001@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net>
Message-ID: <51A0159B.7010703@securemecca.net>

On 05/24/2013 09:09 PM, Zece Anonimescu wrote:
> Robert J. Hansen wrote:




>> This is something I wrote for PGP-Basics a few weeks ago.  It's bleak
>> and depressing, but I believe it's an accurate picture of where things
>> currently stand:


It looks spot on to me.  I cannot get anybody to use OpenPGP
because most don't use email any more and the few that will
still communicate with me via email say they don't need OpenPGP.
I have only one person that will communicate with me regularly
via email any more and he won't use OpenPGP.  He won't purchase
PGP and he stubbornly resists shifting away from Outlook as his
POP email program that he uses.

> Besides, email is not dying. It's plain stupid to support such idea.
> Sorry for the bluntness. Back in 1992 a handful of people were using
> emails. For serious business they went on Usenet. Today every two bit
> service needs an email to authenticate, to change passwords, to send
> newsletters, to confirm shipments, invoices, you name it. The trafic is
> higher. The users are 1.000 fold. I don't know the size difference. I'm
> pulling numbers from a bag. In 1992 it was a way of scamming the postal
> service out of their cents for a stamp. Today all the internal papers in
> companies of all sizes are sent by mail. Blackberry? That's email too!
> Have you got my fax? That's email too!

First, I have been using email and real Unix since the 1970s.
I didn't use email to avoid paying postage.  Mostly I was mailing
Prolog or other programs to others or them to me before 1995.

Second, a fax is not email either from either a transmission or
a legal standpoint.  Instead of being conducted down the
digital Internet TCP/IP highway, faxes are tunneled through telephony
equipment, digital or analog.  It is not legal to use even an
OpenPGP signature on an email as legal tender in a court of law.
But your hand writeen signature on a document that  faxedis legal
tender in the United States and many other countries.

Third, do a search for "PeskySpammer" in either DuckDuckGo.com or
Google.  Initially I was getting as much as a thousand messages
per day before the bounces subsided as more and more mail admins
finally keyed in on my advice on my blog.  Now I get almost no
bounces at all from mail servers.  Most mail systems drop the
spam messages sent directly from a hacked Windows PC machine that
pretend to come from some place else like a hot potato now.

But PeskySpammer's bots got the fake FROM email addresses
accidentally added to their TO lists.  I am still getting as
many as 100 messages per day because I get all of the messages
for users at the securemecca[gnot]com domain.  Others that have
their emsil set up the same way (they are mail admin for the
domain but have no control over the mail server) will be
getting the same thing.  There is so much spam that almost
nobody will answer me any more.  One of the reasons is that they
start a new email address to fight the spam and don't bother to
close down their old email address.  But most people have made
a permanent shift to Facebook or other social web sites so that
if I really need to contact them, I send them a snail-mail
message.  Many times even that is ignored since they monitor
their Facebook or other social service account messages and
that is all..  This doesn't bode well because I neither want
nor need a Facebook account or an account with the myriad of
other social services.

I suspect most people just select and delete all email messages
in their active email account every few weeks or months.  This
does not bode well for the usage of GnuPG.  I cannot get anybody
I know to use OpenPGP.  Even most of the people at SANS and other
people don't use OpenPGP encryption any more.  Maybe we need
a legal threat that says OpenPGP encryption is going to be taken
away from us to get people to use it.  They will use TLS, SSL or
other encryption that is "built-in" but don't even seem to
take that seriously any more.  I don't know what is happening
but I imagine a sociological or psycnhological dissertation
is in the offing because of people's behavior.  It really is
that bizarre now.  Nibiru - I don't know how many people believe
it but it numbers in the millions.



From ndk.clanbo at gmail.com  Sat May 25 10:54:34 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Sat, 25 May 2013 10:54:34 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A0159B.7010703@securemecca.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A0159B.7010703@securemecca.net>
Message-ID: <51A07C4A.9000909@gmail.com>

Il 25/05/2013 03:36, Henry Hertz Hobbit ha scritto:

> I suspect most people just select and delete all email messages
> in their active email account every few weeks or months.  This
> does not bode well for the usage of GnuPG.
Actually it seems the ideal use for OpenPGPCard: once you change DEC
key, you can as well delete all your old (encrypted) mails.

Using a card only to store a key generated on a PC is, IMVHO, plain
nonsense -- and that's why I'm working on MyPGPid: I want to generate my
keys on-card, backup 'em ONLY to other cards, and use a single card (per
identity) while being able to read all my old messages, even if I change
my DEC key once a year (in a test scenario I could store 40 keys on a
72k card, still have to test how many on a 144k one).

PS: for the really paranoid, it's not hard to have a dead-man-switch
against coercition: if you don't connect to some service for enough
time, it uploads a revocation of all your keys to the keyservers so
everyone is alerted that something happened to you.

BYtE,
 Diego.


From zece at riseup.net  Sat May 25 12:29:26 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Sat, 25 May 2013 10:29:26 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A0159B.7010703@securemecca.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A0159B.7010703@securemecca.net>
Message-ID: <51A09286.4090909@riseup.net>

Henry Hertz Hobbit:
> First, I have been using email and real Unix since the 1970s.
> I didn't use email to avoid paying postage.  Mostly I was mailing
> Prolog or other programs to others or them to me before 1995.

You don't have to use email to avoid paying postage. Back in ?those
days? when people used to send letters instead of leaving unrelated
comments to Facebook statuses email wasn't the only mean of
communication. And it isn't today. Yet, today the postal service can
send you an email or SMS each time a parcel is delivered.

> Second, a fax is not email either from either a transmission or
> a legal standpoint.  Instead of being conducted down the
> digital Internet TCP/IP highway, faxes are tunneled through telephony
> equipment, digital or analog.  It is not legal to use even an
> OpenPGP signature on an email as legal tender in a court of law.
> But your hand writeen signature on a document that  faxedis legal
> tender in the United States and many other countries.

Quotation marks would have make a difference. It was a piece of an
imaginary dialogue: to make sure a fax has arrived people do use email.
They could use the phone, but the line can be busy. Well, I hear less
and less the busy signal over the phones. Nowadays the phone has more
lines, which does not enhance the abilities of the person on the other side.

> I suspect most people just select and delete all email messages
> in their active email account every few weeks or months.  This
> does not bode well for the usage of GnuPG.

Hence my initial question: why?



From peter at digitalbrains.com  Sat May 25 14:18:26 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 25 May 2013 14:18:26 +0200
Subject: --textmode not retaining the originating EOR
In-Reply-To: <1369414152803-30954.post@n7.nabble.com>
References: <1369402047291-30948.post@n7.nabble.com>
 <87a9nk4dso.fsf@vigenere.g10code.de> <1369414152803-30954.post@n7.nabble.com>
Message-ID: <51A0AC12.50407@digitalbrains.com>

On 24/05/13 18:49, irak wrote:
> I don't understand your answer.

If I understand correctly, it is the /sender/ who chooses how /you/ will see the
line endings. If they send it using the --textmode switch or the PGP equivalent
option, the .pgp file will be marked to instruct your GnuPG to convert the line
endings to local form, which is just LF. If the sender does not use --textmode
or its equivalent, you will get the EOL's that the original file of the sender
had. If they are using Windows, that will be CR-LF.

> Is there any control over the gpg decipher process that says don't default
> to the local EOR but use what was stored in the file?

I don't think so. HHH mentioned PGP might have this option. The alternative, as
Werner said, is to convert it yourself. As long as the file is consistent in its
line-endings, this shouldn't be a problem.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From pete at heypete.com  Sun May 26 01:29:32 2013
From: pete at heypete.com (Pete Stephenson)
Date: Sun, 26 May 2013 01:29:32 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A07C4A.9000909@gmail.com>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A0159B.7010703@securemecca.net>
 <51A07C4A.9000909@gmail.com>
Message-ID: <51A1495C.8090802@heypete.com>

On 5/25/2013 10:54 AM, NdK wrote:
> Using a card only to store a key generated on a PC is, IMVHO, plain
> nonsense -- and that's why I'm working on MyPGPid: I want to generate my
> keys on-card, backup 'em ONLY to other cards, and use a single card (per
> identity) while being able to read all my old messages, even if I change
> my DEC key once a year (in a test scenario I could store 40 keys on a
> 72k card, still have to test how many on a 144k one).

I'd also like the ability to transfer keys between cards, much like one
can transfer x.509 keys between HSMs.

That said, I don't really see using a PC-generated key on a card as
nonsensical. I do just that: I generated the key using a
freshly-installed Linux distribution on an offline PC with an added
hardware RNG for extra entropy. I burned a backup of the private key to
a few CD-Rs (one for an offsite, secure location like a safe deposit
box, the other kept locally in case of card failure), printed out a
paper backup, transferred the key to the card, and replaced the private
key on the PC with the stub pointing at the card.

I understand the "one person, one key, one card" position, but my usage
scenario is mainly "avoid the possibility where a remote attacker could
gain access to my private key" (e.g. with malware, keyloggers, etc.). If
someone has physically broken into my house or safe deposit box to get
my offline backups, I'll (a) know about it and (b) have bigger problems.

To answer Zece's original question as to why I use OpenPGP keys, I use
OpenPGP (specifically GnuPG) to send potentially sensitive information
over the internet. In my particular case, I'm an American living in
Switzerland for grad school and some family members living back in the
US act as my proxy for certain things that need to be taken care of back
in the US like taxes. We use GnuPG to send this information back and
forth as needed. Having it leak wouldn't be catastrophic, but I'd prefer
to keep it private if possible.

Additionally, the use of signatures is useful when corresponding with
people over the internet. I place a strong amount of confidence that
keys I've personally certified belong the to the person I met, but
untrusted signatures are still useful to me as they can be used to show
consistency over time.

For example, I've never met Werner Koch in person, haven't signed his
key, or have any idea if he is, in fact, named Werner Koch in real
life...but he's been going by that identity for years and using the same
key for signatures that whole time (as far as I can remember). Even
though I can't confidently map his key to a real-life identity, I can be
reasonably confident that the person posting as him today is the same
person who was posting as him a few years ago as the key used to make
the signatures is the same.

