GNUPG 1.0

Zygo Blaxell eayhfhbo@umail.corel.com
Thu, 25 Nov 1999 16:52:11 GMT


Signed message created at Thu Nov 25 11:52:01 1999 by zblaxell@lain

[ Sorry for answering a FAQ, but I'd like to know how well I really know
this stuff ;-) ]

On Wed, 24 Nov 1999 19:30:42 -0800 (PST), Todd A. Jacobs <nospam@codegnome.org> wrote:

>On Sun, 21 Nov 1999 erikg@nbnet.nb.ca wrote:
>
>> something, someone that has my public key but let's say is running PGP
>> whatever version, they *can* decrypt my messages right?
>
>Only the owner of the secret key can decrypt a message once it has been
>encoded for that key. In short, the answer is "no."

But perhaps erikg meant to ask a different question: If someone is
running PGP whatever version, and you send them an encrypted message
with their public key, can they decrypt it?

If you can get an implementation of RSA and IDEA from somewhere and load
it into GnuPG as an extension, theoretically you can do this.
Supposedly, you can send a PGP message to someone with a PGP version 2.x
public key like this:

    gpg --load-extension idea --load-extension rsa --rfc1991 \
        --digest-algo md5 --cipher-algo idea \
        --encrypt --recipient <user ID> message-file.txt

However, I just tested this with PGP 2.6.3a, and it didn't work. I
created a new user account (so there's no user-specific configuration
lying around), generated a passphrase-less PGP key, exported the public
key from PGP, imported it into GPG, then tried to generate an encrypted
message with GPG and decrypt it with PGP. Everything went well except
for decrypting it:

    $ pgp -d test
    Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.
    (c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04
    Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
    Distributed by the Massachusetts Institute of Technology.
    Export of this software may be restricted by the U.S. government.
    Current time: 1999/11/25 16:07 GMT
    File is encrypted. Secret key is required to read it.
    Key for user ID: John Q. Smith <12345.6789@compuserve.com>
    1024-bit key, key ID C47E0345, created 1999/11/25
    Advisory warning: This RSA secret key is not protected by a passphrase.
    Just a moment....
    Error: Decrypted plaintext is corrupted.
    .
    For a usage summary, type: pgp -h
    For more detailed help, consult the PGP User's Guide.

If someone wants to look at this, secret keys and all (I generated the
secret keys only for the purpose of this test--normally I don't use PGP
at all), let me know.

>> really understand the trust thing.. I typed gpg --edit-key Acid-Duck
>
>You assign trust based on how much you trust the owner of the key to
>authenticate other keys.

Trust is a measure of whether or not you believe that the key belongs to
a particular person.

Mallory could generate a key with "Acid-Duck" and an email address in
the user ID (not the same key data as the one you generated, but key
data with the same name attached), and give it to Bob. If Bob encrypts a
message with that key, Mallory (and only Mallory) can read it. Mallory
might pass the message along to you with your public key, and Mallory
might even pull the same trick on you so that when you send mail to Bob,
Mallory can read it. As long as you and Bob never verify each other's
keys, you'll never know that Mallory reads all your mail.

If you trust Alice, you can tell gpg that you want gpg to trust Alice's
key (by signing it with your key), as well as any key signed by Alice.
If Alice also signs Bob's real key, then you can tell the difference
between Bob's real key, and the fake key with the same user ID generated
by Mallory.

AFAICT, this doesn't change very much of GPG's behavior...it will still
verify signatures and return 0 exit status, even for untrusted keys.
However, GPG will give you warning messages, and it will prompt you if
you attempt to send a message to an untrusted key. For people writing
wrappers around GPG (e.g. mail programs and GUIs), GPG will also output
information on --status-fd about the GPG computed trust value.

-- 
I don't speak for Corel. zygob@corel.ca at work, zblaxell@furryterror.org at play.
GPG-encrypted email preferred at zblaxell@feedme.hungrycats.org
GPG @ Home fingerprint: 2B32 546D 21A5 0DB2 20C8 AF10 1D4A 610E 6972 2DEE
GPG @ Work fingerprint: CC25 D214 1B4B 2767 51B9 51E5 58DD 13B9 875B C08E

--
The address in the headers is not the poster's real email address. Do
not send private mail to the poster using your mailer's "reply" feature.
CC's of mail to mailing lists are OK. Problem reports to
"postmaster@umail.corel.com". The poster's email address is
"zblaxell@lain.wine.lnx".
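
Added example (not part of the original post, and not GnuPG's own code): the last point in the message, that gpg exits 0 for a good signature even from an untrusted key, means a wrapper has to read the trust value from --status-fd itself. The Python below does that over constructed status lines; the key IDs, the example.org address and the function names are assumptions made for illustration.

```python
PREFIX = "[GNUPG:] "
TRUST_RANK = {"TRUST_NEVER": 0, "TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}

def parse_status(text):
    """Return (keyword, args) pairs for status lines; other output is ignored."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events

def judge_signature(status_text, exit_code, minimum="TRUST_FULLY"):
    """Decide whether a wrapper should present a signature as authentic."""
    events = parse_status(status_text)
    keywords = [k for k, _ in events]
    if exit_code != 0 or "BADSIG" in keywords or "ERRSIG" in keywords:
        return "reject: signature did not verify"
    good = [args for k, args in events if k == "GOODSIG"]
    if len(good) != 1:
        return "reject: expected exactly one GOODSIG"
    trust = [k for k in keywords if k in TRUST_RANK]
    # A missing TRUST_* line is treated as an unknown key, never as success.
    level = min(trust, key=TRUST_RANK.get) if trust else "TRUST_UNDEFINED"
    signer = " ".join(good[0][1:])
    if TRUST_RANK[level] < TRUST_RANK[minimum]:
        return f"warn: good signature, but key for {signer!r} is {level}"
    return f"accept: good signature from {signer!r} ({level})"

# Constructed samples: the same user ID on two different keys, as in the
# Bob/Mallory scenario. Both runs would exit 0.
BOB_REAL = """[GNUPG:] GOODSIG 1111111111111111 Bob <bob@example.org>
[GNUPG:] TRUST_FULLY
"""
MALLORY_FAKE = """gpg: WARNING: This key is not certified with a trusted signature!
[GNUPG:] GOODSIG 2222222222222222 Bob <bob@example.org>
[GNUPG:] TRUST_UNDEFINED
"""
TAMPERED = "[GNUPG:] BADSIG 1111111111111111 Bob <bob@example.org>\n"

if __name__ == "__main__":
    for name, text, code in (("real", BOB_REAL, 0), ("fake", MALLORY_FAKE, 0),
                             ("tampered", TAMPERED, 1)):
        print(name, "->", judge_signature(text, code))
```

The user ID shown for the real and the fake key is identical; only the trust line tells them apart, which is why the exit status alone is not enough for a mail program or GUI.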