As always, your mileage may vary, but those are some of the main reasons
I use OpenPGP.

Cheers!
-Pete


From zece at riseup.net  Sun May 26 12:50:18 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Sun, 26 May 2013 10:50:18 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <519FD714.7060001@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net>
Message-ID: <51A1E8EA.4010201@riseup.net>

Zece Anonimescu:
> Robert J. Hansen:
>> Email is dying and has been for years.  Ask a college student today[...]
> 
> I don't like the mass media estimates: the next big thing, the yesterday
> thing, the dying thing. I thought for a good ten minutes and I could not
> find ONE single thing that was how predicted.

According to Technology Review [1] some 154 billion emails are sent each
day. So much for a dying technology. I rest my case.



From jeandavid8 at verizon.net  Sun May 26 13:47:50 2013
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Sun, 26 May 2013 07:47:50 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A1E8EA.4010201@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A1E8EA.4010201@riseup.net>
Message-ID: <51A1F666.7070104@verizon.net>

On 05/26/2013 06:50 AM, Zece Anonimescu wrote:
> Zece Anonimescu:
>> Robert J. Hansen:
>>> Email is dying and has been for years.  Ask a college student today[...]
>>
>> I don't like the mass media estimates: the next big thing, the yesterday
>> thing, the dying thing. I thought for a good ten minutes and I could not
>> find ONE single thing that was how predicted.
> 
> According to Technology Review [1] some 154 billion emails are sent each
> day. So much for a dying technology. I rest my case.
> 
Last I heard, and it seems to me to be true, something like 95% of
e-mails are spam.


From eray.aslan at caf.com.tr  Sun May 26 15:36:00 2013
From: eray.aslan at caf.com.tr (Eray Aslan)
Date: Sun, 26 May 2013 16:36:00 +0300
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A1E8EA.4010201@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A1E8EA.4010201@riseup.net>
Message-ID: <51A20FC0.70600@caf.com.tr>

On 26/05/13 13:50, Zece Anonimescu wrote:
> According to Technology Review [1] some 154 billion emails are sent each
> day. So much for a dying technology. I rest my case.

The college kids I talk to nowadays use email mostly for either
- official business
- communicating with their parents

and that's it.  Sure email is still relevant in the business world but
the future seems to have moved on.  The original assessment that email
is a dying tech/past its peak is spot on.

-- 
Eray Aslan 


From mailinglisten at hauke-laging.de  Sun May 26 17:12:11 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 26 May 2013 17:12:11 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A20FC0.70600@caf.com.tr>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
Message-ID: <5077078.WVLqJge6PX@inno.berlin.laging.de>

Am So 26.05.2013, 16:36:00 schrieb Eray Aslan:

> The college kids I talk to nowadays use email mostly for either
> - official business
> - communicating with their parents
> 
> and that's it.

But will they use more or less email after college? The kind of communication 
changes over time. It did not change that much for earlier generations because 
there was nothing like Facebook from what the users could have turned to 
email.

E-Mail will still be there in ten years. Nearly nobody (no person, no 
organization) is capable of abandoning email (i.e. not having the capability 
of receiving and sending email).

What will Facebook be in ten years? Nobody knows.


> The original assessment that email is a dying tech/past its peak is spot on.

A "tying tech" is not the same as "a tech past its peak". I would not claim 
that email is the best tool for every application so it seems pretty normal to 
me that it loses market share if tools that do certain jobs better become 
available.

As long as you need an email address to register at Facebook and not a 
Facebook user name in order to register for an email account I doubt that 
Facebook is the more established service.


Hauke
-- 
?
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
http://www.openpgp-courses.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: 

From rjh at sixdemonbag.org  Sun May 26 18:37:42 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 26 May 2013 12:37:42 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <5077078.WVLqJge6PX@inno.berlin.laging.de>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
Message-ID: <51A23A56.8040902@sixdemonbag.org>

On 5/26/2013 11:12 AM, Hauke Laging wrote:
> E-Mail will still be there in ten years.

In related news, you can still buy buggy whips:

http://www.amazon.com/Abetta-Buggy-Whip-Black-66/dp/B002HIX7P8

Nobody is saying email will go away.  I've only said that email is seen
by the upcoming generation as an ancient technology that their parents
use, that the upcoming generation does not use email as a preferred
method of communication, and that this does not make me bullish on the
long-term prospects of email.

Will it still be around in ten years?  Sure.  But so will buggy whips.



From jhs at berklix.com  Mon May 27 02:13:36 2013
From: jhs at berklix.com (Julian H. Stacey)
Date: Mon, 27 May 2013 02:13:36 +0200
Subject: [OT] Why are you using the GPG / PGP keys? 
In-Reply-To: Your message "Sun, 26 May 2013 17:12:11 +0200."
 <5077078.WVLqJge6PX@inno.berlin.laging.de> 
Message-ID: <201305270013.r4R0DaLn046359@fire.js.berklix.net>

From: Hauke Laging 

> Am So 26.05.2013, 16:36:00 schrieb Eray Aslan:
> 
> > The college kids I talk to nowadays use email mostly for either
> > - official business
> > - communicating with their parents
> >=20
> > and that's it.

Re. ~email is dieing~.

    Similar false "Unix is dieing" propesies were made 30 years back, eg:
    	http://www.groklaw.net/articlebasic.php?story=193
    "Saturday, August 09 2003 @ 10:42 PM EDT ...
    Sun CEO Scot McNealy recently said this about Linus' saying UNIX
    is dying: "You can go back over 21 years, and we've been reading
    that exact quote about Unix...." ..."

Young adults are lemmings, thoughtlessly rushing to the latest
glitzy fashion tech. gimmicks, aka F*book, MS-Win glitz, Slim white
neck pendant accessory (Mac) etc, to pose before their friends.

Responses to deter associates from joining social media web sites:

	... Yes, it's your right to choose, ...
	Pause ...  To make silly choices ! ...  But we're not daft too.

	The sites are useful, they must draw off some of the least
	competent & least thoughtful people, so reduce the `dumbing
	down' of the internet.

	Did you consider lax security & privacy ?  scandals, pictures
	seen by employers, data harvesting by giant multinationals ?

	With mail on own PC, + GPG encryption, one can control 
	embarassing text/pics & keys, but not on a commercial forum.


Was it AOL or compuserve who tried a closed net ? some people realised
they were locked in so left, the pressure built, & the ISP put in
a gateway.  When F*book growth levels off they may bend.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.


From jeffenstein at gmail.com  Mon May 27 11:44:38 2013
From: jeffenstein at gmail.com (Jeff Fisher)
Date: Mon, 27 May 2013 11:44:38 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A20FC0.70600@caf.com.tr>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
Message-ID: <20130527094438.GA17214@ficus>

On Sun, May 26, 2013 at 04:36:00PM +0300, Eray Aslan wrote:
> On 26/05/13 13:50, Zece Anonimescu wrote:
> > According to Technology Review [1] some 154 billion emails are sent each
> > day. So much for a dying technology. I rest my case.
> 
> The college kids I talk to nowadays use email mostly for either
> - official business
> - communicating with their parents
> 
> and that's it.  Sure email is still relevant in the business world but
> the future seems to have moved on.  The original assessment that email
> is a dying tech/past its peak is spot on.

But what will they use once they start a job?  Surely they are not
going to send the report their boss requested with Facebook.

Cheers,
Jeff


From kiblema at gmail.com  Mon May 27 13:38:08 2013
From: kiblema at gmail.com (Lema KB)
Date: Mon, 27 May 2013 13:38:08 +0200
Subject: unattended signing key
Message-ID: 

Hi

I am writing a batch file, where i install gpg4win, generate keys, import
public key, and sign it. Could anyone help me, how i silently(unattended)
sign imported public-key?
i did edit the key, fpr, signed it but it is asking my passphrase.

or should i generate my secret-public-key without passphrase? i need just
encrypt files with someone's public-key sent me through email. which kind
of key should i generate for my own to do that?


Appreciate your answers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mailinglisten at hauke-laging.de  Mon May 27 13:58:46 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 27 May 2013 13:58:46 +0200
Subject: unattended signing key
In-Reply-To: 
References: 
Message-ID: <1637042.rivm8ijDFm@inno.berlin.laging.de>

Am Mo 27.05.2013, 13:38:08 schrieb Lema KB:

> I am writing a batch file, where i install gpg4win, generate keys, import
> public key, and sign it. Could anyone help me, how i silently(unattended)
> sign imported public-key?
> i did edit the key, fpr, signed it but it is asking my passphrase.

You may use --passphrase-fd, --passphrase-file, or --passphrase; see the man 
page.

Or gpg-preset-passphrase as an alternative (if you manage to find out the 
keygrip).


Hauke
-- 
?
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
http://www.openpgp-schulungen.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: 

From mailinglisten at hauke-laging.de  Mon May 27 14:02:45 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 27 May 2013 14:02:45 +0200
Subject: gpg-preset-passphrase: cache id
Message-ID: <1727393.SaegeYyeAF@inno.berlin.laging.de>

Hello,

I quote from the man page:

###############################################################
gpg-preset-passphrase [options] [command] cacheid

cacheid is either a 40 character keygrip of hexadecimal characters identifying 
the key for which the passphrase should be set or cleared. [...] Alternatively 
an arbitrary string may be used to identify a passphrase; it is suggested that 
such a string is prefixed with the name of the application (e.g foo:12346).
###############################################################

How is a passphrase with a cache id like foo:12346 used? Is it tried for all 
keys which do not have a keygrip entry?


Hauke
-- 
?
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
http://www.openpgp-courses.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: 

From wk at gnupg.org  Mon May 27 15:24:36 2013
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 May 2013 15:24:36 +0200
Subject: gpg-preset-passphrase: cache id
In-Reply-To: <1727393.SaegeYyeAF@inno.berlin.laging.de> (Hauke Laging's
 message of "Mon, 27 May 2013 14:02:45 +0200")
References: <1727393.SaegeYyeAF@inno.berlin.laging.de>
Message-ID: <871u8s3697.fsf@vigenere.g10code.de>

On Mon, 27 May 2013 14:02, mailinglisten at hauke-laging.de said:

> How is a passphrase with a cache id like foo:12346 used? Is it tried for all 
> keys which do not have a keygrip entry?

No.  It is used with the commands 

  GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]]
                 [--qualitybar] 
                 [  ]
 
and 

  CLEAR_PASSPHRASE [--mode=normal] 

which both take care of the cache-id.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From rjh at sixdemonbag.org  Mon May 27 17:32:37 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 27 May 2013 11:32:37 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <20130527094438.GA17214@ficus>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <519FD714.7060001@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <20130527094438.GA17214@ficus>
Message-ID: <51A37C95.20307@sixdemonbag.org>

On 5/27/2013 5:44 AM, Jeff Fisher wrote:
> But what will they use once they start a job?  Surely they are not
> going to send the report their boss requested with Facebook.

Currently, one of the hot and trending ideas is to contract with
Facebook to provide corporate enclaves for such things.

Look at git as an example.  Ever since GitHub went up, a lot of
businesses have outsourced that service to them.  You think you're
accessing the company's git server, but in reality you're talking to a
particular walled-off portion of GitHub.

The same is being talked about for Facebook, Google+, and many other
social media platforms.  The idea is to provide a corporate enclave for
communication and forbid access to things like games, personal accounts,
and whatnot.

Businesses don't generally like email.  Between spam and security
issues, email has never really lived up to the utopian vision we had for
it in the Seventies.  It used to be that businesses ran their own email
services, but now many outsource it to Google or Microsoft in order to
enjoy lower operational costs.  If they can get lower operational costs
by moving to a Facebook-like platform, they'll do it in a heartbeat.





From mwood at IUPUI.Edu  Tue May 28 15:22:56 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue, 28 May 2013 09:22:56 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A23A56.8040902@sixdemonbag.org>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
 <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org>
Message-ID: <20130528132256.GA15419@IUPUI.Edu>

On Sun, May 26, 2013 at 12:37:42PM -0400, Robert J. Hansen wrote:
> On 5/26/2013 11:12 AM, Hauke Laging wrote:
> > E-Mail will still be there in ten years.
> 
> In related news, you can still buy buggy whips:
> 
> http://www.amazon.com/Abetta-Buggy-Whip-Black-66/dp/B002HIX7P8
> 
> Nobody is saying email will go away.  I've only said that email is seen
> by the upcoming generation as an ancient technology that their parents
> use, that the upcoming generation does not use email as a preferred
> method of communication, and that this does not make me bullish on the
> long-term prospects of email.
> 
> Will it still be around in ten years?  Sure.  But so will buggy whips.

Hmm.  Each upcoming generation declares many things to be ancient
practice that their parents use, no longer relevant.  A few years
later they have found out why their parents use it and are using a lot
of it themselves.  It might be useful to look at the just-got-here
generation to see what *they* use, now that they have so much more
official business than they had in school a few years ago.

It also might be interesting to break down interpersonal communication
by categories and see whether different material is migrating to new
media at different rates.  Are tired jokes we've all seen a million
times moving off of email to Twitter faster than detailed business or
technical discussion, for example?  Were we doing stuff by email five
years ago which really didn't fit the email model very well, which
stuff is today escaping to media better designed for it?  Are newer
channels swelling with content because nobody thought seriously of
sharing *that* when email (or a phone call, or a paper letter) was the
best available channel?

I'm not even sure who would study such things.  Anthropologists, I suppose.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From peter at digitalbrains.com  Tue May 28 18:32:13 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 28 May 2013 18:32:13 +0200
Subject: Relevance of e-mail (was [OT] Why are you using the GPG / PGP
 keys?)
In-Reply-To: <20130528132256.GA15419@IUPUI.Edu>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
Message-ID: <51A4DC0D.5060401@digitalbrains.com>

Personally, I /am/ interested in why people use their keys (the original
question), and not in the relevance of e-mail.

So I changed the Subject:-line to indicate a split in the thread, in the hope
that people pick up this Subject:-line (or do the same) and that I can recognise
future "relevance of e-mail" e-mails.

If you find this inappropriate, please tell me. I'm not sure on the ethics of
renaming other people's conversations ;).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


From forlasanto at gmail.com  Tue May 28 18:17:01 2013
From: forlasanto at gmail.com (Forlasanto)
Date: Tue, 28 May 2013 11:17:01 -0500
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <20130528132256.GA15419@IUPUI.Edu>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
Message-ID: <51A4D87D.2070303@gmail.com>

The fact remains that email is "the house that Jack built." The wall
plugs are upside down, the wiring is sketchy at best, the plumbing is
crazy and doesn't function correctly, the house is half wood and half
brick, and/Jack forgot to put locks on the doors./

The fact that younger generations don't see email as a viable system is
telling. It's an opportunity for something /better /to take email's
place. Hopefully something with built-in encryption, rather than
encryption tacked on as an afterthought. Just my two cents.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From zece at riseup.net  Tue May 28 20:45:56 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Tue, 28 May 2013 18:45:56 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A4D87D.2070303@gmail.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com>
Message-ID: <51A4FB64.7080304@riseup.net>

Forlasanto:
> The fact remains that email is "the house that Jack built." The wall
> plugs are upside down, the wiring is sketchy at best, the plumbing is
> crazy and doesn't function correctly, the house is half wood and half
> brick, and/Jack forgot to put locks on the doors./

Doors should not have locks. So the best feature is marked as a failure?

> The fact that younger generations don't see email as a viable system is
> telling. It's an opportunity for something /better /to take email's
> place. Hopefully something with built-in encryption, rather than
> encryption tacked on as an afterthought. Just my two cents.

You have attachments. You have ASCII output from gpg. How much more
?built in?? Sounds like a replacement of .conf files with the wonders of
the Windows Registry. How much wasted energy because Facebook PR told
dimwits something!



From zece at riseup.net  Tue May 28 20:49:53 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Tue, 28 May 2013 18:49:53 +0000
Subject: Relevance of e-mail (was [OT] Why are you using the GPG / PGP
 keys?)
In-Reply-To: <51A4DC0D.5060401@digitalbrains.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4DC0D.5060401@digitalbrains.com>
Message-ID: <51A4FC51.7040901@riseup.net>

Peter Lebbing:
> If you find this inappropriate, please tell me. I'm not sure on the ethics of
> renaming other people's conversations ;).

I'm the creator of the thread and also share the guilt of highjacking
the thread because of a stupid article. And I fully agree with you to
change the subject. So far I counted only two answers.



From wk at gnupg.org  Tue May 28 21:28:17 2013
From: wk at gnupg.org (Werner Koch)
Date: Tue, 28 May 2013 21:28:17 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A4D87D.2070303@gmail.com> (forlasanto@gmail.com's message of
 "Tue, 28 May 2013 11:17:01 -0500")
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com>
Message-ID: <87wqqivr8u.fsf@vigenere.g10code.de>

On Tue, 28 May 2013 18:17, forlasanto at gmail.com said:

> crazy and doesn't function correctly, the house is half wood and half
> brick, and/Jack forgot to put locks on the doors./

Well, the mailbox at my door has no lock either and it suffers from the
spam problem too.  The solution is not to remove the mailbox and do
without snail mail.  Instead I sort spam out and almost all useful or
important mail arrives just fine; well as long as such mail comes in a
nice and ads free envelope with a real stamp on it.

> place. Hopefully something with built-in encryption, rather than
> encryption tacked on as an afterthought. Just my two cents.

There is not always a need for encryption, picture postcards don't need
an envelope and other mails comes in an (optional) closed envelope.
Similar to to RFC-822 and MIME.  The problem with encryption is not the
envelope used for the encryption but the procedures to keep track of the
address/key.

Encryption is nicely integrated into the mail protocol.  What we are
missing is encryption build into the low-level transport layer (i.e. IP
or TCP).  However, there was no business model for that, thus the
afterthought solutions offer a better opportunity for some.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From jeandavid8 at verizon.net  Tue May 28 21:49:15 2013
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Tue, 28 May 2013 15:49:15 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <87wqqivr8u.fsf@vigenere.g10code.de>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <87wqqivr8u.fsf@vigenere.g10code.de>
Message-ID: <51A50A3B.6040303@verizon.net>

On 05/28/2013 03:28 PM, Werner Koch wrote:
> On Tue, 28 May 2013 18:17, forlasanto at gmail.com said:
> 
>> crazy and doesn't function correctly, the house is half wood and half
>> brick, and/Jack forgot to put locks on the doors./
> 
> Well, the mailbox at my door has no lock either and it suffers from the
> spam problem too.  The solution is not to remove the mailbox and do
> without snail mail.  Instead I sort spam out and almost all useful or
> important mail arrives just fine; well as long as such mail comes in a
> nice and ads free envelope with a real stamp on it.

I demand a return address on it as well, including the name of the
sender. Lacking that, I assume they are ashamed of themselves and are
afraid I would not open it if I knew who it was from. So I do not open them.

Return addresses like

Suite 12345
123 Frammis Avenue
Washington, D.C. 98765

go into the trash too. No name, no open.  Of course, some senders also
go straight into the trash, too.

This would not be as useful with e-mail, since I can put any address I
want into the From: field. Of course, people could do that with their
envelopes, too, but they seem to do it less often.


From mwood at IUPUI.Edu  Tue May 28 22:05:39 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue, 28 May 2013 16:05:39 -0400
Subject: Relevance of e-mail (was [OT] Why are you using the GPG / PGP
 keys?)
In-Reply-To: <51A4DC0D.5060401@digitalbrains.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
 <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org>
 <20130528132256.GA15419@IUPUI.Edu>
 <51A4DC0D.5060401@digitalbrains.com>
Message-ID: <20130528200539.GA28011@IUPUI.Edu>

OK.

1.  Establish a pattern:  none genuine without this signature.  I
    understand it's not possible to prove that an unsigned message
    didn't come from me, but this couldn't hurt.

2.  OTOH I *can* show that a signed message must have been made with
    knowledge of a specific key, which I assert that I control.  When
    I do write something, I want my authorship to be believed.

3.  Habit.  The same reason I always automatically relock doors when I've
    entered:  if I have a policy then I don't have to make judgments
    in most cases.  (Yes, I *always* carry a house key.)  Considering
    all the gooey rubbish I *don't* send to my correspondents, I hold
    that the small cost of a signature is entirely negligible.

4.  Privacy.  While I prefer to hand-deliver things like new
    passwords, I'm willing to send them in encrypted emails if someone
    insists.  Or I might want to write to a family member something
    that's not super-secret but is nobody else's business.

5.  Cool factor. *blush*

6.  My signing habit is my tiny contribution toward a future in which
    any unsigned email is automatically suspect.  This would make it
    feasible, for example, to set up a rule sending all mail with
    no or unknown signature to a UCE folder (or the bitbucket).  I
    won't hold my breath while I wait, though.

I should distinguish signing and encryption.  I can count on my fingers
the number of encrypted emails I've sent, but I assert that I sign all
emails addressed to humans.  (Some mailing-list robots are fragile and
have trouble with signatures when directly addressed.  Boo.)

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From hhhobbit at securemecca.net  Tue May 28 23:18:57 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 28 May 2013 21:18:57 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A4D87D.2070303@gmail.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com>
Message-ID: <51A51F41.6020402@securemecca.net>

On 05/28/2013 04:17 PM, Forlasanto wrote:
> The fact remains that email is "the house that Jack built." The wall
> plugs are upside down, the wiring is sketchy at best, the plumbing is
> crazy and doesn't function correctly, the house is half wood and half
> brick, and/Jack forgot to put locks on the doors./
> 
> The fact that younger generations don't see email as a viable system is
> telling. It's an opportunity for something /better /to take email's
> place. Hopefully something with built-in encryption, rather than
> encryption tacked on as an afterthought. Just my two cents.

It is a pretty good two cents but you don't understand where the
encryption is needed most.  What needs to happen is that the aging
SMTP protocol needs to be replaced by a SSMTP (Secure Simple Mail
Transfer Protocol):

http://securemecca.blogspot.com/2012/09/vote-against-spam.html

See "Mail Delivery Fix".  I have had a sysadmin for a Mathematics
department that I respect both professionally and personally that
didn't think too much of it because of all the shady SSL certs
for web-sites.  Yes, the shady SSL certs are there but I expect
people to use some common sense.  It would help if something like
a browser would allow you temporarily to over-ride the warning.
But what does Firefox and other browsers want to do?  They want
to PERMANENTLY store the exception.  The over-ride should have
that box unchecked.  You should only check it when you are sure
the warning is in error. We could end up with a list of shady email
certificates that the spam houses could block as well. But that
is better than nothing at all. Here is an email header for you
to look at:

http://securemecca.com/public/PeskySpammer/WackoBot.txt
(the Originating IP is where the email message really came
from, not 000123gw[GNAT]att.net - and it is a machine that
is in A-YAHOO-US9 that sent the message showing how deep
the problem is - yes, an infected windows machine at Yahoo
sent the message)

PeskySpammer saw me using the term hash-user in my blog so they
sold that email address to other spammers. PeskySpammer is either
completely in the Newark, NJ area or at least have a presence
there.  Not all of these spammers are in Russia or China.

PeskySpammer does more than just spam too.  They need a constant
crop of infected Windows machines to mail from.  They email out
dastardly links pretending to be somebody else (but Thunderbird
which is no longer available in Gnome 3 on OpenSuSE 12.3 that I
could see) does make the hidden links visible:

http://securemecca.com/public/PeskySpammer/Pictures/

But not only young people today, but a lot of people that used
to use email no longer use it.  Unless a way to get rid of the
spam can be devised only a few stalwarts that MUST use email
will use it.  But I dumped Gnome 3 entirely after looking at
OpenSuSE 12.3 with Gnome as the last straw because I could only
use Firefox and LibreOffice.  This smart-phone GUI on a desktop
shows that thinking is in short supply.  But they just approved
the iPhone and iPad for military use now.  The world is changing
but most of the changes aren't good.

The spammers and spear-phishers (mostly Chinese) have killed
email.  It is not so much that people have moved on but we
need opt-in policies and a thorough overhaul to make email
work again and nobody wants to do it.



From johanw at vulcan.xs4all.nl  Wed May 29 00:14:15 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 29 May 2013 00:14:15 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A51F41.6020402@securemecca.net>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
Message-ID: <51A52C37.2090306@vulcan.xs4all.nl>

On 28-05-2013 23:18, Henry Hertz Hobbit wrote:

> But what does Firefox and other browsers want to do?  They want
> to PERMANENTLY store the exception.

Still easier to use than my experience with my own mailserver. When I
set it up to accept only secure connections Thunderbird had no problems,
but my phone (Nokia E72) kept refusing to use the selfsigned certificate
permanantly. I had to approve it each time, even after importing it in
the phone. Until I found out, a year later and almost by accident, that
the CN field of the certificate has to exactly match the domainname of
the mailserver. After creating a new certificate it runs good, but too
much checks can also give problems and could have driven less tech-savy
people away from encryption.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



From hhhobbit at securemecca.net  Wed May 29 01:00:06 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 28 May 2013 23:00:06 +0000
Subject: Relevance of e-mail (was [OT] Why are you using the GPG / PGP
 keys?)
In-Reply-To: <51A4DC0D.5060401@digitalbrains.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4DC0D.5060401@digitalbrains.com>
Message-ID: <51A536F6.3010203@securemecca.net>

On 05/28/2013 04:32 PM, Peter Lebbing wrote:
> Personally, I /am/ interested in why people use their keys (the original
> question), and not in the relevance of e-mail.

I use OpenPGP to sign my downloads for others.  Everybody
using my stuff are either French, Belgian, or Canadian
French.  The Linux people DO use the detached signature
files to verify that some hacker didn't sneak in and whack
things.  Don't laugh. The hackers HAVE hit my web-site and
despite the fact I don't use SQL it doesn't mean that SQL
isn't on the multi-homed web-server.  The hackers did do
damage to some of my pages and will probably continue to
do so.  The hackers are interested in replacing the downloads
with some copycat that would say, block legitimate web-sites
and allow infecting web-sites through. The web-site damage
I am referring to is NOT done by just some infected PC sending
SQL attack packets to web-sites at random.  These attacks
are done on purpose by a person / people. So OpenPGP detached
signatures DO help.  Why replace my downloads with false
downloads if the verification fails. I will know immediately
if my .profile or .bashrc files or other relevant files
have been tampered with.

It would be nice for other blockers to use OpenPGP enciphered
email messages where we discuss bad web-sites since an email
scanner WILL block the message.  Encrypting attachments with
7-Zip's AES-128 is messy and time consuming.  IOW, I have a
need for both OpenPGP enciphered email AND OpenPGP signed
email messages because hackers have attacked me and will
continue to attack.  Hackers have sent messages purportedly
from these other people.  But I know their sending IP
addresses and do check these suspicious messages.  But that
is time consuminmg so an OpenPGP signed message would
go a long way to ease my mind.  I got the very same
malicious link in an email message that took down Google
several years ago. The only differnce is that I use
Thunderbird with no HTML rendering for my main email despite
having four web-mail accounts. The spear attack looked
amateurish to me.  But if Google and others would have
used OpenPGP signed messages regularly, until the keys
are stolen and the pass-phrase sniffed, OpenPGP signed
mails CAN enhance security.

Whether people recognize it or not, many of the Linux
distros use OpenPGP signatures in *.deb, *.rpm and other
update files to verify that they really did come from where
they are purportedly from.  More than once on a Linux
distro update I get a message that says "This update
cannot be verified.  Do you want it?"  NO!  I will wait
for the update package that can be verified.  What is
doing the verification?  OpenPGP for every Linux distro
I have used for years.

HHH



From reynt0 at cs.albany.edu  Wed May 29 03:53:29 2013
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 28 May 2013 21:53:29 -0400 (EDT)
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <20130528132256.GA15419@IUPUI.Edu>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
Message-ID: 

On Tues, May 28, 2013 Mark H. Wood wrote:
  . . .
> Were we doing stuff by email five years ago which really
> didn't fit the email model very well, which stuff is
> today escaping to media better designed for it?
  . . .

Speaking only from my own observations, the quick chatty
time-wasting email sequences seem to have migrated to
SMS/Twitter/whatever, like kids (or others with nothing
better to do) on the phone all the time.  But I would say
email was not a good way to do that anyhow, it just seemed
cheaper than old phone calls used to be before wide
existence of personal phone devices (cell phones).  As far
as I see, email is still used for stuff that takes thought
or attention or responsibility, even though it may be sent
using the same smart phone as is used for texting/tweeting/whatever.


From dougb at dougbarton.us  Wed May 29 06:42:22 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 28 May 2013 21:42:22 -0700
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A52C37.2090306@vulcan.xs4all.nl>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl>
Message-ID: <51A5872E.8030706@dougbarton.us>

On 05/28/2013 03:14 PM, Johan Wevers wrote:
> On 28-05-2013 23:18, Henry Hertz Hobbit wrote:
>
>> But what does Firefox and other browsers want to do?  They want
>> to PERMANENTLY store the exception.
>
> Still easier to use than my experience with my own mailserver. When I
> set it up to accept only secure connections Thunderbird had no problems,
> but my phone (Nokia E72) kept refusing to use the selfsigned certificate
> permanantly. I had to approve it each time, even after importing it in
> the phone. Until I found out, a year later and almost by accident, that
> the CN field of the certificate has to exactly match the domainname of
> the mailserver. After creating a new certificate it runs good, but too
> much checks can also give problems and could have driven less tech-savy
> people away from encryption.

You've actually hit on one of the key elements of the debate, the 
continuum of secure vs. convenient. "We" (for sufficiently competent 
definitions of "we") see the need for security, and are willing to pay 
the price. Average users want things to be "secure" (for sufficiently 
warm and fuzzy definitions of "secure"), but not "hard," or more 
accurately, inconvenient.

Not to pick on you, Johan, but I would regard your phone's refusal to 
accept the certificate as a feature. You regarded it as an inconvenience.

Furthermore, there is no reason to fool around with self-signed certs 
nowadays. Just trot over to https://www.startssl.com/ and get your free 
cert signed by a recognized CA. I use that for my web and mail systems 
(including secure SMTP), and it works just fine.

The reason I'm replying to this thread (which I keep hoping will 
suffocate under its own weight) at all is to point out that the whole 
idea of "everyone" should use encryption, or cryptography more 
generally, is absurd. Most users not only do not want the inconvenience, 
they don't care if their communication is observed. Where validity is 
concerned for e-mail there are things like SPF and DKIM that get you 90% 
there on a system level without the user having to do (or be 
inconvenienced by) anything.

Don't get me wrong, I still think that PGP is important, and would 
lament its passing if somehow it went away. But that's not the same 
thing as thinking "everyone should use encryption."

Doug



From edgard.devaux at gmx.fr  Wed May 29 08:12:06 2013
From: edgard.devaux at gmx.fr (edgard devaux)
Date: Wed, 29 May 2013 08:12:06 +0200
Subject: certificat for a key pair
Message-ID: <51A59C36.3050606@gmx.fr>

  hello
  using Gnupg with linux debian 7.0 and gnome; i created a key pair.
  my e-mail client asks me a certificat for personal to sign , and an 
other certificat for the key.
  How can i get this certificat for keyring , i don't find where .
  excuse my english (i'm franchman).
  thanks
  edgard

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3750 bytes
Desc: Signature cryptographique S/MIME
URL: 

From net at janeden.net  Wed May 29 10:40:49 2013
From: net at janeden.net (Jan Eden)
Date: Wed, 29 May 2013 10:40:49 +0200
Subject: certificat for a key pair
In-Reply-To: <51A59C36.3050606@gmx.fr>
References: <51A59C36.3050606@gmx.fr>
Message-ID: <20130529084049.GA322@uni-koeln.de>

Sounds like your MUA supports S/MIME, you need a X.509 cert instead of a PGP keypair.

Kind regards,
Jan



On 29.05.2013, at 08:12, edgard devaux  wrote:

> hello
> using Gnupg with linux debian 7.0 and gnome; i created a key pair.
> my e-mail client asks me a certificat for personal to sign , and an other certificat for the key.
> How can i get this certificat for keyring , i don't find where .
> excuse my english (i'm franchman).
> thanks
> edgard
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3840 bytes
Desc: not available
URL: 

From me at janeden.net  Wed May 29 09:03:08 2013
From: me at janeden.net (Jan Eden)
Date: Wed, 29 May 2013 09:03:08 +0200
Subject: certificat for a key pair
In-Reply-To: <51A59C36.3050606@gmx.fr>
References: <51A59C36.3050606@gmx.fr>
Message-ID: 

Sounds like your MUA supports S/MIME, you need a X.509 cert instead of a PGP keypair.

Kind regards,
Jan



On 29.05.2013, at 08:12, edgard devaux  wrote:

> hello
> using Gnupg with linux debian 7.0 and gnome; i created a key pair.
> my e-mail client asks me a certificat for personal to sign , and an other certificat for the key.
> How can i get this certificat for keyring , i don't find where .
> excuse my english (i'm franchman).
> thanks
> edgard
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2505 bytes
Desc: not available
URL: 

From mwood at IUPUI.Edu  Wed May 29 14:49:59 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Wed, 29 May 2013 08:49:59 -0400
Subject: Relevance of e-mail (was [OT] Why are you using the GPG / PGP
 keys?)
In-Reply-To: <51A536F6.3010203@securemecca.net>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
 <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org>
 <20130528132256.GA15419@IUPUI.Edu>
 <51A4DC0D.5060401@digitalbrains.com>
 <51A536F6.3010203@securemecca.net>
Message-ID: <20130529124959.GA29664@IUPUI.Edu>

Ha, that reminds me, when I submit artifacts to Maven Central (a
public code repository) I'm required to OpenPGP sign them.  Maven has
a very nice plugin which handles this automatically.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From mwood at IUPUI.Edu  Wed May 29 15:11:37 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Wed, 29 May 2013 09:11:37 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A51F41.6020402@securemecca.net>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
 <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org>
 <20130528132256.GA15419@IUPUI.Edu> <51A4D87D.2070303@gmail.com>
 <51A51F41.6020402@securemecca.net>
Message-ID: <20130529131137.GB29664@IUPUI.Edu>

On Tue, May 28, 2013 at 09:18:57PM +0000, Henry Hertz Hobbit wrote:
> On 05/28/2013 04:17 PM, Forlasanto wrote:
> > The fact remains that email is "the house that Jack built." The wall
> > plugs are upside down, the wiring is sketchy at best, the plumbing is
> > crazy and doesn't function correctly, the house is half wood and half
> > brick, and/Jack forgot to put locks on the doors./
> > 
> > The fact that younger generations don't see email as a viable system is
> > telling. It's an opportunity for something /better /to take email's
> > place. Hopefully something with built-in encryption, rather than
> > encryption tacked on as an afterthought. Just my two cents.
> 
> It is a pretty good two cents but you don't understand where the
> encryption is needed most.  What needs to happen is that the aging
> SMTP protocol needs to be replaced by a SSMTP (Secure Simple Mail
> Transfer Protocol):
> 
> http://securemecca.blogspot.com/2012/09/vote-against-spam.html

The code is there.  The problem is that so few use it.  I always
enable STARTTLS but I see a lot of rejections.

I think that the problem that nobody wants to face is key management.
Vetting potential trusted introducers is *hard* and you have to keep
doing it periodically.  Maintaining trust stores is hard and tedious.
Most end users just don't do it.

To a certain extent the problem is fundamentally intractable.  Trust
is a complicated beast and depends on individual values and
judgments.  Automation can help but can't take it over.

> But not only young people today, but a lot of people that used
> to use email no longer use it.  Unless a way to get rid of the
> spam can be devised only a few stalwarts that MUST use email
> will use it.  But I dumped Gnome 3 entirely after looking at

I can't wait to see a serious legal or engineering discussion taking
place over Twitter.  No, on second thought I can....

Imagine if this thread were being carried on by us scribbling on each
other's Facebook walls.  *shudder*

> OpenSuSE 12.3 with Gnome as the last straw because I could only
> use Firefox and LibreOffice.  This smart-phone GUI on a desktop
> shows that thinking is in short supply.  But they just approved
> the iPhone and iPad for military use now.  The world is changing
> but most of the changes aren't good.

Wow, *real* military use?  I want to see an iPhone after Raytheon has
had a go at it.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From dkg at fifthhorseman.net  Wed May 29 16:26:50 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 29 May 2013 10:26:50 -0400
Subject: certificat for a key pair
In-Reply-To: <51A59C36.3050606@gmx.fr>
References: <51A59C36.3050606@gmx.fr>
Message-ID: <51A6102A.6080500@fifthhorseman.net>

On 05/29/2013 02:12 AM, edgard devaux wrote:

>  using Gnupg with linux debian 7.0 and gnome; i created a key pair.
>  my e-mail client asks me a certificat for personal to sign , and an
> other certificat for the key.

what e-mail client?  what version?  does the e-mail client support
OpenPGP natively, or does it need a plugin?  if a plugin, which plugin
are you using?  what version?

hth,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: 

From johanw at vulcan.xs4all.nl  Wed May 29 19:28:32 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 29 May 2013 19:28:32 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A5872E.8030706@dougbarton.us>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl> <51A5872E.8030706@dougbarton.us>
Message-ID: <51A63AC0.9080203@vulcan.xs4all.nl>

On 29-05-2013 6:42, Doug Barton wrote:

> Furthermore, there is no reason to fool around with self-signed certs
> nowadays. Just trot over to https://www.startssl.com/ and get your free
> cert signed by a recognized CA.

It seems not to be recognised by my phone though so there is no
advantage there over a selfsigned key. More of a disadvantage, since
using a selfsigned key allows me to keep out all the personal details
not strictly needed so when I'm on holiday peeping governments don't
know easily who's server I'm contacting (OK, security by obscurity but
still). And their key is valid only for 1 year, which is inconvenient.

Further they deliver the private key to you, so they have access to it.
A BIG security hole, especially since they're (also) US based, if they
have access so does the US government via the Patriot act, who has
probably already put me on their watch list for liking Wikileaks on
Facebook. Thanks but no thanks.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



From dkg at fifthhorseman.net  Wed May 29 19:39:24 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 29 May 2013 13:39:24 -0400
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A63AC0.9080203@vulcan.xs4all.nl>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl> <51A5872E.8030706@dougbarton.us>
 <51A63AC0.9080203@vulcan.xs4all.nl>
Message-ID: <51A63D4C.5030301@fifthhorseman.net>

On 05/29/2013 01:28 PM, Johan Wevers wrote:

[re: startssl]

> Further they deliver the private key to you, so they have access to it.

is this really the case?  There is no way to supply them with a certreq
without the secret key material?  I would find that really surprising,
and it should be better publicized if that's so.

> A BIG security hole, especially since they're (also) US based,

actually, startssl is based in israel.  whether that's better or worse
than being based in the US, i leave as an exercise to the reader.

	--dkg (who is based in the US)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: 

From pete at heypete.com  Wed May 29 19:43:31 2013
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 29 May 2013 19:43:31 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A63AC0.9080203@vulcan.xs4all.nl>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl> <51A5872E.8030706@dougbarton.us>
 <51A63AC0.9080203@vulcan.xs4all.nl>
Message-ID: <51A63E43.4030707@heypete.com>

On 5/29/2013 7:28 PM, Johan Wevers wrote:
> It seems not to be recognised by my phone though so there is no
> advantage there over a selfsigned key.

That's odd. What phone do you have? They're certainly not in every
device, but their root is in iOS and Android devices, as well as pretty
much all the major desktop browsers.

> More of a disadvantage, since using a selfsigned key allows me to
> keep out all the personal details not strictly needed so when I'm on
> holiday peeping governments don't know easily who's server I'm
> contacting (OK, security by obscurity but still). And their key is
> valid only for 1 year, which is inconvenient.

Their free keys are only valid for one year, but paid users can get keys
that are valid for two years. That's not uncommon for many CAs.

> Further they deliver the private key to you, so they have access to it.
> A BIG security hole, especially since they're (also) US based, if they
> have access so does the US government via the Patriot act, who has
> probably already put me on their watch list for liking Wikileaks on
> Facebook. Thanks but no thanks.

They're based in Israel, not the US.

Additionally, it's an option to have them generate the private key for
customers who are too lazy to generate their own private key and CSR,
but it is not required: the certificate-creation procedure also allows
for customers to provide them with a CSR produced from a
customer-generated private key.

Cheers!
-Pete

ObDisclaimer: I'm a paid customer of StartSSL, but otherwise have no
connection or relationship with them.


From johanw at vulcan.xs4all.nl  Wed May 29 20:11:26 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 29 May 2013 20:11:26 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A63E43.4030707@heypete.com>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl> <51A5872E.8030706@dougbarton.us>
 <51A63AC0.9080203@vulcan.xs4all.nl> <51A63E43.4030707@heypete.com>
Message-ID: <51A644CE.3000502@vulcan.xs4all.nl>

On 29-05-2013 19:43, Pete Stephenson wrote:

> That's odd. What phone do you have?

Nokia E72. One of their last Symbian models.

> Their free keys are only valid for one year, but paid users can get keys
> that are valid for two years. That's not uncommon for many CAs.

But hardly much better. My current key is valid for 50 years so I don't
really have to worry about expiring (I'm not sure if I won't expire
first before those 50 years are over...). Revoking and replacing it is
always an option when the domain name changes, technology requires an
update or the key gets compromised.

> They're based in Israel, not the US.

Wether that's better, worse or just the same is another question. But
they do have US offices (they list one in New York) so they're subject
to the Patriot Act. There is a reason that some cloud services in Europe
broadly advertise with the fact thay they keep absolutely no
relationship with the US.

> Additionally, it's an option to have them generate the private key for
> customers who are too lazy to generate their own private key and CSR,
> but it is not required: the certificate-creation procedure also allows
> for customers to provide them with a CSR produced from a
> customer-generated private key.

OK, I could not find that after a brief look, they did wrote about
sending a private key with password protection over the mail.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



From pete at heypete.com  Wed May 29 20:29:34 2013
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 29 May 2013 20:29:34 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A644CE.3000502@vulcan.xs4all.nl>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr> <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org> <20130528132256.GA15419@IUPUI.Edu>
 <51A4D87D.2070303@gmail.com> <51A51F41.6020402@securemecca.net>
 <51A52C37.2090306@vulcan.xs4all.nl> <51A5872E.8030706@dougbarton.us>
 <51A63AC0.9080203@vulcan.xs4all.nl> <51A63E43.4030707@heypete.com>
 <51A644CE.3000502@vulcan.xs4all.nl>
Message-ID: <51A6490E.2080500@heypete.com>

On 5/29/2013 8:11 PM, Johan Wevers wrote:
>> They're based in Israel, not the US.
> 
> Wether that's better, worse or just the same is another question.

Indeed.

> But they do have US offices (they list one in New York) so they're
> subject to the Patriot Act.

Do they? My understanding is that it's just a VoIP number that connects
to their Israeli offices. International calls to US numbers are often
considerably less expensive than those to, say, Israel, so that makes
some sense.

See 

> There is a reason that some cloud services in Europe broadly
> advertise with the fact thay they keep absolutely no relationship
> with the US.

Indeed.

I'm not a lawyer, but I don't see how having a phone number in the US
means that the whole organization is subject to the Patriot Act.

Even if it was, I'm not really seeing the major issue here: they claim
that there are no copies made of server-generated private keys at any
stage, so they wouldn't have any secret material to turn over. Since you
can submit CSRs for locally-generated keys then there's nothing private
at all for them to reveal other than the information in the certificate,
which is already public.

If they were subject to the Patriot Act, they might be compelled to
produce a new cert for a specific hostname (though I suspect they'd just
cancel the US VoIP line if that issue came up), but how is this
different from the many other US-based CAs?

>> Additionally, it's an option to have them generate the private key for
>> customers who are too lazy to generate their own private key and CSR,
>> but it is not required: the certificate-creation procedure also allows
>> for customers to provide them with a CSR produced from a
>> customer-generated private key.
> 
> OK, I could not find that after a brief look, they did wrote about
> sending a private key with password protection over the mail.

See : "The wizard doesn't force
subscribers to use private keys generated by the CA, instead clicking on
Skip at the step for private key generation allows to submit a
certificate request (CSR) prepared by the subscriber. Some server
software even requires this, most notable Java based software. The
creation of the private key by the wizard is completely optional and at
the sole risk of the subscriber."

Anyway, the overall point was "WebTrust-audited and widely-trusted
certificates are available for free from StartSSL, just as inexpensive
ones are available from other CAs in various countries, so cost should
not be a factor if one wishes to have secure, public-facing systems".

Using self-signed certs is perfectly suitable for internal systems or
those used by an individual or a small number of users, but for things
requiring access by the public (who might otherwise be suspicious or
technically unwilling or unable to configure their browser/mail
client/etc. to trust a self-signed cert) it makes a lot of sense to use
a cert signed by a CA.

Cheers!
-Pete



From hhhobbit at securemecca.net  Wed May 29 21:09:12 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Wed, 29 May 2013 19:09:12 +0000
Subject: certificat for a key pair
In-Reply-To: <51A59C36.3050606@gmx.fr>
References: <51A59C36.3050606@gmx.fr>
Message-ID: <51A65258.9040608@securemecca.net>

On 05/29/2013 06:12 AM, edgard devaux wrote:
>  hello
>  using Gnupg with linux debian 7.0 and gnome; i created a key pair.
>  my e-mail client asks me a certificat for personal to sign , and an
> other certificat for the key.
>  How can i get this certificat for keyring , i don't find where .
>  excuse my english (i'm franchman).
>  thanks
>  edgard

Thunderbird:
============
http://wiki.debian.org/EmailClients

If you are using Thunderbird, do NOT install enigmail with an
apt-get with a sudo!  Also do not set up one common folder but
have separate email sections for each POP or IMAP email account.
Another way to add enigmail to Thunderbird:

https://addons.mozilla.org/fr/thunderbird/addon/enigmail/

Add it as yourself, not as root.  The apt-get way of doing
things here may not work.  You end up installing it in the
system thunderbird (/usr/lib/thunderbird) folder.  You
want enigmail installed in your ~/.thunderbird folder.

Once enigmail is installed, you can specify specifically
what key you want used with each email account by clicking
on the email account and then view settings then OpenPGP.

Evolution:
==========
If you are using Evolution, GnuPG support is built in.
Just make sure it is set to use your GPG key and the
GPG key has your edgard-devaux at gmx.fr or other POP
email accounts set up.

You cannot use GnuPG with web-mail easily any more.
I have no experience with Icedove but it should be
similar to Thunderbird.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: 

From dougb at dougbarton.us  Wed May 29 21:27:05 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 29 May 2013 12:27:05 -0700
Subject: certificat for a key pair
In-Reply-To: <51A65258.9040608@securemecca.net>
References: <51A59C36.3050606@gmx.fr> <51A65258.9040608@securemecca.net>
Message-ID: <51A65689.9020300@dougbarton.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/29/2013 12:09 PM, Henry Hertz Hobbit wrote:
| On 05/29/2013 06:12 AM, edgard devaux wrote:
|> hello using Gnupg with linux debian 7.0 and gnome; i created a
|> key pair. my e-mail client asks me a certificat for personal to
|> sign , and an other certificat for the key. How can i get this
|> certificat for keyring , i don't find where . excuse my english
|> (i'm franchman). thanks edgard
|
| Thunderbird: ============ http://wiki.debian.org/EmailClients
|
| If you are using Thunderbird, do NOT install enigmail with an
| apt-get with a sudo!  Also do not set up one common folder but have
| separate email sections for each POP or IMAP email account. Another
| way to add enigmail to Thunderbird:
|
| https://addons.mozilla.org/fr/thunderbird/addon/enigmail/
|
| Add it as yourself, not as root.  The apt-get way of doing things
| here may not work.  You end up installing it in the system
| thunderbird (/usr/lib/thunderbird) folder.  You want enigmail
| installed in your ~/.thunderbird folder.
|
| Once enigmail is installed, you can specify specifically what key
| you want used with each email account by clicking on the email
| account and then view settings then OpenPGP.

That advice is contrary to the conventional wisdom, which is to use
the same method to install Enigmail that you use to install
Thunderbird (i.e., apt-get + apt-get, or manually + manually). Can you
please explain your reasoning here?

Doug

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCAAGBQJRplaJAAoJEFzGhvEaGryEZeoH/jy168k9sksjZK/LoqJ/cFGX
/Tlz6NQPFuy64/9JKHBaccd4/9nWbmPU10M9jxBHRhqEkbdYfEQs0Xq0OmDsc6Sx
V+MOsqoyk2wTA/nuuwIrJ7QWXV6ONzIp4rspgCL/At/GATJyUSpvWR52k48oxZ6V
ykNkelLMjOUQbHFur8Ghnjbdr8Jtp1PPZeOI8j/R0znz0ZWupdMkJFZp78ll9HJw
CNtqcjG55LNbrKeKpzQSg3wX9u24QCHQaVq1FbK0QCOiMDjD4LR/sMtT2ZUFFffv
8j3223rFKGsNlYmRqahO9cuEt1K0P+WUdxFhF33Ptgsunc0Eizl4sFb+3qhCy1Y=
=CPFZ
-----END PGP SIGNATURE-----


From andy.ruddock at rainydayz.org  Wed May 29 23:48:02 2013
From: andy.ruddock at rainydayz.org (Andy Ruddock)
Date: Wed, 29 May 2013 22:48:02 +0100
Subject: certificat for a key pair
In-Reply-To: <51A65258.9040608@securemecca.net>
References: <51A59C36.3050606@gmx.fr> <51A65258.9040608@securemecca.net>
Message-ID: <51A67792.8050903@rainydayz.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Henry Hertz Hobbit wrote:
> On 05/29/2013 06:12 AM, edgard devaux wrote:
>> hello using Gnupg with linux debian 7.0 and gnome; i created a
>> key pair. my e-mail client asks me a certificat for personal to
>> sign , and an other certificat for the key. How can i get this
>> certificat for keyring , i don't find where . excuse my english
>> (i'm franchman). thanks edgard
> 
> Thunderbird: ============ http://wiki.debian.org/EmailClients
> 
> If you are using Thunderbird, do NOT install enigmail with an 
> apt-get with a sudo!  Also do not set up one common folder but have
> separate email sections for each POP or IMAP email account. Another
> way to add enigmail to Thunderbird:
> 
> https://addons.mozilla.org/fr/thunderbird/addon/enigmail/
> 
> Add it as yourself, not as root.  The apt-get way of doing things
> here may not work.  You end up installing it in the system
> thunderbird (/usr/lib/thunderbird) folder.  You want enigmail
> installed in your ~/.thunderbird folder.
> 
> Once enigmail is installed, you can specify specifically what key
> you want used with each email account by clicking on the email
> account and then view settings then OpenPGP.
> 

I've installed enigmail using apt-get, as recommended by Debian -
otherwise not much point in a .deb package, and it works perfectly.
The advantage of installing this way is that it is installed for all
users and both IceApe and IceDove take advantage of the same installation.

Cheers,

- -- 
Andy Ruddock
- ------------
andy.ruddock at rainydayz.org (OpenPGP Key ID 0xB0324245)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJRpneSAAoJECqtbbewMkJFWkwP/1KnOHDLWRcjZcf9sfov9nDM
GsNjZwknIBYyDc+1qHM5954tKlvBTCD4IlL9LXuE5Oklmzn4wqSPMYEj33PRK1Im
DxLJxMvEpc09NpLAy0x5A+n0p2c3THBNhEQROQ6ePML4bNPXWFhDIWWHetQB53c4
Id7Wjx9pTZToJA2Jn/jyWPRWIkHiVbCkeoL4m3sQ5ZUBN0ZzkOnDBZLGfcwlysSH
sYZf1QSPbPGlt1mxr4k4r9ZcTLqbZFSuP8Om5W8+UIFYFV4YC1X+u7Ro1dF8tE+9
QENY9qdzJlAok6wTsUhAUBcZTKUJOQnPFXAcLPQN+bYCGbaxtaBy0BjcpCEIURrK
JEDOdWXdujDTtMNMIm2r8lqxOJN51pIzu9HRJ5CAYKBgDnnBA4tBLJz90n7t4nbF
fdYBpav6OgfZH/3tXUsfOZw+g1cjVUEr4ua3JcYBRIRa+gxpGba7cRzkqtrS35gZ
SW89SpTGQq2gnhTqppjsoWtLkgsCBOhGvxlhcUyFtUzc5yVJQDWLl7c63IJyolPq
/vD79TjBDYviw43XgytqK6vNqylPUu+YwK9j6gREkZLE8MyonBFW6mvnpjuFqiDq
1IjuE5TZY/RtSPgEzZdCLiHII4m1C3PeH/U8kwe9g+DPwPDP/sQyZpfinAdPTjF4
k6+Sg4a7g4FRiqNDXeNh
=d1Im
-----END PGP SIGNATURE-----


From holtzm at cox.net  Thu May 30 05:18:30 2013
From: holtzm at cox.net (Robert Holtzman)
Date: Wed, 29 May 2013 20:18:30 -0700
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A51F41.6020402@securemecca.net>
References: <519DF443.6080206@riseup.net> <51A1E8EA.4010201@riseup.net>
 <51A20FC0.70600@caf.com.tr>
 <5077078.WVLqJge6PX@inno.berlin.laging.de>
 <51A23A56.8040902@sixdemonbag.org>
 <20130528132256.GA15419@IUPUI.Edu> <51A4D87D.2070303@gmail.com>
 <51A51F41.6020402@securemecca.net>
Message-ID: <20130530031830.GA4041@cox.net>

On Tue, May 28, 2013 at 09:18:57PM +0000, Henry Hertz Hobbit wrote:
> to use email no longer use it.  Unless a way to get rid of the
> spam can be devised only a few stalwarts that MUST use email
> will use it.  But I dumped Gnome 3 entirely after looking at
> OpenSuSE 12.3 with Gnome as the last straw because I could only
> use Firefox and LibreOffice.  

Just as an aside, I have, among others, ubuntu 12.04 on my box running
straight Gnome3. Chromium runs without a hitch. No time to check
different mail clients. Which one were you trying to install?

If what you say is true, it sounds like a Suse problem, not a Gnome one.

-- 
Bob Holtzman
If you think you're getting free lunch, 
check the price of the beer.
Key ID: 8D549279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From hhhobbit at securemecca.net  Thu May 30 08:28:55 2013
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu, 30 May 2013 06:28:55 +0000
Subject: certificat for a key pair
In-Reply-To: <51A65689.9020300@dougbarton.us>
References: <51A59C36.3050606@gmx.fr> <51A65258.9040608@securemecca.net>
 <51A65689.9020300@dougbarton.us>
Message-ID: <51A6F1A7.5000000@securemecca.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/29/2013 07:27 PM, Doug Barton wrote:
> On 05/29/2013 12:09 PM, Henry Hertz Hobbit wrote: | On 05/29/2013
> 06:12 AM, edgard devaux wrote: |> hello using Gnupg with linux
> debian 7.0 and gnome; i created a |> key pair. my e-mail client
> asks me a certificat for personal to |> sign , and an other
> certificat for the key. How can i get this |> certificat for
> keyring , i don't find where . excuse my english |> (i'm
> franchman). thanks edgard | | Thunderbird: ============
> http://wiki.debian.org/EmailClients | | If you are using
> Thunderbird, do NOT install enigmail with an | apt-get with a sudo!
> Also do not set up one common folder but have | separate email
> sections for each POP or IMAP email account. Another | way to add
> enigmail to Thunderbird: | |
> https://addons.mozilla.org/fr/thunderbird/addon/enigmail/ | | Add
> it as yourself, not as root.  The apt-get way of doing things |
> here may not work.  You end up installing it in the system |
> thunderbird (/usr/lib/thunderbird) folder.  You want enigmail |
> installed in your ~/.thunderbird folder. | | Once enigmail is
> installed, you can specify specifically what key | you want used
> with each email account by clicking on the email | account and then
> view settings then OpenPGP.
> 
> That advice is contrary to the conventional wisdom, which is to
> use the same method to install Enigmail that you use to install 
> Thunderbird (i.e., apt-get + apt-get, or manually + manually). Can
> you please explain your reasoning here?

First, whose advice?  I was advised to blacklist nouveau with
a certain file on OpenSuSE 11.4 that didn't exist because Linux
cannot upgrade the video drivers when you install a new video
card so I had to do the upgrade manually as it always has been
done.  Hint:  look for a file with the pattern "blacklist" in
the /etc/modprobe.d/ folder and put the "blacklist nouveau" in
that file to get it to accept the new Nvidia driver - similarly
for Ubuntu which is Debian based for 10.04:

http://securemecca.com/public/DemingLinux/OpenSuseNvidia.txt
http://securemecca.com/public/DemingLinux/UbuntuNvidia.txt

OpenSuSE also installed the clamav program without creating
the requisite clamav group and clamav user (it really IS
necessary).  Ergo, much advice while being given with good
intentions is wrong.  Sometimes that wrong hurts and some
times it doesn't hurt.

In the case of adobe flash Player, just like downloading  my
video drivers files from either the chip creator or the video
card creator it hurts.  For Windows it doesn't hurt too bad
unless you are a gamer.  The drivers from Micorosoft are at
least 3 months and most likely 6 months to a year older than
what you get from the chip vendor.  For adobe flash player you
get a convoluted list of symlink files and no way to backroll
to the previous flash player because of lib or other problems,
with the Ubuntu update not supplying the update anyway.  So I
do it myself:

http://www.adobe.com/
(click on flash player under downloads)
http://securemecca.com/public/UbuntuFlashInstall-11.txt

Now I can backroll if needed.  Sysadmins for even small Linux
shops will set up a symlink on each machine in the plugins
to point to yet another symlink on a UFS mount.  They then
just remove and re-establish the symlink on the NFS mount to
point to the new flash player.  If they run into problems they
just point the symlink on the UFS mount back to the old binary.
That beats the convoluted mess I saw employed by Ubuntu where
they even had links going through /etc for flash player. Ubuntu
doesn't want to handle the flash player anyway since it is
licensed by Adobe.

In the case of enigmail, it is an add-on and like Firefox the
enigmail is just an XPI install file. Just like the XPI installs
got Adblock Plus (ABP), Cookie-Safe, and other Firefox add-ons
which are installed into ~/.mozilla/firefox, by Firefox, the
enigmail XPI install add-on gets installed into ~/.thunderbird
by Thunderbird.  That is the proper way to do it.

That is how I did it with OpenSuSE 11.4 which is an RPM based
Linux.  This time around I just closed Thunderbird on OpenSuSE,
removed all the files in ~/.thunderbird/${HASH}.default/Cache,
then made a backup:

$ cd ; umask 077 ; rm /home/backups/${USERNAME}/thunderbird.7z
$ 7za a -p /home/backups/${USERNAME}/thunderbird.7z ./.thunderbird
(this zips it with an AES-128 encryption - supply password)

I installed Thunderbird on Ubuntu 10.04 (the end of the line)
via Synaptic Package Manager.  I then copied the thunderbird.7z
file onto a flash drive and from it onto the Ubuntu machine which
had an older version of Thunderbird.  I then unzipped it into
the ${HOME} folder.  When Thunderbird started it automatically
checks and in that case backrolled to the previous version of
enigmail because of an older version of thunderbird.  Two days
later Ubuntu upgraded Thunderbird with me closing the Thunderbird
program first via the File - Quit method.  If you click on the
X icon Thunderbird may continue to run during the upgrade!  When
I started Thunderbird again it updated enigmail to the newer
version of enigmail.  Where did the enigmail downgrade and
upgrade come from?  The Mozilla distributed mirror download
servers.  You are going to get the proper version of enigmail
from them eventually so why not start there in the first place?
That is what the RPM based distros do anyway.  They consider it
safe enough and so do I. Debian was royally hacked years ago and
even linux.org (where the kernel is) was hacked a year or so
ago.  I haven't heard of the Mozilla mirrors being hacked but
it is possible. Even then you are depending on randomly
getting the bad enigmail XPI file from the hacked mirror server.
You are much more likely to get the new one.

Actually I regularly zip the ~/.thunderbird folder and transfer
it to ,y other machine to keep both versions in sync.
Thunderbird has never failed in older ---> newer.  It may fail
if you do a newer ---> older but only if the older version of
Thunderbird doesn't know what to do with a newer files.  I of
course move ~/.thunderbird to ~/zzz.thunderbird before putting
the new  files from the other machine in place.  This sneaker-net
synchronization has never failed.  You would probably turn
pale at doing it.  Me?  I have redundant mail on two systems in
case one machine fails (which has happened).  That is infinitely
more important than worrying how enigmail got installed into
my ~/.thunderbird folder.  If you want to use apt-get go ahead
but don't blame me when you shift to an RPM based Linux distro
and have to do it the Mozilla way anyway.

Oh yes, I have been using Unix since the 1970s, and have been a
Unix admin since the 1980s.  I can do things like re-establishing
/dev/null which may turn you pale when it gets lost by a Linux
install.  Why does Linux lose it when I have never had real Unix
lose it?  I don't know.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQEcBAEBCAAGBQJRpvGnAAoJEMhFIk/IOUbwTeQH/iQf/RBmmIrAe0PjRwdn6Egs
qB8ckSBVLMrG0FhexErnIjwCf6T57SrpXLJ5Ja486sz9Va6ftJVMhGz321WCM28y
6xllg9aD464MdKMZvF4jaQZ55xwUzef3yqKn2++oifsmRhp91WqZ3pGI2ZPTm/LB
z43BR1xa9X1GAnIxNiwsRzRyUwhHZ3IJbrPmjNi6o1fs3BeL7ro+J5pzUkRbtkw1
koJVgAo/CSlcxH+e52miYpAPg4A02s06p7zhjJQZVuld7jUc6YFZMyY192nZ2++x
5YZ48XC7vQAI/pQ2zacJe8DT+H+/BOBeUpDckIkIy4RHAwxzbkkkQzIZTaDMABA=
=judH
-----END PGP SIGNATURE-----


From dougb at dougbarton.us  Thu May 30 08:32:14 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 29 May 2013 23:32:14 -0700
Subject: certificat for a key pair
In-Reply-To: <51A6F1A7.5000000@securemecca.net>
References: <51A59C36.3050606@gmx.fr> <51A65258.9040608@securemecca.net>
 <51A65689.9020300@dougbarton.us> <51A6F1A7.5000000@securemecca.net>
Message-ID: <51A6F26E.50805@dougbarton.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/29/2013 11:28 PM, Henry Hertz Hobbit wrote:
| First, whose advice?

The advice of the people who actually write Enigmail. All of your
irrelevant stuff aside, you still haven't explained yourself.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCAAGBQJRpvJuAAoJEFzGhvEaGryEQp4H/jAYhGhep1wzrUiZCvpWJ/MD
b/eg4Gm2S1NYac/TIsuUO6wOJLT3m0XF2bK6QgB6jp+bQnlLkQaLfKZpARE3xtBa
ANRzfqj/IF4DggBsu64R78JN7g1PoQrC6qAltK1BZFEkSqZ0Z+lE/+dkhWzKBJaa
YM7M+3HFsBSIXgr356WQfCl1DmUdRGrt3cYxVAPOAKtCvLRmcInCKAGrcartV8Ob
l6V9HrdeOkjjYfkEZgnG0VE2nectnWFBVri/1oE/iXLp2ZNBLkl/ZTxM0L1t/NMg
dyXfJo8qyZnKvFtVJFIl9SzupMAqRZAKtN9bmG+AKfrqzFdsKOeIypFcZyW+/4U=
=2Wat
-----END PGP SIGNATURE-----


From nobody at dizum.com  Thu May 30 09:21:32 2013
From: nobody at dizum.com (Nomen Nescio)
Date: Thu, 30 May 2013 09:21:32 +0200 (CEST)
Subject: [OT] Why are you using the GPG / PGP keys?
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
Message-ID: <01944c2fae8fd94069ed9eb8c0d275a7@dizum.com>


"Robert J. Hansen"  wrote:

> Not even then.  "Plausible deniability" is a myth, an ephemera.  One
> person may believe your denials; another may not.  Whether they
> believe you will have much more to do with how honest you've been the
> rest of the time than with the particulars of cryptography you're
> using.  The jury isn't going to be technically skilled.  Rather than
> evaluate technology in a dry and strictly logical sense, they're
> going to look at your performance on the witness stand and, from
> that, decide whether to believe your denials.  

An example is a bomb threat sent via anonymous remailer.  Lacking other
information or evidence (such as hacked computer, hidden camara, etc), a
reasonable doubt would exist to a jury.

Plausible deniability is still something to shoot for, because in the
WORST case, it is plausible/possible/likely you sent the
message, and in the best and average case, you have complete
anonymity.  Where as if you use a medium without plausible deniability
property, the WORST/AVERAGE case is near certainty, and BEST case is
likely.




From zece at riseup.net  Thu May 30 13:17:02 2013
From: zece at riseup.net (Zece Anonimescu)
Date: Thu, 30 May 2013 11:17:02 +0000
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <01944c2fae8fd94069ed9eb8c0d275a7@dizum.com>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <01944c2fae8fd94069ed9eb8c0d275a7@dizum.com>
Message-ID: <51A7352E.1010006@riseup.net>

Nomen Nescio:
> Plausible deniability is still something to shoot for, because in the
> WORST case, it is plausible/possible/likely you sent the
> message, and in the best and average case, you have complete
> anonymity.  Where as if you use a medium without plausible deniability
> property, the WORST/AVERAGE case is near certainty, and BEST case is
> likely.

That WAS true. In a time before the legislation against terrorism. And
IF you had nothing to do with the (ridiculous name, heh?) intelligence.

Me thinks the difference is the people never bother to think the
concepts all the way. So it can be PLAUSIBLE DENIABILITY (PD) with
certain organisations which are willing to let go because they are
swamped in cases or the particular agent handling your case is quite
lazy. But it can also mean it can mean PLAUSIBLE GUILTY (PG). And while
PD works only once, PG can go ad infinitum. And don't forget there are
some organisations which activate worldwide for which any suspicion
means guilty without any respect for the facts.


From ndk.clanbo at gmail.com  Thu May 30 17:06:52 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Thu, 30 May 2013 17:06:52 +0200
Subject: [OT] Why are you using the GPG / PGP keys?
In-Reply-To: <51A7352E.1010006@riseup.net>
References: <519DF443.6080206@riseup.net> <519E8928.6040103@sixdemonbag.org>
 <01944c2fae8fd94069ed9eb8c0d275a7@dizum.com> <51A7352E.1010006@riseup.net>
Message-ID: <51A76B0C.5030906@gmail.com>

Il 30/05/2013 13:17, Zece Anonimescu ha scritto:

> Me thinks the difference is the people never bother to think the
> concepts all the way. So it can be PLAUSIBLE DENIABILITY (PD) with
> certain organisations which are willing to let go because they are
> swamped in cases or the particular agent handling your case is quite
> lazy. But it can also mean it can mean PLAUSIBLE GUILTY (PG). And while
> PD works only once, PG can go ad infinitum. And don't forget there are
> some organisations which activate worldwide for which any suspicion
> means guilty without any respect for the facts.
That's why I don't like protocols requiring 'random' numbers: everything
'random' could actually be encrypted data to be used for a
steganographic side channel...

BYtE,
 Diego.


From bigras.bruno at gmail.com  Thu May 30 15:54:33 2013
From: bigras.bruno at gmail.com (Bruno Bigras)
Date: Thu, 30 May 2013 09:54:33 -0400
Subject: 'gpg-connect-agent KEYINFO --list' empty with OpenPGP smartcard
Message-ID: 

Hi,

I'm trying to use
https://gitorious.org/gnuk/gnuk/blobs/master/tool/pageant_proxy_to_gpg.py
to use Putty with my OpenPGP 2.0 smartcard on Windows but the script
fails when trying to get data from the gpg-agent with 'KEYINFO --list
--data'.

"KEYINFO --list --data" seems to only returns 'OK' even if I see my
smartcard with 'gpg2 --card-status' and I can use it to encrypt and
sign stuff. I don't know what the command should do but I guess it
should list my keys.

My key size is 4096

On Windows :
gpg (GnuPG) 2.0.19 (Gpg4win 2.1.1-34299-beta)
gpg-agent (GnuPG) 2.0.19 (Gpg4win 2.1.1-34299-beta)

gpg-agent is started automatically by Kleopatra.

C:\Users\bbigras>gpg-connect-agent -v "KEYINFO --list --data"
gpg-connect-agent: connection to agent established
OK
>

On Debian :
gpg (GnuPG) 2.0.19
gpg-agent (GnuPG) 2.0.19

To run the agent I have the following in ~/.profile:
eval $(gpg-agent --enable-ssh-support --daemon)

bruno at debian:~$ gpg-connect-agent -v "KEYINFO --list --data"
gpg-connect-agent: connection to agent established
OK
>

dmesg :
[   40.625537] usb 2-2: new full-speed USB device number 3 using ohci_hcd
[   41.157954] usb 2-2: New USB device found, idVendor=08e6, idProduct=3438
[   41.157958] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   41.157971] usb 2-2: Product: USB SmartCard Reader
[   41.157972] usb 2-2: Manufacturer: Gemalto
[   41.157973] usb 2-2: SerialNumber: 386B8D90
[   41.169691] WARNING! power/level is deprecated; use power/control instead


Any ideas?

Thanks,

Bruno