From jharris at widomaker.com Sun May 1 22:20:40 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sun May 1 22:16:58 2005
Subject: new (2005-05-01) keyanalyze results (+sigcheck)
Message-ID: <20050501202040.GK356@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2005-05-01/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From wolfgang.rosenauer at an-netz.de Mon May 2 11:37:17 2005
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Mon May 2 12:33:09 2005
Subject: OpenPGP smartcard - authentication key
Message-ID: <4275F4CD.7000107@an-netz.de>

Hi,

a little off-topic but maybe someone has some hints.

As far as I understood it should be possible to save a SSH RSA key to
the OpenPGP smartcard as authentication key.
If this is true, how can this be done?

Wolfgang

From wolfgang.rosenauer at an-netz.de Mon May 2 11:34:58 2005
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Mon May 2 12:33:14 2005
Subject: gpg --change-pin doesn't work for me
Message-ID: <4275F442.6020408@an-netz.de>

Hi,

I've got a new OpenPGP Smartcard and was able to add my GPG subkeys to it.
But I can't change my pin via gpg --change-pin.
I enter my old pin and my new pin twice but afterwards get only
"Error changing the PIN: Allgemeiner Fehler".

The GPG version is 1.4.0.

Any ideas what the problem could be or recommendations how to find the
cause for the problem?

Wolfgang

From mk at fsfe.org Mon May 2 12:58:21 2005
From: mk at fsfe.org (Matthias Kirschner)
Date: Mon May 2 12:54:31 2005
Subject: gpg --change-pin doesn't work for me
In-Reply-To: <4275F442.6020408@an-netz.de>
References: <4275F442.6020408@an-netz.de>
Message-ID: <20050502105821.GI6409@mbwg.de>

Hi Wolfgang,

which smartcard reader are you using?

* Wolfgang Rosenauer [2005-05-02 11:34:58 +0200]:
> The GPG version is 1.4.0.

Can you try GnuPG 1.4.1 + patch as described here
http://www.gnupg.org/(en)/howtos/card-howto/en/ch02.html#id2464693

Best wishes,
Matze

--
Join the Fellowship and protect your freedom! (http://www.fsfe.org)

From wolfgang.rosenauer at an-netz.de Mon May 2 13:42:14 2005
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Mon May 2 13:38:28 2005
Subject: gpg --change-pin doesn't work for me
In-Reply-To: <20050502105821.GI6409@mbwg.de>
References: <4275F442.6020408@an-netz.de> <20050502105821.GI6409@mbwg.de>
Message-ID: <42761216.6020000@an-netz.de>

Matthias Kirschner wrote:
> which smartcard reader are you using?

this error I get with a Towitoko chipdrive micro.
I can test with a Reiner SCT cyberjack at home.

> * Wolfgang Rosenauer [2005-05-02 11:34:58 +0200]:
>
>>The GPG version is 1.4.0.
>
> Can you try GnuPG 1.4.1 + patch as described here
> http://www.gnupg.org/(en)/howtos/card-howto/en/ch02.html#id2464693

will try that soon.

Thanks,
Wolfgang

From wk at gnupg.org Mon May 2 15:13:58 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon May 2 15:11:06 2005
Subject: gpg --batch --no-tty --gen-key
In-Reply-To: <4279.wolfe.1114848229.squirrel@mail.riseup.net> (wolfe@riseup.net's message of "Sat, 30 Apr 2005 01:03:49 -0700 (PDT)")
References: <4279.wolfe.1114848229.squirrel@mail.riseup.net>
Message-ID: <87acndixd5.fsf@wheatstone.g10code.de>

On Sat, 30 Apr 2005 01:03:49 -0700 (PDT), wolfe said:

> gpg --no-tty --export-secret-keys --armor '$EMAIL' > $IDENT.sec.asc
> gpg --no-tty --export --armor '$EMAIL' > $IDENT.pub.asc

Do you really have a key with the string '$EMAIL' in a user ID? I
guess what you want to use is

  gpg --batch --no-tty --export --armor "$EMAIL" > $IDENT.pub.asc

Note the double quotes.

Salam-Shalom,

   Werner

From wk at gnupg.org Mon May 2 15:16:59 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon May 2 15:16:03 2005
Subject: GPG error code with successful signing operation
In-Reply-To: (Alex L. Mauer's message of "Thu, 28 Apr 2005 00:11:20 -0500")
References:
Message-ID: <8764y1ix84.fsf@wheatstone.g10code.de>

On Thu, 28 Apr 2005 00:11:20 -0500, Alex L Mauer said:

> When GPG is set to use the gpg-agent but the gpg-agent is not available
> (error message "gpg-agent is not available in this session" or "can't
> connect to `/path/to/non-existent-pipe': No such file or directory"), it
> produces a fatal error code of 2 even if the passphrase is successfully

You have set $GPG_AGENT_INFO and --use-agent but for some reasons the
daemon died or is not available. This is indeed something to
investigate and thus flagged as a real error.

Please give version numbers and the exact error strings you see when
sending bug reports.

Shalom-Salam,

   Werner

From davebgimp at gmail.com Mon May 2 15:54:40 2005
From: davebgimp at gmail.com (daveb)
Date: Mon May 2 15:50:56 2005
Subject: Installing GNUPG on a USB Flash drive
Message-ID: <3c8e7d2c0505020654319a2032@mail.gmail.com>

I'm looking to install GNUPG on a 512 meg USB Flash drive. Since I
bounce around between OS's on a daily basis (I use Mac, XP and Linux
on a regular basis), I thought it would be great if I could just
plug it in, navigate via the command line and go. I did a bit of
looking around and have noticed that others have done this. What I'm
looking for is links to possibly a tutorial or any instructions. I'm
mainly an end-user, so this is unfamiliar territory. I understand that
I'll be needing to partition the Flash drive for the different OS's.

Anyway, has anyone done this, or at least installed for one particular
OS? Any info pointing me in the right direction is greatly
appreciated.

Thanks.

From wk at gnupg.org Mon May 2 16:12:33 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon May 2 16:11:05 2005
Subject: OpenPGP smartcard - authentication key
In-Reply-To: <4275F4CD.7000107@an-netz.de> (Wolfgang Rosenauer's message of "Mon, 02 May 2005 11:37:17 +0200")
References: <4275F4CD.7000107@an-netz.de>
Message-ID: <87ll6xhg32.fsf@wheatstone.g10code.de>

On Mon, 02 May 2005 11:37:17 +0200, Wolfgang Rosenauer said:

> As far as I understood it should be possible to save a SSH RSA key to
> the OpenPGP smartcard as authentication key.
> If this is true, how can this be done?

If that is a 1024 bit RSA key, this is indeed possible. The HOWTO
will tell you:

  http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO

In short: Use gpg --edit-key and then the command keytocard. The
problem might be to convert an SSH key to a GnuPG key. There is no
instant solution for 1.4 - with 1.9 and the gpg-agent SSH support is
included and a mere ssh-add will be sufficient; but well the key is
then stored in gpg-agent's own format.

In general I do not suggest to do this at all. Better generate a new
key on-card and use this as your new ssh key. It is pretty simple to
change your ssh key and this allows you to slowly retire your old ssh
key.

Shalom-Salam,

   Werner

From hawke at hawkesnest.net Mon May 2 16:25:51 2005
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Mon May 2 16:33:15 2005
Subject: GPG error code with successful signing operation
In-Reply-To: <8764y1ix84.fsf__11235.1215132096$1115039919$gmane$org@wheatstone.g10code.de>
References: <8764y1ix84.fsf__11235.1215132096$1115039919$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:

> You have set $GPG_AGENT_INFO and --use-agent but for some reasons the
> daemon died or is not available. This is indeed something to
> investigate and thus flagged as a real error.

Certainly it's a real error. But it's not a fatal error, as the gpg man
page states error code 2 to mean. IMO it should have its own error code
so that it can be tested for specifically since error code 2 is too
generic and could signify a bunch of other problems as well.

> Please give version numbers and the exact error strings you see when
> sending bug reports.

Sorry, I missed the version number. Gnupg 1.4.0.

Thanks.

-Alex Mauer "hawke"

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.

gpg/gpg key id: 51192FF2 @ subkeys.pgp.net

From radu.gpg at ohmi.org Mon May 2 15:58:01 2005
From: radu.gpg at ohmi.org (Radu Hociung)
Date: Mon May 2 16:51:59 2005
Subject: GPGME support for expiring signatures
Message-ID: <427631E9.5060606@ohmi.org>

Hello,

I've been looking high and low for a way to set an expiration date on
signatures being generated with GPGME (this would be the equivalent to
--openpgp --ask-sig-expire in gpg), but can't find it.

Is this possible with GPGME, and how is it done?

Thank you kindly,
Radu.

From dgc at uchicago.edu Mon May 2 17:37:19 2005
From: dgc at uchicago.edu (David Champion)
Date: Mon May 2 17:33:18 2005
Subject: Installing GNUPG on a USB Flash drive
In-Reply-To: <3c8e7d2c0505020654319a2032@mail.gmail.com>
References: <3c8e7d2c0505020654319a2032@mail.gmail.com>
Message-ID: <20050502153719.GM10793@monkey.uchicago.edu>

* On 2005.05.02, in <3c8e7d2c0505020654319a2032@mail.gmail.com>,
* "daveb" wrote:
> looking around and have noticed that others have done this. What I'm
> looking for is links to possibly a tutorial or any instructions. I'm

I don't have this, I'm afraid. However:

> mainly an end-user, so this is unfamiliar territory. I understand that
> I'll be needing to partition the Flash drive for the different OS's.

I've not needed to partition the drive. I made some efforts early on to
partition it with both a Mac and a PC partition table. I believe this
should be possible as they occupy different parts of the disk, and one
can craft the ptables so as to avoid one another, but in the end it just
wasn't worth the effort. The Mac can read the USB drive if it's
partitioned as a single FAT32/VFAT partition, so I just do that. This
has the advantage also of allowing me a single keystore for all the
operating systems.

I've set up my USB drive with some subdirectories:

    .../bin
    .../arch/Darwin
    .../arch/Linux
    .../arch/OpenBSD
    .../arch/FreeBSD

["..." is the mountpoint of the USB drive on whatever system I'm using.]

Inside each of the arch/* directories are gpg executables for each
system type, as well as whatever shared libraries (*.so or *.dylib) the
executable needs to run. In general I've compiled the gpg executables
statically, so they don't need shared libs, but in some cases I did not.

In .../bin I have a script called "wrapper". There are also files named
"gpg", "gpgsplit", and "pgpring". These are copies of "wrapper", since
FAT32 doesn't support symbolic links. I've attached the "wrapper"
script to this mail.

The effect of all this is that if I call .../bin/gpg with its path, it
figures out where it is and what system type it's on, adds the
arch/${SYSTEM} directory to LD_LIBRARY_PATH or DYLD_LIBRARY_PATH, and
runs the "real" gpg executable from the same location.

This has gotten me all the multiplatform function I wanted from the USB
drive, with a single keystore also residing on the drive. I also don't
need to depend on the integrity of the gpg executables or libraries on
the host system.

This isn't perfect, and I'm sure someone out there is happy to point out
some of the flaws in this system. They're correctible, if you're really
worried -- the problems are in the implementation, not the concept. If
I get worried I'll rewrite the wrapper.

--
 -D.    dgc@uchicago.edu    NSIT    University of Chicago
-------------- next part --------------
#!/bin/sh

## Get system type
uname=${UNAME-`uname -s`}

## Find my directory's parent directory
dir=`dirname "$0"`
if [ "$dir" = "." ]; then
    parent=..
else
    parent=`dirname "${dir}"`
fi
arch=${parent}/arch/${uname}

## If asked to link programs, link them to wrapper -- but don't
## link wrapper to wrapper, that could be trouble on some planets.
if [ "$1" = "link" ]; then
    shift
    for file in "$@"; do
        [ ! "${file}" = "wrapper" ] && cp -fp "$0" "${dir}/${file}"
    done
    exit
fi

## Find the basename being executed. If it's "wrapper", then shift
## ahead to the next word and use that. So you can run "gpg --list-keys"
## either by linking/copying "wrapper" to "gpg", or by executing
## "wrapper gpg --list-keys".
exec=`basename "$0"`
if [ "${exec}" = "wrapper" ]; then
    exec="$1"
    shift
fi

## Force in preloading library paths, in case we have shared libraries
## in arch directory we favor over native ones. DYLD_* is for BSDish
## things, including Darwin/MacOS X. LD_* is for other things.
DYLD_LIBRARY_PATH=${arch}
if [ -n "${LD_LIBRARY_PATH}" ]; then
    ## Prepend the arch directory; search path entries are ":"-separated.
    LD_LIBRARY_PATH=${arch}:${LD_LIBRARY_PATH}
else
    LD_LIBRARY_PATH=${arch}:/lib:/usr/lib:/opt/lib:/usr/local/lib
fi
export DYLD_LIBRARY_PATH LD_LIBRARY_PATH

## Finally, exec the real program.
exec "${arch}/${exec}" --homedir="`pwd`" --lock-never --no-permission-warning "$@"

From matthew.east at breathe.com Tue May 3 05:06:25 2005
From: matthew.east at breathe.com (Matthew East)
Date: Tue May 3 05:59:29 2005
Subject: 2 noob problems
Message-ID: <1115089586.7258.10.camel@localhost.mdke>

Hello,

I am a relative newcomer to the world of GPG and I seek some help on a
couple of problems I have.

First, when searching for keys on keyservers (I've tried the one
supplied by default with gpg as well as pgp.mit.edu) using the "gpg
--search-keys" command, it just sits there for ages without doing
anything. I have the agent enabled via evolution as well and that is
also just sitting there without finding the key. Can anyone help? It
would be much appreciated. Sometimes it seems to work, but sometimes
not, and I have no idea why.

The other thing is that, given that I am a beginner, I have self-signed
my key a few times and then deleted the signature, when I was
discovering how everything worked. Now I've discovered that my key
appears like this (despite the fact that it seems fine if I check it
locally):

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x0E6B06FF

Is there anything I can do about this?

many thanks indeed,

--
Matthew East
matthew.east@breathe.com

From linux at codehelp.co.uk Tue May 3 10:00:25 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Tue May 3 09:55:49 2005
Subject: 2 noob problems
In-Reply-To: <1115089586.7258.10.camel@localhost.mdke>
References: <1115089586.7258.10.camel@localhost.mdke>
Message-ID: <200505030900.28847.linux@codehelp.co.uk>

On Tuesday 03 May 2005 4:06 am, Matthew East wrote:
> First, when searching for keys on keyservers (I've tried the one
> supplied by default with gpg as well as pgp.mit.edu) using the "gpg
> --search-keys" command, it just sits there for ages without doing
> anything.

What command are you using? Search by keyid where possible or at least by
something that's likely to be uncommon, like the email address. Don't
underestimate how many keys are out there.

> I have the agent enabled via evolution as well and that is
> also just sitting there without finding the key. Can anyone help?

Can you connect to the keyserver at all? This could be a network problem or a
firewall problem.

Try --recv-key with your keyid.

> The other thing is that, given that I am a beginner, I have self-signed
> my key a few times and then deleted the signature, when I was
> discovering how everything worked. Now I've discovered that my key
> appears like this (despite the fact that it seems fine if I check it
> locally):

Keyservers don't delete signatures so every time you self-sign, it remains on
the keyserver. Deleting the signature once a key has been sent to a keyserver
is pointless because refreshing the key will always import all the old
signatures.

> Is there anything I can do about this?

Don't send test keys to keyservers!

Revoke this key and start again with a new one. If you want to do more local
testing, use a second key that you never send to a keyserver.

Keyservers exist for the benefit of others, not for your test purposes. The
keys are there to help other people verify and sign your key.

--

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

From ts at musketa.de Tue May 3 10:34:28 2005
From: ts at musketa.de (Daniel Musketa)
Date: Tue May 3 11:24:22 2005
Subject: decrypting large files failes
Message-ID: <42773794.6000605@musketa.de>

Hello,

I get the following error while trying to decrypt a file (using gnupg
1.4.0 on Win2k):

gpg: packet(6) with unknown version 207
gpg: Warnung: Verschlüsselte Botschaft ist manipuliert worden!
gpg: packet(1) with unknown version 22

The file size is 4.5 GB. The first part (with some gpg files only 500
MB, with others 2 GB) is decrypted correctly.

Decrypting smaller files works fine.

Is there a size limit for creating gpg files?

From wolfgang.rosenauer at an-netz.de Tue May 3 14:56:45 2005
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Tue May 3 14:52:35 2005
Subject: OpenPGP smartcard - authentication key
In-Reply-To: <87ll6xhg32.fsf@wheatstone.g10code.de>
References: <4275F4CD.7000107@an-netz.de> <87ll6xhg32.fsf@wheatstone.g10code.de>
Message-ID: <4277750D.5010101@an-netz.de>

Werner Koch wrote:

> If that is a 1024 bit RSA key, this is indeed possible. The HOWTO
> will tell you:
>
> http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO
>
> In short: Use gpg --edit-key and then the command keytocard. The
> problem might be to convert an SSH key to a GnuPG key. There is no
> instant solution for 1.4 - with 1.9 and the gpg-agent SSH support is
> included and a mere ssh-add will be sufficient; but well the key is
> then stored in gpg-agent's own format.
>
> In general I do not suggest to do this at all. Better generate a new
> key on-card and use this as your new ssh key. It is pretty simple to
> change your ssh key and this allows you to slowly retire your old ssh
> key.

OK, I've generated an authentication key within GPG on the card.
Now there are some questions left ;-)
How to get this special public key out of the complete public-key of
this GPG ID?
I've tried gpg -a --export KEYID but I'm not sure if this is the
correct format for SSH usage.

The other thing is (more an OpenSSH question) how to tell openssh to
use the key from the card?

Thanks,
Wolfgang

From DBSMITH at OhioHealth.com Tue May 3 14:57:01 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue May 3 14:52:48 2005
Subject: decrypting large files failes
In-Reply-To: <42773794.6000605@musketa.de>
Message-ID:

If you do not get a resolution within gpg, then you could "split" the file,
using split on the command line. This will divide the file in 2.

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

Daniel Musketa
Sent by: gnupg-users-bounces@gnupg.org
05/03/2005 04:34 AM

To: gnupg-users@gnupg.org
cc:
Subject: decrypting large files failes

Hello,

I get the following error while trying to decrypt a file (using gnupg
1.4.0 on Win2k):

gpg: packet(6) with unknown version 207
gpg: Warnung: Verschlüsselte Botschaft ist manipuliert worden!
gpg: packet(1) with unknown version 22

The file size is 4.5 GB. The first part (with some gpg files only 500
MB, with others 2 GB) is decrypted correctly.

Decrypting smaller files works fine.

Is there a size limit for creating gpg files?

From wk at gnupg.org Tue May 3 15:44:32 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 3 15:41:08 2005
Subject: OpenPGP smartcard - authentication key
In-Reply-To: <4277750D.5010101@an-netz.de> (Wolfgang Rosenauer's message of "Tue, 03 May 2005 14:56:45 +0200")
References: <4275F4CD.7000107@an-netz.de> <87ll6xhg32.fsf@wheatstone.g10code.de> <4277750D.5010101@an-netz.de>
Message-ID: <871x8octkv.fsf@wheatstone.g10code.de>

On Tue, 03 May 2005 14:56:45 +0200, Wolfgang Rosenauer said:

> I've tried gpg -a --export KEYID but I'm not sure if this is the
> correct format for SSH usage.

No, it is not. What you export with this is the entire OpenPGP Key
with primary key, UserIDs and subkeys. And well, it is still an
OpenPGP key.

We do have all the code required spread around in different modules
and thus it will be easy to write a converter; it just needs to get
done.

Moritz, would you mind to write such a tool? I suggest to base it on
the code to read card version 1.0 keys in scdaemon and the ssh code
from the agent. Put this under gnupg/tools/. $ foo shall print the
key in SSH format. Print an error if this key is not suitable for
authentication.

> The other thing is (more an OpenSSH question) how to tell openssh to
> use the key from the card?

This is easier: Just install gnupg 1.9.16, read the manual of the
scdaemon and gpg-agent and enable ssh-support. Works very well,
unless you want to use the reader also with gnupg 1.4 - this won't work
because scdaemon/gpg-agent have exclusive access to the reader. I am
working on this; it will need changes in scdaemon and gpg 1.4.

Salam-Shalom,

   Werner

From wk at gnupg.org Tue May 3 15:48:16 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 3 15:46:05 2005
Subject: decrypting large files failes
In-Reply-To: <42773794.6000605@musketa.de> (Daniel Musketa's message of "Tue, 03 May 2005 10:34:28 +0200")
References: <42773794.6000605@musketa.de>
Message-ID: <87wtqgbeu7.fsf@wheatstone.g10code.de>

On Tue, 03 May 2005 10:34:28 +0200, Daniel Musketa said:

> Is there a size limit for creating gpg files?

In general no. However there might be a problem with the Windows
version. There is a workaround which will work for sure:

  gpg -e <message >message.gpg

  gpg <message.gpg >message

This way gpg does not know about the files but takes any input of any
size and pipes it to the output. Opening the files and the
redirection is done by Windows (cmd.exe).

Shalom-Salam,

   Werner

From folkert at vanheusden.com Tue May 3 17:33:38 2005
From: folkert at vanheusden.com (folkert@vanheusden.com)
Date: Tue May 3 17:29:25 2005
Subject: selecting the preferred UID
Message-ID: <20050503153336.GL17236@vanheusden.com>

Hi,

If I do a list-key on my key:

folkert@keetweej:~$ gpg --list-key 1F28D8AE
pub   1024D/1F28D8AE 2005-01-21
uid   Folkert van Heusden (use this one if you want to reach me at the AMC)
uid   Folkert van Heusden (key used after 2005-01-21)
uid   Folkert van Heusden
uid   Folkert van Heusden (e-mail address at Yacht)
uid   Folkert van Heusden (e-mail address at AMC)
uid   [jpeg image of size 10520]
sub   4096g/E4151B95 2005-01-21

it shows my 'F.J.vanHeusden@amc.uva.nl' as the first UID.
I would like to have my 'folkert@vanheusden.com' as the primary UID.
How can I change this?

Folkert van Heusden

--
Car for sale, see: http://www.vanheusden.com/daihatsu.php
Looking for an IT or Finance job? Mail me for the possibilities.
--------------------------------------------------------------------
UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/)
a try, it brings monitoring logfiles to a different level! See
http://vanheusden.com/multitail/features.html for a feature-list.
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE
Get your PGP/GPG key signed at www.biglumber.com!

From matthew.east at breathe.com Tue May 3 16:24:38 2005
From: matthew.east at breathe.com (matthew.east@breathe.com)
Date: Tue May 3 17:29:30 2005
Subject: 2 noob problems
In-Reply-To:
References:
Message-ID:

> On Tuesday 03 May 2005 4:06 am, Matthew East wrote:
>> First, when searching for keys on keyservers (I've tried the one
>> supplied by default with gpg as well as pgp.mit.edu) using the "gpg
>> --search-keys" command, it just sits there for ages without doing
>> anything.
>
> What command are you using? Search by keyid where possible or at least by
> something that's likely to be uncommon, like the email address. Don't
> underestimate how many keys are out there.

Yeah that's definitely not the problem, I have tried keyids and exact
email addresses.

>> I have the agent enabled via evolution as well and that is
>> also just sitting there without finding the key. Can anyone help?

> Can you connect to the keyserver at all? This could be a network problem or a
> firewall problem.
>
> Try --recv-key with your keyid.

Doesn't work: just sits there. I also think it must be network related.
AFAIK my firewall doesn't restrict any outgoing packets, could it be my
ISP? Is there any way I can test? The crazy thing is that in the past
sometimes it has worked. But I have no idea what has caused it to stop
working.

>> The other thing is that, given that I am a beginner, I have self-signed
>> my key a few times and then deleted the signature, when I was
>> discovering how everything worked. Now I've discovered that my key
>> appears like this (despite the fact that it seems fine if I check it
>> locally):
>
> Keyservers don't delete signatures so every time you self-sign, it remains on
> the keyserver. Deleting the signature once a key has been sent to a keyserver
> is pointless because refreshing the key will always import all the old
> signatures.
>
>> Is there anything I can do about this?
>
> Don't send test keys to keyservers!
>
> Revoke this key and start again with a new one. If you want to do more local
> testing, use a second key that you never send to a keyserver.
>
> Keyservers exist for the benefit of others, not for your test purposes. The
> keys are there to help other people verify and sign your key.

I understand this: at the same time I did not intend the key to be a
test, I was just a beginner.

Matt

From mconahan at zixtestott.com Tue May 3 19:24:14 2005
From: mconahan at zixtestott.com (mconahan@zixtestott.com)
Date: Tue May 3 19:20:18 2005
Subject: Encrypting for a user who has a IDEA public key
Message-ID: <4277B3BE.1010803@zixtestott.com>

Hi everyone,

I created a PGP keypair using a PGPCorp desktop client, where the
key used the IDEA cipher. I then exported the public cert, and
successfully imported it into GnuPG. I then was able to encrypt a
message for the PGPCorp user, and the PGPCorp user was able to decrypt
the message with their private key. Is this expected behaviour of
GnuPG? I thought GnuPG does not support the IDEA algorithm in any
form. Could someone please shed some light on this?

From mconahan at zixtestott.com Tue May 3 19:32:51 2005
From: mconahan at zixtestott.com (mconahan@zixtestott.com)
Date: Tue May 3 19:28:49 2005
Subject: Encrypting for a user who has a IDEA public key
In-Reply-To: <4277B3BE.1010803@zixtestott.com>
References: <4277B3BE.1010803@zixtestott.com>
Message-ID: <4277B5C3.8040601@zixtestott.com>

mconahan@zixtestott.com wrote:

> Hi everyone,
>
> I created a PGP keypair using a PGPCorp desktop client, where the
> key used the IDEA cipher. I then exported the public cert, and
> successfully imported it into GnuPG. I then was able to encrypt a
> message for the PGPCorp user, and the PGPCorp user was able to decrypt
> the message with their private key. Is this expected behaviour of
> GnuPG? I thought GnuPG does not support the IDEA algorithm in any
> form. Could someone please shed some light on this?
>

One more question...how do you find out what the list of preferred
algorithms are for a public key imported into GnuPG?

From wk at gnupg.org Tue May 3 20:41:41 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 3 20:41:05 2005
Subject: selecting the preferred UID
In-Reply-To: <20050503153336.GL17236@vanheusden.com> (folkert@vanheusden.com's message of "Tue, 3 May 2005 17:33:38 +0200")
References: <20050503153336.GL17236@vanheusden.com>
Message-ID: <87u0lkb196.fsf@wheatstone.g10code.de>

On Tue, 3 May 2005 17:33:38 +0200, folkert said:

> it shows my 'F.J.vanHeusden@amc.uva.nl' as the first UID.
> I would like to have my 'folkert@vanheusden.com' as the primary UID.
> How can I change this?

gpg --edit-key your_key

- select the user ID (1 selects the first, 2, the second etc.)
- "primary"
- "save"

Send the key to the keyservers.

Salam-Shalom,

   Werner

From folkert at vanheusden.com Tue May 3 21:16:53 2005
From: folkert at vanheusden.com (Folkert van Heusden)
Date: Tue May 3 21:12:44 2005
Subject: selecting the preferred UID
In-Reply-To: <87u0lkb196.fsf@wheatstone.g10code.de>
References: <20050503153336.GL17236@vanheusden.com> <87u0lkb196.fsf@wheatstone.g10code.de>
Message-ID: <3652.194.109.22.149.1115147813.squirrel@keetweej.vanheusden.com>

>> it shows my 'F.J.vanHeusden@amc.uva.nl' as the first UID.
>> I would like to have my 'folkert@vanheusden.com' as the primary UID.
>> How can I change this?
> gpg --edit-key your_key
> - select the user ID (1 selects the first, 2, the second etc.)
> - "primary"
> - "save"
> Send the key to the keyservers.

Thanks. Found out that you also need to 'unselect' the old primary one.

Looking for an IT or Finance job? Mail me for the possibilities!
+------------------------------------------------------------------+
|UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/)|
|a try, it brings monitoring logfiles to a different level! See    |
|http://vanheusden.com/multitail/features.html for a feature list. |
+------------------------------------------= www.unixsoftware.nl =-+

From davebgimp at gmail.com Tue May 3 21:48:34 2005
From: davebgimp at gmail.com (daveb)
Date: Tue May 3 21:45:00 2005
Subject: How to install your GPG keys to a USB dongle for Windows
Message-ID: <3c8e7d2c050503124865b3b5a7@mail.gmail.com>

I recently decided to store my keyrings on a USB dongle. I had a lot
of trouble finding information on how to do this properly for Windows
(lots of info for Linux though). After figuring it out, I thought I'd
pass on the information.

How to install your GPG keys to a USB dongle for WIN XP

1. Install the latest binary version of GnuPG
2. Attach your USB dongle and create a folder named keys, or
   whatever's appropriate for you. If you have pre-existing keyrings,
   place them here.
3. Open REGEDIT (START > RUN > type regedit)
4. In REGEDIT, navigate to HKEY_CURRENT_USER\Software\GNU\GnuPG
5. Right click in the folder and select NEW > STRING VALUE
6. Name it "HomeDir" (without the parenthesis, of course)
7. Right-click the entry and select MODIFY.
8. Under VALUE DATA, type the full path to your desired key folder.
   For example, mine is F:\keys\ ("F" being the USB dongle). Hit OK.
9. Open a command prompt and type "gpg --version" or "gpg
   --list-keys". Check for the Home that is listed, it should now be
   your dongle and any keys in that folder should now be listed.

You're done!

From rmalayter at bai.org Tue May 3 22:34:35 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue May 3 22:31:00 2005
Subject: Encrypting for a user who has a IDEA public key
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A0404D5DB@cliff.bai.org>

From: mconahan@zixtestott.com
> Is this expected behaviour of
> GnuPG? I thought GnuPG does not support the IDEA algorithm in any
> form. Could someone please shed some light on this?

The default fallback algorithm is 3DES... All OpenPGP-compliant programs
must support it. If GnuPG can't find a matching cipher in its prefs
list, it falls back to using 3DES.

    -ryan-

From vedaal at hush.com Wed May 4 01:41:39 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed May 4 01:37:37 2005
Subject: Encrypting for a user who has a IDEA public key
Message-ID: <200505032341.j43NfhpO003005@mailserver3.hushmail.com>

mconahan at zixtestott.com wrote:

> I created a PGP keypair using a PGPCorp desktop client, where the
> key used the IDEA cipher. I then exported the public cert, and
> successfully imported it into GnuPG. I then was able to encrypt a
> message for the PGPCorp user, and the PGPCorp user was able to decrypt
> the message with their private key. Is this expected behaviour of
> GnuPG? I thought GnuPG does not support the IDEA algorithm in any
> form. Could someone please shed some light on this?

but pgp later than 2.x does

you're right, if it were (classic) pgp 2.x, then a gnupg encrypted message would not be decipherable by the 2.x user unless IDEA was used

all pgp > 8.1 supports all algorithms that gnupg does, including blowfish, and can decipher any message encrypted using any symmetric algorithm,

>One more question...how do you find out what the list of preferred
>algorithms are for a public key imported into GnuPG

[1] --edit-key name

[2] when the command line prompts:
Command>

then type showpref

and gnupg displays a listing of the user's preferences for that key

All the Best,

vedaal

From wolfgang.rosenauer at an-netz.de Wed May 4 13:25:39 2005
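Added example (not part of any post in this thread, and not GnuPG's own code): a simplified Python model of the behaviour the two replies above describe, where the sender picks a cipher from the recipient key's preference list and ends up on 3DES when nothing else matches. The function names and sample preference lists are constructed for illustration; GnuPG's real selection logic is more involved.

```python
# OpenPGP symmetric-key algorithm IDs as assigned by the OpenPGP specification.
IDEA, TRIPLE_DES, CAST5, BLOWFISH = 1, 2, 3, 4
AES128, AES192, AES256, TWOFISH = 7, 8, 9, 10

NAMES = {IDEA: "IDEA", TRIPLE_DES: "3DES", CAST5: "CAST5", BLOWFISH: "BLOWFISH",
         AES128: "AES", AES192: "AES192", AES256: "AES256", TWOFISH: "TWOFISH"}

# Constructed sample: a build that implements everything except IDEA.
GNUPG_NO_IDEA = frozenset(NAMES) - {IDEA}


def with_implicit_3des(prefs):
    """3DES is mandatory for every implementation, so it is treated as
    sitting at the end of every preference list even when not written there."""
    prefs = list(prefs)
    return prefs if TRIPLE_DES in prefs else prefs + [TRIPLE_DES]


def choose_cipher(recipient_prefs, supported):
    """Pick one cipher for a message.

    recipient_prefs: one preference list per recipient key, most preferred
                     first (what 'showpref' prints for each key).
    supported:       algorithm IDs the sending program implements.
    Assumption of this sketch: among algorithms acceptable to everybody,
    the one with the best summed rank wins.
    """
    lists = [with_implicit_3des(p) for p in recipient_prefs]
    if not lists:
        return TRIPLE_DES
    common = [a for a in lists[0]
              if a in supported and all(a in other for other in lists[1:])]
    if not common:                      # only if 'supported' lacks 3DES
        return TRIPLE_DES
    return min(common, key=lambda a: sum(l.index(a) for l in lists))


def unsupported_prefs(prefs, supported):
    """Names of the recipient's preferred ciphers the sender cannot use."""
    return [NAMES.get(a, str(a)) for a in prefs if a not in supported]


if __name__ == "__main__":
    # The case from the thread: key prefers IDEA, sender has no IDEA.
    pgp_key_prefs = [IDEA]
    chosen = choose_cipher([pgp_key_prefs], GNUPG_NO_IDEA)
    print("skipped:", unsupported_prefs(pgp_key_prefs, GNUPG_NO_IDEA))
    print("chosen :", NAMES[chosen])
```

Because the PGP side can decrypt 3DES, the message is readable there even though the key's first preference was a cipher the sender does not implement.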
From: wolfgang.rosenauer at an-netz.de (Wolfgang Rosenauer)
Date: Wed May 4 13:21:03 2005
Subject: OpenPGP smartcard - authentication key
In-Reply-To: <871x8octkv.fsf@wheatstone.g10code.de>
References: <4275F4CD.7000107@an-netz.de> <87ll6xhg32.fsf@wheatstone.g10code.de> <4277750D.5010101@an-netz.de> <871x8octkv.fsf@wheatstone.g10code.de>
Message-ID: <4278B133.7020408@an-netz.de>

Hi,

Werner Koch wrote:
>>The other thing is (more an OpenSSH question) how to tell openssh to
>>use the key from the card?
>
> This is easier: Just install gnupg 1.9.16, read the manual of the
> scdaemon and gpg-agent and enable ssh-support. Works very well,
> unless you want to use the reader also with gnupg 1.4 - this won't work
> because scdaemon/gpg-agent have exclusive access to the reader. I am
> working on this; it will need changes in scdaemon and gpg 1.4.

OK, I have gnupg 1.9.16 installed now and configured scdaemon to connect with ctapi driver directly to the reader. (gpg-agent not running as daemon yet)

I get the following now:
- gpg --card-status does still work (gnupg 1.4.0)
- gpg2 --card-status shows

stark@t41p:~/.gnupg> gpg2 --card-status
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: WARNING: This version of gpg is not very matured and
gpg: WARNING: only intended for testing. Please keep using
gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP
gpg: DBG: connection to agent established
scdaemon[9212]: NOTE: this is a development version!
scdaemon[9212]: updating status of slot 0 to 0x0007
gpg-agent[9211]: card has S/N: D2760001240101010001000004B00000
scdaemon[9212]: app_readcert failed: Nicht unterstützte Verarbeitungsaufgabe
gpg-agent[9211]: error reading certificate: Nicht unterstützte Verarbeitungsaufgabe
gpg-agent[9211]: command learn failed: Nicht unterstützte Verarbeitungsaufgabe
gpg: OpenPGP card not available: Nicht unterstützte Verarbeitungsaufgabe
stark@t41p:~/.gnupg> scdaemon[9212]: ct_activate_card(0): activation failed: okay
scdaemon[9212]: DBG: received data: 62 01

What does it mean?

In addition I tried to understand the documentation correctly but failed :-(
As soon as gpg-agent is running with --enable-ssh-support it will emulate the ssh-agent behaviour and I can add keys with ssh-add as before. But I haven't found any information on how to add the authentication key from the OpenPGP card as SSH key.

Thanks,
Wolfgang

From nbebout at gmail.com Wed May 4 17:23:14 2005
From: nbebout at gmail.com (Nicholas Bebout)
Date: Wed May 4 18:19:37 2005
Subject: OpenPGP Smartcard
Message-ID:

Is there a way for people in the US to buy the OpenPGP smartcards?

From mconahan at zixtestott.com Wed May 4 21:15:18 2005
From: mconahan at zixtestott.com (mconahan@zixtestott.com)
Date: Wed May 4 21:11:19 2005
Subject: How secure are GnuPG private keys stored?
Message-ID: <42791F46.8040906@zixtestott.com>

Hi everyone,

I was wondering if anybody knew how securely the GnuPG private keys are stored? Are they stored as encrypted flat files?

Michael

From MailingLists at JoaoPinheiro.org Wed May 4 21:45:21 2005
From: MailingLists at JoaoPinheiro.org (João Pinheiro)
Date: Wed May 4 22:58:15 2005
Subject: Running GnuPG from a USB Pen Disk
Message-ID: <42792651.6040208@JoaoPinheiro.org>

Greetings everyone.

I was wondering if anyone here would be able to help me out with a little problem I'm facing. I'm currently being required to use quite a lot of different machines and architectures every day. It gets a bit complicated for me to be able to use GnuPG on every single one of them.

Up until now I have been carrying a pen disk with my keyring, the source code for gnupg and the windows installer around with me. It gets quite annoying for me to compile/install and configure gnupg on every single machine I need to use. For that reason, I would like to know if it would be possible for me to run gnupg from my usb pen disk using a common keyring directory for all architectures.

Things would be organized something like this:

/private/.gnupg/
/linux/gnupg/
/mac/GnuPG/
/win/GnuPG/

Would anyone be able to give me some pointers on how to achieve this? While I think the linux one would be easy to achieve, I'm not sure of how to do this on Win or Mac. I have noticed that the windows installer adds several elements to the windows registry. How can I work around this? Would compiling my own windows version help me get around this issue?

Thanks in advance,
João Pinheiro

From vedaal at hush.com Thu May 5 01:35:46 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu May 5 01:31:43 2005
Subject: Running GnuPG from a USB Pen Disk
Message-ID: <200505042335.j44NZnnY087908@mailserver3.hushmail.com>

João Pinheiro wrote:

[...]
> I would like to know
> if it would be possible
> for me to run gnupg from my usb pen disk
> using a common keyring directory for all architectures.

it can be set up to run from a floppy, and certainly from a usb drive

the directions (and downloadable prepared gnupg) are available here:
http://www.torduninja.tk/

(instructions are also available in how to compile it on your own)

once you are done, just double-click the go.bat file, and a dos window opens, ready for your gnupg command line,

(*no* registry entries or modifications are necessary)

to confirm that it was set up correctly on your floppy or usb drive, type: gpg -h

and the gnupg version and helpfile should appear, letting you know that gnupg is ready to go

once it works on one windows computer, it will work on any of them without any further changes, (other than a possible letter change for the usb drive)

vedaal

From hhhobbit7 at netscape.net Thu May 5 06:24:27 2005
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Thu May 5 06:20:48 2005
Subject: 2 noob problems
Message-ID: <7252015D.1F1DFFBA.0307202B@netscape.net>

Matthew East wrote:

> Hello,
>
> I am a relative newcomer to the world of GPG and I seek some
> help on a couple of problems I have.
>
> First, when searching for keys on keyservers (i've tried the
> one supplied by default with gpg as well as pgp.mit.edu) using
> the "gpg --search-keys" command, it just sits there for ages
> without doing anything. I have the agent enabled via evolution
> as well and that is also just sitting there without finding
> the key. Can anyone help? It would be much appreciated.
> Sometimes it seems to work, but sometimes not, and I have no
> idea why.
>
> The other thing is that, given that I am a beginner, I have
> self-signed my key a few times and then deleted the signature,
> when I was discovering how everything worked. Now I've
> discovered that my key appears like this (despite the fact
> that it seems fine if I check it locally):
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x0E6B06FF
>
> Is there anything I can do about this?

PUNT! REALLY!

[1] You don't sign your own key. I would suggest you do the following to handle the problem.

    gpg --gen-revoke 0E6B06FF
    gpg -a --export 0E6B06FF > matthew_east.asc

Now upload the revoked key to the server. It will still hang around a while, but at least you can get rid of it.

[2] Delete EVERYTHING. Start new, but don't play around with the key servers. Pick your keys to expire in one year, and a big enough keysize for the symmetric crypts. SEND your key to another user (yes, I will help out) and just privately sign this other person's key and do some learning.

[3] Once you have a more firm idea of what you are doing, THEN you can upload your public key to a key server.

[4] One thing that I have noticed is that the key servers are notorious for passing the buck to another key server. I would like to say that opening up ports 10 and 11371 on the router will help, but it won't because even if the router allows it in, which private NAT address is it supposed to send the packet to? All the keyserver on the outside knows is your WAN address, and it MUST send it to that address even if it KNOWS your internal IP NAT address. That is why I say that the keyserver model should work more like DNS. I don't care if the keyserver that I sent the request to hands it off to another key server to do the dirty work - the reply should come back to the one I sent the request to.

It beats me if that helps you, but you CAN get my private key from MIT (along with the email address it is tied to) by going to:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xE1FA6C62

You will notice I did NOT sign my own key. Since I created it and also have the secret half of the key as well, it has ultimate authority (unless I have a multiple personality disorder).

Ciao
Henry Hertz Hobbit

From rerng007 at gmail.com Thu May 5 10:06:00 2005
From: rerng007 at gmail.com (jonathan)
Date: Thu May 5 11:00:51 2005
Subject: can not ? receive key : connection timeout
Message-ID: <4279D3E8.9030909@gmail.com>

Hello

I am a newcomer to Linux. I want to receive a key from a key server with this code I grabbed.

$ gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 1F41B907

When I do this at my home, which has a direct connection to the internet, it works fine. But when I try the same code at my office, which connects through a proxy, I have to wait for a while and gpg prints out the error "connection time out" several times. I think it may be because of the proxy.

I'm using Ubuntu Linux v5.04 both at my home and office.

Any suggestion, please?

From sbt at megacceso.com Thu May 5 13:04:39 2005
From: sbt at megacceso.com (Sergi Blanch i Torné)
Date: Thu May 5 14:00:56 2005
Subject: can not ? receive key : connection timeout
In-Reply-To: <4279D3E8.9030909@gmail.com>
References: <4279D3E8.9030909@gmail.com>
Message-ID: <4279FDC7.4000003@megacceso.com>

Hi,

This command connects to the server on the default port 11371; are you allowed to open this communication?

jonathan wrote:
> Hello
> I am a newcomer to Linux. I want to receive a key from a key
> server with this code I grabbed.
>
>
> $ gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 1F41B907
>
> When I do this at my home, which has a direct connection to the internet,
> it works fine. But when I try the same code at my office, which
> connects through a proxy, I have to wait for a while and
> gpg prints out the error "connection time out" several times.
> I think it may be because of the proxy.
>
> I'm using Ubuntu Linux v5.04 both at my home and office.
>
> Any suggestion, please?

From dshaw at jabberwocky.com Thu May 5 14:19:30 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu May 5 14:15:47 2005
Subject: can not ? receive key : connection timeout
In-Reply-To: <4279D3E8.9030909@gmail.com>
References: <4279D3E8.9030909@gmail.com>
Message-ID: <20050505121930.GB6977@jabberwocky.com>

On Thu, May 05, 2005 at 03:06:00PM +0700, jonathan wrote:
> Hello
> I am a newcomer to Linux. I want to receive a key from a key
> server with this code I grabbed.
>
>
> $ gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 1F41B907
>
> When I do this at my home, which has a direct connection to the internet,
> it works fine. But when I try the same code at my office, which
> connects through a proxy, I have to wait for a while and
> gpg prints out the error "connection time out" several times.
> I think it may be because of the proxy.

If you need to use a proxy, then add:

    keyserver-options http-proxy="http://whatever.your.proxy.is"

to your gpg.conf

David

From list_lfa at yahoo.com Fri May 6 18:35:33 2005
From: list_lfa at yahoo.com (tom jones)
Date: Fri May 6 19:31:31 2005
Subject: gpgme - gpgme_data_seek() failing with
Message-ID: <20050506163534.25274.qmail@web14421.mail.yahoo.com>

Hi,

I am trying to get the encryption test distributed with gpgme 1.0.2 to work. Technically everything can work.

If I do all the work in the main() everything goes fine. gpgme_data_seek() works fine in main(), returning 0, but any use of gpgme_data_seek() in a function outside of my main fails, returning -1. The error is Invalid Argument.

As far as I can tell the data () being passed to the seek() looks scrambled. I've printed out the cipher data going in and the weird thing is that even though the cipher text data looks random ( there's no -----BEGIN PGP MESSAGE----- and it isn't the data I passed it), like it's a memory problem, the layout of the text is similar to encrypted text and it ends with the line -----END PGP MESSAGE-----

I've tried passing with and without pointers. After failing in the called function, trying seek() again in the main() works fine.

I will happily send / post the exact code I am using, but I experience this problem with the gpgme t-encrypt.c test anyway.

All help is appreciated.

From matthijs at cacholong.nl Fri May 6 21:22:09 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Fri May 6 22:23:52 2005
Subject: gpgme - gpgme_data_seek() failing with
In-Reply-To: <20050506163534.25274.qmail@web14421.mail.yahoo.com>
References: <20050506163534.25274.qmail@web14421.mail.yahoo.com>
Message-ID: <427BC3E1.4030302@cacholong.nl>

Did you compile it with: -D_FILE_OFFSET_BITS=64

Regards,

tom jones wrote:
> Hi,
>
> I am trying to get the encryption test distributed
> with gpgme 1.0.2 to work. Technically everything can
> work.
>
> If I do all the work in the main() everything goes
> fine. gpgme_data_seek() works fine in main(),
> returning 0, but any use of gpgme_data_seek() in a
> function outside of my main fails, returning -1. The
> error is Invalid Argument.
>
> As far as I can tell the data () being passed to the
> seek() looks scrambled. I've printed out the cipher
> data going in and the weird thing is that even though
> the cipher text data looks random ( there's no
> -----BEGIN PGP MESSAGE----- and it isn't the data I
> passed it), like it's a memory problem, the layout of
> the text is similar to encrypted text and it ends with
> the line
> -----END PGP MESSAGE-----
>
> I've tried passing with and without pointers. After
> failing in the called function, trying seek() again in
> the main() works fine.
>
> I will happily send / post the exact code I am using,
> but I experience this problem with the gpgme
> t-encrypt.c test anyway.
>
> All help is appreciated.

From matthijs at cacholong.nl Fri May 6 21:26:38 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Fri May 6 22:24:01 2005
Subject: Strange behaviour...
Message-ID: <427BC4EE.9070306@cacholong.nl>

I don't know if it is a problem in gaim or in gpgme.

But if I send a test message to the person on the other side. And I encrypt the message.

Every time I get another data hash back. I mean the data between "----- BEGIN PGP MESSAGE -----" and "----- END PGP MESSAGE -----"

Is this expected behaviour? As you see I'm not that into GnuPG ;)

Regards,

Matthijs Mohlmann

From matthijs at cacholong.nl Fri May 6 22:32:20 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Fri May 6 22:28:24 2005
Subject: Strange behaviour...
In-Reply-To: <427BC4EE.9070306@cacholong.nl>
References: <427BC4EE.9070306@cacholong.nl>
Message-ID: <427BD454.6000101@cacholong.nl>

euhm, this message isn't sent... you didn't see it ;)

Regards,

Matthijs Mohlmann

Matthijs Mohlmann wrote:
> I don't know if it is a problem in gaim or in gpgme.
>
> But if I send a test message to the person on the other side. And I
> encrypt the message.
>
> Every time I get another data hash back. I mean the data between
> "----- BEGIN PGP MESSAGE -----" and "----- END PGP MESSAGE -----"
>
> Is this expected behaviour? As you see I'm not that into GnuPG ;)
>
> Regards,
>
> Matthijs Mohlmann

From matthijs at cacholong.nl Sat May 7 16:39:18 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Sat May 7 16:35:19 2005
Subject: I don't get it anymore...
Message-ID: <427CD316.7010905@cacholong.nl>

Skipped content of type multipart/mixed

From mailinglists at gkruijer.nl Tue May 10 15:20:44 2005
From: mailinglists at gkruijer.nl (Gerrit Kruijer)
Date: Tue May 10 15:55:18 2005
Subject: Wherre to place keys under Linux
Message-ID: <4280B52C.2020708@gkruijer.nl>

Hi everybody,

I have just installed GnuPG under Linux but have a question where to put my keys. I want to use my keys for both root and user. I know I can copy them after changes, but I think that's not the best solution. Does someone know what's the right place for those files and how to manage this?

Kind regards,
Gerrit

From pt at radvis.nu Tue May 10 17:40:59 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Tue May 10 21:33:31 2005
Subject: How to change trust model
Message-ID: <6.1.2.0.2.20050510173846.03d02c60@localhost>

Hi,

I haven't managed to figure out how to change trust model. Now I am using the classic model on all installations, but on some of them an hierarchic model would suit better.

What are the commands and options?
And the implications of each model?

Regards,

Per Tunedal
Civ. ing. Civ. ek.
S:t Mickelsgatan 148
129 44 Hägersten
Telephone: 08-646 34 83

From dshaw at jabberwocky.com Tue May 10 21:51:37 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue May 10 21:48:03 2005
Subject: How to change trust model
In-Reply-To: <6.1.2.0.2.20050510173846.03d02c60@localhost>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost>
Message-ID: <20050510195137.GA24010@jabberwocky.com>

On Tue, May 10, 2005 at 05:40:59PM +0200, Per Tunedal Casual wrote:
> Hi,
> I haven't managed to figure out how to change trust model. Now I am
> using the classic model on all installations, but on some of them an
> hierarchic model would suit better.
> What are the commands and options?
> And the implications of each model?

You can switch trust models by doing:

    gpg --trust-model xxxxxx --check-trustdb

You can switch at any time and as often as you like.

David

From pt at radvis.nu Tue May 10 23:52:19 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Tue May 10 23:46:11 2005
Subject: How to change trust model
In-Reply-To: <20050510195137.GA24010@jabberwocky.com>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com>
Message-ID: <6.1.2.0.2.20050510234755.02e99428@localhost>

At 21:51 2005-05-10, David Shaw wrote:
>On Tue, May 10, 2005 at 05:40:59PM +0200, Per Tunedal Casual wrote:
>> Hi,
>> I haven't managed to figure out how to change trust model. Now I am
>> using the classic model on all installations, but on some of them
>> an hierarchic model would suit better.
>> What are the commands and options?
>> And the implications of each model?
>
>You can switch trust models by doing:
>
> gpg --trust-model xxxxxx --check-trustdb
>
>You can switch at any time and as often as you like.
>
>David

I have tried:

    gpg --trust-model PGP --check-trustdb
    gpg --trust-model classic --check-trustdb
    gpg --trust-model direct --check-trustdb

I don't see the difference between them. I am interested in the implications for the validity of keys. How can I make the best use of a signature from a CA?

Per Tunedal

From dshaw at jabberwocky.com Tue May 10 23:58:11 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue May 10 23:54:28 2005
Subject: How to change trust model
In-Reply-To: <6.1.2.0.2.20050510234755.02e99428@localhost>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost>
Message-ID: <20050510215811.GA24228@jabberwocky.com>

On Tue, May 10, 2005 at 11:52:19PM +0200, Per Tunedal Casual wrote:

> gpg --trust-model PGP --check-trustdb

This is the "new" PGP trust model from PGP 5 and later.

> gpg --trust-model classic --check-trustdb

This is the standard old trust model from PGP 2.x and GnuPG 1.2.x.

For most people, they will not see a difference between these two. Only if you are issuing trust signatures (tsign) will a difference show up.

> gpg --trust-model direct --check-trustdb

This is a no-trust model, where you set each key trust individually, and there are no calculations necessary.

> I don't see the difference between them. I am interested in the
> implications for the validity of keys. How can I make the best use of
> a signature from a CA?

I can't answer that question in those terms. I don't know what you want to do, who the CA is, how the CA signs...

David

From dshaw at jabberwocky.com Wed May 11 00:08:36 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed May 11 00:04:54 2005
Subject: Wherre to place keys under Linux
In-Reply-To: <4280B52C.2020708@gkruijer.nl>
References: <4280B52C.2020708@gkruijer.nl>
Message-ID: <20050510220836.GB24228@jabberwocky.com>

On Tue, May 10, 2005 at 03:20:44PM +0200, Gerrit Kruijer wrote:
> Hi everybody,
> I have just installed GnuPG under Linux but have a question where to put
> my keys.
> I want to use my keys for both root and user. I know I can copy them after
> changes, but I think that's not the best solution.
> Does someone know what's the right place for those files and how to
> manage this?

You can share keyrings if you specify the shared keyring via "keyring" and "secret-keyring" in both of your gpg.conf files.

David

From pt at radvis.nu Wed May 11 00:16:03 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Wed May 11 00:08:29 2005
Subject: How to change trust model
In-Reply-To: <20050510215811.GA24228@jabberwocky.com>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com>
Message-ID: <6.1.2.0.2.20050511001159.02d49548@localhost>

At 23:58 2005-05-10, David Shaw wrote:
>On Tue, May 10, 2005 at 11:52:19PM +0200, Per Tunedal Casual wrote:
>
>> gpg --trust-model PGP --check-trustdb
>
>This is the "new" PGP trust model from PGP 5 and later.
>
>> gpg --trust-model classic --check-trustdb
>
>This is the standard old trust model from PGP 2.x and GnuPG 1.2.x.
>
>For most people, they will not see a difference between these two.
>Only if you are issuing trust signatures (tsign) will a difference
>show up.
>
>> gpg --trust-model direct --check-trustdb
>
>This is a no-trust model, where you set each key trust individually,
>and there are no calculations necessary.
>
>> I don't see the difference between them. I am interested in the
>> implications for the validity of keys. How can I make the best use
>> of a signature from a CA?
>
>I can't answer that question in those terms. I don't know what you
>want to do, who the CA is, how the CA signs...
>
>David

Hi,

>Only if you are issuing trust signatures (tsign) will a difference
>show up.

There you told something interesting. I haven't heard of that command before.

Scenario:
A new user has to quickly download keys to his contacts. The keys are signed by a mutually trusted CA.
How can he get valid keys to use trusting the CA, rather than having to check and sign each of them?

Per Tunedal

From dshaw at jabberwocky.com Wed May 11 00:21:38 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed May 11 00:18:09 2005
Subject: How to change trust model
In-Reply-To: <6.1.2.0.2.20050511001159.02d49548@localhost>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost>
Message-ID: <20050510222138.GC24228@jabberwocky.com>

On Wed, May 11, 2005 at 12:16:03AM +0200, Per Tunedal Casual wrote:

> Scenario:
> A new user has to quickly download keys to his contacts. The keys are
> signed by a mutually trusted CA.
> How can he get valid keys to use trusting the CA, rather than having
> to check and sign each of them?

You don't need trust signatures or any special trust models for this. If you trust the CA, sign the CA key. If the CA has signed your contacts, then you're done. The contact keys are now valid.

David

From wizard at roborooter.com Wed May 11 01:12:39 2005
From: wizard at roborooter.com (Francis Gulotta)
Date: Wed May 11 02:03:05 2005
Subject: Wherre to place keys under Linux
In-Reply-To: <20050510220836.GB24228@jabberwocky.com>
References: <4280B52C.2020708@gkruijer.nl> <20050510220836.GB24228@jabberwocky.com>
Message-ID: <42813FE7.3010508@roborooter.com>

Keep your keys under your user account and specify that root should look there in your gpg.conf. This way your user account will still be able to read and use them even after root's had a go at them.

-Francis

David Shaw wrote:
> On Tue, May 10, 2005 at 03:20:44PM +0200, Gerrit Kruijer wrote:
>
>>Hi everybody,
>>I have just installed GnuPG under Linux but have a question where to put
>>my keys.
>>I want to use my keys for both root and user. I know I can copy them after
>>changes, but I think that's not the best solution.
>>Does someone know what's the right place for those files and how to
>>manage this?
>
>
> You can share keyrings if you specify the shared keyring via "keyring"
> and "secret-keyring" in both of your gpg.conf files.
>
> David

From pt at radvis.nu Wed May 11 02:22:28 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Wed May 11 02:14:57 2005
Subject: How to change trust model
In-Reply-To: <20050510222138.GC24228@jabberwocky.com>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost> <20050510222138.GC24228@jabberwocky.com>
Message-ID: <6.1.2.0.2.20050511021816.02d49640@localhost>

At 00:21 2005-05-11, David Shaw wrote:
>On Wed, May 11, 2005 at 12:16:03AM +0200, Per Tunedal Casual wrote:
>
>> Scenario:
>> A new user has to quickly download keys to his contacts. The keys
>> are signed by a mutually trusted CA.
>> How can he get valid keys to use trusting the CA, rather than
>> having to check and sign each of them?
>
>You don't need trust signatures or any special trust models for this.
>If you trust the CA, sign the CA key. If the CA has signed your
>contacts, then you're done. The contact keys are now valid.
>
>David
>

Yes, David, you are right. I want a bit more.

Some contacts may not be directly signed by the CA, then the trust model will be important, I suppose. How can the signature of the CA be useful as far down the tree as possible?

Can you please explain the PGP-model and how to issue trust signatures (tsign), with the implications for the validity of keys.

Per Tunedal

From dshaw at jabberwocky.com Wed May 11 03:00:15 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed May 11 02:56:39 2005
Subject: How to change trust model
In-Reply-To: <6.1.2.0.2.20050511021816.02d49640@localhost>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost> <20050510222138.GC24228@jabberwocky.com> <6.1.2.0.2.20050511021816.02d49640@localhost>
Message-ID: <20050511010015.GA24461@jabberwocky.com>

On Wed, May 11, 2005 at 02:22:28AM +0200, Per Tunedal Casual wrote:
> At 00:21 2005-05-11, David Shaw wrote:
> >On Wed, May 11, 2005 at 12:16:03AM +0200, Per Tunedal Casual wrote:
> >
> >> Scenario:
> >> A new user has to quickly download keys to his contacts. The keys
> >> are signed by a mutually trusted CA.
> >> How can he get valid keys to use trusting the CA, rather than
> >> having to check and sign each of them?
> >
> >You don't need trust signatures or any special trust models for this.
> >If you trust the CA, sign the CA key. If the CA has signed your
> >contacts, then you're done. The contact keys are now valid.
> >
> >David
> >
> Yes, David, you are right. I want a bit more.
>
> Some contacts may not be directly signed by the CA, then the trust
> model will be important, I suppose. How can the signature of the CA be
> useful as far down the tree as possible?
>
> Can you please explain the PGP-model and how to issue trust signatures
> (tsign), with the implications for the validity of keys.

First, read this:

http://download.cryptoex.com/documents/whitepaper/cex2003-pgp-in-unternehmen-en/Tech%20White%20Paper%202002%20-%20Using%20OpenPGP%20in%20Corporations.pdf

It's a very good explanation of trust signature concepts.

How they are used specifically in GnuPG is via the 'tsign' command. tsign is just like sign (or lsign) except that you are asked a few more questions by GnuPG. Think of tsign as a combination of a regular signature plus the ownertrust. This combines two different things from the classic trust model into one signature.

First you are asked:

    Please decide how far you trust this user to correctly verify other
    users' keys (by looking at passports, checking fingerprints from
    different sources, etc.)

      1 = I trust marginally
      2 = I trust fully

This is similar to the question you get asked when setting ownertrust. What GnuPG is asking is not how much you trust the user, but how much you trust the user to make good signatures.

The next question is:

    Please enter the depth of this trust signature.
    A depth greater than 1 allows the key you are signing to make
    trust signatures on your behalf.

The signature depth is how many levels "deep" can the power granted by this signature travel. For example, a level of 1 means that the key you sign is valid for you (just like a regular signature), but also that the ownertrust for this key is automatically set to MARGINAL or FULL (depending on how you answered the first question). A level of 2 means that the key you sign is valid for you, and the ownertrust is automatically set, AND (assuming the trust made it to FULL) that this key can issue signatures up to level 1 on your behalf. A level of 3 means all that, plus the key can issue signatures up to level 2, etc.

You can think of a regular signature as a trust signature with a depth of 0.

The next question:

    Please enter a domain to restrict this signature, or enter for none.

This allows you to restrict (by domain name) the power of the signature. For example, let's say that you wanted to make a level 2 signature on a CA key for a particular company. You should be careful with making any level above 1, so you want to restrict this to that company. By giving a restriction of companyname.com here, only signatures issued by the CA key on keys in companyname.com will take effect.

That's pretty much it. If you think about it, tsign is not generally useful outside of hierarchical environments with CAs. Some people are in hierarchical environments though, and this lets them interoperate.

Incidentally, you can combine tsign with any of the other signing types (lsign, nrsign) in any combination you like: ltsign is a local trust signature, nrltsign is a nonrevocable local trust signature, etc.

David

From shavital at mac.com Wed May 11 12:05:15 2005
From: shavital at mac.com (Charly Avital) Date: Wed May 11 12:01:45 2005 Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade In-Reply-To: <20050511072340.UHVE20235.fed1rmmtao10.cox.net@covenant> References: <20050511072340.UHVE20235.fed1rmmtao10.cox.net@covenant> Message-ID: <7af493b2697502d941270c261e239f1d@mac.com> I bought a perpetual Enterprise license for PGP 8.x, but I understand and agree that the upgrade to PGP 9.x could not, and should not be for free. But $ 69.00 "special" price for holders of a 8.x license? No. Someone suggested $ 19.00 or 29.00. Reasonable. I would even agree to $ 35.95. Special prices should be worked out for students, at or below the $ 30.00 mark. If the fee remains at 69.00, I'll bid good-bye and Godspeed to PGP (after >10 years), and welcome GPG! I'd prefer to contribute the 69 bucks (or whatever) to MacGPG. Charly - MacGPG 1.4.1 From ktt3 at georgetown.edu Sat May 7 03:13:16 2005
From: ktt3 at georgetown.edu (Katarvia Taylor) Date: Wed May 11 13:04:48 2005 Subject: Help with installing GnuPG Message-ID: <427C162C.1060200@georgetown.edu> I installed the 1.4.1 version onto my system, but when I try to verify that is installed correctly I get an error file. I have also checked to ensure that I typed the Path correctly and I do not see where the problem is. Can you help me? Thanks From a_entin at hotmail.com Mon May 9 20:49:18 2005 From: a_entin at hotmail.com (Ari Entin) Date: Wed May 11 13:04:56 2005 Subject: --skip-verify Message-ID: Hi, I have turned off verification of signatures via the --skip-verify option and it works well. Problem is that it produces a message stating "gpg: signature verification suppressed." Is there any way to disable this message? It is causing some problems with writing error logs and our automated processes. Any suggestions would be very appreciated! Ari Entin From kfitzner at excelcia.org Wed May 11 14:40:41 2005 
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Wed May 11 14:36:35 2005
Subject: GnuPG Explorer Extension - GPGee version 1.0 released
Message-ID: <4281FD49.9030200@excelcia.org>

In the belief that GPGee is now ready for production use, I've just released version 1.0. For those who aren't familiar with it, GPGee is a Windows explorer shell extension. It adds support for GnuPG to the right-click context menu in Windows explorer.

You can download it from the GPGee home page at: http://gpgee.excelcia.org

GPGee's features include:
- Sign, sign+encrypt, or encrypt multiple files at once.
- Verify/decrypt multiple files at once - GPGee automatically detects the GnuPG file type and performs the correct operation.
- Can configure the location of the gpg.conf, public and secret keyrings files. Use GPGee with keys stored on usb flash drives. *
- Quick-select encryption key groups. Encrypt to multiple recipients quickly and easily. *
- Visual indication of the trust level of signatures *
- Compares expiry date of keys against the date signatures were produced.
- Context-sensitive help
- It's free software, just like GnuPG. Inspect the code for yourself.

* = New feature for 1.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 546 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050511/f9976541/signature-0001.pgp

From johanw at vulcan.xs4all.nl Wed May 11 15:21:03 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed May 11 16:42:34 2005 Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade In-Reply-To: <7af493b2697502d941270c261e239f1d@mac.com> Message-ID: <200505111321.j4BDL3Hv001419@vulcan.xs4all.nl> Charly Avital wrote: >I bought a perpetual Enterprise license for PGP 8.x, but I understand >and agree that the upgrade to PGP 9.x could not, and should not be for >free. Isn't the source of pgp 9 available? Can't you compile your own version with the limitations stripped out? If source isn't available for this version I wouldn't use it anyway. >Someone suggested $ 19.00 or 29.00. Reasonable. I would even agree to $ >35.95. Why not $40? Or am I now not psychological enough? >If the fee remains at 69.00, I'll bid good-bye and Godspeed to PGP >(after >10 years), and welcome GPG! I'd prefer to contribute the 69 >bucks (or whatever) to MacGPG. GnuPG has other advantages, like not being windows-only and a decent commandline. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wizard at roborooter.com Wed May 11 19:01:48 2005 
From: wizard at roborooter.com (Francis Gulotta)
Date: Wed May 11 19:56:42 2005
Subject: GPG error generating keys
In-Reply-To: <200504290907.59298.gustabares@verizon.net>
References: <200504290907.59298.gustabares@verizon.net>
Message-ID: <42823A7C.7080906@roborooter.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's trying to run its interface on your terminal, how are you running the program? Is it just a command prompt, or is it through xterm or some other terminal program?

- -Francis

Gustavo Tabares wrote:
> Hi all,
>
> I'm having problems generating a key:
>
> [blackbetty:~].gat$ gpg --gen-key
> gpg (GnuPG) 1.2.7; Copyright (C) 2004 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
>
> gpg: cannot open `/dev/tty': Is a directory
> [blackbetty:~].gat$
>
>
>
> Any ideas of what might be going on here?
>
>
> Thanks,
> Gus
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCgjp8TJEaZCt0gQsRAq0RAKDGTN35LAs7WtBYE9H3ENNPVKEthACbByaF
bLSmappCebKgg6gvlD4LRtg=
=ozQx
-----END PGP SIGNATURE-----

From johanw at vulcan.xs4all.nl Wed May 11 22:29:53 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed May 11 22:28:09 2005 Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade In-Reply-To: <42822B90.2040109@mac.com> Message-ID: <200505112029.j4BKTrlw001235@vulcan.xs4all.nl> Charly Avital wrote: >I really don't care to compile PGP also. Come to think of it, I'm not >sure I would know how to do it. The advantage would be that you would be able to remove the crippleware instructions before compiling. >>>Someone suggested $ 19.00 or 29.00. Reasonable. I would even agree to $ >>>35.95. >> Why not $40? Or am I now not psychological enough? >I really don't know, I am not psychological at all. $ 35.95 sounds good. Some salespeople think that 39,95 looks much cheaper than 40. >> GnuPG has other advantages, like not being windows-only and a decent >> commandline. >Sorry but you've lost me. >What is Windows-only? PGP isn't available on other systems (I'm not sure about Macs, but there isn't a recent Linux version). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From erpo41 at hotpop.com Wed May 11 23:04:19 2005 
From: erpo41 at hotpop.com (Erpo) Date: Wed May 11 23:40:37 2005 Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade In-Reply-To: <200505111321.j4BDL3Hv001419@vulcan.xs4all.nl> References: <200505111321.j4BDL3Hv001419@vulcan.xs4all.nl> Message-ID: <1115845459.5018.7.camel@localhost.localdomain> On Wed, 2005-05-11 at 15:21 +0200, Johan Wevers wrote: > Isn't the source of pgp 9 available? Can't you compile your own version with > the limitations stripped out? If source isn't available for this version I > wouldn't use it anyway. IIRC, the source to PGP is available, but only for "peer review" purposes. The license prohibits compiling your own PGP binaries. I might be wrong. It's been a long time since I've read the license. > GnuPG has other advantages, like not being windows-only and a decent > commandline. I played with the PGP Desktop trials a while ago, and I have to say that it was a whole lot easier to use than GPG. I don't think I'd encourage people to use PGP, though. Eric From kfitzner at excelcia.org Thu May 12 02:50:20 2005 
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Thu May 12 02:47:57 2005
Subject: Newbie question : GPgee and GPGshell etc..
In-Reply-To: <1115821335.24107.233893827@webmail.messagingengine.com>
References: <1115821335.24107.233893827@webmail.messagingengine.com>
Message-ID: <4282A84C.1040001@excelcia.org>

gpg.20.subu@spamgourmet.com wrote:

> which one of these
> - GPGshell
> - WinPT
> - GPGee
>
> is better for a starter with GPG

First of all, let's get some definitions down because it can become confusing. WinPT is both an application and a group of tools. The application, Windows Privacy Tray, sits in the Windows task tray and gives you a GnuPG interface from there. The group of tools is the tray application bundled along with GnuPG itself. This distinction will become important later... for now, though, when I say "WinPT" I mean the tray application, not the group of tools.

Now, to answer your question: GPG Shell is an ok program but not really designed for the GnuPG beginner. What it does when you tell it to do something is start the GnuPG command for you and then dump you into a command prompt with that GnuPG command running so you can finish it (answer any questions GnuPG has for you). So, if you want to edit a key, it doesn't have a GUI mechanism to do so - it drops you into the GnuPG edit key command and you have to type all the key editing commands in. For a new person, WinPT will be easier to use. It doesn't expose quite as much of the inner workings of GnuPG - there are some things you can't do with it, but what it does do is completely through a GUI.

Now, as far as GPGee goes, it isn't intended as a "competitor" to WinPT, but more as a complement. WinPT is a tray application that gives you a key manager and lets you perform GPG operations on the clipboard and the current window. GPGee isn't intended to do all that. It is only a Windows explorer shell extension. It adds GnuPG commands to the windows explorer right-click context menu. So, if you want to simply sign, encrypt, or verify one or more files, GPGee makes that very easy. There is no key management in it at all, so that would be something you would do through WinPT.

The reason I made the distinction between the WinPT tray application and the WinPT group of tools, is that GPGee is going to become one of the tools included in WinPT. Timo Schulz had a different shell extension (WinFPSE) that was included in the WinPT bundle, but he wants to focus more on the tray application, and I will focus on the explorer extension.

Hopefully once GPGee is in the bundle things will become less confusing for the new people just looking for a good front end.

Kurt.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 546 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050511/f9063350/signature.pgp

From kairaven at arcor.de Thu May 12 08:54:28 2005
From: kairaven at arcor.de (Kai Raven)
Date: Thu May 12 08:50:16 2005
Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade
In-Reply-To: <1115845459.5018.7.camel@localhost.localdomain>
References: <200505111321.j4BDL3Hv001419@vulcan.xs4all.nl> <1115845459.5018.7.camel@localhost.localdomain>
Message-ID: <20050512085428.15227885@localhost.localdomain>

Hi Erpo,

On Wed, 11 May 2005 14:04:19 -0700 you wrote:

> IIRC, the source to PGP is available, but only for "peer review"
> purposes. The license prohibits compiling your own PGP binaries. I might
> be wrong. It's been a long time since I've read the license.

From the PGP 8 license:

"What You Cannot Do. Under this license you do not have the right to, and you may not: (...) use executable code versions of PGP software programs created by compiling these source code files for any purpose or reason other than verifying that there are no unknown vulnerabilities (...)

> I played with the PGP Desktop trials a while ago, and I have to say that
> it was a whole lot easier to use than GPG.

No. Today, they can use two shells under Windows with extensions for the explorer, a lot of gui's exist for other platforms. GnuPG is well integrated in a lot of mail clients and in some instant messengers or they can use their own scripts for the console. They can get help from a lot of manuals, howto's and so on...

--
Ciao
Kai

WWW: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogweb.de/
OpenPGP: D6E995A0
Jabber: kraven@jabber.ccc.de

From pt at radvis.nu Wed May 11 22:05:52 2005
From: pt at radvis.nu (Per Tunedal Casual) Date: Thu May 12 09:18:14 2005 Subject: How to change trust model In-Reply-To: <20050511010015.GA24461@jabberwocky.com> References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost> <20050510222138.GC24228@jabberwocky.com> <6.1.2.0.2.20050511021816.02d49640@localhost> <20050511010015.GA24461@jabberwocky.com> Message-ID: <6.1.2.0.2.20050511215558.03e03dc0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 03:00 2005-05-11, David Shaw wrote: >On Wed, May 11, 2005 at 02:22:28AM +0200, Per Tunedal Casual wrote: >> At 00:21 2005-05-11, David Shaw wrote: >> >On Wed, May 11, 2005 at 12:16:03AM +0200, Per Tunedal Casual >> >wrote: >> > >> >> Scenario: >> >> A new user has to quickly download keys to his contacts. The >> >> keys >> >> are >> >> signed by a mutually trusted CA. >> >> How can he get valid keys to use trusting the CA, rather than >> >> having >> >> to check and sign each of them? >> > >> >You don't need trust signatures or any special trust models for >> >this. >> >If you trust the CA, sign the CA key. If the CA has signed your >> >contacts, then you're done. The contact keys are now valid. >> > >> >David >> > >> Yes, David, you are right. I want a bit more. >> >> Some contacts may not be directly signed by the CA, then the trust >> model will be important, I suppose. How can the signature of the CA >> be >> useful as far down the tree as possible? >> >> Can you please explain the PGP-model and how to issue trust >> signatures >> (tsign), with the implications for the validity of keys. > >First, read this: > >http://download.cryptoex.com/documents/whitepaper/cex2003-pgp-in-unter >nehmen >-en/Tech%20White%20Paper%202002%20-%20Using%20OpenPGP%20in%20Corporati >ons.pdf > >It's a very good explanation of trust signature concepts. 
> >How they are used specifically in GnuPG is via the 'tsign' command. >tsign is just like sign (or lsign) except that you are asked a few >more questions by GnuPG. Think of tsign as a combination of a >regular >signature plus the ownertrust. This combines two different things >from the classic trust model into one signature. > >First you are asked: > > Please decide how far you trust this user to correctly verify > other > users' keys (by looking at passports, checking fingerprints from > different sources, etc.) > > 1 = I trust marginally > 2 = I trust fully > >This is similar to the question you get asked when setting >ownertrust. >What GnuPG is asking is not how much you trust the user, but how much >you trust the user to make good signatures. > >The next question is: > > Please enter the depth of this trust signature. > A depth greater than 1 allows the key you are signing to make > trust signatures on your behalf. > >The signature depth is how many levels "deep" can the power granted >by >this signature travel. For example, a level of 1 means that the key >you sign is valid for you (just like a regular signature), but also >that the ownertrust for this key is automatically set to MARGINAL or >FULL (depending on how you answered the first question). A level of >2 >means that the key you sign is valid for you, and the ownertrust is >automatically set, AND (assuming the trust made it to FULL) that this >key can issue signatures up to level 1 on your behalf. A level of 3 >means all that, plus the key can issue signatures up to level 2, etc. > >You can think of a regular signature as a trust signature with a >depth >of 0. > >The next question: > > Please enter a domain to restrict this signature, or enter for > none. > >This allows you to restrict (by domain name) the power of the >signature. For example, let's say that you wanted to make a level 2 >signature on a CA key for a particular company. 
You should be >careful >with making any level above 1, so you want to restrict this to that >company. By giving a restriction of companyname.com here, only >signatures issued by the CA key on keys in companyname.com will take >effect. > >That's pretty much it. If you think about it, tsign is not generally >useful outside of hierarchial environments with CAs. Some people are >in hierarchial environments though, and this lets them interoperate. > >Incidentally, you can combine tsign with any of the other signing >types (lsign, nrsign) in any combination you like: ltsign is a local >trust signature, nrltsign is a nonrevocable local trust signature, >etc. > >David > Hi again David, now I tried: 1. Creating one Root-CA, signing a CA-key by: gpg --edit-key keyid tsign with 2 = I trust fully and depth = 2 2. Letting a "user key" sign the Root-CA-key with ltsign with 2 = I trust fully and depth = 2 Result: Keys signed by the CA-key are valid for the user. Questions: Please explain the depth i detail. A. Would it be sufficient to choose depth = 1 for both trust signatures above? B. What happens if a key signed by the CA signs an other key with an ordinary exportable signature? C Why choose depth = 2? A scenario? Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Vad ?r en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCgmWPpPsTvNtsBX8RAmPlAJ9FiGjvWCyuZbQGeVmxxhO38FyXrgCfQDHb Su2RKtnglJAtPGHtEciOD6s= =O6iV -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu May 12 14:29:03 2005 
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu May 12 14:25:27 2005
Subject: How to change trust model
In-Reply-To: <6.1.2.0.2.20050511215558.03e03dc0@localhost>
References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost> <20050510222138.GC24228@jabberwocky.com> <6.1.2.0.2.20050511021816.02d49640@localhost> <20050511010015.GA24461@jabberwocky.com> <6.1.2.0.2.20050511215558.03e03dc0@localhost>
Message-ID: <20050512122903.GA28699@jabberwocky.com>

On Wed, May 11, 2005 at 10:05:52PM +0200, Per Tunedal Casual wrote:

> now I tried:
> 1. Creating one Root-CA, signing a CA-key by:
> gpg --edit-key keyid
> tsign
> with 2 = I trust fully
> and
> depth = 2
>
> 2. Letting a "user key" sign the Root-CA-key with
> ltsign
> with 2 = I trust fully
> and
> depth = 2
>
> Result:
> Keys signed by the CA-key are valid for the user.
>
> Questions:
> Please explain the depth in detail.
>
> A. Would it be sufficient to choose depth = 1 for both trust
> signatures above?

Yes. You only have one link between you and the user: you -> CA -> user

Using a depth of 2 here will work, of course, but is overkill.

> B. What happens if a key signed by the CA signs an other key with an
> ordinary exportable signature?

The usual thing happens, because that signature isn't part of the trust signature chain. We've already established that the key signed by the CA is valid, so if you have sufficient ownertrust set, then this other key would be valid as well.

> C Why choose depth = 2? A scenario?

You -> Big CA -> Little CA -> User

Useful in a company with many subdivisions. You just sign the master CA with a depth of 2, the master CA signs the various subdivision keys with a level of 1, and the subdivision keys sign all the users in their subdivision.

End result is that all users become valid to you.

Signing someone with a level of 2 or greater gives them *a lot* of power. It basically means that not only are they trusted introducers for you, but they can grant the ability to be trusted introducers for you to someone else.

David

From johanw at vulcan.xs4all.nl Thu May 12 16:35:56 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu May 12 16:31:57 2005
Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade
In-Reply-To: <42827DE9.8020404@mac.com>
Message-ID: <200505121435.j4CEZuQg002187@vulcan.xs4all.nl>

Charly Avital wrote:

>I am a MacUser, I have used PGP since 1994 (version 2.6.x) for Macintosh
> Operating System 7.1, then different iterations of PGP for different
>Mac operating systems, till the current PGP 9.x for Macintosh.

OK, Mac seems to be supported.

>I really don't know whether there is a PGP version for Linux,

Only 2.x, a buggy 5.0 that has a serious bug in the RNG and should not be used, and I believe a 6.5.1 commandline version that I can't get to compile.

>I am sure there is a GnuPG version for Linux, in fact, more than one.

Of course. :-)

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Thu May 12 16:33:11 2005
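The depth and domain rules David Shaw describes in the "How to change trust model" messages above, worked through as a small model. This is an added example, not GnuPG's code and not something posted to the list: it handles full trust only, `manual_trust` stands for ownertrust set by hand, and every key name, UID and signature in it is constructed.

```python
"""Simplified model of trust-signature depth and domain restriction.

Assumptions (this is not GnuPG's real algorithm): only FULL trust is
modelled, keys are plain labels, and all sample data is constructed.
"""
from collections import deque, namedtuple

# depth 0 is a regular signature; domain None means "no restriction".
Sig = namedtuple("Sig", "signer signee depth domain")

OWNER_LEVEL = 256  # the owner's own key: above the largest depth (255)


def email_domain(uid):
    """'Name <user@host>' -> 'host'."""
    return uid.rsplit("@", 1)[-1].rstrip(">").lower()


def in_domain(domain, restriction):
    return domain == restriction or domain.endswith("." + restriction)


def evaluate(owner, sigs, uids, manual_trust=frozenset()):
    """Return (valid_keys, introducers) as seen from `owner`.

    introducers maps a key to the level it holds: level 1 means its
    signatures make keys valid, level n > 1 means it may also hand out
    level n-1 through its own trust signatures.
    """
    valid = {owner}
    seen, queue, best = set(), deque(), {}

    def grant(key, level, domains):
        entry = (key, level, domains)
        if level >= 1 and entry not in seen:
            seen.add(entry)
            queue.append(entry)
            if key != owner:
                best[key] = max(best.get(key, 0), level)

    grant(owner, OWNER_LEVEL, frozenset())
    while queue:
        signer, level, domains = queue.popleft()
        for sig in sigs:
            if sig.signer != signer:
                continue
            # A domain restriction on the signer's grant filters which
            # of the signer's signatures take effect.
            target = email_domain(uids[sig.signee])
            if not all(in_domain(target, d) for d in domains):
                continue
            if sig.signee not in valid:
                valid.add(sig.signee)
                if sig.signee in manual_trust:
                    grant(sig.signee, 1, frozenset())
            # The signee gets at most what the signature asks for and
            # never more than one level below the signer.
            passed = domains | {sig.domain} if sig.domain else domains
            grant(sig.signee, min(sig.depth, level - 1), frozenset(passed))
    return valid, best


# Constructed sample data: You -> Big CA -> Little CA -> User.
UIDS = {
    "you": "You <you@example.org>",
    "bigca": "Big CA <ca@example.com>",
    "littleca": "Little CA <ca@sales.example.com>",
    "user": "User <user@sales.example.com>",
    "outsider": "Outsider <someone@example.net>",
    "friend": "Friend <friend@example.net>",
}


def chain(depth, domain=None):
    """Signature set in which `you` tsigns the Big CA with `depth`."""
    return [
        Sig("you", "bigca", depth, domain),
        Sig("bigca", "littleca", 1, None),
        Sig("littleca", "user", 0, None),
        Sig("littleca", "outsider", 0, None),
        Sig("user", "friend", 0, None),   # ordinary signature by a user
    ]


if __name__ == "__main__":
    for label, args in [("depth 2", (chain(2),)),
                        ("depth 1", (chain(1),)),
                        ("depth 2, example.com only", (chain(2, "example.com"),)),
                        ("depth 2, user trusted by hand", (chain(2), {"user"}))]:
        valid, intro = evaluate("you", args[0], UIDS, *args[1:])
        print(f"{label}: valid={sorted(valid)} introducers={intro}")
```

With depth 1 on the Big CA the chain stops at the Little CA, which is valid but cannot introduce anyone; with the domain restriction the example.net key signed by the Little CA stays invalid.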
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu May 12 16:32:05 2005
Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade
In-Reply-To: <1115845459.5018.7.camel@localhost.localdomain>
Message-ID: <200505121433.j4CEXBNn002167@vulcan.xs4all.nl>

Erpo wrote:

>IIRC, the source to PGP is available, but only for "peer review"
>purposes. The license prohibits compiling your own PGP binaries.

There's so much forbidden... PGP doesn't seem to act aggressively against people who do, like the person who compiles the CKT versions.

>> GnuPG has other advantages, like not being windows-only and a decent
>> commandline.

>I played with the PGP Desktop trials a while ago, and I have to say that
>it was a whole lot easier to use than GPG.

If you're on windows perhaps. However, GnuPG is catching up. The 1.0 versions were hardly usable on windows, the 1.2 and 1.4 versions work fine.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From samuel at Update.UU.SE Thu May 12 18:05:08 2005
From: samuel at Update.UU.SE (Samuel ]slund) Date: Thu May 12 18:59:48 2005 Subject: Add to FAQ! Re: Newbie question : GPgee and GPGshell etc.. In-Reply-To: <4282A84C.1040001@excelcia.org> References: <1115821335.24107.233893827@webmail.messagingengine.com> <4282A84C.1040001@excelcia.org> Message-ID: <20050512160508.GA27600@Update.UU.SE> Hi This seems like a good description of Windows GUI for GnuPG. If I was looking for a GUI this is the information I would like to have. Could someone with access add it to the FAQ? The question could be "Does GnuPG for windows have a GUI?", possibly under the installation heading. //Samuel On Wed, May 11, 2005 at 06:50:20PM -0600, Kurt Fitzner wrote: > gpg.20.subu@spamgourmet.com wrote: > > > which one of these > > - GPGshell > > - WinPT > > - GPGee > > > > is better for a starter with GPG > > First of all, let's get some definitions down because it can become > confusing. WinPT is both an application and a group of tools. The > application, Windows Privacy Tray, sits in the Windows task tray and > gives you a GnuPG interface from there. The group of tools is the tray > application bundled along with GnuPG itself. This distinction will > become important later... for now, though, when I say "WinPT" I mean the > tray application, not the group of tools. > > Now, to answer your question: GPG Shell is an ok program but not really > designed for the GnuPG beginner. What is does when you tell it to do > something is start the GngPG command for you and then dump you into a > command prompt with that GnuPG command running so you can finish it > (answer any questions GnuPG has for you). So, if you want to edit a > key, it doesn't have a GUI mechanism to do so - it drops you into the > GnuPG edit key command and you have to type all the key editing commands > in. For a new person, WinPT will be easier to use. 
It doesn't expose > quite as much of the inner workings of GnuPG - there are some things you > can't do with it, but what it does do is completely through a GUI. > > Now, as far as GPGee goes, it isn't intended as a "competitor" to WinPT, > but more as a complement. WinPT is a tray application that gives you a > key manager and lets you perform GPG operations on the clipboard and the > current window. GPGee isn't intended to do all that. It is only a > Windows explorer shell extension. It adds GnuPG commands to the windows > explorer right-click context menu. So, if you want to simple sign, > encrypt, or verify one or more files, GPGee makes that very easy. There > is no key management in it at all, so that would be something you would > do through WinPT. > > The reason I made the distinction between the WinPT tray application and > the WinPT group of tools, is that GPGee is going to become one of the > tools included in WinPT. Timo Schulz had a different shell extension > (WinFPSE) that was included in the WinPT bundle, but he wants to focus > more on the tray application, and I will focus on the explorer extension. > > Hopefully once GPGee is in the bundle things will become less confusing > for the new people just looking for a good front end. > > Kurt. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From pt at radvis.nu Thu May 12 20:43:08 2005 
From: pt at radvis.nu (Per Tunedal Casual) Date: Thu May 12 20:35:35 2005 Subject: How to change trust model In-Reply-To: <20050512122903.GA28699@jabberwocky.com> References: <6.1.2.0.2.20050510173846.03d02c60@localhost> <20050510195137.GA24010@jabberwocky.com> <6.1.2.0.2.20050510234755.02e99428@localhost> <20050510215811.GA24228@jabberwocky.com> <6.1.2.0.2.20050511001159.02d49548@localhost> <20050510222138.GC24228@jabberwocky.com> <6.1.2.0.2.20050511021816.02d49640@localhost> <20050511010015.GA24461@jabberwocky.com> <6.1.2.0.2.20050511215558.03e03dc0@localhost> <20050512122903.GA28699@jabberwocky.com> Message-ID: <6.1.2.0.2.20050512204153.03cf0ed0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 14:29 2005-05-12, David Shaw wrote: >On Wed, May 11, 2005 at 10:05:52PM +0200, Per Tunedal Casual wrote: > >> now I tried: >> 1. Creating one Root-CA, signing a CA-key by: >> gpg --edit-key keyid >> tsign >> with 2 = I trust fully >> and >> depth = 2 >> >> 2. Letting a "user key" sign the Root-CA-key with >> ltsign >> with 2 = I trust fully >> and >> depth = 2 >> >> Result: >> Keys signed by the CA-key are valid for the user. >> >> Questions: >> Please explain the depth i detail. >> >> A. Would it be sufficient to choose depth = 1 for both trust >> signatures above? > >Yes. You only have one link betweeen you and the user: you -> CA -> >user > >Using a depth of 2 here will work, of course, but is overkill. > >> B. What happens if a key signed by the CA signs an other key with >> an >> ordinary exportable signature? > >The usual thing happens, because that signature isn't part of the >trust signature chain. We've already established that the key signed >by the CA is valid, so if you have sufficient ownertrust set, then >this other key would be valid as well. > >> C Why choose depth = 2? A scenario? > >You -> Big CA -> Little CA -> User > >Useful in a company with many subdivisions. 
You just sign the master >CA with a depth of 2, the master CA signs the various subdivision >keys >with a level of 1, and the subdivision keys sign all the users in >their subdivision. > >End result is that all users become valid to you. > >Signing someone with a level of 2 or greater gives them *a lot* of >power. It basically means that not only are they trusted introducers >for you, but they can grant the ability to be trusted introducers for >you to someone else. > >David > Hi David, thank you very much for your thorough explanation. I finally have grasped it! Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCg6O3pPsTvNtsBX8RAp9/AKCJRpvbhzy3VjabA9ejbCFkkhEDxgCaA3KR nx96w0EhTpHmOjAf4qlagH0= =zjEe -----END PGP SIGNATURE----- From unknown_kev_cat at hotmail.com Thu May 12 03:50:30 2005 From: unknown_kev_cat at hotmail.com (Anonymous) Date: Thu May 12 21:05:15 2005 Subject: [PGP-USERS] PGP Desktop Home - Cost of upgrade References: <200505111321.j4BDL3Hv001419@vulcan.xs4all.nl> <1115845459.5018.7.camel__32432.2298555218$1115847620$gmane$org@localhost.localdomain> Message-ID: > IIRC, the source to PGP is available, but only for "peer review" > purposes. The license prohibits compiling your own PGP binaries. I might > be wrong. It's been a long time since I've read the license. You are almost right. You may make binaries, but not for use, only for testing PGP for exploits. For example if you think you see an exploit in the source, you can compile PGP to test the exploit before reporting it to PGP Corp. From angelo at zlogic.co.za Fri May 13 11:56:53 2005 
From: angelo at zlogic.co.za (Angelo Zanetti) Date: Fri May 13 12:18:05 2005 Subject: which plugin for Outlook express Message-ID: <428479E5.5030400@zlogic.co.za> Hi all, I have installed GPG and generated the public and private keys. Have encrypted a message and now need to get a plugin for Outlook Express. So on the gnupg.org site they list two for Outlook Express: GPGOE and the G Data plugin. Well the GPGOE plugin's site doesn't have the page of the latest download and G Data is in German. I believe they are actually the same product. My question is are these (this) products (s) the correct ones for decrypting messages in the mail client? Or am I on the wrong track? How well are these plugins supported? They don't seem to be that well supported... Please give me advice. thanks in advance -- Angelo Zanetti Z Logic www.zlogic.co.za [c] +27 72 441 3355 [t] +27 21 469 1052 From dshaw at jabberwocky.com Fri May 13 14:31:35 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri May 13 14:28:06 2005 Subject: Keyserver In-Reply-To: <20050513105527.GF27620@mail.gasops.co.uk> References: <20050513105527.GF27620@mail.gasops.co.uk> Message-ID: <20050513123135.GB31255@jabberwocky.com> On Fri, May 13, 2005 at 11:55:27AM +0100, Shaun Lipscombe wrote: > Which keyserver(s) should I use? I heard that some should not be used. Just > want to know what to put in my conf file. Use subkeys.pgp.net David From wizard at roborooter.com Fri May 13 20:01:08 2005 
From: wizard at roborooter.com (Francis Gulotta) Date: Fri May 13 20:49:15 2005 Subject: Keyserver In-Reply-To: <20050513123135.GB31255@jabberwocky.com> References: <20050513105527.GF27620@mail.gasops.co.uk> <20050513123135.GB31255@jabberwocky.com> Message-ID: <4284EB64.6080708@roborooter.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've got keyserver ldap://keyserver.pgp.com in my gpg.conf, but my enigmail has a few listed. random.sks.keyserver.penguin.de pgp.dtype.org keyserver.kjsl.com ldap://certserver.pgp.com It uses random.sks.keyservcer.penguine.de by default. A random keyserver selection seems like the best idea for me (unless you need to hit one specificly) I can't read german but I'd think this one directs you to a random keyserver. Does anyone know? And why would someone use subkeys.pgp.net instead of any of the others I listed? Thank you. - -Francis David Shaw wrote: > On Fri, May 13, 2005 at 11:55:27AM +0100, Shaun Lipscombe wrote: > >>Which keyserver(s) should I use? I heard that some should not be used. Just >>want to know what to put in my conf file. > > > Use subkeys.pgp.net > > David > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFChOtkTJEaZCt0gQsRAgX1AKC2LYzPXi2xffk3a+n7FQiCXloemACcDStN f93vT5wsKx7KGvcM++xwf/A= =uMor -----END PGP SIGNATURE----- From patrick at mozilla-enigmail.org Sat May 14 11:01:57 2005 
From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Sat May 14 11:58:00 2005 Subject: Enigmail Test Builds for SmartCard Support Message-ID: <4285BE85.9000707@mozilla-enigmail.org> I have implemented support for OpenPGP SmartCards into Enigmail: - set card owner data - key creation - PIN administration - Using the card for message processing (sign/decrypt) Since my usual testers don't have OpenPGP SmartCards, I'm looking for some people who could help me testing the new functionality. The test builds of Enigmail are available for Thunderbird 1.0, and Thunderbird trunk builds on Windows and Linux: http://enigmail.mozdev.org/nightly.html -Patrick -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050514/0e407b6f/signature.pgp From mario at codehack.org Sat May 14 14:22:07 2005 
From: mario at codehack.org (Mario Fuerderer) Date: Sat May 14 15:18:26 2005 Subject: OpenPG Smartcard and Sylpheed Message-ID: <20050514142207.214cb5a3.mario@codehack.org> Hello everyone, I just got my new smartcard reader and the OpenPGP Crypto Card (*1) today. The installation went quite smoothly as well as the personalization of the smartcard itself. So crypting files using the smartcard and GnuPG (version 1.4.1) works just as simply as going the normal way with a locally stored encryption key. But unfortunately sylpheed (version 1.9.10) doesn't seem to work with this new setup. It just hangs up when I try to send a crypted/signed mail. A `ps aux | grep gpp` shows the following command, during the hang: gpg --no-sk-comment --status-fd 8 --no-tty --charset utf8 --enable-progress-filter --command-fd 9 --sign --detach --armor --textmode Executing gpg manually with these switches gives me the following error: gpg: fatal: can't open fd 8 for status output: Bad file descriptor secmem usage: 0/0 bytes in 0/0 blocks of pool 0/0 I don't know if it's an issue of gpgme (1.0.2), gnupg or sylpheed... Are there any other sylpheed users using the OpenPGP Crypto Card or does anyone have an idea about what could be wrong with my setup? Thank you in advance! mario *1) http://www.g10code.de/p-card.html -- Mario Fürderer From b.buerger at penguin.de Fri May 13 21:28:33 2005 
From: b.buerger at penguin.de (Bjoern Buerger) Date: Sat May 14 15:54:17 2005 Subject: Keyserver In-Reply-To: <4284EB64.6080708@roborooter.com> References: <20050513105527.GF27620@mail.gasops.co.uk> <20050513123135.GB31255@jabberwocky.com> <4284EB64.6080708@roborooter.com> Message-ID: <20050513192833.GF1328@penguin.de> * Francis Gulotta (wizard@roborooter.com) [050513 21:10]: > It uses random.sks.keyservcer.penguine.de by default. > > A random keyserver selection seems like the best idea for me (unless you > need to hit one specifically) I can't read German but I'd think this one > directs you to a random keyserver. > > Does anyone know? You are right. random.sks.keyservcer.penguine.de contains all "green" (available) hosts from the sks keyserver map: http://sks.keyserver.penguin.de/graphs/sks_network_today.png You will get one of ~ 15-20 Servers. All of them should be running (checked twice a day) All of them are subkey safe. Greetings, Björn -- There ist no place like ~/ From jharris at widomaker.com Sat May 14 16:44:55 2005 
From: jharris at widomaker.com (Jason Harris) Date: Sat May 14 16:40:50 2005 Subject: Keyserver In-Reply-To: <20050513192833.GF1328@penguin.de> References: <20050513105527.GF27620@mail.gasops.co.uk> <20050513123135.GB31255@jabberwocky.com> <4284EB64.6080708@roborooter.com> <20050513192833.GF1328@penguin.de> Message-ID: <20050514144454.GP356@wilma.widomaker.com> On Fri, May 13, 2005 at 09:28:33PM +0200, Bjoern Buerger wrote: > * Francis Gulotta (wizard@roborooter.com) [050513 21:10]: > > It uses random.sks.keyservcer.penguine.de by default. > > > > A random keyserver selection seems like the best idea for me (unless you > > need to hit one specificly) I can't read german but I'd think this one > > directs you to a random keyserver. > > > > Does anyone know? > > You are right. random.sks.keyservcer.penguine.de contains all > "green" (available) hosts from the sks keyserver map: > http://sks.keyserver.penguin.de/graphs/sks_network_today.png > > You will get one of ~ 15-20 Servers. > > All of them should be running (checked twice a day) > All of them are subkey safe. Unfortunately, http://213.133.99.198:11371/pks/lookup?op=stats shows linux-geeks.de is currently unsynchronized (missing ~5000 keys). Also, http://67.66.94.243:11371/pks/lookup?op=stats shows dannyj.dynip.com hasn't synchronized for even longer (missing ~25000 keys). (Fortunately, submitting keys/updates to either of these two servers will email them to keyserver.kjsl.com (also subkey safe), which will propagate them to the rest of the keyserver network (without photos).) -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050514/7de345ca/attachment.pgp From david69 at charter.net Sun May 15 21:43:38 2005 
From: david69 at charter.net (David) Date: Sun May 15 22:17:03 2005 Subject: Difference "gpg --armor --store" Vs. "gpg --enarmor" Message-ID: <4287A66A.6050804@charter.net> Hi List, What is the difference between "gpg --armor --store" and "gpg --enarmor"? Thanks, David -- "The difference between fiction and reality? Fiction has to make sense." - Tom Clancy - From dshaw at jabberwocky.com Sun May 15 22:44:03 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 15 22:40:47 2005 Subject: Difference "gpg --armor --store" Vs. "gpg --enarmor" In-Reply-To: <4287A66A.6050804@charter.net> References: <4287A66A.6050804@charter.net> Message-ID: <20050515204403.GF2415@jabberwocky.com> On Sun, May 15, 2005 at 12:43:38PM -0700, David wrote: > Hi List, > > What is the difference between "gpg --armor --store" and "gpg --enarmor"? --armor --store creates an armored OpenPGP message: a "literal message", which is unencrypted and unsigned. --enarmor armors whatever you feed it. The result is not an OpenPGP message. David From jharris at widomaker.com Mon May 16 04:21:58 2005 
From: jharris at widomaker.com (Jason Harris) Date: Mon May 16 04:18:11 2005 Subject: new (2005-05-15) keyanalyze results (+sigcheck) Message-ID: <20050516022157.GR356@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-05-15/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 From dscribner at tuxist.org Mon May 16 07:13:28 2005 
From: dscribner at tuxist.org (David D. Scribner) Date: Mon May 16 07:44:01 2005 Subject: Add to FAQ! Re: Newbie question : GPgee and GPGshell etc.. In-Reply-To: <20050512160508.GA27600@Update.UU.SE> References: <1115821335.24107.233893827@webmail.messagingengine.com> <4282A84C.1040001@excelcia.org> <20050512160508.GA27600@Update.UU.SE> Message-ID: <20050516051328.GA28897@shortcircuit.lan> Samuel Åslund [samuel@Update.UU.SE] wrote: > Hi > > This seems like a good description of Windows GUI for GnuPG. > If I was looking for a GUI this is the information I would like to have. > Could someone with access add it to the FAQ? > The question could be "Does GnuPG for windows have a GUI?", possibly > under the installation heading. > > //Samuel Hi Samuel! There's actually a very broad list of GUI frontends, with hyperlinks to the product's home page for the various OSes already posted on gnupg.org . However, I think that the mention of this would be good to include in the GnuPG FAQ (something along the lines of "Are there GUI frontends for GnuPG?" perhaps), and including a URL to point the reader to the Frontends page for further information. I'll add this to my (LONG) overdue update to the FAQ. Thanks! Even though the descriptions on the Frontends page are very minimal, it would be very hard to keep it updated with broad or more complete descriptions as the various products change regularly, adding or enhancing their features, etc. It's best to let the project's home page go into more detail about their own product, and mainly point the inquirer to those pages instead. If there are GUIs that are not listed that someone feels *should be* listed, or other suggestions for the Frontends page, I'm sure the page maintainer (Werner) would welcome them. Thanks again for the suggestion to the FAQ! -- David D. Scribner http://www.tuxist.org http://www.gnupg.org - It's your privacy. It's your right! 
GnuPG/PGP: 3172 7408 58CA D9C2 F697 950F 9DDC 7AC7 91EC 5F06 "The nice thing about Windows is - It does not just crash, it displays a dialog box and lets you press 'OK' first." -- Arno Schaefer's .sig -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : /pipermail/attachments/20050516/93b7955f/attachment-0001.pgp From mailinglists at gkruijer.nl Mon May 16 12:05:56 2005 From: mailinglists at gkruijer.nl (Gerrit Kruijer) Date: Mon May 16 12:01:37 2005 Subject: How to cancel public key Message-ID: <42887084.9090209@gkruijer.nl> Hello Listers, i have a question regarding my public key's. Because there are some email-addresses i don't use anymore i want to update my keys. How can i do that? When i search the server i found three keys. Only one is needed. -- Kind regards, Gerrit From patrick at mozilla-enigmail.org Mon May 16 14:33:07 2005 
From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon May 16 14:30:05 2005 Subject: How to cancel public key In-Reply-To: <42887084.9090209__18673.6764073887$1116238687$gmane$org@gkruijer.nl> References: <42887084.9090209__18673.6764073887$1116238687$gmane$org@gkruijer.nl> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gerrit Kruijer wrote: > Hello Listers, > i have a question regarding my public key's. Because there are some > email-addresses i don't use anymore i want to update my keys. > How can i do that? > When i search the server i found three keys. Only one is needed. You can revoke the keys you don't need anymore. Since you seem to be using Enigmail, the easiest is to open the Enigmail OpenPGP Key Management window, select the key you want to revoke, and choose "Revoke key" from the context menu. Then, you can upload your revoked key to a keyserver. If you just want to revoke a user ID on your key, you can use the function "Manage User IDs" and revoke just the user ID's your not using anymore. Then, you can again upload the modified key to a keyserver. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCiJMC2KgHx8zsInsRAnGhAJsEQ0oApbWaAjBdjAabVgUziPSzqwCg0vY+ qQqbLdzGrne4ar6NA4tuSsE= =aGH4 -----END PGP SIGNATURE----- From gpg.20.subu at spamgourmet.com Wed May 11 13:25:34 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Mon May 16 15:03:58 2005 Subject: Help with Enigmail and other issues Message-ID: <1115810734.3667.233878576@webmail.messagingengine.com> Hi I'm totally new to GPG (I know the concepts behind PGP) I use Win XPP + Mozilla 1.7.7. I've recently downloaded enigmail - If this the correct place to ask questions on Enigmail I have the following questions ---------------------------------------------------- - I opened today's message titled "Re: How to change trust model" from pt_at_radvis_dot_nu and found the message is signed. - I click on the pen ICON to check the signature and get a message public key not found - I proceed to try and download the public key from one of the 4 servers listed ~ defaults as of now in enigmail - I get either a socket error or a key not found error - How do I proceed further ? - Is there a better way to import public keys into enigmail ? - where is the public key ring stored by enigmail ? p.s. - - - If this isn't the right place please suggest the right place to ask questions above TIA From gpg.20.subu at spamgourmet.com Wed May 11 16:22:15 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Mon May 16 15:04:02 2005 Subject: Newbie question : GPgee and GPGshell etc.. Message-ID: <1115821335.24107.233893827@webmail.messagingengine.com> Newbie question ---------------------------- which one of these - GPGshell - WinPT - GPGee is better for a starter with GPG TIA Subu Kurt Fitzner - kfitzner@excelcia.org wrote: >In the belief that GPGee is now ready for production use, I've just >released version 1.0. For those who aren't familliar with it, GPGee is >a Windows explorer shell extension. It adds support for GnuPG to the >right-click context menu in Windows explorer. > >You can download it from the GPGee home page at: http://gpgee.excelcia.org > >GPGee's features include: > > - Sign, sign+encrypt, or encrypt multiple files at once. > - Verify/decrypt multiple files at once - GPGee automatically > detects the GnuPG file type and performs the correct operaation. > - Can configure the location of the gpg.conf, public and secret > keyrings files. Use GPGee with keys stored on usb flash drives. >* - Quick-select encryption key groups. Encrypt to multiple > recipients quickly and easily. >* - Visual indication of the trust level of signatures >* - Compares expiry date of keys against the date signatures were > produced. > - Context-sensitive help > - It's free software, just like GnuPG. Inspect the code for yourself. > >* = New feature for 1.0 > From gpg.20.subu at spamgourmet.com Thu May 12 21:49:47 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Mon May 16 15:04:06 2005 Subject: Help on Enigmail - Mozilla 1.7.7. with Win XPP Message-ID: <1115927387.28607.234011128@webmail.messagingengine.com> Hi Forgive my intrustion into your inbox. What's the correct place to ask questions on Enigmail ? If it is here ....... I have the following ------------------------------- ------------------------------------------------ Hi I'm totally new to GPG (I know the concepts behind PGP) I use Win XPP + Mozilla 1.7.7. I've recently downloaded enigmail to use with Mozilla - as I was advised that Enigmail has most functions for a startup user - Lets say I get a signed message - like the ones from this "gnupg-users" list - I click on the "pen" ICON (displayed by Mozilla) to check the signature - I get a message "public key not found" - I proceed to try and download the public key from one of the 4 servers listed in Enigmail ~ I suppose defaults as of now in Enigmail - I get either a *socket error* or a *key not found error* - How do I proceed further ? - Is there a better way to import public keys into enigmail ? AND - where is the public key ring stored by enigmail ? p.s. - - - If this isn't the right place please suggest the right place to ask questions above TIA Subu p.s. - Forgive my intrustion into your inbox. I've tried asking this question to the list - but guess my membership still awaits moderator approval and so I'm sending this to all of you.. From Rob_Wolters at activa.cc Thu May 12 22:47:15 2005 
From: Rob_Wolters at activa.cc (Rob_Wolters@activa.cc) Date: Mon May 16 15:04:09 2005 Subject: importing private keys Message-ID: I currently run pgp 8.1 on my Windows desktop and would like to install gnupg on my Unix server. When I do this, will I be able to import my keypair from PGP into gnupg so that I don't have to create a new private and public key? I've looked through the documentation and can't seem to find an answer. Rob Wolters Activa Benefit Services, LLC 616-787-1245 From gpg.20.subu at spamgourmet.com Fri May 13 10:45:32 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Mon May 16 15:04:13 2005 Subject: Newbie question : GPgee and GPGshell etc.. In-Reply-To: <1115927723.29500.234011839@webmail.messagingengine.com> References: <1115927723.29500.234011839@webmail.messagingengine.com> Message-ID: <1115973932.30594.234049648@webmail.messagingengine.com> Hi I visited the Win PT link from gnupg.org site. This link http://www.stud.uni-hannover.de/~twoaday/winpt.html has the following 1. http://www.stud.uni-hannover.de/~twoaday/sipfone-exe.zip - Windows binary 2. http://www.equipmente.de/gnupt-int.exe - graphicall installer which seems to have additional stuff + WinPt, but an older version of WinPT 3. and other links ... Now my question ----------------------- - which is the most stable release of WinPT (pl. note I am a newbie) ? - Is it preferable I have the latest release (i.e.) with all loophole plugged http://www.stud.uni-hannover.de/~twoaday/winpt-0.9.92-exe.zip or have the latest stable version which might be something else TIA Kurt Fitzner - kfitzner@excelcia.org wrote: >gpg.20.subu@spamgourmet.com wrote: > >>which one of these >>- GPGshell >>- WinPT >>- GPGee >> >>is better for a starter with GPG > > >First of all, let's get some definitions down because it can become >confusing. WinPT is both an application and a group of tools. The >application, Windows Privacy Tray, sits in the Windows task tray and >gives you a GnuPG interface from there. The group of tools is the tray >application bundled along with GnuPG itself. This distinction will >become important later... for now, though, when I say "WinPT" I mean the >tray application, not the group of tools. > From gpg.20.subu at spamgourmet.com Sat May 14 17:07:36 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Mon May 16 15:04:16 2005 Subject: Keyserver Message-ID: <1116083256.10353.234129317@webmail.messagingengine.com> Hi I use Win XPP + Moz 1.7.8 + Enigmail + GPG I tried verifying the signature your message below with Mozilla mail client + Enigmail i.e. - I download the message from IMAP server - click the pen IKON (with a ?) - I get a Enigmail pop up saying "Unverified signature" etc.. - I click yes button to import signature - I choose keyserver.kjsl.com (I've also tried http://keyserver.kjsl.com) - Every time I get a "socket error : ec = 10054" - I get same results with *some* other keyservers as well Where am I wrong - Is there an easier / better way to retrieve keys once and for all Regards Subu Jason Harris - jharris@widomaker.com wrote: >On Fri, May 13, 2005 at 09:28:33PM +0200, Bjoern Buerger wrote: > >>* Francis Gulotta (wizard@roborooter.com) [050513 21:10]: >> >>>It uses random.sks.keyservcer.penguine.de by default. >>> >>>A random keyserver selection seems like the best idea for me (unless you >>>need to hit one specificly) I can't read german but I'd think this one >>>directs you to a random keyserver. >>> >>>Does anyone know? >> >>You are right. random.sks.keyservcer.penguine.de contains all >>"green" (available) hosts from the sks keyserver map: >>http://sks.keyserver.penguin.de/graphs/sks_network_today.png >> >>You will get one of ~ 15-20 Servers. >> >>All of them should be running (checked twice a day) >>All of them are subkey safe. > > >Unfortunately, http://213.133.99.198:11371/pks/lookup?op=stats shows >linux-geeks.de is currently unsynchronized (missing ~5000 keys). Also, >http://67.66.94.243:11371/pks/lookup?op=stats shows dannyj.dynip.com >hasn't synchronized for even longer (missing ~25000 keys). 
> >(Fortunately, submitting keys/updates to either of these two servers >will email them to keyserver.kjsl.com (also subkey safe), which will >propagate them to the rest of the keyserver network (without photos).) > From dshaw at jabberwocky.com Mon May 16 15:20:29 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon May 16 15:16:47 2005 Subject: importing private keys In-Reply-To: References: Message-ID: <20050516132029.GA11602@jabberwocky.com> On Thu, May 12, 2005 at 04:47:15PM -0400, Rob_Wolters@activa.cc wrote: > I currently run pgp 8.1 on my Windows desktop and would like to install > gnupg on my Unix server. When I do this, will I be able to import my > keypair from PGP into gnupg so that I don't have to create a new private > and public key? I've looked through the documentation and can't seem to > find an answer. Short answer: yes. Just export the private key from 8.1, and import it to GnuPG just like you'd export/import a public key. David From vedaal at hush.com Mon May 16 15:37:10 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Mon May 16 15:33:02 2005 Subject: the difference between "gpg --armor --store" and "gpg --enarmor Message-ID: <200505161337.j4GDbDS9082750@mailserver2.hushmail.com> On Sun, 15 May 2005 22:49:01 -0700 gnupg-users-request@gnupg.org wrote: >Message: 7 >Date: Sun, 15 May 2005 16:44:03 -0400 
>From: David Shaw >Subject: Re: Difference "gpg --armor --store" Vs. "gpg --enarmor" >--armor --store creates an armored OpenPGP message: a "literal >message", which is unencrypted and unsigned. > >--enarmor armors whatever you feed it. The result is not an >OpenPGP >message. another difference that might be of some practical interest, is that --enarmor does not include a date/time stamp but --armor --store does vedaal From atom at smasher.org Mon May 16 18:38:19 2005 
From: atom at smasher.org (Atom Smasher) Date: Mon May 16 18:34:08 2005 Subject: Difference "gpg --armor --store" Vs. "gpg --enarmor" In-Reply-To: <20050515204403.GF2415@jabberwocky.com> References: <4287A66A.6050804@charter.net> <20050515204403.GF2415@jabberwocky.com> Message-ID: <20050516163820.26445.qmail@smasher.org> On Sun, 15 May 2005, David Shaw wrote: > On Sun, May 15, 2005 at 12:43:38PM -0700, David wrote: >> Hi List, >> >> What is the difference between "gpg --armor --store" and "gpg >> --enarmor"? > > --armor --store creates an armored OpenPGP message: a "literal message", > which is unencrypted and unsigned. > > --enarmor armors whatever you feed it. The result is not an OpenPGP > message. ====================== one could also use base64 to armor a message. what makes enarmor nice for pgp hacking is that it adds a checksum (rfc2440:6) making it radix-64 armored. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I am somehow less interested in the weight and convolutions of Einstein's brain than in the near certainty that people of equal talent have lived and died in cotton fields and sweatshops." -- Stephen Jay Gould From mario at codehack.org Mon May 16 21:27:16 2005 
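The radix-64 checksum mentioned in the --enarmor reply above (RFC 2440, section 6), shown next to plain base64, as an added example that is not part of the original thread. The function names and SAMPLE are this example's own, and the "PGP ARMORED FILE" label is an assumption about the header line --enarmor writes.

```python
"""Radix-64 armor with the RFC 2440 section 6 CRC-24, next to plain base64."""
import base64
import binascii

CRC24_INIT = 0xB704CE   # initial value from RFC 2440, section 6.1
CRC24_POLY = 0x1864CFB  # generator polynomial from RFC 2440, section 6.1


class ArmorError(ValueError):
    """Raised when armored text is malformed or fails its checksum."""


def crc24(data: bytes) -> int:
    """CRC-24 over the raw (pre-base64) bytes, as the RFC specifies."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, label: str = "PGP ARMORED FILE") -> str:
    """Wrap data in radix-64 armor: base64 body plus '=' and the CRC-24.

    The default label is an assumption (see lead-in); no armor headers
    such as Version: or Comment: are emitted.
    """
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN {label}-----", "", *lines, "=" + crc,
         f"-----END {label}-----", ""]
    )


def dearmor(text: str) -> bytes:
    """Decode armor and verify the checksum; raise ArmorError on mismatch.

    The RFC makes the checksum optional; this example requires it.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ArmorError("missing armor header or tail line")
    try:
        blank = lines.index("", 1)  # armor headers end at the first blank line
    except ValueError:
        raise ArmorError("no blank line after the armor headers") from None
    *data_lines, crc_line = lines[blank + 1:-1] or [""]
    if len(crc_line) != 5 or not crc_line.startswith("="):
        raise ArmorError("missing CRC-24 line")
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
        stated = int.from_bytes(
            base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ArmorError(f"invalid base64: {exc}") from None
    if crc24(data) != stated:
        raise ArmorError("CRC-24 mismatch: armored data was altered")
    return data


def decode_without_check(text: str) -> bytes:
    """What plain base64 gives: the body decoded, the CRC line ignored.

    Assumes the header-less layout produced by armor() above.
    """
    lines = text.strip().splitlines()
    return base64.b64decode("".join(lines[2:-2]))


def tamper(armored: str) -> str:
    """Swap the first body character for another valid base64 character."""
    lines = armored.splitlines()
    first = lines[2]  # first data line, after the BEGIN line and blank line
    lines[2] = ("B" if first[0] == "A" else "A") + first[1:]
    return "\n".join(lines) + "\n"


# Constructed sample input, not taken from the thread.
SAMPLE = b"constructed sample payload for the armor demo\n"

if __name__ == "__main__":
    good = armor(SAMPLE)
    print(good)
    bad = tamper(good)
    print("plain base64 still decodes:", decode_without_check(bad)[:12])
    try:
        dearmor(bad)
    except ArmorError as err:
        print("armor check:", err)
```

The CRC detects accidental corruption in transit; it is not a signature and gives no protection against deliberate modification, since anyone can recompute it.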
From: mario at codehack.org (Mario Fuerderer) Date: Mon May 16 21:23:42 2005 Subject: OpenPG Smartcard and Sylpheed In-Reply-To: <20050514142207.214cb5a3.mario@codehack.org> References: <20050514142207.214cb5a3.mario@codehack.org> Message-ID: <20050516212716.0cdcb203.mario@codehack.org> For me the whole issue seems to be a problem of gpgme. I came to this view after trying several tools, depending on gpgme. Any application linked against gpgme (sylpheed, gpa, etc.) seems to hang while other applications which speak to gpg "natively" work just like a charm... Other views or ways to solve my little problem are very appreciated, because I can't use sylpheed with encryption currently... Thank you in advance! Mario -- Mario Fürderer From venona at gmx.ch Tue May 17 02:17:07 2005 From: venona at gmx.ch (venona@gmx.ch) Date: Tue May 17 03:13:23 2005 Subject: which plugin for Outlook express In-Reply-To: <428479E5.5030400@zlogic.co.za> References: <428479E5.5030400@zlogic.co.za> Message-ID: <20050517091640.A99A.VENONA@gmx.ch> On Fri, 13 May 2005 11:56:53 +0200 Angelo Zanetti wrote: > Well the GPGOE plugin's site doesn't have the page of the latest download http://winpt.cityofcambridge.net/gpgoe.html http://winpt.cityofcambridge.net/devel/gpgoe-0.4.1-dll.zip > I believe they are actually the same product. G Data plugin is not the same product as GPGOE. The former is for MS Outlook, which is included in MS Office. From christian.rank at rz.uni-passau.de Tue May 17 08:39:58 2005 
From: christian.rank at rz.uni-passau.de (Christian Rank) Date: Tue May 17 08:35:41 2005 Subject: Enigmail Test Builds for SmartCard Support In-Reply-To: <20050516054838.5FD3259F7F@tom.rz.uni-passau.de> References: <20050516054838.5FD3259F7F@tom.rz.uni-passau.de> Message-ID: <428991BE.6000300@rz.uni-passau.de> Hello Patrick, > I have implemented support for OpenPGP SmartCards into Enigmail: > - set card owner data > - key creation > - PIN administration > - Using the card for message processing (sign/decrypt) > > Since my usual testers don't have OpenPGP SmartCards, I'm looking for > some people who could help me testing the new functionality. > > The test builds of Enigmail are available for Thunderbird 1.0, and > Thunderbird trunk builds on Windows and Linux: > http://enigmail.mozdev.org/nightly.html I've tested the new version with my OpenPGP Smartcard and Thunderbird 1.0.2. In the function "Manage SmartCard", the fields "Firstname" and "Name" seem to be swapped. The functions "Edit Card Data" and "Change PIN" work perfectly for me, as well as signing operations. I have the following suggestions for improvements: Since accessing the smart card takes a few seconds, it would be nice if during smart card operations an alert box like "accessing smart card, please stand by" would be displayed. If smartcard operations are attempted without a smartcard in the reader, just the gpg error messages are displayed. It would be nice if a prompt like "please insert smartcard" would be displayed. Thanks for developing this great tool which makes encryption and signing of messages really easy! 
Best regards, Christian From wizard at roborooter.com Tue May 17 09:02:40 2005 From: wizard at roborooter.com (Francis Gulotta) Date: Tue May 17 08:58:31 2005 Subject: How to cancel public key In-Reply-To: References: <42887084.9090209__18673.6764073887$1116238687$gmane$org@gkruijer.nl> Message-ID: <42899710.2020800@roborooter.com> How would I revoke a key I no longer have a private key for? I understand I can't do the same thing, but can I do something like the opposite of signing? Signing against a key? -Francis Patrick Brunschwig wrote: > > You can revoke the keys you don't need anymore. Since you seem to be > using Enigmail, the easiest is to open the Enigmail OpenPGP Key > Management window, select the key you want to revoke, and choose "Revoke > key" from the context menu. Then, you can upload your revoked key to a > keyserver. From patrick at mozilla-enigmail.org Tue May 17 10:01:23 2005 
From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Tue May 17 09:57:54 2005 Subject: How to cancel public key In-Reply-To: <42899710.2020800@roborooter.com> References: <42887084.9090209__18673.6764073887$1116238687$gmane$org@gkruijer.nl> <42899710.2020800@roborooter.com> Message-ID: <4289A4D3.3060600@mozilla-enigmail.org> You can't. If you have lost your private key, there's no way you could revoke the public key anymore. That's why it's important to create a revocation certificate and store it safely (and maybe even print it, so that you could type it if all other means fail). -Patrick Francis Gulotta wrote: > How would I revoke a key I no longer have a private key for? I > understand I can't do the same thing, but can I do something like the > opposite of signing? Signing against a key? > > -Francis > > Patrick Brunschwig wrote: > > >>>You can revoke the keys you don't need anymore. Since you seem to be >>>using Enigmail, the easiest is to open the Enigmail OpenPGP Key >>>Management window, select the key you want to revoke, and choose "Revoke >>>key" from the context menu. Then, you can upload your revoked key to a >>>keyserver. > From patrick at mozilla-enigmail.org Tue May 17 09:58:23 2005 
From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Tue May 17 09:58:10 2005 Subject: Enigmail Test Builds for SmartCard Support In-Reply-To: <428991BE.6000300__30713.2750320763$1116312557$gmane$org@rz.uni-passau.de> References: <20050516054838.5FD3259F7F@tom.rz.uni-passau.de> <428991BE.6000300__30713.2750320763$1116312557$gmane$org@rz.uni-passau.de> Message-ID: Christian Rank wrote: > Hello Patrick, > > >>>I have implemented support for OpenPGP SmartCards into Enigmail: >>>- set card owner data >>>- key creation >>>- PIN administration >>>- Using the card for message processing (sign/decrypt) >>> >>>Since my usual testers don't have OpenPGP SmartCards, I'm looking for >>>some people who could help me testing the new functionality. >>> >>>The test builds of Enigmail are available for Thunderbird 1.0, and >>>Thunderbird trunk builds on Windows and Linux: >>>http://enigmail.mozdev.org/nightly.html > > > I've tested the new version with my OpenPGP Smartcard and Thunderbird 1.0.2. > > In the function "Manage SmartCard", the fields "Firstname" and "Name" > seem to be swapped. > > The functions "Edit Card Data" and "Change PIN" work perfectly for me, > as well as signing operations. > > I have the following suggestions for improvements: > > Since accessing the smart card takes a few seconds, it would be nice if > during smart card operations an alert box like "accessing smart card, > please stand by" would be displayed. I couldn't find a way to tell upfront if a smartcard is going to be used (of course except for "true" smartcard operations), so there's not much I could display. > If smartcard operations are attempted without a smartcard in the reader, > just the gpg error messages are displayed. It would be nice if a prompt > like "please insert smartcard" would be displayed. 
GnuPG does not seem to return a parseable status output, so I just have the option to display the error message from GnuPG (I don't try to interpret error messages because that will fail if GnuPG is used in a localized manner). -Patrick From folkert at vanheusden.com Tue May 17 18:22:53 2005 
From: folkert at vanheusden.com (Folkert van Heusden) Date: Tue May 17 18:18:46 2005 Subject: gpgme doesn't seem to return the signatures Message-ID: <20050517162250.GC17168@vanheusden.com>
I have the following version:

130 folkert@keetweej:~/Personal/src/gpgstats$ dpkg --list | grep gpgme
ii libgpgme11 1.0.2-1 GPGME - GnuPG Made Easy
ii libgpgme11-dev 1.0.2-1 GPGME - GnuPG Made Easy
ii libgpgme6 0.3.16-2 GPGME - GnuPG Made Easy

lrwxrwxrwx 1 root root 18 Apr 14 08:27 /usr/lib/libgpgme.so -> libgpgme.so.11.3.3
lrwxrwxrwx 1 root root 18 Apr 14 08:26 /usr/lib/libgpgme.so.11 -> libgpgme.so.11.3.3
-rw-r--r-- 1 root root 127368 Jan 15 15:27 /usr/lib/libgpgme.so.11.3.3
lrwxrwxrwx 1 root root 17 Apr 3 02:12 /usr/lib/libgpgme.so.6 -> libgpgme.so.6.3.7
-rw-r--r-- 1 root root 99184 May 1 2004 /usr/lib/libgpgme.so.6.3.7

I'm doing:

(void)gpgme_check_version(NULL);
err = gpgme_new(&ctx);
err = gpgme_op_keylist_start (ctx, NULL, 0);
err = gpgme_op_keylist_next(ctx, &r_key);
gpgme_user_id_t uids = r_key -> uids;
...for each uid...
gpgme_key_sig_t sigs = uids -> signatures;

Now sigs in this case is *always* NULL! And I've verified (with gpg --list-sigs) that *all* keys have one or more signature. Oh, and do I need to free-up something after I do gpgme_op_keylist_next?

Folkert van Heusden
--
Car for sale, see: http://www.vanheusden.com/daihatsu.php
Looking for an IT or Finance job? Mail me for the possibilities.
--------------------------------------------------------------------
UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/) a try, it brings monitoring logfiles to a different level! See http://vanheusden.com/multitail/features.html for a feature-list.
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE
Get your PGP/GPG key signed at www.biglumber.com!
From vedaal at hush.com Tue May 17 22:58:34 2005
From: vedaal at hush.com (vedaal@hush.com) Date: Tue May 17 22:54:27 2005 Subject: ? maximal size for armored output ? Message-ID: <20050517205838.AAF68354FF@mailserver5.hushmail.com>
have been using gnupg to sign and encrypt a true-crypt container, and have the output as an ascii armored pgp message, so it can be e-mailed/stored online without being sent as an 'attachment' it works fine, is there a size limit on gnupg generated ascii output ? (would like to know, [before trying, ;-) ], if it is possible to do this for a 4 gb true-crypt container for storage on a dvd-rw) tia, vedaal
From kfitzner at excelcia.org Wed May 18 01:38:03 2005 
From: kfitzner at excelcia.org (Kurt Fitzner) Date: Wed May 18 01:36:12 2005 Subject: GPGee 1.1 released Message-ID: <428A805B.6050107@excelcia.org>
I suppose it was inevitable. I announce to the world that GPGee is ready for production use and a nice big fat bug shows up. A little humility is good for the soul. GPGee version 1.1 has now been released with the following changes:
- Duplicate key bug fixed. No more keys showing up twice in your key lists.
- Added setting for caching keys. Some people (with many hundreds of keys on their keyrings) were reporting it would take 15 seconds or more for GPGee to activate. Key caching eliminated the need for GPGee to read your keyrings every time it activates.
- A progress-bar has been added for the times when GPGee has to (re)create the key cache.
- Clearsigned messages can now be verified.
- Message digest algorithm is now reported when a signature is verified.
As always, GPGee is available from http://gpgee.excelcia.org For those who aren't familiar with it, GPGee is a Windows explorer shell extension. It adds support for GnuPG to the right-click context menu in Windows explorer.
From wk at gnupg.org Wed May 18 14:51:34 2005
From: wk at gnupg.org (Werner Koch) Date: Wed May 18 14:51:04 2005 Subject: ? maximal size for armored output ? In-Reply-To: <20050517205838.AAF68354FF@mailserver5.hushmail.com> (vedaal@hush.com's message of "Tue, 17 May 2005 13:58:34 -0700") References: <20050517205838.AAF68354FF@mailserver5.hushmail.com> Message-ID: <87u0l0ae95.fsf@wheatstone.g10code.de>
On Tue, 17 May 2005 13:58:34 -0700, said: > is there a size limit on gnupg generated ascii output ? No. Salam-Shalom, Werner
From wizard at roborooter.com Wed May 18 15:47:00 2005 
From: wizard at roborooter.com (Francis Gulotta) Date: Wed May 18 15:42:52 2005 Subject: Key Signing Message-ID: <428B4754.2070009@roborooter.com> With all this talk about key signing and trust models, I noticed that I don't trust any of your public keys. I suppose I'd have to trust one or two of you first, but how do the key signatures get transferred around? Email? or can you upload the signature to the keyservers? -Francis From shavital at mac.com Wed May 18 19:37:43 2005 
From: shavital at mac.com (Charly Avital) Date: Wed May 18 19:33:55 2005 Subject: Key Signing In-Reply-To: <428B4754.2070009@roborooter.com> References: <428B4754.2070009@roborooter.com> Message-ID: On May 18, 2005, at 9:47 AM, Francis Gulotta wrote: > With all this talk about key signing and trust models, I noticed that I > don't trust any of your public keys. I suppose I'd have to trust one or > two of you first, but how do the key signatures get transferred around? > Email? or can you upload the signature to the keyservers? Before you trust any key, you might want to have a look at Signatures that are exportable (as opposed to "local" signatures) can be uploaded to the keyservers, when you upload the signed keyblock. But please, before you engage in key signing, or trust setting, please check out the above URL. This is *not* a RTFM answer, this is a friendly suggestion. Charly From nsushkin at sushkins.net Wed May 18 21:41:22 2005 
From: nsushkin at sushkins.net (Nicholas Sushkin) Date: Wed May 18 22:13:56 2005 Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm In-Reply-To: <87r7h5iisq.fsf@wheatstone.g10code.de> References: <200504071615.30963.nsushkin@sushkins.net> <87r7h5iisq.fsf@wheatstone.g10code.de> Message-ID: <200505181541.22485.nsushkin@sushkins.net> Werner, Just to let you know that I was able to import thawte certificate using gnupg-1.9.16. I am writing this using KMail 1.8 compiled with s/mime support. Thanks! On Wednesday 20 April 2005 11:12, Werner Koch wrote: > On Thu, 7 Apr 2005 16:15:30 -0400, Nicholas Sushkin said: > > > gpg-protect-tool: encryptedData error at "bag.attributes", offset 2592 > > gpg-protect-tool: error at "bag.encryptedData", offset 49 > > Thanks for the test data. It is a plain bug, here is patch: > > > > 2005-04-20 Werner Koch > > * minip12.c (parse_bag_encrypted_data): Fix the unpadding hack. > > diff -u -p -r1.5.2.7 minip12.c > --- agent/minip12.c 29 Sep 2004 13:50:31 -0000 1.5.2.7 > +++ agent/minip12.c 20 Apr 2005 15:18:31 -0000 > @@ -587,7 +588,7 @@ parse_bag_encrypted_data (const unsigned > > /* Ugly hack to cope with the padding: Forget about the rest if > that it is less than the cipher's block length. */ > - if (n < 8) > + if (n <= 8) > n = 0; > > /* Skip the optional SET with the pkcs12 cert attributes. */ > @@ -602,7 +603,7 @@ parse_bag_encrypted_data (const unsigned > { /* The optional SET. */ > p += ti.length; > n -= ti.length; > - if (n < 8) > + if (n <= 8) > n = 0; > if (n && parse_tag (&p, &n, &ti)) > goto bailout; > > -- Nick -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 1362 bytes Desc: not available Url : /pipermail/attachments/20050518/53f9be37/smime.bin From nsushkin at sushkins.net Wed May 18 23:45:52 2005 
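Review bot: in the first hunk of agent/minip12.c the comment above the changed test still reads "less than the cipher's block length" while the condition is now `n <= 8`, so comment and code disagree about whether exactly one block of trailing bytes is discarded. Update the comment to say "not more than", and give the literal 8 a name, since the hack is tied to the cipher's block length and the same constant is repeated in the second hunk.

Review bot: in the second hunk, `n -= ti.length` runs before the `n <= 8` test, and the visible context shows no check that `ti.length` does not exceed `n`. If `n` is an unsigned length, a SET length larger than the remaining data wraps `n` to a very large value and the padding test never fires. Verify `ti.length <= n` and bail out otherwise before advancing `p` and reducing `n`.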
From: nsushkin at sushkins.net (Nicholas Sushkin) Date: Wed May 18 23:42:08 2005 Subject: Small script to import freemail S/MIME certificate into GPGSM Message-ID: <200505181745.52811.nsushkin@sushkins.net>
After reading "Small HowTo on how to import freemail S/MIME certificates into GPGSM" by Matthias Welwarsky mwelwarsky@web.de, I wrote the following BASH script. Save it into a file called import-cert.sh, and execute it using the following syntax:

bash import-cert.sh myThawteCertExportedFromMozilla.p12

It works with gpgsm 1.9.16

----------------CUT HERE--------------------
set -e
# The intermediate files hold the private key unencrypted (-nodes),
# so create them readable by the owner only.
umask 077

mozCert="$1"
basename=$(basename "$mozCert" .p12)
dirname=$(dirname "$mozCert")
bundle="$dirname/${basename}.pem"
key="$dirname/${basename}.privatekey.p12"

# Remove the unencrypted key material even if a step below fails.
trap 'rm -f "$bundle" "$key"' EXIT

echo "Converting p12 certificate to pem bundle"
openssl pkcs12 -in "$mozCert" -out "$bundle" -nodes

echo "Extracting private key from the pem bundle"
openssl pkcs12 -in "$bundle" -export -nocerts -nodes -out "$key"

echo "Importing private key into gpgsm"
gpgsm --import "$key"
rm "$key"

# Split the bundle into one file per certificate and import each in turn.
certCount=0
inCert=0
cat "$bundle" | while read line; do
    if [ "$(echo "$line" | tr -d "-")" == "BEGIN CERTIFICATE" ]; then
        certCount=$((certCount + 1))
        cert="$dirname/${basename}.cert${certCount}.txt"
        inCert=1
        echo "Extracting certificate #$certCount from the bundle"
        : > "$cert"
    fi
    if [ $inCert == 1 ]; then
        echo "$line" >> "$cert"
    fi
    if [ "$(echo "$line" | tr -d "-")" == "END CERTIFICATE" ]; then
        inCert=0
        echo "Importing certificate #$certCount into gpgsm"
        gpgsm --import "$cert"
        rm "$cert"
    fi
done
rm "$bundle"
----------------CUT HERE--------------------

-- Nick
From oskar at rbgi.net Thu May 19 10:41:22 2005 
From: oskar at rbgi.net (Oskar L.) Date: Thu May 19 12:00:24 2005 Subject: Additional self-signature Message-ID: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net>
Hello, I'm new on this list. Can anyone tell me why I get a second self-signature when I do this:

oskar@MM2:~$ gpg --list-sigs
/home/oskar/.gnupg/pubring.gpg
------------------------------
pub 1024D/7EE6D97F 2005-05-18
uid foobar
sig 3 7EE6D97F 2005-05-18 foobar
sub 4096g/E53284D9 2005-05-18
sig 7EE6D97F 2005-05-18 foobar

oskar@MM2:~$ gpg --export -a --output public.asc foobar
oskar@MM2:~$ gpg --export-secret-key -a --output secret.asc foobar
oskar@MM2:~$ rm -f /home/oskar/.gnupg/*
oskar@MM2:~$ gpg --list-sigs
gpg: keyring `/home/oskar/.gnupg/pubring.gpg' created
gpg: /home/oskar/.gnupg/trustdb.gpg: trustdb created
oskar@MM2:~$ gpg --list-sigs
oskar@MM2:~$ gpg --import secret.asc
gpg: keyring `/home/oskar/.gnupg/secring.gpg' created
gpg: key 7EE6D97F: secret key imported
gpg: key 7EE6D97F: public key "foobar " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
oskar@MM2:~$ gpg --import public.asc
gpg: key 7EE6D97F: "foobar " 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
oskar@MM2:~$ gpg --list-sigs
/home/oskar/.gnupg/pubring.gpg
------------------------------
pub 1024D/7EE6D97F 2005-05-18
uid foobar
sig 3 7EE6D97F 2005-05-18 foobar
sig 3 7EE6D97F 2005-05-18 foobar
sub 4096g/E53284D9 2005-05-18
sig 7EE6D97F 2005-05-18 foobar

From wk at gnupg.org Thu May 19 13:23:42 2005 
From: wk at gnupg.org (Werner Koch) Date: Thu May 19 13:21:10 2005 Subject: Additional self-signature In-Reply-To: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net> (Oskar L.'s message of "Thu, 19 May 2005 11:41:22 +0300 (EEST)") References: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net> Message-ID: <87oeb75uip.fsf@wheatstone.g10code.de> On Thu, 19 May 2005 11:41:22 +0300 (EEST), Oskar L said: > Hello, I'm new on this list. Can anyone tell me why I get a second > self-signature when I do this: When importing a secret key into a keyring without a public key, a public key is created from the secret key. Due to historic reasons the self-signature on the secret key is a different one than the one created with the public key. Now when importing the public key a new signature will be added and gpg is not able to detect this. This won't harm because the signatures are effectively identical although not bitwise. It has been fixed in the CVS when creating new keys. Now only one self-signature is created and used verbatim also for the secret key. This will go into 1.4.2. Salam-Shalom, Werner From karl.kashofer at gmx.at Thu May 19 13:33:15 2005 From: karl.kashofer at gmx.at (Karl Kashofer) Date: Thu May 19 14:29:50 2005 Subject: problem with key import Message-ID: <428C797B.8040806@gmx.at> Hi ! Would anyone know why this key can not be imported into GnuPG ? Keyserver: 0x133CC3FD It looks OK to me, imports fine in PGP and the self signature was made one second after the key creation date. No hints in PGPdump either. GnuPG seems to skip the primary UserID and then complains about no valid User ID. The key was created with CryptoEx. Any insight would be highly valued, Thanks, Karl From mus1876 at gmx.info Thu May 19 15:34:28 2005 
From: mus1876 at gmx.info (mus1876@gmx.info) Date: Thu May 19 16:30:49 2005 Subject: (no subject) Message-ID: <23460.1116509668@www39.gmx.net> Hi, can anyone tell me why when setting utf-8 for cmd.exe, gpg switches back to its default character set. In cmd.exe I do the following to change the codepage: chcp For Windows XP Pro with German locale and True Type Font Lucida Console in cmd.exe set this gives the OEM-Multilingual Latin I charset: Active Codepage: 850. Entering chcp 650001 (which stands for UTF-8) results in: Active Codepage: 65001. I now try for example to clearsign a UTF-8 encoded text file with gpg in verbose mode: gpg -vvv --clearsign test.txt The program's first response is: gpg: conversion from `utf-8' to `CP65001' not available gpg: using character set `iso-8859-1' What kind of setup (charset, file encoding) would you recommend in general. I thought that gpg fully supports UTF-8. At least according to the manpage. Thank you From scc4fun at spamcop.net Thu May 19 19:28:56 2005 From: scc4fun at spamcop.net (Sean C.) Date: Thu May 19 20:58:14 2005 Subject: problem with key import In-Reply-To: <428C797B.8040806@gmx.at> References: <428C797B.8040806@gmx.at> Message-ID: <20050519132856.z7msiog80og0swwc@webmail.spamcop.net> When I imported it using the webmail service I use it imported "successfully", but showed something strange: Name: Punz, Christian; Z0005K1Y Siemens Key Type: Public Key Key Creation: 10/21/02 Expiration Date: [Never] Key Length: 1024 Bytes Comment: [None] E-Mail: christian.punz@siemens.com Hash-Algorithm: [Unknown] Key Fingerprint: 8CEBF2B3133CC3FD Note that Hash-Algorithm is "Unknown". -- "We must become the change we seek." -- Mahatma Gandhi > ----- Message from karl.kashofer@gmx.at --------- > Date: Thu, 19 May 2005 12:33:15 +0100 
> From: Karl Kashofer > Reply-To: Karl Kashofer > Subject: problem with key import > To: gnupg-users@gnupg.org > > Hi ! > > Would anyone know why this key can not be imported into GnuPG ? > > Keyserver: 0x133CC3FD > > It looks OK to me, imports fine in PGP and the self signature was made > one second after the key creation date. No hints in PGPdump either. > > GnuPG seems to skip the primary UserID and then complains about no valid > User ID. The key was created with CryptoEx. > > Any insight would be highly valued, > Thanks, > Karl > > ----- End message from karl.kashofer@gmx.at ----- From radu.gpg at ohmi.org Thu May 19 21:15:19 2005 
From: radu.gpg at ohmi.org (Radu Hociung) Date: Thu May 19 21:11:09 2005 Subject: Keyservers and the future Message-ID: <428CE5C7.4050106@ohmi.org> Hello all, I'm researching email authentication, and it looks like there is some promise in using cryptographic signatures. Currently there are hundreds of millions of domain names, and tens of millions of domain name owners. Depending on proposal, email authentication would require between 1 key/domain owner and several keys per domain name (ie, between tens of millions and more than a billion new keys). One email authentication proposal is DomainKeys. There are others as well. DomainKeys stores the needed keys in the DNS system, but the DNS system is spoofable. Also, this key storage architecture does not allow for trust-signatures, as the key could easily grow in size past the maximum size of a DNS reply packet (512 bytes). In fact it appears that the average key length on the keyservers is around 1.2KB. Different proposals seek to authenticate different parts of the mail exchange: - SMTP session - email headers - email body Currently a relatively small population uses PGP to sign the message body (There are currently < 2.2million keys on the public keyservers). If email authentication was implemented, the majority of mail traffic would be signed and verified. This means many more keys need to be stored on the keyservers. Also, it would require billions of queries to keyservers during the verification phase(s). Even with locally cached keys, there would still be lots of queries looking for revocation information. This creates the following questions: 1. If future email authentication standards require use of cryptography (signatures), what is the most scaleable way to distribute and manage keys? Does OpenPGP have a role to play here? 2. 
If it became standard for email to be authenticated in some manner, would the PGP keyserver or a similar architecture based on synchronization, etc, be a scaleable enough architecture to use? I know there is some work being done on two next generation keyservers, CKS and OpenPKSD, and I would like to ask a second question: 3. What is the state of the art in next-generation keyservers, and how far are we from the 1-billion key capability ? Are the current projects active still? 4. Are the public keyservers even the right place to look for email authentication key storage ? Are there other better ideas that should be explored? Thank you kindly for any input or comments. Radu Hociung. From erwan at rail.eu.org Thu May 19 21:27:52 2005 
From: erwan at rail.eu.org (Erwan David) Date: Thu May 19 22:24:40 2005 Subject: Keyservers and the future In-Reply-To: <428CE5C7.4050106@ohmi.org> References: <428CE5C7.4050106@ohmi.org> Message-ID: <428CE8B8.4060102@rail.eu.org> On 19/05/05 21:15, Radu Hociung wrote: > Hello all, > > I'm researching email authentication, and it looks like there is some > promise in using cryptographic signatures. Currently there are hundreds > of millions of domain names, and tens of millions of domain name owners. > > Depending on proposal, email authentication would require between 1 > key/domain owner and several keys per domain name (ie, between tens of > millions and more than a billion new keys). > > One email authentication proposal is DomainKeys. There are others as > well. DomainKeys stores the needed keys in the DNS system, but the DNS > system is spoofable. Also, this key storage architecture does not allow > for trust-signatures, as the key could easily grow in size past the > maximum size of a DNS reply packet (512 bytes). In fact it appears that > the average key length on the keyservers is around 1.2KB. A key is nothing without a way to add a trusted relation between this key and the entity you want to authenticate. So I do not think those "solutions" are worthwhile. Either you accept mail only from people you know, or you accept mail only from people who paid some established company you have no other reason to trust than the fact this company is "well known". -- Erwan From radu.gpg at ohmi.org Fri May 20 00:29:30 2005 
From: radu.gpg at ohmi.org (Radu Hociung) Date: Fri May 20 00:25:16 2005 Subject: Keyservers and the future In-Reply-To: <428CE8B8.4060102@rail.eu.org> References: <428CE5C7.4050106@ohmi.org> <428CE8B8.4060102@rail.eu.org> Message-ID: <428D134A.90204@ohmi.org> Erwan David wrote: > A key is nothing without a way to add a trusted relation between this > key and the entity you want to authenticate. So I do not think those > "solutions" are worthwhile. Either you accept mail only from people > you know, or you accept mail only from people who paid some > established company you have no other reason to trust than the fact > this company is "well known". Trust information is locally and privately established and managed, and thus does not belong on the keyservers. That process of managing trust is not the object of my question. The scalability of trust management is a problem for MTA (mail transport agents) vendors to solve. The object of trust, however, is a key. Without a key there isn't much to be trusted. The question is ... is the PGP architecture suited to a load of hundreds of millions of keys, or even billions? Are CA's and X509 certificates better equipped to handle the load? There are several working groups that are working on email authentication, and they are considering trust. Concepts such as trust, reputation and accreditation, authorization and authentication are used in various combinations. Some are bogus, some are quite solid :) Regards, Radu. From Billt at Mahagonny.com Fri May 20 03:08:01 2005 
From: Billt at Mahagonny.com (Bill Thompson) Date: Fri May 20 03:05:13 2005 Subject: Keyservers and the future In-Reply-To: <428D134A.90204@ohmi.org> References: <428CE5C7.4050106@ohmi.org> <428CE8B8.4060102@rail.eu.org> <428D134A.90204@ohmi.org> Message-ID: <20050519180801.0f728b8c@BeBop> On Thu, 19 May 2005 18:29:30 -0400 Radu Hociung wrote: > The object of trust, however, is a key. Without a key there isn't much > to be trusted. The question is ... is the PGP architecture suited to a > load of hundreds of millions of keys, or even billions? > > Are CA's and X509 certificates better equipped to handle the load? I think that the PGP "web of trust" may be better suited to this than X509/CA's due to the fact that many signatures can be added to one key. In the CA model, there is one authority that all certificates refer to. In the PGP model, a single key can be signed by several local authorities, one of which should be close enough to the key owner for them to trust the validation. I know that the next step in the argument is how can you trust the chain? If I sign Alice's key, and she signs Bob's key, does that mean I now trust everything signed by Bob? Due to the way trust is established with PGP, this is not necessarily so. Each key can be assigned a level of trust, so that I can designate Alice's as fully trusted, and validate Bob's key, but I can set my trust preference for Bob at a lower level so that I do not automatically trust a key he has signed. This is quite a bit of work for the end user and would probably lead to people trusting a key that they shouldn't, but that is where we are now with CA's. At least with the PGP model, the user can personally validate sections of the trust chain and has some control over the degree of trust they put into sections of the chain they have not personally validated, unlike the single authority x509/CA model. -- Bill Thompson BillT@Mahagonny.com 
From radu.gpg at ohmi.org Fri May 20 05:27:58 2005 
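The trust-chain point in Bill Thompson's message above, worked through as an added example that is not part of the thread and is not GnuPG's code. It is a simplified model of classic web-of-trust validity that assumes GnuPG's default thresholds (one fully trusted or three marginally trusted signers, certification depth of five); the key names, the function and the sample data are hypothetical.

```python
"""Simplified model of classic OpenPGP web-of-trust validity (added example)."""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def valid_keys(own_key, certifications, ownertrust,
               completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key this model considers valid.

    certifications: {signer: set of keys that signer has certified}
    ownertrust:     {key: FULL or MARGINAL}; anything absent is UNKNOWN.
    A key becomes valid when it is certified by the user's own key, by
    `completes_needed` valid fully trusted keys, or by `marginals_needed`
    valid marginally trusted keys. Ownertrust on a key that is not itself
    valid is ignored, and chains stop after `max_cert_depth` steps.
    """
    trust = dict(ownertrust)
    trust[own_key] = ULTIMATE          # the user's own key anchors the web
    depth = {own_key: 0}
    all_keys = set(certifications)
    for signed in certifications.values():
        all_keys |= set(signed)

    for level in range(1, max_cert_depth + 1):
        newly_valid = []
        for key in sorted(all_keys - depth.keys()):
            # Only signers that are already valid may contribute.
            signer_trust = [trust.get(signer, UNKNOWN)
                            for signer, signed in certifications.items()
                            if key in signed and signer in depth]
            if (ULTIMATE in signer_trust
                    or signer_trust.count(FULL) >= completes_needed
                    or signer_trust.count(MARGINAL) >= marginals_needed):
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            depth[key] = level
    return depth


# Constructed sample data: I sign Alice, Alice signs Bob, Bob signs Carol.
CHAIN = {"me": {"alice"}, "alice": {"bob"}, "bob": {"carol"}}

# Constructed sample data: three acquaintances I trust only marginally
# have each certified Erin's key.
MARGINALS = {"me": {"d1", "d2", "d3"},
             "d1": {"erin"}, "d2": {"erin"}, "d3": {"erin"}}


def demo():
    """Return the validity maps for the scenarios described in the message."""
    cautious = valid_keys("me", CHAIN, {"alice": FULL, "bob": MARGINAL})
    generous = valid_keys("me", CHAIN, {"alice": FULL, "bob": FULL})
    three = valid_keys("me", MARGINALS,
                       {"d1": MARGINAL, "d2": MARGINAL, "d3": MARGINAL})
    two = valid_keys("me", MARGINALS, {"d1": MARGINAL, "d2": MARGINAL})
    return cautious, generous, three, two


if __name__ == "__main__":
    for label, result in zip(("bob marginal", "bob full",
                              "three marginals", "two marginals"), demo()):
        print(f"{label:16} -> {sorted(result.items())}")
```

With Bob's ownertrust left at marginal, Bob's key is valid because Alice certified it, but Carol's key is not; validity of a key and trust in its owner as a certifier are separate settings.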
From: radu.gpg at ohmi.org (Radu Hociung) Date: Fri May 20 05:23:50 2005 Subject: Keyservers and the future In-Reply-To: <20050519180801.0f728b8c@BeBop> References: <428CE5C7.4050106@ohmi.org> <428CE8B8.4060102@rail.eu.org> <428D134A.90204@ohmi.org> <20050519180801.0f728b8c@BeBop> Message-ID: <428D593E.3010902@ohmi.org> Bill Thompson wrote: > On Thu, 19 May 2005 18:29:30 -0400 > Radu Hociung wrote: > > >>The object of trust, however, is a key. Without a key there isn't much >>to be trusted. The question is ... is the PGP architecture suited to a >>load of hundreds of millions of keys, or even billions? >> >>Are CA's and X509 certificates better equipped to handle the load? > > > I think that the PGP "web of trust" may be better suited to this than > X509/CA's due to the fact that many signatures can be added to one key. It is exactly this argument that makes me believe PGP to be a better mechanism. A few other advantages also. > I know that the next step in the argument is how can you trust the chain? > If I sign Alice's key, and she signs Bob's key, does that mean I now trust > everything signed by Bob? Perhaps I should explain at least one of the email authentication protocols: DomainKeys, for instance, works at the transport level. Somewhat like SSH, where the client and server use one key to encrypt the datastream, but a different key is used by the user to actually authenticate and log in. DomainKeys does not encrypt the channel, but it only signs it (it signs a subset of the message headers as well as the body of the message). If a recipient domain trusts Yahoo's keys, he can assert that the mail really came from the Yahoo domain. This is a per-domain signature, not per-user. Once a domain (bob.com) trusts that the signing key belongs to the other domain (alice.com), then it can identify email that genuinely comes from alice.com. This does nothing more than prevent domain forgeries, as an attacker forging the alice.com domain. 
So, while Charlie@alice.com and David@bob.com don't know or trust each other, they can be sure that the mail they received really came from the alice.com domain or the bob.com domain. And it really is the two mail servers that trust each other, while the users of each domain trust that the mail they receive will not be impersonating a different domain. In this way, DomainKeys-type of technology can ensure that domain name forgeries do not happen. It would eliminate phishing attacks from paypal.com and the banks. Of course, how bob.com came to trust alice.com's domain key is still a problem. Perhaps a trust broker will be proposed. The problem of trust management may not be as insurmountable as the problem of reliably detecting spam and phishing attacks with 100% accuracy. As the name implied, DomainKeys provides domain-to-domain authentication, as opposed to applications like Enigmail which provide user-to-user authentication. It works out that domain-to-domain forgeries make up a large amount of the current spam and phishing problem that we're encountering. I'm not claiming that DomainKeys is the best, but it shows one valid way that email authentication could be done. Better protocols are in the pipeline, but sooner or later they all need to publish a key. Also, there is no claim that DomainKeys eliminates spam. A spammer domain could have a trusted domain key. Or, mail sent by a Yahoo (main DomainKeys proponent) user could be spam. Mail authentication only allows one to pinpoint exactly where the spam or ham is coming from, instead of guessing as is done currently. Thus it is hoped that email authentication will bring a significant improvement in spam detection accuracy rates. That's why I am asking the question: could PGP cope if all, or a significant proportion of all domains were to enable some kind of email transport authentication? 
Also, there are some competing standards being discussed, each with their own advantages and disadvantages, and it is likely that a domain may support one or several mail authentication methods, and perhaps require several public keys. I agree that there are challenges to implementing any kind of email authentication standard, but I would like to find out the extent to which key storage and distribution is one of those challenges. PGP is a possible solution, but the PGP keyserver seems to not be as scalable as necessary to be specified as supporting technology for something as widespread as email. So the question is... can PGP be a viable support technology, and/or is the development of it heading in a direction that makes it a candidate for email authentication? I have also noticed that while there was a surge of PGP keys in the 90's, there are comparatively few keys being uploaded to the public servers in recent years. I do wonder why? Thanks, Radu. From linux at codehelp.co.uk Fri May 20 11:15:35 2005 
From: linux at codehelp.co.uk (Neil Williams) Date: Fri May 20 11:11:34 2005 Subject: Keyservers and the future In-Reply-To: <428CE5C7.4050106@ohmi.org> References: <428CE5C7.4050106@ohmi.org> Message-ID: <200505201015.39191.linux@codehelp.co.uk> On Thursday 19 May 2005 8:15 pm, Radu Hociung wrote: > Depending on proposal, email authentication would require between 1 > key/domain owner Is that a completely different key to another domain used by the same owner? I've got many domains but I only want one main key. If someone trusts codehelp.co.uk does that mean they also trust dcglug.org.uk just because I've got both in the UID's of my key? There are lots of keys with multiple UID's across disparate domains - like debian.org. Are you proposing a completely new key per domain that is "less secure" than the personal key because it's per domain and not per user? Who controls such domain keys? Is this just another "corporate" key? What about domains that have millions of users (like aol.com)? I may trust one or two individuals with AOL accounts, there is NO way I'm going to trust everything from AOL! > If email authentication was implemented, the majority of mail traffic > would be signed and verified. You're just verifying that the signature is good, not that the key is trusted? That's reasonable. How do you guarantee that 
From: cannot be spoofed - it sounds like you are delegating that to the individual ISP / domain holder. I'm concerned that the domain is too blunt as an instrument against spam and that it will remain easy to send spam from: aol.com and hotmail.com. Even if someone does compromise the AOL terms and conditions, users cannot ignore all email from that domain - it's simply too large - so I could not set the aol.com key to be untrusted or unwanted. This could prejudice small domains, userspace domains, unfairly. The big domains would trivialise the signature because you could not discriminate between your AOL friends and the AOL spammers. If a particular domain holder with lots of accounts is tardy or just inefficient in booting off people who abuse their terms, the user is left with a useless "validation" because the user cannot distinguish between users at the domain. > DomainKeys, for instance, works at the transport level. Somewhat like > SSH, where the client and server use one key to encrypt the datastream, > but a different key is used by the user to actually authenticate and log > in. DomainKeys does not encrypt the channel, but it only signs it (it > signs a subset of the message headers as well as the body of the > message). If a recipient domain trusts Yahoo's keys, he can assert that > the mail really came from the Yahoo domain. This is a per-domain > signature, not per-user. Where does the secret key reside? Who controls the signing? What happens with the existing signature? Are you using MIME to achieve this - what are you going to do about broken email clients like OE that hide the message when receiving PGP/MIME - the message body is displayed as an attachment. What about other clients (like some webmail) that cannot yet cope with PGP/MIME? -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050520/33e9bbc8/attachment.pgp From mwood at IUPUI.Edu Fri May 20 16:21:36 2005 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri May 20 16:17:32 2005 Subject: Keyservers and the future In-Reply-To: <428D593E.3010902@ohmi.org> References: <428CE5C7.4050106@ohmi.org> <428CE8B8.4060102@rail.eu.org> <428D134A.90204@ohmi.org> <20050519180801.0f728b8c@BeBop> <428D593E.3010902@ohmi.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 19 May 2005, Radu Hociung wrote: [snip] > That's why I am asking the question: could PGP cope if all, or a > significant proportion of all domains were to enable some kind of email > transport authentication? I don't see any connection. PGP is a sublayer of the application layer. Transport-layer trust is a separate issue. PGP takes no notice of transport mechanisms. If I receive a message with an invalid PGP signature, or an unsigned message from someone who habitually signs messages, I don't care how many MTAs swear that the address is trustworthy; the *message* still appears to be a forgery. Transport authentication and message authentication address different problems. The only effect of widespread transport authentication on PGP ought to be a small decline in use of PGP by people who don't understand the distinction and are enjoying a false sense of security. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFCjfJzs/NR4JuTKG8RAsz+AJ9+TOxmCVpeckFiobDu2wkttPL/3QCePsfN LPwR0LQpeDMaagviTdS0HzA= =JW+d -----END PGP SIGNATURE----- From scc4fun at spamcop.net Fri May 20 16:22:24 2005 
From: scc4fun at spamcop.net (Sean C.) Date: Fri May 20 16:18:18 2005 Subject: Keyservers and the future In-Reply-To: <200505201015.39191.linux@codehelp.co.uk> References: <428CE5C7.4050106@ohmi.org> <200505201015.39191.linux@codehelp.co.uk> Message-ID: <20050520102224.rerswcocswcss80s@webmail.spamcop.net> > ----- Message from munged@codehelp.co.uk --------- > Date: Fri, 20 May 2005 10:15:35 +0100 > From: Neil Williams > Reply-To: Neil Williams > Subject: Re: Keyservers and the future > To: gnupg-users@gnupg.org > > Are you proposing a completely new key per domain that is "less secure" than > the personal key because it's per domain and not per user? Who controls such > domain keys? Is this just another "corporate" key? > > What about domains that have millions of users (like aol.com)? > > I may trust one or two individuals with AOL accounts, there is NO way I'm > going to trust everything from AOL! > > > If email authentication was implemented, the majority of mail traffic > > would be signed and verified. > > You're just verifying that the signature is good, not that the key is > trusted? > That's reasonable. > > How do you guarantee that From: cannot be spoofed - it sounds like you are > delegating that to the individual ISP / domain holder. I'm concerned that the > domain is too blunt as an instrument against spam and that it will remain > easy to send spam from: aol.com and hotmail.com. Even if someone does > compromise the AOL terms and conditions, users cannot ignore all email from > that domain - it's simply too large - so I could not set the aol.com key to > be untrusted or unwanted. Neil, The idea is not that *you* as a user of email trust that email from an entire domain is from a particular person or even that it is not spam. But that the email can be verified when the receiving server gets it that it really did come from that domain claimed in the 
From: header. It would work at the domain level between SMTP servers that send and receive mail between domains. The sending server would have a key that corresponds to the domain(s) and then signs the "primary" headers and message body and includes the signature as an additional header. > > This could prejudice small domains, userspace domains, unfairly. The big > domains would trivialise the signature because you could not discriminate > between your AOL friends and the AOL spammers. If a particular domain holder > with lots of accounts is tardy or just inefficient in booting off people who > abuse their terms, the user is left with a useless "validation" because the > user cannot distinguish between users at the domain. This would not be the end-all be-all of anti-spam tools. It would just be a method to authenticate mail as really originating from a particular domain. You would still use other tools (eg SpamAssassin, Norton, etc.) to figure out if the sender is a known spammer/open relay or if the content is (like) spam. > > > DomainKeys, for instance, works at the transport level. Somewhat like > > SSH, where the client and server use one key to encrypt the datastream, > > but a different key is used by the user to actually authenticate and log > > in. DomainKeys does not encrypt the channel, but it only signs it (it > > signs a subset of the message headers as well as the body of the > > message). If a recipient domain trusts Yahoo's keys, he can assert that > > the mail really came from the Yahoo domain. This is a per-domain > > signature, not per-user. > > Where does the secret key reside? The sending SMTP server? > > Who controls the signing? The sending SMTP server? > > What happens with the existing signature? > > Are you using MIME to achieve this - what are you going to do about broken > email clients like OE that hide the message when receiving PGP/MIME - the > message body is displayed as an attachment. 
No, it would be a header like DomainKeys: RealLylOngStrInGoFLEtTerSanD902348529304850932478509238475 > > What about other clients (like some webmail) that cannot yet cope with > PGP/MIME? It would use a header. Also, it would be implemented at the server level not the client level. > > -- > > Neil Williams > ============= > http://www.data-freedom.org/ > http://www.nosoftwarepatents.com/ > http://www.linux.codehelp.co.uk/ > ----- End message from munged@codehelp.co.uk ----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: PGP Digital Signature Url : /pipermail/attachments/20050520/58300d03/attachment.pgp From david.t.kerns at us.hsbc.com Fri May 20 17:03:32 2005 From: david.t.kerns at us.hsbc.com (David T Kerns) Date: Fri May 20 18:01:37 2005 Subject: Keyservers and the future Message-ID: >Neil Williams writes: >How do you guarantee that 
From: cannot be spoofed - it sounds like you are >delegating that to the individual ISP / domain holder. I'm concerned that the >domain is too blunt as an instrument against spam and that it will remain >easy to send spam from: aol.com and hotmail.com. Even if someone does >compromise the AOL terms and conditions, users cannot ignore all email from >that domain - it's simply too large - so I could not set the aol.com key to >be untrusted or unwanted. > >This could prejudice small domains, userspace domains, unfairly. The big >domains would trivialise the signature because you could not discriminate >between your AOL friends and the AOL spammers. If a particular domain holder >with lots of accounts is tardy or just inefficient in booting off people who >abuse their terms, the user is left with a useless "validation" because the >user cannot distinguish between users at the domain. I don't mean to butt into the conversation, but it sounds like you're missing the whole point. The whole purpose of this is that it eliminates spoofing of the domain name. It doesn't matter if there's 1 user or 1 billion users behind aol.com (or johndoe.org) if the mail says it's the from domain xxx.org you can be sure it IS from xxx.org not 11.22.33.44 spoofing to be xxx.org (apologies to the holder of that IP address, as this is a purely hypothetical example) Radu's question is then, "will the keyserver model scale to hold keys for X billion domain names?" From radu.gpg at ohmi.org Fri May 20 20:45:22 2005 
From: radu.gpg at ohmi.org (Radu Hociung) Date: Fri May 20 20:41:14 2005 Subject: Keyservers and the future In-Reply-To: <20050520102224.rerswcocswcss80s@webmail.spamcop.net> References: <428CE5C7.4050106@ohmi.org> <200505201015.39191.linux@codehelp.co.uk> <20050520102224.rerswcocswcss80s@webmail.spamcop.net> Message-ID: <428E3042.4050203@ohmi.org> Sean C. wrote: [snip] > This would not be the end-all be-all of anti-spam tools. It would just be a > method to authenticate mail as really originating from a particular domain. You > would still use other tools (eg SpamAssassin, Norton, etc.) to figure out if the > sender is a known spammer/open relay or if the content is (like) spam. > > >>>DomainKeys, for instance, works at the transport level. Somewhat like >>>SSH, where the client and server use one key to encrypt the datastream, >>>but a different key is used by the user to actually authenticate and log >>>in. DomainKeys does not encrypt the channel, but it only signs it (it >>>signs a subset of the message headers as well as the body of the >>>message). If a recipient domain trusts Yahoo's keys, he can assert that >>>the mail really came from the Yahoo domain. This is a per-domain >>>signature, not per-user. >> >>Where does the secret key reside? > > > The sending SMTP server? > > >>Who controls the signing? > > > The sending SMTP server? Thanks Sean for your explanations. They are in exact agreement with what email authentication wants to be. I would like to add another note on the number of total keys that may be required. This will also answer Neil's other question: Neil Williams wrote: > I've got many domains but I only want one main key. > > If someone trusts codehelp.co.uk does that mean they also trust dcglug.org.uk > just because I've got both in the UID's of my key? The fewest number of keys is needed if the scheme allows each domain owner to use 1 key. A domain owner is the person who has one or more domains. 
At a minimum, there would be as many keys as there are people who own internet real-estate (domain names). If you own 100 domains, you can of course use 1 key. As for the maximum number of keys needed: Private key distribution remains a problem. DomainKeys has a solution to this problem: With DomainKeys as used by yahoo.com, each mail server machine has its own private key. This avoids the need to copy a master key to all mail servers, which are deployed world wide possibly. So there are a multitude of keys that each domain signs with. There is an additional practical issue of hardware failures. When a hard-disk fails, the machine is sent to the technical support department, who replace the failed disk with a new one. However, if the private key is stored on the hard disk, it must now be revoked, as the technicians have access to extract it. This problem can be solved in one of three ways: 1. Store the key on the hard-disk, but revoke old keys when hard-disks are replaced (due to failure or pre-emptive maintenance). 2. Do not store the key on the hard-disk, but generate it in memory every time the machine is rebooted. 3. Use a security storage device in each machine. Keys need to be revoked when machines are retired. Any one of these models will see many keys in use for each domain. After a few years, the majority of keys will be revoked and expired keys. There is also another issue of Public Relations: Some domain owners own many domains and run their own servers, as Neil pointed out. In this case, one key is sufficient for many domains. However, many domain owners get their ISP to run the mail servers, in exchange for a monthly due. When an ISP handles several domains, the respective domain owners would not want their domain's mail to be signed with the same key as another domain that the ISP may be hosting. So each of the ISP's mail server machines may at any one time host hundreds of domains, and need to maintain a separate private key for each of those domains. 
If you combine the security issues outlined for DomainKey with the PR issues of ISPs hosting multiple domains, the maximum number of keys required globally to implement email authentication may be much larger than the number of domain names actually registered. I think at a minimum we're talking tens of millions of keys, and at maximum we're talking tens of billions of keys. I understand that due to the security issues, a revoked key cannot be deleted before its expiration date. This would imply that at any one time, the cost of email authentication will be about double the number of active keys at any one time. The key deletion feature does not exist in the current keyserver, as far as I can tell. Regards, Radu. From hawke at hawkesnest.net Fri May 20 20:50:22 2005 From: hawke at hawkesnest.net (Alex Mauer) Date: Fri May 20 20:50:37 2005 Subject: 2 noob problems In-Reply-To: <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> Message-ID: Neil Williams wrote: > Keyservers don't delete signatures so every time you self-sign, it remains on > the keyserver. Deleting the signature once a key has been sent to a keyserver > is pointless because refreshing the key will always import all the old > signatures. > What's the reasoning behind this? Would it not be possible/logical for the keyserver, or gpg's import process, to simply discard all but the most recent signature from any single key? -Alex Mauer "hawke" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 374 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050520/50912d78/signature.pgp From linux at codehelp.co.uk Fri May 20 23:30:16 2005 
From: linux at codehelp.co.uk (Neil Williams) Date: Fri May 20 23:26:17 2005 Subject: 2 noob problems In-Reply-To: References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> Message-ID: <200505202230.20235.linux@codehelp.co.uk> On Friday 20 May 2005 7:50 pm, Alex Mauer wrote: > Neil Williams wrote: > > Keyservers don't delete signatures so every time you self-sign, it > > remains on the keyserver. Deleting the signature once a key has been sent > > to a keyserver is pointless because refreshing the key will always import > > all the old signatures. > > What's the reasoning behind this? Would it not be possible/logical for > the keyserver, or gpg's import process, to simply discard all but the > most recent signature from any single key? As far as self-signatures go, these are an important part of key maintenance and key integrity. If a key has changed, there needs to be a verification that the change is tied to the secret key. If you add a UID or change the key behaviour in other ways, the key should be verified and the different components of the key "tied" together with a new self-signature. It's just like the tie on a bag - if you add another bag, you need another tie. If you use just the latest tie to secure everything in one go, you lose the ability to trace the management of the key. If you're thinking of the other signatures, consider that people spend a lot of time and travel large distances to gain signatures on their keys - why should that be wiped out arbitrarily? Even if the key that made the signature is out of use, the signature itself is still valid - it testifies that the owner of the key was verified on the date shown by the person named in the signing key. Why is a new signature (of either type) more important than an old one? 
-- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050520/e24d40fd/attachment-0001.pgp From s_protsman at yahoo.com Sat May 21 01:48:57 2005 From: s_protsman at yahoo.com (Shawn Protsman) Date: Sat May 21 01:45:19 2005 Subject: gpg: Sorry, no terminal at all requested - can't get input Message-ID: <20050520234857.5194.qmail@web31404.mail.mud.yahoo.com> I've searched via Google the above message and found one post that said to remove the "--no-tty" from the gpg.conf file. Well, I don't have a line with that parameter in the file. Ideas? From dshaw at jabberwocky.com Sat May 21 02:26:54 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sat May 21 02:23:19 2005 Subject: problem with key import In-Reply-To: <428C797B.8040806@gmx.at> References: <428C797B.8040806@gmx.at> Message-ID: <20050521002654.GB28168@jabberwocky.com> On Thu, May 19, 2005 at 12:33:15PM +0100, Karl Kashofer wrote: > Hi ! > > Would anyone know why this key can not be imported into GnuPG ? > > Keyserver: 0x133CC3FD > > It looks OK to me, imports fine in PGP and the self signature was made > one second after the key creation date. No hints in PGPdump either. > > GnuPG seems to skip the primary UserID and then complains about no valid > User ID. The key was created with CryptoEx. This is a known problem with CryptoEx. I believe they've fixed it already. Basically, CryptoEx didn't always calculate the key ID properly, so self-signatures didn't verify. PGP will import a key with a bad self-signature, so it works in PGP. GnuPG won't import such a key, but you can override this with --allow-non-selfsigned-uid Better to get an updated CryptoEx though. David From karl.kashofer at gmx.at Sat May 21 02:34:49 2005 From: karl.kashofer at gmx.at (Karl Kashofer) Date: Sat May 21 02:31:19 2005 Subject: problem with key import In-Reply-To: <20050521002654.GB28168@jabberwocky.com> References: <428C797B.8040806@gmx.at> <20050521002654.GB28168@jabberwocky.com> Message-ID: <428E8229.2030707@gmx.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks everyone who took the time to answer my question ! It was more an academic question, as the key has been decommissioned anyway. We just wondered what the problem was. Cheers, Karl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCjoIpyD2v/adjdKMRAtfkAJ9o1N5TnGzv82ZEIum18XEEG2SgBgCbBsaZ yf30KHUGD3xoQMT8GTKvJCY= =yyns -----END PGP SIGNATURE----- From mus1876 at gmx.info Sat May 21 09:21:01 2005 
From: mus1876 at gmx.info (mus1876@gmx.info) Date: Sat May 21 09:17:11 2005 Subject: UTF-8 support References: <23460.1116509668@www39.gmx.net> Message-ID: <25355.1116660061@www56.gmx.net> Hi, can anyone tell me why when setting utf-8 for cmd.exe, gpg switches back to its default character set. In cmd.exe I do the following to change the codepage: chcp For Windows XP Pro with German locale and True Type Font Lucida Console in cmd.exe set this gives the OEM-Multilingual Latin I charset: Active Codepage: 850. Entering chcp 650001 (which stands for UTF-8) results in: Active Codepage: 65001. I now try for example to clearsign a UTF-8 encoded text file with gpg in verbose mode: gpg -vvv --clearsign test.txt The program's first response is: gpg: conversion from `utf-8' to `CP65001' not available gpg: using character set `iso-8859-1' What kind of setup (charset, file encoding) would you recommend in general. I thought that gpg fully supports UTF-8. At least according to the manpage. Thank you From samuel at Update.UU.SE Sat May 21 09:52:28 2005 
From: samuel at Update.UU.SE (Samuel Åslund) Date: Sat May 21 09:48:28 2005 Subject: UTF-8 support In-Reply-To: <25355.1116660061@www56.gmx.net> References: <23460.1116509668@www39.gmx.net> <25355.1116660061@www56.gmx.net> Message-ID: <20050521075228.GA2180@Update.UU.SE> On Sat, May 21, 2005 at 09:21:01AM +0200, mus1876@gmx.info wrote: > Hi, > > can anyone tell me why when setting utf-8 for cmd.exe, gpg switches back to > its default character set. In cmd.exe I do the following to change the > codepage: > > chcp > > For Windows XP Pro with German locale and True Type Font Lucida Console in > cmd.exe set this gives the OEM-Multilingual Latin I charset: > > Active Codepage: 850. > > Entering chcp 650001 (which stands for UTF-8) results in: > > Active Codepage: 65001. > > I now try for example to clearsign a UTF-8 encoded text file with gpg in > verbose mode: > > gpg -vvv --clearsign test.txt > > The program's first response is: > > gpg: conversion from `utf-8' to `CP65001' not available > gpg: using character set `iso-8859-1' > > What kind of setup (charset, file encoding) would you recommend in general. > I thought that gpg fully supports UTF-8. At least according to the manpage. From hawke at hawkesnest.net Sat May 21 17:53:12 2005 
From: hawke at hawkesnest.net (Alex L. Mauer) Date: Sat May 21 17:50:11 2005 Subject: 2 noob problems In-Reply-To: <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> Message-ID: Yep, I understand the purposes of key signatures. But (unlike with your bag/tie analogy), two signatures from the same key don't make a key twice as valid. If only the most recent one is kept, that should be sufficient. If you add a new uid, only that uid needs to be signed, there's no need to add another signature to all of them. > If you're thinking of the other signatures, consider that people spend a lot > of time and travel large distances to gain signatures on their keys - why > should that be wiped out arbitrarily? Because it's redundant. If I have two signatures on my key from someone, either one of them is equally valid. No need to keep two. > > Even if the key that made the signature is out of use, the signature itself is > still valid - it testifies that the owner of the key was verified on the date > shown by the person named in the signing key. Yep, and I'm not proposing discarding arbitrary signatures. But if there's two signatures from a key, regardless of whether it's out of use, you don't need to keep them both. Does it testify that the owner of the key was verified once, and then again on another date? If so, what reason is there to keep both signatures? If I sign a contract, does signing it twice make it more valid/enforceable/something? On the other hand, if the signature has expired, since it becomes meaningless there's no reason to keep it. Look at the PGP Global Directory key for an example of where this could become a problem. It re-signs the keys every two weeks, with a signature that is valid for two weeks. 
This builds up pretty quickly. > Why is a new signature (of either type) more important than an old one? It's not, but defining a specific behaviour is generally a good idea when talking about how computers should behave. Defining this would tell the keyservers what to do when synchronising, which I've heard as the reason it retains all keys+sigs forever. In fact ... now that I think about it, if this were done, it would be possible for the keyservers to handle that better too: It could retain only the most recent signature for a key on each uid, and only give out the keys if the most recent self-signature is not a revocation signature. But, it could still hang on to all keys for comparison, so that when synchronization rolls around it doesn't just treat it as a new key. -- Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon. Worse - The cop is drunk too, and he's a mean drunk. FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles. OpenPGP key id: 51192FF2 @ subkeys.pgp.net -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050521/df449841/signature.pgp From linux at codehelp.co.uk Sat May 21 21:32:34 2005 
From: linux at codehelp.co.uk (Neil Williams) Date: Sat May 21 21:28:32 2005 Subject: 2 noob problems In-Reply-To: References: <1115089586.7258.10.camel@localhost.mdke> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> Message-ID: <200505212032.37541.linux@codehelp.co.uk> On Saturday 21 May 2005 4:53 pm, Alex L. Mauer wrote: > Yep, I understand the purposes of key signatures. But (unlike with your > bag/tie analogy), two signatures from the same key don't make a key > twice as valid. If the signature expired, the new signature is needed. However, the *expired* signature is still useful too as it tells others that the key was also valid at the earlier date. Often, an expired signature only exists because the key originally had an expiry date. Self-signatures are the only ones that are repeated on a key without an expiry. > If only the most recent one is kept, that should be > sufficient. If you add a new uid, only that uid needs to be signed, > there's no need to add another signature to all of them. That leaves the new UID dangling - it's not "tied" into the rest of the key in the same way as all the other UID's. > > If you're thinking of the other signatures, consider that people spend a > > lot of time and travel large distances to gain signatures on their keys - > > why should that be wiped out arbitrarily? > > Because it's redundant. If I have two signatures on my key from > someone, either one of them is equally valid. No need to keep two. I don't see how you would get two signatures from someone else on any one key, except because of an expiry. If I try to sign any key that I've already signed, I get an error. > > Even if the key that made the signature is out of use, the signature > > itself is still valid - it testifies that the owner of the key was > > verified on the date shown by the person named in the signing key. > > Yep, and I'm not proposing discarding arbitrary signatures. 
But if > there's two signatures from a key, regardless of whether it's out of > use, you don't need to keep them both. Does it testify that the owner > of the key was verified once, and then again on another date? If so, > what reason is there to keep both signatures? If I sign a contract, > does signing it twice make it more valid/enforceable/something? No, but signing it one year and then signing it the next year does indicate that the contract runs over both years. It's a bad analogy because a key signature is a single point in time, a contract is generally intended to run over a period of time. > On the other hand, if the signature has expired, since it becomes > meaningless there's no reason to keep it. It's not meaningless - it still means that the key in question was verified by the signer on that date. The expiry of that signature is separate. It is a snapshot - a single point in time. > Look at the PGP Global > Directory key for an example of where this could become a problem. Simple answer there is that the GD is a bad design and nobody is forced to use it. That argument was played out on this list when GD was launched. > It > re-signs the keys every two weeks, with a signature that is valid for > two weeks. This builds up pretty quickly. Then don't allow your keys onto the GD. Simple. It also means that the GD will ultimately fail to be global - it's subkeys.pgp.net that is most likely to be termed a global keyserver as it handles all keys without breaking them, like the older ones, and without allowing / encouraging other keys *not* to use it, like the GD. > > Why is a new signature (of either type) more important than an old one? > > It's not, but defining a specific behaviour is generally a good idea > when talking about how computers should behave. Of course, I'm well used to writing and rationalising APIs / ABIs. 
> Defining this would > tell the keyservers what to do when synchronising, which I've heard as > the reason it retains all keys+sigs forever. I don't see that this is actually much of a problem. So it adds a few bytes to a public key - is that REALLY such a problem? -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ From dshaw at jabberwocky.com Sun May 22 00:15:09 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 22 00:11:34 2005 Subject: 2 noob problems In-Reply-To: <200505212032.37541.linux@codehelp.co.uk> References: <1115089586.7258.10.camel@localhost.mdke> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> <200505212032.37541.linux@codehelp.co.uk> Message-ID: <20050521221509.GD28168@jabberwocky.com> On Sat, May 21, 2005 at 08:32:34PM +0100, Neil Williams wrote: > On Saturday 21 May 2005 4:53 pm, Alex L. Mauer wrote: > > Yep, I understand the purposes of key signatures. But (unlike with your > > bag/tie analogy), two signatures from the same key don't make a key > > twice as valid. > > If the signature expired, the new signature is needed. However, the > *expired* signature is still useful too as it tells others that the > key was also valid at the earlier date. Often, an expired signature > only exists because the key originally had an expiry date. How useful is that, really? Seriously - an expired signature may be interesting to someone who can infer from it that a key was valid earlier, but that doesn't really have any connection to the important question of is the key valid *now*. I'd be quite content if useless signatures were stripped from my key. David From dshaw at jabberwocky.com Sun May 22 00:25:23 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 22 00:21:40 2005 Subject: 2 noob problems In-Reply-To: References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> Message-ID: <20050521222523.GE28168@jabberwocky.com> On Sat, May 21, 2005 at 10:53:12AM -0500, Alex L. Mauer wrote: > On the other hand, if the signature has expired, since it becomes > meaningless there's no reason to keep it. Look at the PGP Global > Directory key for an example of where this could become a problem. > It re-signs the keys every two weeks, with a signature that is valid > for two weeks. This builds up pretty quickly. Yes. This is something I've been playing around with for the next version. I'm not completely decided on how to implement the UI for it. It'll be optional, of course, but the general idea is that people can choose to remove "useless" signatures from their keyring automatically at import or export time, or any time via --edit-key. "useless" in this case means (almost) any signature that is not actually used by GnuPG for the trust calculations. The code in fact is the same as the trust code. So for example, an expired signature would be deleted, along with any signatures that the expired signature superseded. A revoked signature similarly is deleted, and takes out the superseded signatures with it. > In fact ... now that I think about it, if this were done, it would be > possible for the keyservers to handle that better too: It could retain > only the most recent signature for a key on each uid, and only give out > the keys if the most recent self-signature is not a revocation > signature. But, it could still hang on to all keys for comparison, so > that when synchronization rolls around it doesn't just treat it as a new key. 
There are several reasons why it is a good idea for keyservers to store multiple signatures, but the main one is that they do not currently have any crypto code to actually verify the signatures. Without the ability to know if a given signature is good or bad, the keyservers cannot make any decisions as to what signatures to keep or drop. GnuPG can verify signatures, of course, and so can safely prune them. Incidentally, PGP prunes as well. It's the only way to keep keys to a rational size over a long period of time. David From rlaager at wiktel.com Sun May 22 00:36:37 2005 From: rlaager at wiktel.com (Richard Laager) Date: Sun May 22 00:32:46 2005 Subject: 2 noob problems In-Reply-To: <20050521222523.GE28168@jabberwocky.com> References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> <20050521222523.GE28168@jabberwocky.com> Message-ID: <1116714997.4548.7.camel@localhost> On Sat, 2005-05-21 at 18:25 -0400, David Shaw wrote: > A revoked signature similarly is deleted, and takes out > the superseded signatures with it. You'd leave the signature revocation though, right? That way if the revoked signature was imported from another source that didn't have the signature revocation with it, the signature wouldn't be shown as valid. Richard Laager From dshaw at jabberwocky.com Sun May 22 00:44:30 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 22 00:40:54 2005 Subject: 2 noob problems In-Reply-To: <1116714997.4548.7.camel@localhost> References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> <20050521222523.GE28168@jabberwocky.com> <1116714997.4548.7.camel@localhost> Message-ID: <20050521224430.GA32196@jabberwocky.com> On Sat, May 21, 2005 at 05:36:37PM -0500, Richard Laager wrote: > On Sat, 2005-05-21 at 18:25 -0400, David Shaw wrote: > > A revoked signature similarly is deleted, and takes out > > the superseded signatures with it. > > You'd leave the signature revocation though, right? That way if the > revoked signature was imported from another source that didn't have the > signature revocation with it, the signature wouldn't be shown as valid. Correct. David From sean at tcob1.net Sun May 22 01:25:07 2005 
From: sean at tcob1.net (Sean Rima) Date: Sun May 22 02:18:52 2005 Subject: Problem with GPG and TheBat Message-ID: <1871558247.20050522002507@tcob1.net> Hello gnupg-users, I am using gpg 1.41 Windows with TheBat and I get the following trying to retrieve keys: gpg: Signature made 05/21/05 21:52:30 using DSA key ID 6F50DB32 gpg: requesting key 6F50DB32 from hkp server blackhole.pca.dfn.de gpg: renaming `c:/gnupg\pubring.gpg' to `c:/gnupg\pubring.bak' failed: Permission denied gpg: error writing keyring `c:/gnupg\pubring.gpg': file rename error gpg: key 6F50DB32: public key "[User ID not found]" imported gpg: error reading `[stream]': file rename error gpg: Total number processed: 0 gpg: imported: 1 gpg: Can't check signature: public key not found Is there any way to get around this? Sean -- ICQ: 679813 YAHOO: thecivvie Jabber: thecivvie@jabber.org AIM: tcobone Vodafone +353879120530 Winamp is stopped From mnman at pd.jaring.my Sun May 22 07:15:06 2005 
From: mnman at pd.jaring.my (omn) Date: Sun May 22 07:45:00 2005 Subject: Problem with GPG and TheBat In-Reply-To: <1871558247.20050522002507@tcob1.net> References: <1871558247.20050522002507@tcob1.net> Message-ID: <584920808.20050522131506@pd.jaring.my> Hi Sean, Sunday, May 22, 2005, 7:25:07 AM, you wrote: > Hello gnupg-users, > I am using gpg 1.41 Windows with TheBat and I get the following trying > to retrieve keys: > gpg: Signature made 05/21/05 21:52:30 using DSA key ID 6F50DB32 > gpg: requesting key 6F50DB32 from hkp server blackhole.pca.dfn.de > gpg: renaming `c:/gnupg\pubring.gpg' to `c:/gnupg\pubring.bak' failed: Permission denied > gpg: error writing keyring `c:/gnupg\pubring.gpg': file rename error > gpg: key 6F50DB32: public key "[User ID not found]" imported > gpg: error reading `[stream]': file rename error > gpg: Total number processed: 0 > gpg: imported: 1 > gpg: Can't check signature: public key not found It was reported in https://www.ritlabs.com/bt/view.php?id=2442&nbn=8 . > Is there any way to get around this? Insert the following in gpg.conf file. no-default-keyring -- Best regards, omn From pt at radvis.nu Sun May 22 07:31:40 2005 
From: pt at radvis.nu (Per Tunedal Casual) Date: Sun May 22 08:26:03 2005 Subject: Feature request: Add date and time to filename of encrypted file Message-ID: <6.1.2.0.2.20050522023112.03c358d0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi again, I just thought of a new feature: Add date and time to filename of encrypted file; this is an option for encrypt-file and encrypt & sign file. Useful when I have made a backup from within some program and want to encrypt the result. Often the backup file has the very same name every time. I must rename them to keep them apart. Kind regards Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 Hägersten Telephone: 08-646 34 83 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCkBlcpPsTvNtsBX8RAlB3AJ4sqfYpJqvumgHP7VFVUPk1rlRI0ACfW+6W FgzIxiiPgfdCvJ+LlJJ983w= =hvxm -----END PGP SIGNATURE----- From pt at radvis.nu Sun May 22 02:32:37 2005 
From: pt at radvis.nu (Per Tunedal Casual) Date: Sun May 22 08:26:11 2005 Subject: Output file with original filename Message-ID: <6.1.2.0.2.20050522022743.03c78ae0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi again, GPG reports original filename when I decrypt a file, but I am not familiar with any option to get the original name on the output. Useful when I have made a backup from within some program and have encrypted the result. I have added date+time to the filename to keep different backups apart. In many programs the backup file has the very same name every time. I must rename them back to the standard name before I can use them for restore. Kind regards Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 Hägersten Telephone: 08-646 34 83 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCkBlcpPsTvNtsBX8RAuXYAJ9gC9rMUIEKFlLoRhIZIhGsQjzWlACbBD9B qhjbweiHjrVhk4465lTuN/k= =l2oY -----END PGP SIGNATURE----- From pt at radvis.nu Sun May 22 07:30:16 2005 
From: pt at radvis.nu (Per Tunedal Casual) Date: Sun May 22 08:27:28 2005 Subject: How to create only a signing key on card Message-ID: <6.1.2.0.2.20050522073009.03c379b8@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I would like to have only a signing key on my OpenPGP Card. (I find an RSA encryption key of 1024 bits ridiculously short.) The generate command generated three keys. I edited the key and deleted the encryption key, fine. But after that everything went bad: WinPT file manager lets me encrypt to the key! So the encryption key is still present somehow. I got "Unusable keyring" when I tried to sign with EudoraGPG. gpg --card-status gave some strange error messages. Is the only way to create a signing key on a secure computer and import it to the card? What can I do to reset the card? Per Tunedal Keyid: 0xAE053BE0 Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCkBkepPsTvNtsBX8RAlwDAJ9UatuRNFESAke3iijomE5Evky/5wCglRKu Skon+JMdBK5G2kmTSP2iMiY= =V29A -----END PGP SIGNATURE----- From pt at radvis.nu Sun May 22 07:26:54 2005 
From: pt at radvis.nu (Per Tunedal Casual) Date: Sun May 22 08:27:40 2005 Subject: Timing attack against AES Message-ID: <6.1.2.0.2.20050522064327.02dce960@localhost> Hi, Bruce Schneier presented in his blog a few days ago a new attack against AES made by Daniel J. Bernstein. Schneier's blog "AES Timing Attack": http://www.schneier.com/blog/ Bernstein's paper: "Cache timing attacks on AES": http://cr.yp.to/antiforgery/cachetiming-20050414.pdf In short Bernstein has shown that: a) AES is very susceptible to timing attacks, contrary to what was stated in the AES evaluation process. In the AES evaluation process the evaluators made an erroneous statement: "Table lookup: not vulnerable to timing attacks". This led to the conclusion that Rijndael (now AES) had an advantage to its competitors in this area. b) A simple attack is performed successfully against the OpenSSL implementation of AES. The success is blamed on the design of AES. c) The problem is that certain operations are not made at a constant time, rather they are dependent on the input etc. This opens to timing attacks. d) The attack was performed against a server with a Pentium III CPU and a known plaintext. He outlines attacks against other processors and other implementations of AES. e) The attack can be improved in several ways and be made on other "leaks" if this one is mended: "it is extremely difficult to write "Constant-time high-speed AES software for general purpose computers". Constant-time = independent of the key and input. f) The problem is the heavy dependence on S-boxes. g) It is easy to write slow constant-time software that is immune to this kind of attacks. He makes a demonstration. AES would be extremely slow. My questions: 1) Has anyone looked at the AES implementation in GnuPG in this aspect? 2) Are any other ciphers safer to this kind of attack? What about the ciphers in OpenPGP applications? Other AES candidates? 
3) Would it be easier to write a fast implementation of some other cipher that is immune to this kind of timing attacks? 4) What are the plans for GnuPG? Per Tunedal Keyid: 0xAE053BE0 Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0 From sean at tcob1.net Sun May 22 10:07:21 2005 
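The table-lookup leak summarised in points (c), (f) and (g) of the message above, as an added example that is not part of the original post and is not GnuPG or OpenSSL code: a direct S-box lookup whose memory address depends on the secret, next to a slow lookup that touches every entry. It is a simplified model using the 8-bit AES S-box rather than the larger tables a fast implementation uses, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate an 8-bit value left by n bits (1 <= n <= 7). */
static uint8_t rotl8(uint8_t x, unsigned n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Build the AES S-box: inverse in GF(2^8) followed by the affine map. */
void aes_sbox_init(uint8_t sbox[256])
{
    uint8_t p = 1, q = 1;
    do {
        /* p := p * 3 in GF(2^8), reduction polynomial 0x11B */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
        /* q := q / 3, so q stays the multiplicative inverse of p */
        q ^= (uint8_t)(q << 1);
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        q ^= (uint8_t)((q & 0x80) ? 0x09 : 0);
        sbox[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^
                            rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63; /* 0 has no inverse; defined separately */
}

/* Direct lookup: the address that is read depends on the secret index,
 * so which cache line gets loaded (and how long it takes) depends on it. */
uint8_t sbox_lookup_leaky(const uint8_t sbox[256], uint8_t secret_index)
{
    return sbox[secret_index];
}

/* Slow lookup: reads all 256 entries in the same order every time and
 * selects the wanted one with a mask instead of an index or a branch. */
uint8_t sbox_lookup_ct(const uint8_t sbox[256], uint8_t secret_index)
{
    uint8_t result = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ secret_index;            /* 0 only when i matches */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);  /* 0xFF on match, else 0 */
        result |= (uint8_t)(sbox[i] & mask);
    }
    return result;
}

/* First-round style byte: the index is plaintext XOR key, which is why
 * known plaintext plus timing can say something about the key byte. */
uint8_t first_round_byte_ct(const uint8_t sbox[256], uint8_t pt, uint8_t key)
{
    return sbox_lookup_ct(sbox, (uint8_t)(pt ^ key));
}

/* Number of indices where the two lookups disagree (expected: none). */
int count_mismatches(const uint8_t sbox[256])
{
    int bad = 0;
    for (int i = 0; i < 256; i++)
        bad += sbox_lookup_leaky(sbox, (uint8_t)i) != sbox_lookup_ct(sbox, (uint8_t)i);
    return bad;
}

int main(void)
{
    uint8_t sbox[256];
    aes_sbox_init(sbox);
    printf("S(0x53) = 0x%02x, mismatches = %d\n",
           sbox_lookup_ct(sbox, 0x53), count_mismatches(sbox));
    return 0;
}
```

The masked version costs 256 reads per byte instead of one, and whether it stays branch-free depends on the compiler, so the generated code has to be inspected on the target platform.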
From: sean at tcob1.net (Sean Rima) Date: Sun May 22 10:03:44 2005 Subject: Problem with GPG and TheBat In-Reply-To: <584920808.20050522131506@pd.jaring.my> References: <1871558247.20050522002507@tcob1.net> <584920808.20050522131506@pd.jaring.my> Message-ID: <1739115571.20050522090721@tcob1.net> Hello omn, Sunday, May 22, 2005, 6:15:06 AM, you wrote: > Hi Sean, > Sunday, May 22, 2005, 7:25:07 AM, you wrote: >> Hello gnupg-users, >> I am using gpg 1.41 Windows with TheBat and I get the following trying >> to retrieve keys: >> gpg: Signature made 05/21/05 21:52:30 using DSA key ID 6F50DB32 >> gpg: requesting key 6F50DB32 from hkp server blackhole.pca.dfn.de >> gpg: renaming `c:/gnupg\pubring.gpg' to `c:/gnupg\pubring.bak' failed: Permission denied >> gpg: error writing keyring `c:/gnupg\pubring.gpg': file rename error >> gpg: key 6F50DB32: public key "[User ID not found]" imported >> gpg: error reading `[stream]': file rename error >> gpg: Total number processed: 0 >> gpg: imported: 1 >> gpg: Can't check signature: public key not found > It was reported in > https://www.ritlabs.com/bt/view.php?id=2442&nbn=8 . >> Is there any way to get around this? > Insert the following in gpg.conf file. > no-default-keyring Added that now. It looks, from my reading, to be a gpg error, not a Bat error. Sean -- ICQ: 679813 YAHOO: thecivvie Jabber: thecivvie@jabber.org AIM: tcobone Vodafone +353879120530 Winamp is stopped From eocsor at gmail.com Sun May 22 11:29:41 2005 
From: eocsor at gmail.com (Roscoe) Date: Sun May 22 11:26:01 2005 Subject: Feature request: Add date and time to filename of encrypted file In-Reply-To: <6.1.2.0.2.20050522023112.03c358d0@localhost> References: <6.1.2.0.2.20050522023112.03c358d0@localhost> Message-ID: Well, this is generally what I do to achieve that effect: ... | gpg -r $YOU -o backup.`date +%y%m%d`.cpio.gpg -e On 5/22/05, Per Tunedal Casual wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi again, > I just thought of a new feature: > Add date and time to filename of encrypted file; this is an option for > encrypt-file and encrypt & sign file. > > Useful when I have made a backup from within some program and want to > encrypt the result. Often the backup file has the very same name every > time. I must rename them to keep them apart. > > Kind regards > Per Tunedal > Civ. ing. Civ. ek. > > S:t Mickelsgatan 148 > 129 44 Hägersten > Telephone: 08-646 34 83 > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959 > Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html > > iD8DBQFCkBlcpPsTvNtsBX8RAlB3AJ4sqfYpJqvumgHP7VFVUPk1rlRI0ACfW+6W > FgzIxiiPgfdCvJ+LlJJ983w= > =hvxm > -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sun May 22 14:35:05 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 22 14:31:36 2005 Subject: Output file with original filename In-Reply-To: <6.1.2.0.2.20050522022743.03c78ae0@localhost> References: <6.1.2.0.2.20050522022743.03c78ae0@localhost> Message-ID: <20050522123505.GB32196@jabberwocky.com> On Sun, May 22, 2005 at 02:32:37AM +0200, Per Tunedal Casual wrote: > Hi again, > > GPG reports original filename when I decrypt a file, but I am not familiar > with any option to get the original name on the output. --use-embedded-filename David From alex at zoosmart.us Mon May 23 00:07:57 2005 From: alex at zoosmart.us (Alex Liberman) Date: Mon May 23 00:07:53 2005 Subject: possible to encrypt message from pubkey gotten from ssl cert? Message-ID: <20050522220757.GA6816@zoosmart.us> Hello, is it possible to extract public key from ssl cert (actually have already got that far), and then use gpg to encrypt message using that public key? THx From alex at zoosmart.us Sun May 22 23:40:31 2005 From: alex at zoosmart.us (Alex Liberman) Date: Mon May 23 00:33:40 2005 Subject: possible to encrypt message from pubkey gotten from ssl cert? Message-ID: <20050522214031.GA6743@zoosmart.us> Hello, is it possible to extract public key from ssl cert (actually have already got that far), and then use gpg to encrypt message using that public key? THx From wk at gnupg.org Mon May 23 09:06:08 2005 
From: wk at gnupg.org (Werner Koch) Date: Mon May 23 09:06:04 2005 Subject: Feature request: Add date and time to filename of encrypted file In-Reply-To: <6.1.2.0.2.20050522023112.03c358d0@localhost> (Per Tunedal Casual's message of "Sun, 22 May 2005 07:31:40 +0200") References: <6.1.2.0.2.20050522023112.03c358d0@localhost> Message-ID: <87u0kuxvz3.fsf@wheatstone.g10code.de> On Sun, 22 May 2005 07:31:40 +0200, Per Tunedal Casual said: > Add date and time to filename of encrypted file; this is an option for > encrypt-file and encrypt & sign file. OpenPGP defines a field for storing this information; it is however not well defined and due to the fact that gpg is often used in a pipeline, there is no such information available - we store the current time instead. Anyway, in good old Unix tradition gpg should not do this. There are more attributes to a file than the time (what time: creation, modification, access?) for example the owner, the permissions, ACLs and such. Trying to implement this would soon lead to a full archive program. It is better to use tar(1) or one of the other archivers for this instead. They have been written for this purpose. Use for example something like: tar cf - filenames | gpg -e ... Salam-Shalom, Werner From kernone at gmx.de Mon May 23 08:39:41 2005 
From: kernone at gmx.de (=k3Rn=) Date: Mon May 23 09:35:51 2005 Subject: Specifing Folders for Secret and Public Key Message-ID: <42917AAD.2060805@gmx.de> Hello! I am running GnuPG on Windows XP using Thunderbird and Enigmail. I want to tell GnuPG where it should search my secret-keyring and where to search my public keyring. I am thinking about having my secret-keyring on a USB stick mounted on let's say y:\, and my public keyring should be stored on my hard disk. I think you can imagine what I wanna do. I just want to know a clean way to do this. Just changing GnuPG's homedir isn't all I want - as far as I understood it. Thanks for any hints concerning this problem! Greets, =k3Rn= From radu at ohmi.org Fri May 20 00:22:58 2005 
From: radu at ohmi.org (Radu Hociung) Date: Mon May 23 10:43:13 2005 Subject: Keyservers and the future In-Reply-To: <428CE8B8.4060102@rail.eu.org> References: <428CE5C7.4050106@ohmi.org> <428CE8B8.4060102@rail.eu.org> Message-ID: <428D11C2.9010808@ohmi.org> Erwan David wrote: > A key is nothing without a way to add a trusted relation between this > key and the entity you want to authenticate. So I do not think those > "solutions" are worthwhile. Either you accept mail only from people you > know, or you accept mail only from people who paid some established > company you have no other reason to trust than the fact this company is > "well known". Trust information is locally and privately established and managed, and thus does not belong on the keyservers. That process of managing trust is not the object of my question. The scalability of trust management is a problem for MTA (mail transport agents) vendors to solve. The object of trust, however, is a key. Without a key there isn't much to be trusted. The question is ... is the PGP architecture suited to a load of hundreds of millions of keys, or even billions? Are CAs and X509 certificates better equipped to handle the load? There are several working groups that are working on email authentication, and they are considering trust. Concepts such as trust, reputation and accreditation are used in various combinations. Some are bogus, some are quite solid :) Regards, Radu. From mail at mark-kirchner.de Mon May 23 10:32:49 2005 
From: mail at mark-kirchner.de (Mark Kirchner) Date: Mon May 23 11:09:41 2005 Subject: Specifing Folders for Secret and Public Key In-Reply-To: <42917AAD.2060805@gmx.de> References: <42917AAD.2060805@gmx.de> Message-ID: <1041643064.20050523103249@mark-kirchner.de> Hi, On Monday, May 23, 2005, 8:39:41 AM, =k3Rn= wrote: > I want to tell GnuPG where it should search my secret-keyring and where > to search my public keyring. > I am thinking about having my secret-keyring on an usb-stick mounted on > let's say y:\, and my public keyring should be stored on my hard disk. For that, I have something like this in my gpg.conf: keyring c:\[...]\pubring.gpg secret-keyring y:\[...]\secring.gpg no-default-keyring "no-default-keyring" tells gpg not to use any other keyrings than the ones given by "keyring" and "secret-keyring". Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From ml at charliesangels.biz Mon May 23 11:58:01 2005 From: ml at charliesangels.biz (ml@charliesangels.biz) Date: Mon May 23 12:41:21 2005 Subject: Separate Keyring and config for Script Message-ID: Hello Everyone, I am trying to write a Script that should use a separate keyring and a separate config-file (not of the User, with which the Script is running). Somehow I fail to create a blank new keyring with gpg. Is there any possibility to specify both (Keyring and config) via Command line ? Thanks and regards Sascha From mail at mark-kirchner.de Mon May 23 13:10:44 2005 
From: mail at mark-kirchner.de (Mark Kirchner) Date: Mon May 23 13:11:54 2005 Subject: Separate Keyring and config for Script In-Reply-To: References: Message-ID: <183481597.20050523131044@mark-kirchner.de> Hi, On Monday, May 23, 2005, 11:58:01 AM, ml wrote: > Is there any possibility to specify both (Keyring and config) via > Command line ? Yes, these options do the trick: --options --keyring --secret-keyring --no-default-keyring Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From ml at charliesangels.biz Mon May 23 16:16:01 2005 From: ml at charliesangels.biz (ml@charliesangels.biz) Date: Mon May 23 16:11:58 2005 Subject: Separate Keyring and config for Script Message-ID: Hi Mark et al, thanks for the Info ! Now when I try to gpg --no-default-keyring --keyring /home/sascha/gpg-skript/auto-gpg-keyring.gpg --options /dev/null --no-secmem-warning --charset utf-8 --import /my/path/*.asc it works for about 500 files - followed by: gpg: keys 12345: public key "Some Name " imported gpg: can't create `/home/sascha/gpg-skript/auto-gpg-keyring.gpg.tmp': Too many open files gpg: DBG: error opening lockfile `/home/sascha/gpg-skript/auto-gpg-keyring.gpg.lock': Too many open files gpg: release_dotlock: lockfile error gpg: can't unlock `/home/sascha/gpg-skript/auto-gpg-keyring.gpg' Any ideas ? Thanks and regards Sascha Mark Kirchner wrote on 23.05.2005, 13:10:44: > From mail at mark-kirchner.de Mon May 23 16:53:33 2005 
From: mail at mark-kirchner.de (Mark Kirchner) Date: Mon May 23 16:49:24 2005 Subject: Separate Keyring and config for Script In-Reply-To: References: Message-ID: <926390387.20050523165333@mark-kirchner.de> On Monday, May 23, 2005, 4:16:01 PM, ml wrote: > Now when I try to > > gpg --no-default-keyring --keyring > /home/sascha/gpg-skript/auto-gpg-keyring.gpg --options /dev/null > --no-secmem-warning --charset utf-8 --import /my/path/*.asc > > it works for about 500 files - followed by: > > [Error "Too many open files"] Hm, not sure about that error, but you can probably work around it by doing something like find /my/path/ -name "*.asc" -exec gpg --no-default-keyring --keyring /home/sascha/gpg-skript/auto-gpg-keyring.gpg --options /dev/null --no-secmem-warning --charset utf-8 --import {} \; That way, gpg is called for each .asc file separately. Might be slower, I don't know. Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From telegraph at gmx.net Mon May 23 16:49:28 2005 
From: telegraph at gmx.net (Gregor Zattler) Date: Mon May 23 17:45:45 2005 Subject: Separate Keyring and config for Script In-Reply-To: References: Message-ID: <20050523144928.GD22628@pit.ID-43118.user.dfncis.de> Hi Sascha, * ml@charliesangels.biz [23 May 2005]: > gpg --no-default-keyring --keyring > /home/sascha/gpg-skript/auto-gpg-keyring.gpg --options /dev/null > --no-secmem-warning --charset utf-8 --import /my/path/*.asc > > it works for about 500 files - followed by: > > gpg: keys 12345: public key "Some Name " imported > gpg: can't create `/home/sascha/gpg-skript/auto-gpg-keyring.gpg.tmp': > Too many open files > gpg: DBG: error opening lockfile > `/home/sascha/gpg-skript/auto-gpg-keyring.gpg.lock': Too many open > files > gpg: release_dotlock: lockfile error > gpg: can't unlock `/home/sascha/gpg-skript/auto-gpg-keyring.gpg' > > Any ideas ? You hit the limit of concurrently open files. Give "ulimit -a" a try, it shows the limits of your shell (see bash (1)). A way to circumvent this limit is: find /my/path/*.asc -print0|xargs -0 -r -n 1 gpg \ --no-default-keyring --keyring \ /home/sascha/gpg-skript/auto-gpg-keyring.gpg --options /dev/null \ --no-secmem-warning --charset utf-8 --import This invokes one gpg process for each file: one after another. This may be slow, try --no-auto-check-trustdb as an additional gpg command line option. Ciao, Gregor From atom at smasher.org Mon May 23 17:53:09 2005 
From: atom at smasher.org (Atom Smasher) Date: Mon May 23 17:48:57 2005 Subject: 2 noob problems In-Reply-To: <200505202230.20235.linux@codehelp.co.uk> References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux@codehelp.co.uk> Message-ID: <20050523155310.75356.qmail@smasher.org> On Fri, 20 May 2005, Neil Williams wrote: > Why is a new signature (of either type) more important than an old one? ===================== in many respects, a new self-sig is meant to replace and supersede an older self-sig, not augment it. although it can be argued that old self-sigs serve a historical purpose, i would argue that they just take up space and rarely serve any useful purpose. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Those who profess to favor freedom, and yet deprecate agitation, are men who want rain without thunder and lightning. They want the ocean without the roar of its many waters." -- Frederick Douglass From kernone at gmx.de Mon May 23 18:37:12 2005 
From: kernone at gmx.de (=k3Rn=) Date: Mon May 23 18:33:28 2005 Subject: Separate Keyring and config for Script In-Reply-To: <183481597.20050523131044@mark-kirchner.de> References: <183481597.20050523131044@mark-kirchner.de> Message-ID: <429206B8.9020208@gmx.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! Mark Kirchner wrote: > Hi, > > On Monday, May 23, 2005, 11:58:01 AM, ml wrote: > >> Is there any possibility to specify both (Keyring and config) via >> Command line ? > > > Yes, these options do the trick: > > --options --keyring --secret-keyring > --no-default-keyring > Thanks a lot, I think that's just what I was searching for! Where do I have to put that gpg.conf file (does it get created by gpg when using the command line options and if so where?) And what about the two other files random_seed and trusted.db - where should I store them and how can I specify their path? Thanks in advance, Greetings =k3Rn= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCkga4pWixXvnN1p8RAsRhAJ487ObEHqAzxqjid8dSAtRFsljQwwCdFprr 8UxytypsQewH83KvsQZs5z4= =rVYs -----END PGP SIGNATURE----- From mail at mark-kirchner.de Mon May 23 19:22:39 2005 
From: mail at mark-kirchner.de (Mark Kirchner)
Date: Mon May 23 19:18:17 2005
Subject: Separate Keyring and config for Script
In-Reply-To: <429206B8.9020208@gmx.de>
References: <183481597.20050523131044@mark-kirchner.de> <429206B8.9020208@gmx.de>
Message-ID: <1792037936.20050523192239@mark-kirchner.de>

On Monday, May 23, 2005, 6:37:12 PM, =k3Rn= wrote:

>>> Is there any possibility to specify both (Keyring and config) via
>>> Command line ?
>>
>>
>> Yes, these options do the trick:
>>
>> --options --keyring --secret-keyring
>> --no-default-keyring
>>
> Thanx a lot, i think that's just what i was searching for!
> Where do i have to put that gpg.conf file (does it get created by gpg
> when using the command line options and if so where?)

As far as I know, it will be created (in the default home directory).

The default home directory "gnupg" will be created under the "application data" directory of the user. Under WinXP (German version) that will be something like
c:\Dokumente und Einstellungen\USERNAME\Anwendungsdaten\gnupg

> And what about the two other files random_seed and trusted.db - where
> should i store them

Wherever you like. The default (= home directory) seems to be a likely choice.

> and how can i specify their path?

--trustdb-name for trustdb.gpg
--no-random-seed-file prevents generation of the random_seed file

I don't think that the random_seed file can be relocated, at least I haven't found any option to do this in the man-page.

And while I'm at it: You could have looked all that stuff up there. *hint* You'll find the Windows-version of the man-page file "gpg.man" in the "docs" directory below the gpg installation directory (= NOT the home directory).

Regards,
Mark Kirchner

--
_____________________________________________________________
Key (0x172C073C): http://www.mark-kirchner.de/keys/key-mk.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 183 bytes
Desc: not available
Url : /pipermail/attachments/20050523/8fa41b45/attachment.pgp

From rmalayter at bai.org Mon May 23 20:20:17 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Mon May 23 20:16:35 2005
Subject: Timing attack against AES
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A04249A51@cliff.bai.org>

[Per Tunedal Casual]
> 2) Are any other ciphers safer to this kind of attack? What about the
> ciphers in OpenPGP applications? Other AES candidates?

From kernone at gmx.de Tue May 24 02:33:19 2005
From: kernone at gmx.de (=k3Rn=)
Date: Tue May 24 02:29:38 2005
Subject: Separate Keyring and config for Script
In-Reply-To: <1792037936.20050523192239@mark-kirchner.de>
References: <183481597.20050523131044@mark-kirchner.de> <429206B8.9020208@gmx.de> <1792037936.20050523192239@mark-kirchner.de>
Message-ID: <4292764F.3050604@gmx.de>

Thanks a lot for your help!

I am quite sure i get it done now - will test it now. And i'll look up the commands in the man page again.

Best regards,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050524/9361ee74/signature.pgp

From kernone at gmx.de Tue May 24 03:27:36 2005
From: kernone at gmx.de (=k3Rn=)
Date: Tue May 24 03:23:47 2005
Subject: Specifing Folders for Secret and Public Key
In-Reply-To: <1041643064.20050523103249@mark-kirchner.de>
References: <42917AAD.2060805@gmx.de> <1041643064.20050523103249@mark-kirchner.de>
Message-ID: <42928308.2000101@gmx.de>

Thanks again Mark!

I just tested it, and it's all working as i wanted!!

I did set up a Windows system-variable GNUPGHOME pointing to my homedir, there i have my gpg.conf with the following lines :

>keyring c:\[...]\pubring.gpg
>secret-keyring y:\[...]\secring.gpg
>no-default-keyring

Great!

Regards,
=k3Rn=

From pt at radvis.nu Tue May 24 04:42:28 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Tue May 24 04:37:18 2005
Subject: Show digest-algo at signature checking
Message-ID: <6.1.2.0.2.20050524043752.02dcf658@localhost>

Hi,
today when SHA-1 is questioned and some people use other digest-algos like RIPEMD160 or even SHA256 it would be appropriate if the digest algo was displayed when I check a signature. I haven't found any way to do this with detached signatures or inlined signatures.

Kind regards
Per Tunedal
Civ. ing. Civ. ek.
S:t Mickelsgatan 148
129 44 Hägersten
Phone: 08-646 34 83

From dshaw at jabberwocky.com Tue May 24 04:57:59 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue May 24 04:54:19 2005
Subject: Show digest-algo at signature checking
In-Reply-To: <6.1.2.0.2.20050524043752.02dcf658@localhost>
References: <6.1.2.0.2.20050524043752.02dcf658@localhost>
Message-ID: <20050524025759.GA5440@jabberwocky.com>

On Tue, May 24, 2005 at 04:42:28AM +0200, Per Tunedal Casual wrote:

> Hi,
> today when SHA-1 is questioned and some people use other digest-algos like
> RIPEMD160 or even SHA256 it would be appropriate if the digest algo was
> displayed when I check a signature. I haven't found any way to do this with
> detached signatures or inlined signatures.

"gpg -v" shows the hash used.

David

From chris at fsfe.org Tue May 24 06:41:24 2005
From: chris at fsfe.org (Chris)
Date: Tue May 24 08:09:59 2005
Subject: KMail and smartcard
Message-ID: <200505240641.24941.chris@fsfe.org>

I have just installed a smartcard reader and set it up. I can successfully read the information on it and managed to generate a new key on it (gpg --card-list / gpg ---card-edit).

How can I use the smartcard in KMail? I cannot choose its keys in the Identity management.

Using a key from the harddrive does work without problems.

Any help is highly appreciated!

Thanks,
Chris

From wk at gnupg.org Tue May 24 09:55:09 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 24 09:56:31 2005
Subject: KMail and smartcard
In-Reply-To: <200505240641.24941.chris@fsfe.org> (chris@fsfe.org's message of "Tue, 24 May 2005 06:41:24 +0200")
References: <200505240641.24941.chris@fsfe.org>
Message-ID: <87oeb1ukgy.fsf@wheatstone.g10code.de>

On Tue, 24 May 2005 06:41:24 +0200, Chris said:

> How can I use the smartcard in KMail? I cannot choose its keys in the Identity
> management.

Does "gpg -K" list your key? This is what Kmail displays.

You are using a decent Kmail (with all the crypto tabs in the configuration dialog and the requirement for gpg-agent)?

> Using a key from the harddrive does work without problems.

For gpg it makes no difference whether the key is on the disk or on the card. This is because we create a "stub"- secret key for every card key. gpg -K will show you the serial number of the cards associated with that secret key.

If you generated the card key on another machine, please run "gpg --card-status" once on the new machine to create such a stub key.

Shalom-Salam,

Werner

From wk at gnupg.org Tue May 24 10:26:52 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 24 10:26:03 2005
Subject: Timing attack against AES
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A04249A51@cliff.bai.org> (Ryan Malayter's message of "Mon, 23 May 2005 13:20:17 -0500")
References: <792DE28E91F6EA42B4663AE761C41C2A04249A51@cliff.bai.org>
Message-ID: <87fywduj03.fsf@wheatstone.g10code.de>

Hi!

Ryan, thanks for explaining this. I agree with you.

Let me add that this is a classical type of side-channel attack and nothing really new. It is a general problem to hide things from other processes when sharing hardware. It is possible to make it hard but there will never be a perfect solution on a general purpose computer. Disallowing access to fine grained timing facilities will somewhat help but is inconvenient for other applications.

If one really cares about security, running any unrelated process to the encryption software is dangerous as it opens a lot of channels to snoop keys. For public key encryption it is in most cases not that critical because only the session keys are at stake and there are easier ways to get to the plaintext. Using private keys (i.e. decrypting or signing messages) on a multi-user box is something one should avoid under all cases because a compromise is not limited to one or several sessions but extends to the past and future use of that key.

If you have really valuable things, better use dedicated hardware hardened to protect keys. Today this may even require changes at the lowest levels to replace the simple true/false logic elements. There are many papers on how to harden smartcards and HSMs against side channel attacks and those techniques are already in use.

One interesting question with the recent AES and Hyperthreading RSA attacks is whether they can be used to poke holes into forthcoming Digital Restriction Management systems (TCPA et al.).
The Fritz chip might be up to what the card industry has learned the hard way but those systems also need to do many crypto things by "trusted" software on a general purpose CPU.

Shalom-Salam,

Werner

From wk at gnupg.org Tue May 24 10:38:12 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue May 24 10:36:03 2005
Subject: possible to encrypt message from pubkey gotten from ssl cert?
In-Reply-To: <20050522220757.GA6816@zoosmart.us> (Alex Liberman's message of "Sun, 22 May 2005 15:07:57 -0700")
References: <20050522220757.GA6816@zoosmart.us>
Message-ID: <87br71uih7.fsf@wheatstone.g10code.de>

On Sun, 22 May 2005 15:07:57 -0700, Alex Liberman said:

> is it possible to extract public key from ssl cert (actually have
> already got that far), and then use gpg to encrypt message using
> that public key? THx

Yes. It is however some work. With the integration of ssh keys, X.509 certs and smartcards in the GnuPG 1.9 CVS, most code snippets should be available. However they are not connected in a way to allow what you want to do.

BTW, Hal Finney posted a description on how PGP Corp. does this to the OpenPGP WG (ietf-openpgp at imc.org) on 2005-04-12.

My plans actually head into the other direction: Take an OpenPGP key and create an X.509 certificate from it. This is easier because OpenPGP has that feature of subkeys and thus it is better suited to act as a general type of key repository.

Salam-Shalom,

Werner

From jdbeyer at exit109.com Tue May 24 12:55:06 2005
From: jdbeyer at exit109.com (Jean-David Beyer)
Date: Tue May 24 12:51:05 2005
Subject: Timing attack against AES
In-Reply-To: <87fywduj03.fsf@wheatstone.g10code.de>
References: <792DE28E91F6EA42B4663AE761C41C2A04249A51@cliff.bai.org> <87fywduj03.fsf@wheatstone.g10code.de>
Message-ID: <4293080A.1070806@exit109.com>

Aside from the necessity to compromise the machine running gpg to get the timing data for this attack, just how much data can a timing attack retrieve from a multiprogramming system, such as UNIX, Linux, etc., anyway, since all the other processes running at the same time, which could include web servers, file servers, database servers, name servers, mail servers, etc., would really add a lot of noise to the data obtained?

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 06:50:00 up 4 days, 6:48, 4 users, load average: 4.20, 4.22, 4.13

From pt at radvis.nu Tue May 24 12:08:13 2005
From: pt at radvis.nu (Per Tunedal Casual)
Date: Tue May 24 13:03:31 2005
Subject: Max compression
Message-ID: <6.1.2.0.2.20050524120615.02dcf790@localhost>

Hi,
what are the maximum values for compression for zip, zlib and bzip2? The default is 6 for zlib according to the manpage.

I would like to set a somewhat higher compression with:
--compress-level

Kind regards
Per Tunedal
Civ. ing. Civ. ek.
S:t Mickelsgatan 148
129 44 Hägersten
Phone: 08-646 34 83

From atom at smasher.org Tue May 24 16:57:04 2005
From: atom at smasher.org (Atom Smasher)
Date: Tue May 24 16:52:55 2005
Subject: Max compression
In-Reply-To: <6.1.2.0.2.20050524120615.02dcf790@localhost>
References: <6.1.2.0.2.20050524120615.02dcf790@localhost>
Message-ID: <20050524145705.56575.qmail@smasher.org>

On Tue, 24 May 2005, Per Tunedal Casual wrote:

> what are the maximum values for compression for zip, zlib and bzip2? The
> default is 6 for zlib according to the manpage.
>
> I would like to set a somewhat higher compression with: --compress-level
==============

the range is 1-9. 1 is the fastest, 9 is the best compression.

from the gzip man page:

    Regulate the speed of compression using the specified digit #, where -1 or --fast indicates the fastest compression method (less compression) and -9 or --best indicates the slowest compression method (best compression). The default compression level is -6 (that is, biased towards high compression at expense of speed)

and bzip2:

    Set the block size to 100 k, 200 k .. 900 k when compressing. Has no effect when decompressing. See MEMORY MANAGEMENT below. The --fast and --best aliases are primarily for GNU gzip compatibility. In particular, --fast doesn't make things significantly faster. And --best merely selects the default behavior.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The proper time to influence the character of a child is about a hundred years before he's born."
-- William R. Inge (1913-1973)

From rmalayter at bai.org Tue May 24 18:49:29 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue May 24 18:45:45 2005
Subject: Timing attack against AES
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A04249C2E@cliff.bai.org>

[Jean-David Beyer]
> Aside from the necessity to compromise the machine running
> gpg to get the
> timing data for this attack,
> just how much data can a timing attack retrieve from a
> multiprogramming
> system, such as UNIX, Linux, etc., anyway, since all the
> other processes
> running at the same time, which could include web servers,
> file servers,
> database servers, name servers, mail servers, etc., would
> really add a lot
> of noise to the data obtained?

In the attack, signal-processing techniques were used to remove or smooth the noise in the timing data. In fact, the demonstration server he "attacked" was running OpenSSH on Linux, meaning it was servicing hardware interrupts and the like, adding at least some noise to the data collected.

I presume that more noise in the system means more data collection is needed to find "accurate" timings and therefore extract the key, but I know just a tiny bit about signal processing from one college class, so I am no authority on the matter.

Regards,
Ryan

From hawke at hawkesnest.net Tue May 24 19:18:53 2005
From: hawke at hawkesnest.net (Alex Mauer)
Date: Tue May 24 19:18:57 2005
Subject: 2 noob problems
In-Reply-To: <20050521222523.GE28168__21403.1974938282$1116714462$gmane$org@jabberwocky.com>
References: <1115089586.7258.10.camel@localhost.mdke> <200505030900.28847.linux__20912.3117187575$1115107279$gmane$org@codehelp.co.uk> <200505202230.20235.linux__17723.9720164382$1116624878$gmane$org@codehelp.co.uk> <20050521222523.GE28168__21403.1974938282$1116714462$gmane$org@jabberwocky.com>
Message-ID:

David Shaw wrote:
> On Sat, May 21, 2005 at 10:53:12AM -0500, Alex L. Mauer wrote:
> There are several reasons why it is a good idea for keyservers to
> store multiple signatures, but the main one is that they do not
> currently have any crypto code to actually verify the signatures.
> Without the ability to know if a given signature is good or bad, the
> keyservers cannot make any decisions as to what signatures to keep or
> drop.

Aha, it makes sense now. I had assumed that the keyservers were able to verify signatures.

>
> GnuPG can verify signatures, of course, and so can safely prune them.
> Incidentally, PGP prunes as well. It's the only way to keep keys to a
> rational size over a long period of time.

Then I guess I hope this feature will come along at some point.

-Alex Mauer "Hawke"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 374 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050524/b0a9fcdb/signature.pgp

From greg.reaume at gmail.com Tue May 24 18:53:07 2005
From: greg.reaume at gmail.com (Greg Reaume)
Date: Tue May 24 19:49:27 2005
Subject: JavaCard Implementation of OpenPGP Card 1.1 Spec
Message-ID: <2c9261b105052409534516b1f2@mail.gmail.com>

Hi Everyone,

I am interested in using a smartcard for OpenPGP and am happy to see that a spec has been developed (thanks to g10code) for this purpose implemented on a native card OS. What I'm looking for though, is an implementation of this spec (compatible with GPG) for the JavaCard OS. I already carry a smartcard for my X.509 S/MIME certs and would like to combine the two applications on one JavaCard.

I searched the mailing list archive and came up with an individual that has attempted this:
http://www.core-dump.com.hr/index.pl?lastnode_id=404&node_id=421

Could anyone provide any information on feedback you've heard about this implementation and/or any other implementations that you're aware of?

I appreciate your time. Thanks everyone!

GR

From kernone at gmx.de Tue May 24 20:06:41 2005
From: kernone at gmx.de (=k3Rn=)
Date: Tue May 24 20:02:52 2005
Subject: KMail and smartcard
In-Reply-To: <200505240641.24941.chris@fsfe.org>
References: <200505240641.24941.chris@fsfe.org>
Message-ID: <42936D31.50808@gmx.de>

Hey,

Chris wrote:
> I have just installed a smartcard reader and set it up. I can successfully
> read the information on it and managed to generate a new key on it (gpg
> --card-list / gpg ---card-edit).

What is the real advantage of a smartcard? I have stored my secret-keyring on a usb-stick at the moment. How could i improve security further more? I am just reading about encrypting the filesystem on the stick using 'truecrypt' - is that a good idea / nice solution?

Regards,
=k3Rn=

From zvrba at globalnet.hr Tue May 24 20:23:10 2005
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Tue May 24 21:08:57 2005
Subject: JavaCard Implementation of OpenPGP Card 1.1 Spec
In-Reply-To: <2c9261b105052409534516b1f2@mail.gmail.com>
References: <2c9261b105052409534516b1f2@mail.gmail.com>
Message-ID: <4293710E.5000909@globalnet.hr>

Greg Reaume wrote:
|
| I searched the mailing list archive and came up with an individual
| that has attempted this:
| http://www.core-dump.com.hr/index.pl?lastnode_id=404&node_id=421
|

I am that individual :) I managed to get it to generate the keys and even sign something. Only in emulation, though. I've had access to Schlumberger Cyberflex card, managed to download the applet but got exception on applet instantiation. With no meaningful error indication. Works fine in Sun's cref.

However, several things have discouraged me from further development:
- discrepancy between OpenPGP card spec, the JavaCard docs and what the JavaCard simulator really does when signing/decrypting
- insufficient support from the Sun's cref (i.e. no RAW RSA methods, just those with padding)

I've got a hint where to buy cheap java cards and dev kit, however I have no time to pursue this further. Maybe sometime in the future..

From scc4fun at spamcop.net Tue May 24 21:40:35 2005
From: scc4fun at spamcop.net (Sean C.)
Date: Tue May 24 21:36:21 2005
Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions
Message-ID: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net>

http://tinyurl.com/dljdm

See comment at bottom.

Business/Financial Desk; SECTCTECHNOLOGY
I.B.M. Software Aims to Provide Security Without Sacrificing Privacy
By STEVE LOHR
624 words
24 May 2005
The New York Times
Late Edition - Final
4
English
Copyright 2005 The New York Times Company. All Rights Reserved.

International Business Machines is introducing software today that is intended to let companies share and compare information with other companies or government agencies without identifying the people connected to it. Security specialists familiar with the technology say that, if truly effective, it could help tackle many security and privacy problems in handling personal information in fields like health care, financial services and national security. ''There is real promise here,'' said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University. ''But we'll have to see how well it works in all kinds of settings.'' The technology for anonymous data-matching has been under development by S.R.D. (Systems Research and Development), a start-up company that I.B.M. acquired this year. Much of the company's early financial backing came from In-Q-Tel, a venture capital firm financed by the Central Intelligence Agency that invests in companies whose technologies have government security uses. S.R.D., now I.B.M.'s Entity Analytics unit, has worked for years on specialized software for quickly detecting relationships within vast storehouses of data. Its early market was in Las Vegas, where casinos used the company's technology to help prevent fraud or employee theft. The matching software might sift through databases of known felons, for example, to find any links to casino employees.
By the late 1990's, United States intelligence agencies had discovered S.R.D. and the potential to use its technology for winnowing leads in pursuing terrorists or spies. After 9/11, the government's interest increased, and today most of the company's business comes from government contracts. The new product goes beyond finding relationships in different sets of data. The software, which I.B.M. calls DB2 Anonymous Resolution, enables companies or government agencies to share personal information on customers or citizens without identifying them. For example, say the government were looking for suspected terrorists on cruise ships. The government had a ''watch list,'' but it did not want to give that list to a cruise line, fearing it might leak out. Similarly, the cruise lines did not want to hand over their entire customer lists to the government, out of privacy concerns. The I.B.M. software would convert data on a person into a string of seemingly random characters, using a technique known as a one-way hash function. No names, addresses or Social Security numbers, for example, would be embedded within the character string. The strings would be fed through a program to detect a matching pattern of characters. In the case of the cruise line and the government, an alert would be sent to both sides that a match had been detected. ''But what you get is a message that there is a match on record Number 678 or whatever, and then the government can ask the cruise line for that specific record, not a whole passenger list,'' explained Jeff Jonas, the founder of S.R.D. and now chief scientist of I.B.M.'s Entity Analytics unit. ''What you get is discovery without disclosure.'' To date, the software for anonymously sharing and matching data has been tested in a few projects, but I.B.M. is aiming for day-to-day use in several industries. 
In health care, for example, more secure and anonymous handling of patient information could alleviate privacy concerns in the shift to electronic health records, potentially increasing efficiency and reducing costs, analysts said. The technology, specialists noted, could also reduce the risk of identity theft, especially if personal data held by companies were made anonymous.

Document NYTF000020050524e15o001dj
© 2005 Dow Jones Reuters Business Interactive LLC (trading as Factiva). All rights reserved.

I'm confused though.
I just read this article from the New York Times. As a newbie to encryption and hash algorithms I thought the idea behind hashes was that you couldn't reconstruct the data from the hash.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: PGP Digital Signature
Url : /pipermail/attachments/20050524/5732fa9d/attachment.pgp

From alex_box at web.de Tue May 24 22:10:04 2005
From: alex_box at web.de (Alexander Hoffmann)
Date: Tue May 24 22:05:17 2005
Subject: RC2
Message-ID: <42938A1C.1040005@web.de>

Hello,

i don't know if it is the best place to ask this type of questions, but if i'm wrong here could you tell me a right mailing list for it.

I want to decrypt RC2 encrypted mails and use libgcrypt for this purpose. As i know the RC2 algorithm is implemented in libgcrypt (rfc2268.c), but it will not be compiled (i concluded it from "libgcrypt-config --algorithms" output).

What should i do to get the RC2 algorithm compiled? I use libgcrypt-1.2.1

Thanks in advance

--
Alexander Hoffmann

From hawke at hawkesnest.net Tue May 24 22:34:05 2005
From: hawke at hawkesnest.net (Alex Mauer)
Date: Tue May 24 22:32:02 2005
Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions
In-Reply-To: <20050524154035.yskc0wk0ckws0cwo__46199.5598547675$1116963793$gmane$org@webmail.spamcop.net>
References: <20050524154035.yskc0wk0ckws0cwo__46199.5598547675$1116963793$gmane$org@webmail.spamcop.net>
Message-ID:

Sean C. wrote:
> I'm confused though.
> I just read this article from the New York Times. As a newbie to encryption and
> hash algorithms I thought the idea behind hashes was that you couldn't
> reconstruct the data from the hash.

You can't. But you can use the hash as a key to cross-reference information. For example, if they were using full names to generate the hash:

Watch list contains:

"Alex Mauer" -> foo
"Billy Z Williamson" -> bar
"Corgi McCorkerton" -> baz

Passenger list contains:
"Billy Z. Williamson" -> xyzzy
"Alex Mauer" -> foo
"Fenster LeCrab" -> baz

...they only need to compare the hashes, for the cruise ship company to see that "Alex Mauer" should not be allowed to board, and the government to see that "Alex Mauer" attempted to board a cruise ship. The government doesn't need to reveal their watch list to the cruise ship company, and vice versa.

This also illustrates some problems with the system, namely hash collisions (two people generate the hash "baz") and the fact that slight changes in data will lead to totally different hashes (added period after middle initial).

-Alex Mauer "hawke"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 374 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050524/52c7c3a0/signature.pgp

From chris at fsfe.org Tue May 24 22:36:13 2005
From: chris at fsfe.org (Chris)
Date: Tue May 24 22:32:10 2005
Subject: KMail and smartcard
In-Reply-To: <87oeb1ukgy.fsf@wheatstone.g10code.de>
References: <200505240641.24941.chris@fsfe.org> <87oeb1ukgy.fsf@wheatstone.g10code.de>
Message-ID: <200505242236.14075.chris@fsfe.org>

On Tuesday 24 May 2005 09:55, Werner Koch wrote:
> On Tue, 24 May 2005 06:41:24 +0200, Chris said:
> > How can I use the smartcard in KMail? I cannot choose its keys in the
> > Identity management.
>
> Does "gpg -K" list your key? This is what Kmail displays.

No, gpg -K does not list anything.

I have removed the ~/.gnupg directory and issued "gpg --card-status" again. "gpg -K" does still not list anything...

>
> You are using a decent Kmail (with all the crypto tabs in the
> configuration dialog and the requirement for gpg-agent)?

I am using KMail 1.7.2.

>
> > Using a key from the harddrive does work without problems.
>
> For gpg it makes no difference whether the key is on the disk or on
> the card. This is because we create a "stub"- secret key for every
> card key. gpg -K will show you the serial number of the cards
> associated with that secret key.
>
> If you generated the card key on another machine, please run "gpg
> --card-status" once on the new machine to create such a stub key.
>
>
> Shalom-Salam,
>
> Werner

What am I doing wrong? Any help is highly appreciated!

Best regards,
Chris

From dave at adboyd.com Tue May 24 22:43:41 2005
From: dave at adboyd.com (J. David Boyd)
Date: Tue May 24 23:09:00 2005
Subject: Help with Enigmail and other issues
References: <1115810734.3667.233878576__46590.0804535069$1116249434$gmane$org@webmail.messagingengine.com>
Message-ID:

gpg.20.subu@spamgourmet.com wrote in news:1115810734.3667.233878576__
46590.0804535069$1116249434$gmane$org@webmail.messagingengine.com:

>
> - How do I proceed further ?
>

Turn on debugging in enigmail. It's the last tab under preferences. This will show you what errors you are getting.

> - Is there a better way to import public keys into enigmail ?

I do it this way all the time.

> - where is the public key ring stored by enigmail ?

That's up to you. I have a variable set in my system, GNUPGHOME, that sets the directory for gpg to use. If you don't have one of these set, I believe that it defaults to the directory that it is run from, but I could be wrong.

I also have the following line in a batch file that I use to locate keys:

gpg --search-keys --keyserver pgp.mit.edu %1

So you can try it manually and see if the key is locatable. Note that this means that gpg has to be in the PATH.

Dave

From bzag0 at yahoo.com Tue May 24 22:44:24 2005
From: bzag0 at yahoo.com (Robert Zagarello)
Date: Tue May 24 23:40:39 2005
Subject: IBM to Provide Security w/o Sacrificing Privacy Using HashFunctions
Message-ID: <20050524204424.50091.qmail@web53808.mail.yahoo.com>

Great example, Alex !...

BZAG

===============================

Sean C. wrote:
> I'm confused though.
> I just read this article from the New York Times. As a newbie to encryption and
> hash algorithms I thought the idea behind hashes was that you couldn't
> reconstruct the data from the hash.

You can't. But you can use the hash as a key to cross-reference information. For example, if they were using full names to generate the hash:

Watch list contains:

"Alex Mauer" -> foo
"Billy Z Williamson" -> bar
"Corgi McCorkerton" -> baz

Passenger list contains:
"Billy Z. Williamson" -> xyzzy
"Alex Mauer" -> foo
"Fenster LeCrab" -> baz

...they only need to compare the hashes, for the cruise ship company to see that "Alex Mauer" should not be allowed to board, and the government to see that "Alex Mauer" attempted to board a cruise ship. The government doesn't need to reveal their watch list to the cruise ship company, and vice versa.

This also illustrates some problems with the system, namely hash collisions (two people generate the hash "baz") and the fact that slight changes in data will lead to totally different hashes (added period after middle initial).

-Alex Mauer "hawke"

From imacat at mail.imacat.idv.tw Wed May 25 07:57:15 2005
From: imacat at mail.imacat.idv.tw (imacat)
Date: Wed May 25 08:46:39 2005
Subject: Secret Key UID Missing
Message-ID: <20050525135637.1141.IMACAT@mail.imacat.idv.tw>

Dear all,

I have got into trouble. Here is my key now:

imacat@rinse ~ % gpg --edit imacat
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS
trust: ultimate validity: ultimate
sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E
[ultimate] (1). ??? (imacat)
[ultimate] (2) ??? (imacat)

Command> toggle

sec 1024D/30B94B5C created: 2002-07-04 expires: never
ssb 4096g/266EF40E created: 2002-07-04 expires: never
(1) ??? (imacat)

Command> quit
imacat@rinse ~ %

One of my UIDs is missing in the secret key ring. I was editing my keys, revoking UIDs with non-UTF8 comment and adding UTF-8 UIDs. Maybe it's lost during some export/import. The missing 2nd UID is my company e-mail. I can't sign my mails without it at my office.

This is really strange. What can I do about it? Do I have to revoke my office UID and create new again? :( I'd just written several mails to my friends to sign my new UIDs, and I have to revoke it now? That's not reasonable.

I can't find a way to manage my secret key UIDs. Why can public key UIDs not match secret key UIDs? Is there any way I can synchronize my public key UID with my secret key UID, or simply help me add that missing one?

Thank you for your time and patience.

--
imacat ^_*' imacat@mail.imacat.idv.tw
PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt
Tavern IMACAT's http://www.imacat.idv.tw/
Woman's Voice http://www.wov.idv.tw/
TLUG List Manager http://www.linux.org.tw/mailman/listinfo/tlug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available Url : /pipermail/attachments/20050525/d660e72c/attachment-0001.pgp From gpg.20.subu at spamgourmet.com Wed May 25 10:15:24 2005 From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Wed May 25 10:11:14 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Message-ID: <5c7cd52105052501155b9f7868@mail.gmail.com> Hi > >This also illustrates some problems with the system, namely hash >collisions (two people generate the hash "baz") > I thought that two *non* identical names - as in case below will *not* create the same hash If it will, what is the probability ? Thanks Subu Alex Mauer - hawke@hawkesnest.net wrote: [............] >Watch list contains: > >"Alex Mauer" -> foo >"Billy Z Williamson" -> bar >"Corgi McCorkerton" -> baz > >Passenger list contains: >"Billy Z. Williamson" -> xyzzy >"Alex Mauer" -> foo >"Fenster LeCrab" -> baz [.........] >This also illustrates some problems with the system, namely hash >collisions (two people generate the hash "baz") and the fact that slight >changes in data will lead to totally different hashes (added period >after middle initial). > >-Alex Mauer "hawke" > From gpg.20.subu at spamgourmet.com Wed May 25 10:29:40 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Wed May 25 10:25:31 2005 Subject: Help with Enigmail and other issues Message-ID: <5c7cd52105052501293df4759d@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi David Thanks for replying to my message As of now I'e progressed a little bit and Enigmail is working fine I've got the following on my gpg.onf file which greatly improve enigmail's ability to search for keys (my copy at least !) keyserver random.sks.keyserver.penguin.de keyserver-options auto-key-retrieve include-revoked include-subkeys keyserver-options honor-http-proxy Thanks for replying Subu J. David Boyd - dave@adboyd.com wrote: >gpg.20.subu@spamgourmet.com wrote in news:1115810734.3667.233878576__ >46590.0804535069$1116249434$gmane$org@webmail.messagingengine.com: > >>- How do I proceed further ? >> > >Turn on debugging in enigmail. It's the last tab under preferences. >This will show you what errors you are getting. > >>- Is there a better way to import public keys into enigmail ? > > >I do it this way all the time. > > > >>- where is the public key ring stored by enigmail ? > > >That's up to you. I have a variable set in my system, GNUPGHOME, that >sets the directory for gpg to use. If you don't have one of these set, I >believe that it defaults to the directory that it is run from, but I >could be wrong. > >I also have the following line in a batch file that I use to locate keys: > >gpg --search-keys --keyserver pgp.mit.edu %1 > >So you can try it manually and see if the key is locatable. Note that >this means that gpg has to be in the PATH. > >Dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: key : http://www.geocities.com/mail_to_subu/pubkey.txt Comment: key : http://maniams2.tripod.com/Sign/pubkey.txt iD8DBQFClFD5aCYR2jv7Mt0RAiX4AJ95QDH5J9oYHF91qmoyT8BeJtxUXACfUdZi 1GzYmBnbLnf63WqqXoMjrpM= =0v34 -----END PGP SIGNATURE----- From gpg.20.subu at spamgourmet.com Wed May 25 11:13:29 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Wed May 25 11:11:23 2005 Subject: KMail and smartcard - what is a "stub" secret key ? In-Reply-To: <1117007975.22626.234904667@webmail.messagingengine.com> (gpg.20.subu@spamgourmet.com's message of "Wed, 25 May 2005 00:59:35 -0700") References: <1117007975.22626.234904667@webmail.messagingengine.com> Message-ID: <87acmjr7ly.fsf@wheatstone.g10code.de> On Wed, 25 May 2005 00:59:35 -0700, gpg 20 subu said: > I thought that If I keep my keyring on a USB drive, there would be *no > trace of it* on the Hard Disk I was talking about smart cards and not about USB drives. They have nothing in common. Shalom-Salam, Werner From wk at gnupg.org Wed May 25 11:52:08 2005 From: wk at gnupg.org (Werner Koch) Date: Wed May 25 11:51:11 2005 Subject: KMail and smartcard - what is a "stub" secret key ? In-Reply-To: <87acmjr7ly.fsf@wheatstone.g10code.de> (gpg.20.subu@spamgourmet.com's message of "Wed, 25 May 2005 11:13:29 +0200") References: <1117007975.22626.234904667@webmail.messagingengine.com> <87acmjr7ly.fsf@wheatstone.g10code.de> Message-ID: <87hdgrpr93.fsf@wheatstone.g10code.de> Hi! Please immediately stop rewritting my address to "gpg.20.subu@spamgourmet.com" and thus assigning me a different identity. Shalom-Salam, Werner From wk at gnupg.org Wed May 25 11:57:10 2005
From: wk at gnupg.org (Werner Koch) Date: Wed May 25 11:56:04 2005 Subject: RC2 In-Reply-To: <42938A1C.1040005@web.de> (Alexander Hoffmann's message of "Tue, 24 May 2005 22:10:04 +0200") References: <42938A1C.1040005@web.de> Message-ID: <87d5rfpr0p.fsf@wheatstone.g10code.de> On Tue, 24 May 2005 22:10:04 +0200, Alexander Hoffmann said: > Hello, > i don't know if it is the best place to ask this type of questions, but > if i'm wrong here could you tell me a right mailing list fot it. > I want to decrypt rrc2 encrypted mails and use libgcrypt for this > purpose. As i know the RC2 algorithm is implemented in libgcrypt > (rfc2268.c), but it will not be compiled (i concluded it from > "libgcrypt-config --algorithms" output). What should i do to get the RC2 $ libgcrypt-config --algorithms Symmetric cipher algorithms: arcfour blowfish cast5 des aes twofish serpent rfc2268 I can see rfc2268 in the list of supported algorithms. /* rfc2268.c - The cipher described in rfc2268; aka Ron's Cipher 2. Salam-Shalom, Werner From wk at gnupg.org Wed May 25 11:59:53 2005
From: wk at gnupg.org (Werner Koch) Date: Wed May 25 11:56:13 2005 Subject: KMail and smartcard In-Reply-To: <200505242236.14075.chris@fsfe.org> (chris@fsfe.org's message of "Tue, 24 May 2005 22:36:13 +0200") References: <200505240641.24941.chris@fsfe.org> <87oeb1ukgy.fsf@wheatstone.g10code.de> <200505242236.14075.chris@fsfe.org> Message-ID: <878y23pqw6.fsf@wheatstone.g10code.de> On Tue, 24 May 2005 22:36:13 +0200, Chris said: > I have removed the ~/.gnupg directory and issued "gpg --card-status" again. > "gpg -K" does still not list anyting... What version of gpg are you using? Shalom-Salam, Werner From chris at fsfe.org Wed May 25 12:51:34 2005 From: chris at fsfe.org (Chris) Date: Wed May 25 12:47:36 2005 Subject: KMail and smartcard In-Reply-To: <878y23pqw6.fsf@wheatstone.g10code.de> References: <200505240641.24941.chris@fsfe.org> <200505242236.14075.chris@fsfe.org> <878y23pqw6.fsf@wheatstone.g10code.de> Message-ID: <200505251251.34609.chris@fsfe.org> I am using: gpg (GnuPG) 1.4.0 Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Maybe this is too old then? It comes off Mandriva LE 2005... Best regards, Chris On Wednesday 25 May 2005 11:59, Werner Koch wrote: > On Tue, 24 May 2005 22:36:13 +0200, Chris said: > > I have removed the ~/.gnupg directory and issued "gpg --card-status" > > again. "gpg -K" does still not list anyting... > > What version of gpg are you using? > > > Shalom-Salam, > > Werner From sk at intertivity.com Wed May 25 13:30:22 2005 
From: sk at intertivity.com (Sascha Kiefer) Date: Wed May 25 13:26:18 2005 Subject: Unicode support Message-ID: <429461CE.7070905@intertivity.com> Hi list, Assume, i have a mail text body; it's charset is something other than us-ascii. Does it work (have not tried it yet) to convert the data to utf-8 and then signing it armored? Regards, --esskar From wk at gnupg.org Wed May 25 13:39:07 2005 From: wk at gnupg.org (Werner Koch) Date: Wed May 25 13:36:04 2005 Subject: KMail and smartcard In-Reply-To: <200505251251.34609.chris@fsfe.org> (chris@fsfe.org's message of "Wed, 25 May 2005 12:51:34 +0200") References: <200505240641.24941.chris@fsfe.org> <200505242236.14075.chris@fsfe.org> <878y23pqw6.fsf@wheatstone.g10code.de> <200505251251.34609.chris@fsfe.org> Message-ID: <87oeazo7qc.fsf@wheatstone.g10code.de> On Wed, 25 May 2005 12:51:34 +0200, Chris said: > gpg (GnuPG) 1.4.0 Noteworthy changes in version 1.4.1 (2005-03-15) ------------------------------------------------ * When running a --card-status or --card-edit and a public key is available, missing secret key stubs will be created on the fly. Details of the key are listed too. Shalom-Salam, Werner From fw at deneb.enyo.de Wed May 25 13:28:12 2005 
From: fw at deneb.enyo.de (Florian Weimer) Date: Wed May 25 14:09:31 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions In-Reply-To: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> (Sean C.'s message of "Tue, 24 May 2005 15:40:35 -0400") References: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> Message-ID: <87oeazlf3n.fsf@deneb.enyo.de> * Sean C.: > The I.B.M. software would convert data on a person into a string of seemingly > random characters, using a technique known as a one-way hash function. No > names, addresses or Social Security numbers, for example, would be embedded > within the character string. For most applications, this is just a speed bump because the search space is rather small. It's even worse for the no-fly list because you have to apply some data reduction first (think SOUNDEX): a lot of the names on them have varying transliteration. From johanw at vulcan.xs4all.nl Wed May 25 11:25:50 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed May 25 17:06:47 2005 Subject: RC2 In-Reply-To: <42938A1C.1040005@web.de> Message-ID: <200505250925.j4P9PokT001839@vulcan.xs4all.nl> Alexander Hoffmann wrote: >purpose. As i know the RC2 algorithm is implemented in libgcrypt >(rfc2268.c), but it will not be compiled (i concluded it from >"libgcrypt-config --algorithms" output). What should i do to get the RC2 >algorithm compiled? >I use libgcrypt-1.2.1 I don't know libgcrypt, but it is probably a compile option. Check the configure scripts and/or the Makefile. This is sometimes done because RC2 is patented in some countries. I had to change the Slackware configure scripts for OpenSSL and recompile for the same reason. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From hawke at hawkesnest.net Wed May 25 18:20:36 2005 
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed May 25 18:21:13 2005
Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash
In-Reply-To: <5c7cd52105052501155b9f7868__49811.292862478$1117009245$gmane$org@mail.gmail.com>
References: <5c7cd52105052501155b9f7868__49811.292862478$1117009245$gmane$org@mail.gmail.com>
Message-ID:

gpg.20.subu@spamgourmet.com wrote:

> I thought that two *non* identical names - as in case below will *not*
> create the same hash
> If it will, what is the probability ?

The probability of this happening is extremely low.

For a 128-bit hash, such as md5, the probability is 1 in 2^128 (1 in 340,282,366,920,938,463,463,374,607,431,768,211,456).

For a 160-bit hash, such as sha-1 which PGP uses, the probability is 1 in 2^160 (1 in 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976).

"If the hash algorithm is properly designed and distributes the hashes uniformly over the output space, 'finding a hash collision' by random guessing is exceedingly unlikely (it's more likely that a million people will correctly guess all the California Lottery numbers every day for a billion trillion years). Other hashes have even more bits: the SHA-1 algorithm generates 160 bits, whose output space is four billions times larger than that produced by MD5's 128 bits." (from "An Illustrated Guide to Cryptographic Hashes"[1])

Of course, this only applies to a random method, but that is pretty much all peoples' names are going to give you.

Recommended reading:
MD5 (http://en.wikipedia.org/wiki/MD5)
SHA-1 (http://en.wikipedia.org/wiki/SHA-1)
Birthday Attack (http://en.wikipedia.org/wiki/Birthday_attack)
Meet-in-the-Middle Attack (http://en.wikipedia.org/wiki/Meet-in-the-middle_attack)

[1] http://www.unixwiz.net/techtips/iguide-crypto-hashes.html#collisions
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 374 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050525/aab7492c/signature.pgp From kernone at gmx.de Wed May 25 19:43:25 2005 From: kernone at gmx.de (=k3Rn=) Date: Wed May 25 19:39:35 2005 Subject: Help with Enigmail and other issues In-Reply-To: <5c7cd52105052501293df4759d@mail.gmail.com> References: <5c7cd52105052501293df4759d@mail.gmail.com> Message-ID: <4294B93D.1080908@gmx.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! > As of now I'e progressed a little bit and Enigmail is working fine > > I've got the following on my gpg.onf file which greatly improve > enigmail's ability to search for keys (my copy at least !) > > keyserver random.sks.keyserver.penguin.de > keyserver-options auto-key-retrieve include-revoked include-subkeys > keyserver-options honor-http-proxy What does these options really have to do with Enigmail's work? Does this auto-key-retrieve have any effect on Enigmail? regards, =k3Rn= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFClLk9pWixXvnN1p8RAoDiAKCUBGn2tfBuP6Dr9e4hREDy/eRLqgCgmIni uUSbjooUXKitz/8J+LtO7Ho= =uYGL -----END PGP SIGNATURE----- From hawke at hawkesnest.net Wed May 25 20:04:04 2005 
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed May 25 20:05:41 2005
Subject: Help with Enigmail and other issues
In-Reply-To: <4294B93D.1080908__37420.6654415049$1117043141$gmane$org@gmx.de>
References: <5c7cd52105052501293df4759d@mail.gmail.com> <4294B93D.1080908__37420.6654415049$1117043141$gmane$org@gmx.de>
Message-ID:

=k3Rn= wrote:

> What does these options really have to do with Enigmail's work? Does
> this auto-key-retrieve have any effect on Enigmail?

It allows Enigmail to import the key used to sign a mail without prompting.

-Alex Mauer "Hawke"

From imacat at mail.imacat.idv.tw Wed May 25 20:23:49 2005
From: imacat at mail.imacat.idv.tw (imacat)
Date: Wed May 25 21:08:13 2005
Subject: Secret Key UID Missing
In-Reply-To: <20050525135637.1141.IMACAT@mail.imacat.idv.tw>
References: <20050525135637.1141.IMACAT@mail.imacat.idv.tw>
Message-ID: <20050526022159.D55C.IMACAT@mail.imacat.idv.tw>

Well, after some hacking, I think I'd found the answer to manipulate the secret key UID now. I think this is worth sharing. It may not be the intention of the authors, but in the meantime, while secret key UID management is not available, this should provide some solution. This method should work for people who want to add a secret key UID, delete a secret key UID, or bla bla bla. Though, GnuPG itself should provide some way to synchronize the secret key UID with the public key UID, or drop the secret key UID completely.

I got the idea from this article:

http://lists.gnupg.org/pipermail/gnupg-devel/2000-January/016247.html
> The user IDs are actually not needed in the secret key but they are
> normally created to make the listening easier.

If the secret key UID is "only" created to make the listening easier, I can reasonably assume that it is irrelevant to the corresponding public key UID. Then, if I backup and drop the original public key UID that has many signatures, create a new dummy public/secret key UID pair with exactly the same name, e-mail and comment, and replace the dummy new public key UID with my original, backuped one, the new secret key UID should be paired with the original, signed public key UID. Then, I'll have a new secret key UID to use.

This works. Here are the actual steps involved.

====================================
imacat@rinse ~ % gpg --edit 30B94B5C
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.
pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> check uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao Command> toggle sec 1024D/30B94B5C created: 2002-07-04 expires: never ssb 4096g/266EF40E created: 2002-07-04 expires: never (1) ??? (imacat) Command> toggle pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> quit imacat@rinse ~ % cp .gnupg/pubring.gpg .gnupg/pubring.gpg-bak imacat@rinse ~ % gpg --edit 30B94B5C gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> check uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao Command> toggle sec 1024D/30B94B5C created: 2002-07-04 expires: never ssb 4096g/266EF40E created: 2002-07-04 expires: never (1) ??? 
(imacat) Command> toggle pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> uid 2 pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2)* ??? (imacat) Command> deluid Really remove this user ID? (y/N) y pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) Command> check uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao Command> toggle sec 1024D/30B94B5C created: 2002-07-04 expires: never ssb 4096g/266EF40E created: 2002-07-04 expires: never (1) ??? (imacat) Command> toggle pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) Command> adduid Real name: ??? Email address: imacat@pristine.com.tw Comment: imacat You are using the `utf-8' character set. You selected this USER-ID: "??? (imacat) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a passphrase to unlock the secret key for user: "??? (imacat) " 1024-bit DSA key, ID 30B94B5C, created 2002-07-04 pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> check uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao uid ??? 
(imacat) sig!3 30B94B5C 2005-05-25 [self-signature] Command> toggle sec 1024D/30B94B5C created: 2002-07-04 expires: never ssb 4096g/266EF40E created: 2002-07-04 expires: never (1) ??? (imacat) (2) ??? (imacat) Command> toggle pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> save imacat@rinse ~ % cp .gnupg/pubring.gpg-bak .gnupg/pubring.gpg cp: overwrite `.gnupg/pubring.gpg'? y imacat@rinse ~ % gpg --edit 30B94B5C gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 45 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 valid: 45 signed: 0 trust: 5-, 0q, 0n, 40m, 0f, 0u gpg: next trustdb check due at 2005-10-22 pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? (imacat) Command> check uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao uid ??? (imacat) sig!3 30B94B5C 2005-05-16 [self-signature] sig! 11C02382 2005-05-25 Ying-Chieh Liao Command> toggle sec 1024D/30B94B5C created: 2002-07-04 expires: never ssb 4096g/266EF40E created: 2002-07-04 expires: never (1) ??? (imacat) (2) ??? (imacat) Command> toggle pub 1024D/30B94B5C created: 2002-07-04 expires: never usage: CS trust: ultimate validity: ultimate sub 4096g/266EF40E created: 2002-07-04 expires: never usage: E [ultimate] (1). ??? (imacat) [ultimate] (2) ??? 
(imacat) Command> quit imacat@rinse ~ % -- Best regards, imacat ^_*' PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt <> News: http://www.wov.idv.tw/ Tavern IMACAT's: http://www.imacat.idv.tw/ TLUG List Manager: http://www.linux.org.tw/mailman/listinfo/tlug -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available Url : /pipermail/attachments/20050526/018b1569/attachment.pgp From shatadal at vfemail.net Wed May 25 23:11:33 2005 From: shatadal at vfemail.net (Shatadal) Date: Thu May 26 00:07:29 2005 Subject: Minnesota court takes dim view of encryption Message-ID: <4294EA05.2010605@vfemail.net> From http://news.com.com/Minnesota+court+takes+dim+view+of+encryption/2100-1030_3-5718978.html "A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent." From bzag0 at yahoo.com Thu May 26 00:40:30 2005 From: bzag0 at yahoo.com (Robert Zagarello) Date: Thu May 26 00:36:57 2005 Subject: Minnesota court takes dim view of encryption In-Reply-To: 6667 Message-ID: <20050525224031.89492.qmail@web53802.mail.yahoo.com> What? You expect the age of enlightenment? You forget who's President. Usually when the head stinks the fish is not far behind. BZAG =========================== --- Shatadal wrote: > From > http://news.com.com/Minnesota+court+takes+dim+view+of+encryption/2100-1030_3-5718978.html > > "A Minnesota appeals court has ruled that the > presence of encryption > software on a computer may be viewed as evidence of > criminal intent." > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From hawke at hawkesnest.net Thu May 26 02:19:46 2005 
From: hawke at hawkesnest.net (Alex L. Mauer) Date: Thu May 26 02:17:00 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions In-Reply-To: <87oeazlf3n.fsf__24607.9461802312$1117023403$gmane$org@deneb.enyo.de> References: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> <87oeazlf3n.fsf__24607.9461802312$1117023403$gmane$org@deneb.enyo.de> Message-ID: Florian Weimer wrote: > * Sean C.: > > >>The I.B.M. software would convert data on a person into a string of seemingly >>random characters, using a technique known as a one-way hash function. No >>names, addresses or Social Security numbers, for example, would be embedded >>within the character string. > > > For most applications, this is just a speed bump because the search > space is rather small. It's even worse for the no-fly list because > you have to apply some data reduction first (think SOUNDEX): a lot of > the names on them have varying transliteration. Can you expand on this? How could the Name/address/ssn be retrieved from a hash of the same? How would data reduction be necessary? Couldn't everything be represented in Unicode? Of course, that doesn't solve the transliteration problem, but then again it's no different than the status quo in that respect ("Alex Mauer" != "Aleks Mauer") -- Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon. Worse - The cop is drunk too, and he's a mean drunk. FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles. gpg/gpg key id: 51192FF2 @ subkeys.pgp.net -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050525/c5d23eea/signature.pgp From brunij at earthlink.net Thu May 26 04:11:44 2005 
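The two weaknesses raised in the hash-matching thread above (matching breaks on small formatting differences, and a small space of plausible names can simply be hashed and looked up), worked through as an added example that is not part of any list message. The `normalize` rule and the guess lists `FIRST`/`LAST` are assumptions made for the illustration, and plain SHA-1 stands in for whatever function the system described in the article uses.

```python
import hashlib
import itertools
import re

# Names from the example in the thread; the digests computed here are real
# SHA-1 values rather than the thread's placeholders ("foo", "bar", ...).
WATCH_LIST = ["Alex Mauer", "Billy Z Williamson", "Corgi McCorkerton"]
PASSENGERS = ["Billy Z. Williamson", "Alex Mauer", "Fenster LeCrab"]

# Constructed guess lists (assumption): what someone holding only the
# digests might try, e.g. names taken from a public directory.
FIRST = ["Alex", "Billy Z", "Corgi", "Fenster"]
LAST = ["Mauer", "Williamson", "McCorkerton", "LeCrab"]


def identity(name):
    """No canonicalisation: hash the name exactly as written."""
    return name


def normalize(name):
    """Assumed canonical form: case-folded, punctuation dropped, single spaces."""
    stripped = re.sub(r"[^\w\s]", "", name.casefold())
    return " ".join(stripped.split())


def digest(name, canon=identity):
    """Hex SHA-1 of the (optionally canonicalised) name."""
    return hashlib.sha1(canon(name).encode("utf-8")).hexdigest()


def publish(names, canon=identity):
    """What one party hands to the other: digests only, no names."""
    return {digest(n, canon) for n in names}


def match(published, names, canon=identity):
    """Names from our own list whose digest appears in the other party's set."""
    return [n for n in names if digest(n, canon) in published]


def candidate_names(first_names, last_names):
    """Every first/last combination: the whole search space for this toy case."""
    return [f"{f} {l}" for f, l in itertools.product(first_names, last_names)]


def recover(published, candidates, canon=identity):
    """Hash each candidate and look it up in the published digests.

    The hash is never inverted; the input space is just small enough to
    enumerate, which is why digests of names do not hide the names.
    """
    found = {}
    for cand in candidates:
        d = digest(cand, canon)
        if d in published:
            found[d] = cand
    return found


if __name__ == "__main__":
    raw = publish(WATCH_LIST)
    print("exact-string match:", match(raw, PASSENGERS))

    canon = publish(WATCH_LIST, normalize)
    print("after normalisation:", match(canon, PASSENGERS, normalize))

    guesses = candidate_names(FIRST, LAST)
    hits = recover(raw, guesses)
    print(f"{len(hits)} of {len(raw)} digests reversed with {len(guesses)} guesses")
```

Both parties have to apply the same canonical form before hashing, otherwise the period after "Z" is enough to hide a match.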
From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Thu May 26 04:07:36 2005 Subject: Minnesota court takes dim view of encryption In-Reply-To: <20050525224031.89492.qmail@web53802.mail.yahoo.com> References: <20050525224031.89492.qmail@web53802.mail.yahoo.com> Message-ID: Last time I checked, the President doesn't appoint judges in Minnesota, the Governor does. On May 25, 2005, at 3:40 PM, Robert Zagarello wrote: > What? You expect the age of enlightenment? You > forget who's President. Usually when the head stinks > the fish is not far behind. > From bzag0 at yahoo.com Thu May 26 04:18:35 2005 From: bzag0 at yahoo.com (Robert Zagarello) Date: Thu May 26 04:14:49 2005 Subject: Minnesota court takes dim view of encryption In-Reply-To: 6667 Message-ID: <20050526021835.86517.qmail@web53803.mail.yahoo.com> So? Minnesota isn't undergoing the same nonsense as the rest of the country? You underestimate your red state colleagues' influence in ANY state. --- Joseph Oreste Bruni wrote: > Last time I checked, the President doesn't appoint > judges in > Minnesota, the Governor does. > > > > On May 25, 2005, at 3:40 PM, Robert Zagarello wrote: > > > What? You expect the age of enlightenment? You > > forget who's President. Usually when the head > stinks > > the fish is not far behind. > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Thu May 26 04:25:43 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu May 26 04:22:11 2005 Subject: Unicode support In-Reply-To: <429461CE.7070905@intertivity.com> References: <429461CE.7070905@intertivity.com> Message-ID: <20050526022543.GA16716@jabberwocky.com> On Wed, May 25, 2005 at 01:30:22PM +0200, Sascha Kiefer wrote: > Hi list, > > Assume, i have a mail text body; it's charset is something other than > us-ascii. > Does it work (have not tried it yet) to convert the data to utf-8 and > then signing it armored? GPG doesn't really care very much about the format of the data you give it to sign. If you put in UTF-8, you'll get a signature over UTF-8. If you put in something else, you'll get a signature over something else. David From erpo41 at hotpop.com Thu May 26 10:27:33 2005 
From: erpo41 at hotpop.com (Erpo) Date: Thu May 26 10:23:33 2005 Subject: Minnesota court takes dim view of encryption In-Reply-To: <4294EA05.2010605@vfemail.net> References: <4294EA05.2010605@vfemail.net> Message-ID: <1117096053.5427.38.camel@localhost.localdomain> On Wed, 2005-05-25 at 16:11 -0500, Shatadal wrote: > From > http://news.com.com/Minnesota+court+takes+dim+view+of+encryption/2100-1030_3-5718978.html > > "A Minnesota appeals court has ruled that the presence of encryption > software on a computer may be viewed as evidence of criminal intent." That bit from the article appears to disagree with, or at least highly exaggerate, what it says later on: Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser. I think this is the core of the decision: Ari David Levie [...] argued on appeal that the PGP encryption utility on his computer was irrelevant and should not have been admitted as evidence during his trial. [...] "We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3. It sounds like they're arguing over whether or not the prosecution is allowed to tell the jury that Levie had cryptography software on his computer, rather than whether or not that fact "may be used as evidence of criminal intent." Then again, I'm not a lawyer. Here's my favorite part: The court didn't say [...] how it would view the use of standard software like OS X's FileVault. I think that's the clearest, most compact set of instructions for success to the cryptography community I've ever seen. 
Right now, the use of cryptography by regular desktop users is almost so uncommon that someone who has an encryption program or who transfers encrypted data might as well be shouting out, "I'm doing something I don't want other people to know about." Cryptographic capabilities must be integrated into every popular OS and application in such a way as to make it automatic and easy to encrypt everything, no matter how mundane, from IMs to downloaded device drivers. Once everyone is doing it, the people who really need privacy can have it. At the same time, there's a warning about a conflict between two important social values. The first is the high priority given to preserving free speech and, by necessity, anonymous and private speech. The second is the disapproval directed at people who think, do, or say certain things that aren't a component of "normal" behavior. Both values have their place, but the cryptography promoter must take care to note that while "preserving free speech in all its forms" and "preventing people from possessing or trading child pornography" are mutually exclusive goals, "preserving free speech in all its forms" and "prosecuting sexual abuse" are certainly not. My two bits, Eric From markus at breitlander.com Tue May 24 05:52:37 2005 
From: markus at breitlander.com (=?ISO-8859-15?Q?Markus_Breitl=E4nder?=) Date: Thu May 26 10:27:46 2005 Subject: Filesystem Encrytion with GnuPG ?! Message-ID: <4292A505.2030500@breitlander.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey, is it possible to use GnuPG for filesystem encryption? I am thinking about having a directory tree o your hard disk that is encrypted using GnuPG PKI - only accessible with once secret-key + mantra. Are there solutions like that for Windows? I read about implementations on Linux using 'cryptloop'. Greetings, =k3Rn= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCkqUFyvnXaATkR5IRAj1fAJ47/kygU4C+thU78yba7pmXfiAjjwCePqun jLe+c3gzBuQCVF0wP/raXhk= =HJlN -----END PGP SIGNATURE----- From youssef.aoun at gmail.com Wed May 25 19:29:41 2005 From: youssef.aoun at gmail.com (Youssef Aoun) Date: Thu May 26 10:27:50 2005 Subject: Choice of Algorithm Message-ID: <4294B605.1000008@gmail.com> Hello everyone, How should I choose an algorithm for my key. Since ElGamal is able to make signatures and encryption... why do we have other alternatives? Does it help to have multiple key?? Sincerely yours Youssef Aoun From alex_box at web.de Tue May 24 18:35:45 2005 From: alex_box at web.de (Alexander Hoffmann) Date: Thu May 26 10:27:54 2005 Subject: RC2 Message-ID: <429357E1.8090800@web.de> Hello, i don't know if it is the best place to ask this type of questions, but if i'm wrong here could you tell me a right mailing list fot it. I want to decrypt rrc2 encrypted mails and use libgcrypt for this purpose. As i know the RC2 algorithm is implemented in libgcrypt (rfc2268.c), but it will not be compiled (i concluded it from "libgcrypt-config --algorithms" output). What should i do to get the RC2 algorithm compiled? I use libgcrypt-1.2.1 From gpg.20.subu at spamgourmet.com Wed May 25 09:59:35 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Thu May 26 10:27:59 2005 Subject: KMail and smartcard - what is a "stub" secret key ? Message-ID: <1117007975.22626.234904667@webmail.messagingengine.com> Hi I'm new here Sorry to butt in > >For gpg it makes no difference whether the key is on the disk or on >the card. This is because we create a "stub"- secret key for every >card key. gpg -K will show you the serial number of the cards >associated with that secret key. > what is a "stub" secret key ? I thought that If I keep my keyring on a USB drive, there would be *no trace of it* on the Hard Disk Somehow your answer seems to imply that the Hard Disk has some info about keys on other drives TIA Subu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Werner Koch - wk@gnupg.org wrote: >On Tue, 24 May 2005 06:41:24 +0200, Chris said: > >>How can I use the smartcard in KMail? I cannot choose its keys in the Identity >>management. > > >Does "gpg -K" list your key? This is what Kmail displays. > >You are using a decent Kmail (with all the crypto tabs in the >configuration dialog and the requirement for gpg-agent)? > >>Using a key from the harddrive does work without problems. > > >For gpg it makes no difference whether the key is on the disk or on >the card. This is because we create a "stub"- secret key for every >card key. gpg -K will show you the serial number of the cards >associated with that secret key. > >If you generated the card key on another machine, please run "gpg >--card-status" once on the new machine to create such a stub key. > > >Shalom-Salam, > > Werner > > From fd0man at gmail.com Wed May 25 09:22:43 2005 
From: fd0man at gmail.com (Michael B. Trausch) Date: Thu May 26 10:28:03 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions In-Reply-To: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> References: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> Message-ID: <429427C3.5070501@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Sean C. wrote: > > I'm confused though. > I just read this article from the New York Times. As a newbie to encryption and > hash algorithms I thought the idea behind hashes was that you couldn't > reconstruct the data from the hash. > You can't, but if you have matching data, the hash will match. For example: List A: - Item 234 sample hash: asdfsdd - Bubble 332 sample hash: ef2342h - Wonky 093 sample hash: 23jasld List B: - Item 324 sample hash: eja8357 - Silly 325 sample hash: aj3hht5 - Item 234 sample hash: asdfsdd That would be the "match", then they can ask for the data behind the match to be revealed. - -- Michael B. Trausch Website: http://fd0man.chadeux.net/ Jabber: mtrausch@jabber.com Phone: +1-(678)-522-7934 FAX (US Only): 1-866-806-4647 =================================================================== Do you have PGP or GPG? Key at pgp.mit.edu, Please Encrypt E-Mail! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFClCfDPXInbkqM7nwRAyCtAJ9HVOy087Fsk+ZU3BBbqEu4XtkGTQCbB/kt bL7t6HAeYG73GwwweHB0sMo= =h0H5 -----END PGP SIGNATURE----- From hhhobbit at securemecca.net Thu May 26 08:12:32 2005 
From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu May 26 10:28:08 2005 Subject: Feature request: Add date and time to filename of encrypted file In-Reply-To: References: <1116931926.15224.11.camel@gandalf.hydrathink.org> Message-ID: <1117087953.6375.92.camel@gandalf.hydrathink.org> On Tue, 2005-05-24 at 21:07 +0930, Roscoe wrote: > Hmmm, out of curiosity did you intend to send that to the list? Nope. And although I am sending this one to the list, it is for PRIVATE distribution and discussion only. I don't think it is of general interest. Then again, I could be wrong...it has happened lots of times before now. > I probably should use 4 digits for the year, no point in perpetuating > y2k-like bugs. > The reasoning behind putting the year first, then the month, then the > day is that its in order of significance. If a list of files named > according to $STR.%Y%m%d is put in alphabetical order, then obviously > they'll also be in chronological order, which is somewhat handy at > times :). I agree. You may be better off with underscores between the year, month, and day, with the month being numerical. That makes it handy to feed into sort. Then again, I have had so many problems with the REGEXP in sort I have written my own sort utility. Basically, my ssort uses a highly modified heap sort that does no REGEXP at all. Yes, it runs faster than the generic qsort() function. That is why I wrote it. I write C code faster than I can write shell (sh) scripts. > While I'm not honestly sure what intentions the gnupg team have for > gnupg, I've always thought it was very much a *nix type app. > >From the FAQ: They have now finally totally automated the install of GnuPG on Windows, including writing in the proper registry settings. In other words, they are NOT ignoring Window's presence, and GnuPG integrates very well with Enigmail / Thunderbird, including the automatic importation of keys on Windows. 
In fact the whole installation is pretty much point and click now. I do not consider that to be indicative that the GnuPG camp is ignoring the Microsoft Windows platform. I do wish they would NOT auto generate the keys at install time, since I import mine from the Linux platform (JUST COPY THEM INTO PLACE). > "1.1) What is GnuPG? > > GnuPG stands for GNU Privacy Guard and is GNU's tool for secure > communication and data storage...." > > "1.3) Is GnuPG free to use for personal or commercial use? > > Yes. GnuPG is part of the GNU family of tools and applications built > and provided in accordance with the Free Software Foundation (FSF) > General Public License (GPL)..." > > By reading that it kind of feels as if the purpose of gnupg is to > serve as a tool in the GNU OS (using your choice of kernel which at > present appears to only be kFreeBSD and Linux. Hurd's usable [just, > and not for much], though gnupg won't run [out of the box, at least]). > So while Windows is has most of the desktop market share, I typically > answer questions regarding gnupg under the assumption that the user is > using gnupg in a GNU or close to userland. > As far as feature additions go, my opinion of them is that if theres a > feature lacking, then it should be implemented. In this case theres > not, as date and the shell provide such functionality [which are part > of any functioning GNU userland]. > > (That said, I'm sure theres a Windows equivalent of a similar command > that has the some outcome though knowledge of how to use Windows is > beyond me, I've asked those immediately near me that use that OS as to > what a possible solution is but no ones answered :(, yet?) There isn't a 'Nix DATE equivalent on Windows (something that you would use inside a Windows Shell Script) unless you install CygWin, MKS, or similar Unix utilities. With CygWin you get bash and the whole enchilada. The TIME and DATE commands provided by Microsoft do NO formatting. 
If you type them without an argument, they will prompt you for the argument which is either the date or the time respectively you want to reset the machine to. If you intend to use them and assign them to a variable in Windows Shell Scripting, it gets really messy. Trust me on this one - I have been there and I am not going that way again! You have to create a file with an empty line to redirect into the date or time command to get rid of the nasty query for the set parameter! Windows Shell Scripting is nothing more than batch, updated badly. For the life of me, I don't understand how they could do things so badly. No wonder David Korn roasted them. That leaves us with Windows Script Host, with Microsoft providing JScript (derived from JavaScript but meant for local, not network use) and VBScript (derived from Visual Basic). The DATE object is available in JScript, but I can find no reference to it in VBScript. I would like to say it is there, but I don't know whether it is or not. Every time you execute a JScript or VBScript script (actually a Windows Script Host script which can mix not only JScript and VBScript but ActivePython, PerlScript, and Object REXX all in the same script - well, sort of) in cmd.exe and want to force the run time execution environment you have to type either:

    REM To execute inside the cmd window itself
    cscript NAME_OF_SCRIPT
    REM - or - to execute in a GUI
    wscript NAME_OF_SCRIPT

wscript is the default (the default can easily be changed to cscript, then back to wscript if desired). If you just double click on the script, you get the default. cscript runs in a cmd.exe (Command Prompt), whereas wscript is a GUI kind of like TK/TCL (GTK). The problem is, it just isn't as simple to do the date on Windows as it is with the 'Nix date command in a shell script. YOU HAVE TO WRITE A WHOLE STINKING SCRIPT JUST TO DO THE DATE! Also, there is no such thing as a backquote. 
Yep, you have to write the stuff into a file, or go through a lot of messy crap just to get the string that you want! Complicating matters even further, I still don't know how to access the environment variables in either JScript or VBScript. I am sure you MUST be able to do it. In other words, I am in a learning process on all of this right now. It took me MONTHS to write the gvimc.bat command to delete my _viminfo file, no matter who I am logged in as. I usually do NOT want to go back exactly to where ever I was in a given file when I edit it again. I also don't want it remembering my searches, etc. Here is my gvimc.bat file that lets me start clean:

    @echo off
    if "%1" == "" goto instruct
    if exist "%USERPROFILE%\_viminfo" del "%USERPROFILE%\_viminfo"
    gvim %*
    goto :EOF
    :instruct
    Echo "Usage: gvimc file1 [file2] [file3] ..."

Try as I might, I still don't know how to access the %USERPROFILE% from JScript (I prefer it to VBScript because it has more of the options I use). I am pretty sure you can, but I have waded through an entire book and never found it. Now that you have said this, I need to move on to another thick book that covers ONLY JScript and VBScript in more detail. The thicker book is ignoring Windows Shell Scripting. I HAVE NO IDEA HOW IMPORTANT THIS IS TO WINDOWS PEOPLE! If it is important, I think Werner, Atom Smasher, and others may want to reconsider this. Without input from Windows people (I work on Linux, OpenBSD, FreeBSD, MS Windows, Sun Solaris, and IBM AIX in that order in terms of frequency) that work ONLY on Windows, we are in the dark. I suspect Werner is right. It is a non issue with Windows users since they probably use GnuPG just for signing and encrypting email. Now you know why I didn't send it to the list. This note is NOT of general interest, and the added functionality requested may not be important. Then again, maybe it is. 
Henry Hertz Hobbit -- Key Name: "Henry Hertz Hobbit" pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 From hhhobbit at securemecca.net Thu May 26 09:08:00 2005 
From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu May 26 10:28:13 2005 Subject: Minnesota court takes dim view of encryption Message-ID: <1117091280.6558.24.camel@gandalf.hydrathink.org> --- Shatadal wrote: > From > http://news.com.com/Minnesota+court+takes+dim+view+of +encryption/2100-1030_3-5718978.html > > "A Minnesota appeals court has ruled that the > presence of encryption software on a computer may be > viewed as evidence of criminal intent." > Then I must be one terrible criminal! I do LOTS of research into Porn sites (to block them). But then again, they are some of the worst offenders at implanting spies (it is good I do most of my research from 'nix) which I also work at ferreting out and containing in one way or another. The only files that are encrypted on my machine are the ones I don't want some hacker to get because the AV vendors failed to discover the Trojan Horse I had for 1-3 months (the one month before discovery was guaranteed). Yes, it really happened to me! Believe it or not, the Trojan was implanted in some Security tools for Windows - thank goodness I have a waiting period for software I download from questionable sources before I put them into use. If I had ran the programs, there is no telling how much information the Trojan would have siphoned off. Given the fact that it was encrypted, it wouldn't have been very useful to them... All I use encryption for is to protect my personal data (financial and other stuff), and signing messages. The latter is EXTREMELY important. I have had too many wormers pretending to be somebody else that have sent me messages that ostensibly came from somebody else. The FBI must have sent them. There is more truth in that phrase than most people would ever realize. Anybody know of a good country I can move to? The Fascist States of America is getting pretty bad... For heaven's sake, NO I am not in favor of the activity the person was engaged in! 
But since PGP was not used to hide the evidence and the idiot didn't even clean out his browser history - what can you say? Wouldn't it be interesting to discover that the version of PGP he was using was over seven years old and had never been used? Henry Hertz Hobbit -- Key Name: "Henry Hertz Hobbit" pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 From alex_box at web.de Thu May 26 14:12:06 2005 From: alex_box at web.de (Alexander Hoffmann) Date: Thu May 26 14:07:14 2005 Subject: RC2 Message-ID: <4295BD16.8090601@web.de> Hi Johan, you may be right. I tried it with ./configure --enable-ciphers="aes,...,rfc2268" und after that found in Makefile rfc2268 among the algorithms to be compiled, but after installation rfc2268 is still missed in output "libgcrypt-config --algorithms" Johan Wevers wrote: >> Alexander Hoffmann wrote: >> >> > >>>>purpose. As i know the RC2 algorithm is implemented in libgcrypt >>>>(rfc2268.c), but it will not be compiled (i concluded it from >>>>"libgcrypt-config --algorithms" output). What should i do to get the RC2 >>>>algorithm compiled? >>>>I use libgcrypt-1.2.1 > >> >> >> I don't know libgcrypt, but it is probably a compile option. Check the >> configure scripts and/or the Makefile. This is sometimes done because >> RC2 is patented in some countries. I had to change the Slackware >> configure scripts for OpenSSL and recompile for the same reason. From mwood at IUPUI.Edu Thu May 26 16:34:07 2005 
From: mwood at IUPUI.Edu (Mark H. Wood) Date: Thu May 26 16:29:59 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions In-Reply-To: References: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> <87oeazlf3n.fsf__24607.9461802312$1117023403$gmane$org@deneb.enyo.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 25 May 2005, Alex L. Mauer wrote: > Florian Weimer wrote: > > * Sean C.: > >>The I.B.M. software would convert data on a person into a string of seemingly > >>random characters, using a technique known as a one-way hash function. No > >>names, addresses or Social Security numbers, for example, would be embedded > >>within the character string. > > For most applications, this is just a speed bump because the search > > space is rather small. It's even worse for the no-fly list because > > you have to apply some data reduction first (think SOUNDEX): a lot of > > the names on them have varying transliteration. > > Can you expand on this? > > How could the Name/address/ssn be retrieved from a hash of the same? Organization A know a name and the hash they calculated from it. Organization B know a name and the hash they calculated from it. If the hashes match, either A or B can request from B resp. A the plaintext corresponding to the ordinal of the hash record that matched, to verify the hit. Now A and B share the plaintext. The plaintext is not recovered from the hash; it's requested from the entity which has it, using the hash to find it. The whole point of using a hash is to make it extremely unlikely that either party could recover the plaintext unilaterally. It's like having a vault with two different locks, and giving the keys to two different people, to make abuse more difficult by requiring collusion for a successful penetration. > How would data reduction be necessary? Couldn't everything be > represented in Unicode? 
Of course, that doesn't solve the > transliteration problem, but then again it's no different than the > status quo in that respect ("Alex Mauer" != "Aleks Mauer") It's worse than that. I don't know of anybody who spells his name "Aleks", but both "Yuri" and "Yuriy" are in use, not to mention (usually from another part of the world) "Uri". Likewise both "Mark" and "Marc" are common. It doesn't have to be an error to be a false mismatch. If I understand what e.g. Soundex does, it should be possible to compare hashes of Soundex-coded strings in order to reduce the incidence of false mismatches. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFCld5is/NR4JuTKG8RAqsqAKCXvFZw/mOM8GgknyYoUjSGl9CQWACfd19L j0DKGl/aUDNSQbJPKifORzQ= =Ebbn -----END PGP SIGNATURE----- From rmalayter at bai.org Thu May 26 18:52:28 2005 
From: rmalayter at bai.org (Ryan Malayter) Date: Thu May 26 18:48:46 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions Message-ID: <792DE28E91F6EA42B4663AE761C41C2A0424A202@cliff.bai.org> [Alex L. Mauer] > Can you expand on this? > > How could the Name/address/ssn be retrieved from a hash of the same? > The data can be recovered from the hash because search space is small. Say you are looking for the SSN of a John Smith. Every large DB is bound to have someone named John Smith. If you have access to the hash DB, all you need to do is calculate the hash of "John/Smith/000-00-0000", "John/Smith/000-00-0001", etc. until you find a matching hash. Iterating through all the SSN possibility, that's only a 30-bit search space, and can probably be handled by a modern CPU in a few minutes. Once you find a match, you know James's SSN. Things get much easier if you know a particular person is in the DB, or know more about them to remove certain variables that might be in the hash. Even adding the home address to the hash isn't useful, because there are 400 MB files that contain every street address in the US available on the market. From atom at smasher.org Thu May 26 19:14:34 2005 
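The hash-matching scheme discussed in this thread, as an added Python example that is not part of any poster's message: two lists are compared by hash only, first on exact names and then on Soundex codes, and a small numeric field is shown to be enumerable unless the hash is keyed. SHA-256, the HMAC variant, the function names and all sample records are assumptions or constructed data; the thread does not say which hash or record format the IBM software uses.

```python
import hashlib
import hmac
import math

# Soundex digit classes; vowels, H, W and Y carry no code.
_CODES = {c: d for d, group in
          {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
           "4": "L", "5": "MN", "6": "R"}.items()
          for c in group}


def soundex(name):
    """American Soundex: first letter plus three digits, zero padded."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        return ""
    out, prev = letters[0], _CODES.get(letters[0], "")
    for c in letters[1:]:
        code = _CODES.get(c, "")
        if code and code != prev:
            out += code
        if c not in "HW":            # H and W do not separate equal codes
            prev = code
    return (out + "000")[:4]


def exact(name):
    """Minimal normalization: trim and lower-case only."""
    return name.strip().lower()


def digest(record, key=None):
    """Unkeyed SHA-256, or HMAC-SHA-256 when a secret key is supplied."""
    data = record.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def matches(list_a, list_b, normalize):
    """Pairs (a, b) whose hashes agree; only hashes are ever compared."""
    index = {}
    for b in list_b:
        index.setdefault(digest(normalize(b)), []).append(b)
    return [(a, b) for a in list_a
            for b in index.get(digest(normalize(a)), [])]


def search_space_bits(candidates):
    """Size of a search space in bits, e.g. 10**9 nine-digit numbers."""
    return math.log2(candidates)


def enumerate_suffix(target, prefix, digits, key=None):
    """Hash every zero-padded numeric suffix; return the one matching target.

    Without the right key a keyed target is never reproduced, so the
    function returns None after exhausting the space.
    """
    for n in range(10 ** digits):
        suffix = str(n).zfill(digits)
        if digest(prefix + suffix, key) == target:
            return suffix
    return None


# Constructed sample data, not taken from any real list.
LIST_A = ["Yuri", "Mark", "Alex", "Robert"]
LIST_B = ["Yuriy", "Uri", "Marc", "Aleks", "Rupert"]
SECRET = b"constructed-secret"           # hypothetical shared key

if __name__ == "__main__":
    print("exact  :", matches(LIST_A, LIST_B, exact))
    print("soundex:", matches(LIST_A, LIST_B, soundex))
    print("9-digit space: %.1f bits" % search_space_bits(10 ** 9))
    record = "John/Smith/4271"           # constructed 4-digit identifier
    print("unkeyed:", enumerate_suffix(digest(record), "John/Smith/", 4))
    print("keyed  :", enumerate_suffix(digest(record, SECRET), "John/Smith/", 4))
```

Soundex pairs "Yuri" with "Yuriy" but not with "Uri", and it also pairs "Robert" with "Rupert". A key only helps against a party that does not hold it: anyone who has both the key and the hash list can enumerate exactly as before.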
From: atom at smasher.org (Atom Smasher) Date: Thu May 26 19:10:25 2005 Subject: Minnesota court takes dim view of encryption In-Reply-To: <1117096053.5427.38.camel@localhost.localdomain> References: <4294EA05.2010605@vfemail.net> <1117096053.5427.38.camel@localhost.localdomain> Message-ID: <20050526171438.96153.qmail@smasher.org> On Thu, 26 May 2005, Erpo wrote: > Cryptographic capabilities must be integrated into every popular OS and > application in such a way as to make it automatic and easy to encrypt > everything, no matter how mundane, from IMs to downloaded device > drivers. Once everyone is doing it, the people who really need privacy > can have it. ======================== one would have to go out of their way to find a current web browser that doesn't support SSL/TLS. it could then be argued (by aspiring dictators) that anyone with a current web browser has intent to commit a crime... or intent to make a purchase... or intent to check their bank statement... or intent to log into their office securely... but probably (in the eyes of some) they're plotting the revolution. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Those who profess to favor freedom, and yet deprecate agitation, are men who want rain without thunder and lightning. They want the ocean without the roar of its many waters." -- Frederick Douglass From cedar at 3web.net Thu May 26 17:34:05 2005 
From: cedar at 3web.net (C. D. Rok) Date: Thu May 26 19:23:00 2005 Subject: Filesystem Encrytion with GnuPG ?! In-Reply-To: <4292A505.2030500@breitlander.com> References: <4292A505.2030500@breitlander.com> Message-ID: <4295EC6D.1060902@3web.net> Markus Breitländer wrote: > is it possible to use GnuPG for filesystem encryption? > I am thinking about having a directory tree o your hard disk that is > encrypted using GnuPG PKI - only accessible with once secret-key + mantra. > Are there solutions like that for Windows? I read about implementations > on Linux using 'cryptloop'. Perfectly good, - better than 'cryptloop', open source solution for Windows already exists, see: http://www.truecrypt.org/ (Linux port has been promised by the developers). cdrok From atom at smasher.org Thu May 26 19:48:29 2005 From: atom at smasher.org (Atom Smasher) Date: Thu May 26 19:44:09 2005 Subject: Filesystem Encrytion with GnuPG ?! In-Reply-To: <4295EC6D.1060902@3web.net> References: <4292A505.2030500@breitlander.com> <4295EC6D.1060902@3web.net> Message-ID: <20050526174829.12079.qmail@smasher.org> speaking of encrypted file-systems, does anyone know what happened to rubberhose.org? -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara From youssef.aoun at gmail.com Thu May 26 20:12:30 2005 From: youssef.aoun at gmail.com (Youssef Aoun) Date: Thu May 26 20:08:36 2005 Subject: Choice of Algorithm Message-ID: <4296118E.4020804@gmail.com> Hello everyone, How should I choose an algorithm for my key. Since ElGamal is able to make signatures and encryption... why do we have other alternatives? Does it help to have multiple key?? Sincerely yours Youssef Aoun From sohailm01 at gmail.com Thu May 26 19:31:48 2005 
From: sohailm01 at gmail.com (Sohail Mamdani) Date: Thu May 26 20:28:05 2005 Subject: PGP 8.1 message Message-ID: <38b7866705052610316505cce7@mail.gmail.com> Hello, I am having some problems with messages and keys created/encrypted using PGP 8.1. I was, for example, sent a public key block exported from PGP 8.1 and gnupg refused to import that key into my keyring, giving me the message "gpg: no valid OpenPGP data found". I had to install PGP 9.0, import the keys into that, export them from PGP 9.0 and then was able to import it into gnupg. Similarly, for the message sent by the same user, I got an error saying "gpg: no valid OpenPGP data found.gpg: decrypt_message failed: eof" when I tried to decrypt a text file he had sent to me containing an ASCII-armored PGP 8.1 message. I'm running GNUPG 1.4.1 on Mac OS X. Appreciate the help... SOhail From hawke at hawkesnest.net Thu May 26 20:33:51 2005 
From: hawke at hawkesnest.net (Alex Mauer) Date: Thu May 26 20:32:48 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions In-Reply-To: References: <20050524154035.yskc0wk0ckws0cwo@webmail.spamcop.net> <87oeazlf3n.fsf__24607.9461802312$1117023403$gmane$org@deneb.enyo.de> Message-ID: Mark H. Wood wrote: > The whole point of using a hash is to make it extremely unlikely that > either party could recover the plaintext unilaterally. It's like having a > vault with two different locks, and giving the keys to two different > people, to make abuse more difficult by requiring collusion for a > successful penetration. Sure, I understand the purpose. But Florian seemed to be saying that it would be simple to retrieve the plaintext, "because the search space is so small". Ryan M. covered that a bit, but mostly from the perspective of guarding against identity theft. It would only protect somewhat against that (making it harder is at least a good start, I'd say)...but unless I'm missing something big it would protect against any party retrieving the entire plaintext passenger list (or whatever it may be) or the entire plaintext watch list. > It's worse than that. I don't know of anybody who spells his name > "Aleks", I don't either personally, but Google says it's pretty common. > but both "Yuri" and "Yuriy" are in use, not to mention (usually > from another part of the world) "Uri". Likewise both "Mark" and "Marc" > are common. It doesn't have to be an error to be a false mismatch. No, but with that level of false negatives you might as well not even bother with the system in the first place. > If I understand what e.g. Soundex does, it should be possible to compare > hashes of Soundex-coded strings in order to reduce the incidence of false > mismatches. And with that level of false positives ... 
http://www.highprogrammer.com/alan/numbers/soundex.html explains how soundex works, and from that it should be obvious that soundex would be a *horrible* choice for this application. Which is not of course to say that it's an unlikely choice. :-D -Alex Mauer "Hawke" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 264 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050526/d7211cdd/signature.pgp From scc4fun at spamcop.net Thu May 26 22:28:19 2005 From: scc4fun at spamcop.net (Sean C.) Date: Thu May 26 22:24:08 2005 Subject: PGP 8.1 message In-Reply-To: <38b7866705052610316505cce7@mail.gmail.com> References: <38b7866705052610316505cce7@mail.gmail.com> Message-ID: <20050526162819.97ow08oc4o4sk48c@webmail.spamcop.net> Perhaps the problem is that the sender is enclosing the public key block in an inline signed portion of the email. When that happens the sending system will modify the headers of the block by adding a hyphen and space "- " before the other dashes. e.g.:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Key stored at www.biglumber.com
Comment: id=8FAAD9B9

mQGiBEHgYRwRBAD7WqGwrIa14m2COdkFi8rKLIQiz/WfzWWehtwpKhqq2eohlD24
...
=PX1l
- -----END PGP PUBLIC KEY BLOCK-----

It does this so as not to confuse the receiving system when trying to check the signature. I'm sure others here can tell you how to get around this depending on what mail program you use. -- "We must become the change we seek." -- Mohatma Ghandi > ----- Message from sohailm01@gmail.com --------- > Date: Thu, 26 May 2005 13:31:48 -0400 
> From: Sohail Mamdani > Reply-To: Sohail Mamdani > Subject: PGP 8.1 message > To: General discussion and help forum for GnuPG > > Hello, > > I am having some problems with messages and keys created/encrypted > using PGP 8.1. I was, for example, sent a public key block exported > from PGP 8.1 and gnupg refused to import that key into my keyring, > giving me the message "gpg: no valid OpenPGP data found". I had to > install PGP 9.0, import the keys into that, export them from PGP 9.0 > and then was able to import it into gnupg. > > Similarly, for the message sent by the same user, I got an error > saying "gpg: no valid OpenPGP data found.gpg: decrypt_message failed: > eof" when I tried to decrypt a text file he had sent to me containt an > ASCII-armored PGP 8.1 message. > > I'm running GNUPG 1.4.1 on Mac OS X. > > Appreciate the help... > > > SOhail > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > ----- End message from sohailm01@gmail.com ----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: PGP Digital Signature Url : /pipermail/attachments/20050526/c7fb8ccd/attachment.pgp From oskar at rbgi.net Fri May 27 01:07:27 2005 
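The dash-escaping described in Sean C.'s message above, undone in an added Python example that is not part of the original post: it takes a cleartext-signed message, strips the "- " prefixes as the OpenPGP specification (RFC 4880, section 7.1) prescribes, and pulls out any armored block that was embedded in the signed text. The function names and the sample message are constructed for illustration, and the sample key and signature data are not real.

```python
import re

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# One complete armored block: a BEGIN line and the END line of the same type.
ARMOR_BLOCK = re.compile(
    r"^-----BEGIN (PGP [A-Z ]+)-----$.*?^-----END \1-----$", re.M | re.S)

# Constructed sample; the base64 payloads are placeholders, not key material.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is my key:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed sample

bm90IGEgcmVhbCBrZXk=
=AAAA
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----

c2FtcGxl
-----END PGP SIGNATURE-----
"""


def dash_unescape(text):
    """Drop the leading '- ' that dash-escaping puts in front of a line."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in text.splitlines())


def cleartext_of(message):
    """Return the unescaped signed text of a cleartext-signed message."""
    lines = message.splitlines()
    starts = [i for i, l in enumerate(lines) if l.rstrip() == SIGNED_BEGIN]
    if not starts:
        raise ValueError("not a cleartext-signed message")
    i = starts[0] + 1
    while i < len(lines) and lines[i].strip():   # "Hash:" armor headers
        i += 1
    body_start = i + 1                           # skip the empty separator line
    # Every body line that begins with '-' is escaped, so the first
    # unescaped signature header is the real end of the signed text.
    for j in range(body_start, len(lines)):
        if lines[j].rstrip() == SIGNATURE_BEGIN:
            return dash_unescape("\n".join(lines[body_start:j]))
    raise ValueError("signature block not found")


def embedded_blocks(text):
    """All complete ASCII-armored blocks found in text."""
    return [m.group(0) for m in ARMOR_BLOCK.finditer(text)]


if __name__ == "__main__":
    # Scanning the raw message finds only the signature block, because the
    # key block's header lines do not start with five dashes.
    print([b.splitlines()[0] for b in embedded_blocks(SAMPLE)])
    # After unescaping, the key block is intact and can be saved to a file.
    for block in embedded_blocks(cleartext_of(SAMPLE)):
        print(block)
```

The unescaped text is only for extracting the embedded block; the signature is still checked against the message as it was received.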
From: oskar at rbgi.net (Oskar L.) Date: Fri May 27 01:03:47 2005 Subject: Additional self-signature In-Reply-To: <87oeb75uip.fsf@wheatstone.g10code.de> References: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net> <87oeb75uip.fsf@wheatstone.g10code.de> Message-ID: <1348.213.169.30.166.1117148847.squirrel@mail.rbgi.net> Werner wrote: > When importing a secret key into a keyring without a public key, a > public key is created from the secret key. Due to historic reasons > the self-signature on the secret key is a different one than the one > created with the public key. How when importing the public key a new > signature will be added and gpg is not able to detects this. This > won't harm because the signatures are effectively identically although > not bit wise. So why do I also get a second self-signature when I first import the public key and then the secret key? Surely some kind of secret key can't be created from the public key? Also, when I delete secring.gpg, why is it recreated when I import a public key? Oskar From dshaw at jabberwocky.com Fri May 27 02:01:44 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri May 27 01:58:00 2005 Subject: Additional self-signature In-Reply-To: <1348.213.169.30.166.1117148847.squirrel@mail.rbgi.net> References: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net> <87oeb75uip.fsf@wheatstone.g10code.de> <1348.213.169.30.166.1117148847.squirrel@mail.rbgi.net> Message-ID: <20050527000144.GA22983@jabberwocky.com> On Fri, May 27, 2005 at 02:07:27AM +0300, Oskar L. wrote: > Werner wrote: > > When importing a secret key into a keyring without a public key, a > > public key is created from the secret key. Due to historic reasons > > the self-signature on the secret key is a different one than the one > > created with the public key. Now when importing the public key a new > > signature will be added and gpg is not able to detect this. This > > won't harm because the signatures are effectively identical although > > not bitwise. > > So why do I also get a second self-signature when I first import the > public key and then the secret key? Surely some kind of secret key can't > be created from the public key? No, it's the other way around. The public key can be created from the secret key. What you are seeing with the second self-signature is a historical oddity. In the past, keys were generated with two different self-signatures - one on the secret key and one on the public key. You are just seeing them both. Newer keys are generated with a single self signature so you only see one. > Also, when I delete secring.gpg, why is it recreated when I import a > public key? It's recreated empty as a placeholder. David From oskar at rbgi.net Fri May 27 09:06:12 2005
From: oskar at rbgi.net (Oskar L.) Date: Fri May 27 09:02:31 2005 Subject: Additional self-signature In-Reply-To: <20050527000144.GA22983@jabberwocky.com> References: <1235.213.169.27.119.1116492082.squirrel@mail.rbgi.net> <87oeb75uip.fsf@wheatstone.g10code.de> <1348.213.169.30.166.1117148847.squirrel@mail.rbgi.net> <20050527000144.GA22983@jabberwocky.com> Message-ID: <1127.213.169.26.20.1117177572.squirrel@mail.rbgi.net> "David Shaw" wrote: > No, it's the other way around. The public key can be created from the > secret key. What you are seeing with the second self-signature is a > historical oddity. In the past, keys were generated with two > different self-signatures - one on the secret key and one on the > public key. You are just seeing them both. Newer keys are generated > with a single self signature so you only see one. Thanks for your answer, but I'm a bit confused now about what exactly you mean by "in the past" and "newer keys", since this is happening even though I'm using the current version (1.4.1, Debian package), and the keypair was also generated using the same version. "Werner Koch" wrote: > It has been fixed in the CVS when creating new keys. Now only one > self-signature is created and used verbatim also for the secret key. > This will go into 1.4.2. Will 1.4.2 also be able to fix the signatures on older keys? Oskar From kernone at gmx.de Fri May 27 09:32:02 2005
From: kernone at gmx.de (=k3Rn=) Date: Fri May 27 09:35:02 2005 Subject: Filesystem Encrytion with GnuPG ?! In-Reply-To: <4295EC6D.1060902@3web.net> References: <4292A505.2030500@breitlander.com> <4295EC6D.1060902@3web.net> Message-ID: <4296CCF2.3090903@gmx.de> Hey, C. D. Rok wrote on 26.05.2005 17:34: > Markus Breitländer wrote: > >> is it possible to use GnuPG for filesystem encryption? >> I am thinking about having a directory tree on your hard disk that is >> encrypted using GnuPG PKI - only accessible with one's secret-key + >> mantra. >> Are there solutions like that for Windows? I read about implementations >> on Linux using 'cryptloop'. > > > Perfectly good, - better than 'cryptloop', open source solution for > Windows already exists, see: > > http://www.truecrypt.org/ I am using TrueCrypt now, i made a filebased encrypted filesystem on my usb-stick, that gets mounted as partition and i am using that to store my gpg secret-keyring. It's all working very well, i am only a little concerned about the protection against bruteforce attacks - as TC uses symmetric encryption. Is it possible to specify a min password length (maybe entropy) from that on the password can be considered 'safe' against bruteforcing? I think i gotta read/think a little more about the whole security issue around it. Regards, =k3Rn= From erpo41 at hotpop.com Fri May 27 11:51:51 2005
From: erpo41 at hotpop.com (Erpo) Date: Fri May 27 11:48:20 2005 Subject: Choice of Algorithm In-Reply-To: <4296118E.4020804@gmail.com> References: <4296118E.4020804@gmail.com> Message-ID: <1117187511.6329.2.camel@localhost.localdomain> On Thu, 2005-05-26 at 20:12 +0200, Youssef Aoun wrote: > How should I choose an algorithm for my key. Unless you really know what you're doing, go with the default. > Since ElGamal is able to make signatures and encryption... why do we > have other alternatives? > Does it help to have multiple keys?? It helps to have multiple algorithms in that there is a backup if one of them is broken. ElGamal isn't used for signing because DSA is The Standard. Eric From dshaw at jabberwocky.com Fri May 27 14:45:55 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Fri May 27 14:42:13 2005 Subject: Additional self-signature In-Reply-To: <1127.213.169.26.20.1117177572.squirrel@mail.rbgi.net> References: <20050527000144.GA22983@jabberwocky.com> <1127.213.169.26.20.1117177572.squirrel@mail.rbgi.net> Message-ID: <20050527124555.GB23129@jabberwocky.com> On Fri, May 27, 2005 at 10:06:12AM +0300, Oskar L. wrote: > "David Shaw" wrote: > > No, it's the other way around. The public key can be created from the > > secret key. What you are seeing with the second self-signature is a > > historical oddity. In the past, keys were generated with two > > different self-signatures - one on the secret key and one on the > > public key. You are just seeing them both. Newer keys are generated > > with a single self signature so you only see one. > > Thanks for your answer, but I'm a bit confused now about what exactly you > mean by "in the past" and "newer keys", since this is happening even > though I'm using the current version (1.4.1, Debian package), and the > keypair was also generated using the same version. "Newer keys" is 1.4.2 and later. I'm sorry I didn't make that clear. > "Werner Koch" wrote: > > It has been fixed in the CVS when creating new keys. Now only one > > self-signature is created and used verbatim also for the secret key. > > This will go into 1.4.2. > > Will 1.4.2 also be able to fix the signatures on older keys? There is no need to. The extra signature is harmless (it's a signature issued by you, on your own key after all). If it really bothers you, you can use --edit-key and 'delsig' to delete one of them (it doesn't matter which one). I'm working on a general solution for extra signatures and what to do with them, but it's important to note that this is mainly an aesthetic problem. The key will work just fine, and there is no weakness in having extra signatures. 
Some people just don't like extra signatures, and when you get into things like the Global Directory, you can have a LOT of extra signatures. David From atom at smasher.org Fri May 27 16:53:04 2005 From: atom at smasher.org (Atom Smasher) Date: Fri May 27 16:48:50 2005 Subject: Choice of Algorithm In-Reply-To: <1117187511.6329.2.camel@localhost.localdomain> References: <4296118E.4020804@gmail.com> <1117187511.6329.2.camel@localhost.localdomain> Message-ID: <20050527145306.83019.qmail@smasher.org> On Fri, 27 May 2005, Erpo wrote: > On Thu, 2005-05-26 at 20:12 +0200, Youssef Aoun wrote: >> Since ElGamal is able to make signatures and encryption... why do we >> have other alternatives? Does it help to have multiple keys?? > > It helps to have multiple algorithms in that there is a backup if one of > them is broken. ElGamal isn't used for signing because DSA is The > Standard. ==================== elgamal isn't used because the implementation was broken. as far as DSA being "The Standard" i don't think it's any more standard than RSA, although it is more common. the common and widespread use of DSA instead of RSA for signatures seems to be a historical artifact of RSAs patent which, until it expired, forced open source crypto applications to use something else. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The shepherd drives the wolf from the sheep's for which the sheep thanks the shepherd as his liberator, while the wolf denounces him for the same act as the destroyer of liberty. Plainly, the sheep and the wolf are not agreed upon a definition of liberty." -- Abraham Lincoln From rmalayter at bai.org Fri May 27 20:16:22 2005
From: rmalayter at bai.org (Ryan Malayter) Date: Fri May 27 20:12:41 2005 Subject: Filesystem Encrytion with GnuPG ?! Message-ID: <792DE28E91F6EA42B4663AE761C41C2A0424A641@cliff.bai.org> =k3Rn= wrote: > Is it possible to specify a min password length (maybe > entropy) from that on the password can be considered 'safe' against > bruteforcing? The password length has little to do with the amount of entropy it contains. See this old thread: http://lists.gnupg.org/pipermail/gnupg-users/2004-October/023554.html From pt at radvis.nu Sat May 28 00:10:19 2005
From: pt at radvis.nu (Per Tunedal Casual) Date: Sat May 28 00:05:42 2005 Subject: Feature request: Add date and time to filename of encrypted file In-Reply-To: <1117087953.6375.92.camel@gandalf.hydrathink.org> References: <1116931926.15224.11.camel@gandalf.hydrathink.org> <1117087953.6375.92.camel@gandalf.hydrathink.org> Message-ID: <6.2.1.2.2.20050527235940.039028b0@localhost> At 08:12 2005-05-26, you wrote: --snipped--- >I HAVE NO IDEA HOW IMPORTANT THIS IS TO WINDOWS PEOPLE! If it is >important, I think Werner, Atom Smasher, and others may want to >reconsider this. Without input from Windows people (I work on >Linux, OpenBSD, FreeBSD, MS Windows, Sun Solaris, and IBM AIX >in that order in terms of frequency) that work ONLY on Windows, >we are in the dark. I suspect Werner is right. It is a non issue >with Windows users since they probably use GnuPG just for signing >and encrypting email. Now you know why I didn't send it to the >list. This note is NOT of general interest, and the added >functionality requested may not be important. Then again, maybe >it is. > >Henry Hertz Hobbit >-- >Key Name: "Henry Hertz Hobbit" >pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] >Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 Thank you for your very thorough answer! I am a Windows user and do a lot of backups etc with gnupg. I have so far only managed to make some batch files that simplify my daily work - scripting has been unsuccessful. I have interpreted Werner's answer this way: 1) Use an archiver as a temporary solution. (I can always store the encrypted file, that is without compression, and add the date and time to the output file.) 2) This important feature is not for GnuPG, but it can be implemented in frontends for Windows. I have so far suggested it to GPGee (the Explorer extensions). 
It could just as well be implemented in other frontends, like WinPT. My recent hope is that the very nice GPGee will make some of my batch files unnecessary. Per Tunedal From pt at radvis.nu Fri May 27 23:46:22 2005 From: pt at radvis.nu (Per Tunedal Casual) Date: Sat May 28 00:05:48 2005 Subject: RSA encrypt and sign key Message-ID: <6.2.1.2.2.20050527234218.038fb438@localhost> Hi, is there any drawback using an RSA encrypt and sign key? If I only have a single key there isn't any problem to tie an encryption key to the signature key; it's the same key. This would be fine in these days when hash-algos are falling around us. Of course the self signature is still a problem, but the problems would still be smaller when SHA-1 falls. Regards Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 Hägersten Phone: 08-646 34 83 From pt at radvis.nu Sat May 28 10:12:20 2005
From: pt at radvis.nu (Per Tunedal Casual) Date: Sat May 28 10:05:48 2005 Subject: passphrase or random characters the safest Message-ID: <6.2.1.2.2.20050528091042.0390bbc0@localhost> Hi, I once again ponder over whether a passphrase is safer than a string of random characters. It's easy to compute the strength of a random string of characters. About 20 - 25 characters (a-z, A-Z, 0-9 and special characters) would correspond to a 128-bit symmetric key. But what about a passphrase. Many people argue that a random looking password of the initials in a passphrase is fairly safe: Byu!IAiw?Tai42 . But it could be attacked with a dictionary attack, "because it comes from real words". How safe is it then? A plain text sentence would be worse, because it would be more easily attacked, some people argue. But I read a discussion about TrueCrypt and someone argued: "You could create a "real sentence" from ANY randomly generated password, since any letter in the password could be the first letter of literally *thousands* of words. So how could a dictionary attack differentiate between the password mentioned above, and a truly random one?" I would argue that: 1. Five (5) random words would be safer than a random string of 20 characters. There are far more words than there are characters. The entropy for each word would be about 12.9 bits according to the diceware page www.diceware.com . A character would have an entropy of 1.9. 2. In an ordinary sentence, each word would have an entropy of 1-1.4 bits. If we set the entropy to 1.2 we would need approximately 38.53/1.2 words = 32 Words, if the entropy is 1.4 only 27 words! Why so many words? Because words are easy to guess with help of the context. A passphrase of 10 words would be OK if the entropy was 3.9 - it must seem fairly random then. An entropy of 7.7 would make 5 words sufficient. I prefer passphrases because they are easier to remember than 20 random characters. 
True random words are slightly harder to remember than a phrase. Questions: How to make a short passphrase look random enough? How can I compute the strength (entropy)? Are experiments with live persons guessing passphrases the only way to compute the strength? Do you know of any such experiment? Or can you set up one at your university? It would be very interesting to compare different strategies of randomising the passphrase. Regards Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 Hägersten Phone: 08-646 34 83 From eocsor at gmail.com Sat May 28 13:42:39 2005
From: eocsor at gmail.com (Roscoe) Date: Sat May 28 13:38:59 2005 Subject: passphrase or random characters the safest In-Reply-To: <6.2.1.2.2.20050528091042.0390bbc0@localhost> References: <6.2.1.2.2.20050528091042.0390bbc0@localhost> Message-ID: Well, A 128bit key has 340282366920938463463374607431768211456 possible combinations Let's say there are about 100000 words in your dictionary. Let's also say there are about 100 different characters on your keyboard. Now for a password of random characters we would need: log(340282366920938463463374607431768211456)/log(100) = 20 chars. For a password of random words we would need: log(340282366920938463463374607431768211456)/log(100000) = 8 words. So I'm going to have to disagree with your 5 words is better than 20 letters[1]. Even if we use a 500000 word dictionary (eg: the number in the OED) then that's still 7 words. Now, that's with randomly picked words. If you want to have some coherence to your string of words then that's only going to increase the number of words needed. [1]: This is all pretty arbitrary though, I mean your dictionary size and number of keys on keyboard may well be different to mine so while I disagree I'm not going to say I'm more right than you or that you are wrong. On 5/28/05, Per Tunedal Casual wrote: > Hi, > I once again ponder over whether a passphrase is safer than a string of > random characters. > > It's easy to compute the strength of a random string of characters. About > 20 - 25 characters (a-z, A-Z, 0-9 and special characters) would correspond > to a 128-bit symmetric key. > > But what about a passphrase. Many people argue that a random looking > password of the initials in a passphrase is fairly safe: Byu!IAiw?Tai42 . > But it could be attacked with a dictionary attack, "because it comes from > real words". How safe is it then? > > A plain text sentence would be worse, because it would be more easily > attacked, some people argue. 
> > But I read a discussion about TrueCrypt and someone argued: > "You could create a "real sentence" from ANY randomly generated password, > since any letter in the password could be the first letter of literally > *thousands* of words. So how could a dictionary attack differentiate > between the password mentioned above, and a truly random one?" > > I would argue that: > > 1. Five (5) random words would be safer than a random string of 20 > characters. There are far more words than there are characters. The entropy > for each word would be about 12.9 bits according to the diceware page > www.diceware.com . A character would have an entropy of 1.9. > > 2. In an ordinary sentence, each word would have an entropy of 1-1.4 bits. > If we set the entropy to 1.2 we would need approximately 38.53/1.2 words = > 32 Words, if the entropy is 1.4 only 27 words! > Why so many words? Because words are easy to guess with help of the context. > > A passphrase of 10 words would be OK if the entropy was 3.9 - it must seem > fairly random then. An entropy of 7.7 would make 5 words sufficient. > > I prefer passphrases because they are easier to remember than 20 random > characters. True random words are slightly harder to remember than a phrase. > > Questions: > How to make a short passphrase look random enough? > How can I compute the strength (entropy)? > > Are experiments with live persons guessing passphrases the only way to > compute the strength? Do you know of any such experiment? Or can you set up > one at your university? It would be very interesting to compare different > strategies of randomising the passphrase. > > Regards > Per Tunedal > Civ. ing. Civ. ek. 
> > S:t Mickelsgatan 148 > 129 44 Hägersten > Phone: 08-646 34 83 From alex_box at web.de Sat May 28 19:07:24 2005 From: alex_box at web.de (Alexander Hoffmann) Date: Sat May 28 19:02:35 2005 Subject: rfc2268 Message-ID: <4298A54C.6080300@web.de> Hi everybody, to be able to use Ron's Cipher 2 i try to configure libgcrypt with parameter --enable-ciphers $ ./configure --enable-ciphers="arcfour,...,rfc2268" and it runs perfect, but $ libgcrypt-config --algorithms issues always Symmetric cipher algorithms: arcfour blowfish cast5 des aes twofish serpent without rfc2268 (RC2). I'm not blind, but for sure i make something wrong. Can it depend on my computer or linux distribution (suse 9.1) or may be i have to use another version of libgcrypt (i use libgcrypt-1.2.1)? Thanks in advance From bebop33 at gmx.de Sun May 29 10:16:27 2005
From: bebop33 at gmx.de (bebop33@gmx.de) Date: Tue May 31 14:34:00 2005 Subject: chrooting gnupg Message-ID: <200505291014.23107.bebop33@gmx.de> Hi list, does anyone here know by chance, what I have to provide to gnupg in order to run in a chrooted environment? Providing the libs obviously is not enough. I'm suspecting /dev/random or /dev/urandom or sth. the like, but in my tests it did not work properly (hangs) - due to entropy, I'd assume? Got no clue, how entropy is handled in a chroot, nor if this IS the problem. I'd appreciate any hints. Cheers, Christian From jharris at widomaker.com Mon May 30 02:08:35 2005 
From: jharris at widomaker.com (Jason Harris) Date: Tue May 31 14:34:14 2005 Subject: new (2005-05-29) keyanalyze results (+sigcheck) Message-ID: <20050530000835.GB356@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-05-29/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 From sk at intertivity.com Mon May 30 12:22:01 2005
From: sk at intertivity.com (Sascha Kiefer) Date: Tue May 31 14:34:47 2005 Subject: Signing and Encrypting of attachments with Content-Type: message/rfc822 Message-ID: <429AE949.3060902@intertivity.com> Hi. what is best practice to encode (sign and/or encrypt) Messages which have attachment of Content-Type: message/rfc822? The easiest way is to use PGP/Mime? But is it decodable by anybody? Are there other ways? Thanks a lot. Regards, --sk From wk at gnupg.org Mon May 30 17:42:04 2005 From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:35:02 2005 Subject: RC2 In-Reply-To: <429357E1.8090800@web.de> (Alexander Hoffmann's message of "Tue, 24 May 2005 18:35:45 +0200") References: <429357E1.8090800@web.de> Message-ID: <87y89w7mb7.fsf@wheatstone.g10code.de> On Tue, 24 May 2005 18:35:45 +0200, Alexander Hoffmann said: > (rfc2268.c), but it will not be compiled (i concluded it from > "libgcrypt-config --algorithms" output). What should i do to get the RC2 There might be a bug in libgcrypt-config --algorithms. However there is no need to do anything special. A plain ./configure && make will build the rfc2268 cipher - gnutls actually depends on it. Salam-Shalom, Werner From wk at gnupg.org Mon May 30 19:48:42 2005 From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:35:10 2005 Subject: Separate Keyring and config for Script In-Reply-To: (ml@charliesangels.biz's message of "Mon, 23 May 2005 16:16:01 +0200") References: Message-ID: <87u0kk7gg5.fsf@wheatstone.g10code.de> On Mon, 23 May 2005 16:16:01 +0200, said: > gpg: keys 12345: public key "Some Name " imported > gpg: can't create `/home/sascha/gpg-skript/auto-gpg-keyring.gpg.tmp': > Too many open files > gpg: DBG: error opening lockfile I tried that with the current CVS version as well as with 1.2.7 and was not able to replicate this using ~800 key files while also having reduced the maximum number of open files to 300. Shalom-Salam, Werner From wk at gnupg.org Mon May 30 19:56:38 2005
From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:35:18 2005 Subject: Choice of Algorithm In-Reply-To: <20050527145306.83019.qmail@smasher.org> (Atom Smasher's message of "Fri, 27 May 2005 10:53:04 -0400 (EDT)") References: <4296118E.4020804@gmail.com> <1117187511.6329.2.camel@localhost.localdomain> <20050527145306.83019.qmail@smasher.org> Message-ID: <87psv87g2x.fsf@wheatstone.g10code.de> On Fri, 27 May 2005 10:53:04 -0400 (EDT), Atom Smasher said: > elgamal isn't used because the implementation was broken. as far as Nope: Elgamal signatures are really hard to get right and safe. They are a relic from the very early days of GnuPG when I did not know about the OpenPGP WG. > DSA being "The Standard" i don't think it's any more standard than > RSA, although it is more common. DSS (DSA+SHA1) is the FIPS standard for digital signatures. > the common and widespread use of DSA instead of RSA for signatures No. DSA has a couple of advantages over RSA: It is a different algorithm using another problem than RSA and the signatures created are much smaller than RSA signatures. Salam-Shalom, Werner From oskar at rbgi.net Mon May 30 20:58:05 2005
From: oskar at rbgi.net (Oskar L.) Date: Tue May 31 14:35:22 2005 Subject: passphrase or random characters the safest In-Reply-To: References: <6.2.1.2.2.20050528091042.0390bbc0@localhost> Message-ID: <1159.213.169.31.94.1117479485.squirrel@mail.rbgi.net> "Roscoe" wrote: > Let's say there are about 100000 words in your dictionary. Let's also > say there are about 100 different characters on your keyboard. > > Now for a password of random characters we would need: > log(340282366920938463463374607431768211456)/log(100) = 20 chars. > > For a password of random words we would need: > log(340282366920938463463374607431768211456)/log(100000) = 8 words. > > So I'm going to have to disagree with your 5 words is better than 20 > letters[1]. Even if we use a 500000 word dictionary (eg: the number in > the OED) then that's still 7 words. > > Now, that's with randomly picked words. If you want to have some > coherence to your string of words then that's only going to increase > the number of words needed. If you want to use words, then I would suggest that you select them from different languages. Then the attacker will have to use a very large dictionary, one containing all words from all languages, if she or he doesn't know or can't guess from which languages you have selected your words. This kind of passphrase will still be relatively vulnerable to a brute force attack, since the attacker can limit the characters used in the attack to letters, so throwing in a few special characters between the words is a good idea. Oskar From oskar at rbgi.net Mon May 30 22:59:20 2005
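The arithmetic in this passphrase thread (the character and word counts for a 128-bit target, the Diceware figure of about 12.9 bits per word, and the idea of random separator characters between words), worked through as an added example that is not code from any poster. It assumes every symbol is drawn uniformly and independently by a CSPRNG and that the attacker knows the scheme; the 7776-word Diceware list size is general knowledge, and the function names, separator sets and short word list are constructed for illustration.

```python
import math
import secrets

TARGET_BITS = 128          # the symmetric key size discussed in the thread
DICEWARE_WORDS = 6 ** 5    # 7776 entries: five dice rolls select one word


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly and independently
    from `choices` possibilities. Human-chosen text does not qualify."""
    if choices < 2 or length < 0:
        raise ValueError("need >= 2 choices and a non-negative length")
    return length * math.log2(choices)


def symbols_needed(choices: int, target_bits: int = TARGET_BITS) -> int:
    """Smallest n with choices**n >= 2**target_bits.

    Integer arithmetic avoids float rounding at exact boundaries
    (256 choices and 128 bits gives exactly 16)."""
    if choices < 2:
        raise ValueError("need at least two choices")
    n, space, goal = 0, 1, 1 << target_bits
    while space < goal:
        space *= choices
        n += 1
    return n


def separated_words_bits(dict_size: int, n_words: int, sep_choices: int) -> float:
    """Entropy of n random words joined by n-1 randomly chosen separators."""
    return entropy_bits(dict_size, n_words) + entropy_bits(sep_choices, n_words - 1)


def generate_passphrase(wordlist, n_words: int, separators: str = " ") -> str:
    """Draw words and separators with the OS CSPRNG (secrets, not random)."""
    words = list(dict.fromkeys(wordlist))  # de-duplicate, keep order
    if len(words) < 2 or n_words < 1 or not separators:
        raise ValueError("need >= 2 distinct words, >= 1 word, >= 1 separator")
    parts = [secrets.choice(words)]
    for _ in range(n_words - 1):
        parts.append(secrets.choice(separators))
        parts.append(secrets.choice(words))
    return "".join(parts)


def thread_figures() -> dict:
    """Recompute the numbers quoted in the thread for a 128-bit target."""
    return {
        "chars_from_100": symbols_needed(100),
        "words_from_100000": symbols_needed(100_000),
        "words_from_500000": symbols_needed(500_000),
        "diceware_words": symbols_needed(DICEWARE_WORDS),
        "five_diceware_bits": round(entropy_bits(DICEWARE_WORDS, 5), 1),
        "twenty_chars_bits": round(entropy_bits(100, 20), 1),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name:>20}: {value}")
    # Constructed six-word list, far too small for real use.
    demo_words = ["anchor", "birch", "cobalt", "dune", "ember", "fjord"]
    print(generate_passphrase(demo_words, 4, separators="-_.!"))
```

Under these assumptions five Diceware words carry about 64.6 bits while twenty characters from a 100-symbol set carry about 132.9 bits; the figures only hold when the generator, not the user, picks each symbol.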
From: oskar at rbgi.net (Oskar L.) Date: Tue May 31 14:35:37 2005 Subject: KMail and smartcard In-Reply-To: <42936D31.50808@gmx.de> References: <200505240641.24941.chris@fsfe.org> <42936D31.50808@gmx.de> Message-ID: <1337.213.169.31.94.1117486760.squirrel@mail.rbgi.net> "=k3Rn=" wrote: > What is the real advantage of a smartcard? I have stored my > secret-keyring on a usb-stick at the moment. How could i improve > security further more? I am just reading about encrypting the filesystem > on the stick using 'truecrypt' - is that a good idea / nice solution? It's hard to say what is the best solution for someone, without knowing in what kind of situation that person is. The more security you have, the more inconvenience it will cause you. You need to find a balance that is right for you. The secret key is already encrypted, that's why it needs to be decrypted (using the passphrase) whenever it is needed. I would think that this is enough security for most people. To encrypt it once more is really only necessary if a person wants to hide the fact that it is a secret key. Personally I keep my secret key on my hard disk, because I find it more likely that I will be arrested and have my USB-stick confiscated, than that my computer will be hacked. Oskar From atom at smasher.org Tue May 31 03:52:53 2005
From: atom at smasher.org (Atom Smasher) Date: Tue May 31 14:35:43 2005 Subject: Choice of Algorithm In-Reply-To: <87psv87g2x.fsf@wheatstone.g10code.de> References: <4296118E.4020804@gmail.com> <1117187511.6329.2.camel@localhost.localdomain> <20050527145306.83019.qmail@smasher.org> <87psv87g2x.fsf@wheatstone.g10code.de> Message-ID: <20050531015252.68987.qmail@smasher.org> On Mon, 30 May 2005, Werner Koch wrote: > On Fri, 27 May 2005 10:53:04 -0400 (EDT), Atom Smasher said: > >> DSA being "The Standard" i don't think it's any more standard than RSA, >> although it is more common. > > DSS (DSA+SHA1) is the FIPS standard for digital signatures. ============= DSA is "a" standard, but by no means "the" standard. >> the common and widespread use of DSA instead of RSA for signatures > > No. DSA has a couple of advantages over RSA: It is a different algorithm > using another problem than RSA and the signatures created are much > smaller than RSA signatures. ============== i suspect that DSA would not have been pushed along nearly as far as it has if not for the patent on RSA. of course, if they wait much longer before updating DSA to officially support larger keys and hashes we'll start seeing more and more use of RSA with larger keys and hashes... if that happens, DSA will become a much less relevant standard. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Juridically they are both equal [the worker and capitalist]; but economically the worker is the serf of the capitalist... thereby the worker sells his person and his liberty for a given time. The worker is in the position of a serf because this terrible threat of starvation which daily hangs over his head and over his family, will force him to accept any conditions imposed by the gainful calculations of the capitalist, the industrialist, the employer... 
The worker always has the right to leave his employer, but has he the means to do so? No, he does it in order to sell himself to another employer. He is driven to it by the same hunger which forces him to sell himself to the first employer. Thus the worker's liberty... is only a theoretical freedom, lacking any means for its possible realization, and consequently it is only a fictitious liberty, an utter falsehood. The truth is that the whole life of the worker is simply a continuous and dismaying succession of terms of serfdom -- voluntary from the juridical point of view but compulsory from an economic sense -- broken up by momentarily brief interludes of freedom accompanied by starvation; in other words, it is real slavery." -- Mikhail Bakunin From wk at gnupg.org Tue May 31 12:17:14 2005 From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:36:00 2005 Subject: Filesystem Encrytion with GnuPG ?! In-Reply-To: <4295EC6D.1060902@3web.net> (C. D. Rok's message of "Thu, 26 May 2005 15:34:05 +0000") References: <4292A505.2030500@breitlander.com> <4295EC6D.1060902@3web.net> Message-ID: <87br6r66ol.fsf@wheatstone.g10code.de> On Thu, 26 May 2005 15:34:05 +0000, C D Rok said: > Perfectly good, - better than 'cryptloop', open source solution for > Windows already exists, see: > http://www.truecrypt.org/ That is one of the problems with the term "open source": It does not tell you whether it is Free Software. TrueCrypt for example is not FS because you need to send all changes back to the authors. I have not looked closer at the terms but that requirement alone is sufficient to mark it as non-free. Frankly, I don't understand why the authors go this way. Salam-Shalom, Werner From sk at intertivity.com Tue May 31 14:45:05 2005
From: sk at intertivity.com (Sascha Kiefer) Date: Tue May 31 14:40:51 2005 Subject: Signing and Encrypting of attachments with Content-Type: message/rfc822 Message-ID: <429C5C51.8080702@intertivity.com> Hi. what is best practice to encode (sign and/or encrypt) Messages which have attachment of Content-Type: message/rfc822? The easiest way is to use PGP/Mime? But is it decodable by anybody? Are there other ways? Thanks a lot. Regards, --sk From wk at gnupg.org Tue May 31 14:54:26 2005 From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:51:05 2005 Subject: Signing and Encrypting of attachments with Content-Type: message/rfc822 In-Reply-To: <429C5C51.8080702@intertivity.com> (Sascha Kiefer's message of "Tue, 31 May 2005 14:45:05 +0200") References: <429C5C51.8080702@intertivity.com> Message-ID: <87u0kj4ku5.fsf@wheatstone.g10code.de> On Tue, 31 May 2005 14:45:05 +0200, Sascha Kiefer said: > have attachment of Content-Type: message/rfc822? > The easiest way is to use PGP/Mime? But is it decodable by anybody? Are MS Outlook can't cope with it. Every other MTA with a full MIME implementation should be able to handle it. Shalom-Salam, Werner From wk at gnupg.org Tue May 31 14:27:33 2005 From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:55:16 2005 Subject: [Announce] First release candidate for GnuPG 1.4.2 available Message-ID: <873bs360ne.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed From wk at gnupg.org Tue May 31 14:56:42 2005
From: wk at gnupg.org (Werner Koch) Date: Tue May 31 14:55:57 2005 Subject: chrooting gnupg In-Reply-To: <200505291014.23107.bebop33@gmx.de> (bebop33@gmx.de's message of "Sun, 29 May 2005 10:16:27 +0200") References: <200505291014.23107.bebop33@gmx.de> Message-ID: <87psv74kqd.fsf@wheatstone.g10code.de> On Sun, 29 May 2005 10:16:27 +0200, bebop33@gmx de said: > Got no clue, how entropy is handled in a chroot, nor if this IS the problem. > I'd appreciate any hints. Create the device files for /dev/random and /dev/urandom in your chrooted tree and it will work. If those files don't exist GnuPG tries to run dozens of standard utilities to gather random - but well, in a chrooted tree it won't find many of them thus it will basically hang. Salam-Shalom, Werner From gr at eclipsed.net Tue May 31 14:58:46 2005 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Tue May 31 15:46:49 2005 Subject: chrooting gnupg In-Reply-To: <200505291014.23107.bebop33@gmx.de> References: <200505291014.23107.bebop33@gmx.de> Message-ID: <20050531125846.GN12179@uriel.eclipsed.net> On Sun, May 29, 2005 at 10:16:27AM +0200, bebop33@gmx.de wrote: > does anyone here know by chance, what I have to provide to gnupg in order to > run in a chrooted environment? Providing the libs obviously is not enough. > I'm suspecting /dev/random or /dev/urandom or sth. the like, but in my tests > it did not work properly (hangs) - due to entropy, I'd assume? > > Got no clue, how entropy is handled in a chroot, nor if this IS the problem. > I'd appreciate any hints. Have you considered running gpg under a syscall tracer to find out? (truss, struss, strace, tusc... depends on your OS.) -- gabriel rosenkoetter gr@eclipsed.net From shavital at mac.com Tue May 31 16:30:30 2005
From: shavital at mac.com (Charly Avital) Date: Tue May 31 16:26:35 2005 Subject: [Announce] First release candidate for GnuPG 1.4.2 available In-Reply-To: <873bs360ne.fsf@wheatstone.g10code.de> References: <873bs360ne.fsf@wheatstone.g10code.de> Message-ID: <854135AE-A7A1-4714-A8C2-71FCE6E847E2@mac.com> Hi, configured 1.4.2rc1 with --with-libcurl on Powerbook CPU PowerPC G4 (1.1), under Mac OS X 10.4.1 (code named Tiger), Darwin (powerpc-apple-darwin8.1.0), including idea.c. No problems while compiling. Running fine. MacGPG (GnuPG for the Mac project) applications (GPGMail d43, GPGPreferences 1.2, GPG Keychain Access 0.7.0.1) also working fine. Thanks to the GnuPG and MacGPG teams for their work Charly On May 31, 2005, at 8:27 AM, Werner Koch wrote: > Hi! > > We are pleased to announce the availability of a release candidate for > the forthcoming 1.4.2 version of gnupg: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.2rc1.tar.bz2 > (2808k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.2rc1.tar.bz2.sig [...] From rmalayter at bai.org Tue May 31 18:09:36 2005
From: rmalayter at bai.org (Ryan Malayter) Date: Tue May 31 18:06:02 2005 Subject: passphrase or random characters the safest Message-ID: <792DE28E91F6EA42B4663AE761C41C2A042F614B@cliff.bai.org> Just to inject some practicality into the discussion, a pass phrase with more than 64 bits of entropy is probably safe from all non-governmental attackers. After all, it took distributed.net five years to crack 64-bit RC5 using tens of thousands of machines. Beyond 64 bits, attacks against the endpoint computers (keyboard sniffers, etc.) and the key holder's body will be far more cost-effective and attractive. The pass phrase would certainly not be the weakest link in the security chain. Using a 2311000-word Oxford English Dictionary (the latest count I found on their web site), that's CEILING(64/log2(231100)) = 4 randomly selected English words. Much easier to remember, and those four words would actually provide 71+ bits of entropy. As 9/11 taught us, it's pointless to build ever-stronger defenses against attacks we already know how to defeat. Our bomb-sniffing and X-ray machines failed us when faced with a few fanatics carrying box-cutters. It is the *new* avenues of attack that we must think about and guard against. A 256-bit-strong OpenPGP pass phrase is pointless when used on a machine compromised by a keyboard sniffer, or when used to hide secrets from an attacker that is willing to torture the key owner. I recommend Bruce Schneier's latest books, _Secrets and Lies_ and _Beyond Fear_, which have great discussions of *practical* security. -Ryan- From cedar at 3web.net Tue May 31 20:14:09 2005 
From: cedar at 3web.net (C. D. Rok) Date: Tue May 31 20:10:40 2005 Subject: Filesystem Encrytion with GnuPG ?! In-Reply-To: <87br6r66ol.fsf@wheatstone.g10code.de> References: <4292A505.2030500@breitlander.com> <4295EC6D.1060902@3web.net> <87br6r66ol.fsf@wheatstone.g10code.de> Message-ID: <429CA971.4050407@3web.net> Werner Koch wrote: > On Thu, 26 May 2005 15:34:05 +0000, C D Rok said: >>... open source solution for Windows already exists, see: >>http://www.truecrypt.org/ > > That is one of the problems with the term "open source": It does not > tell you whether it is Free Software. TrueCrypt for example is not FS > because you need to send all changes back to the authors. I have not > looked closer at the terms but that requirement alone is sufficient to > mark it as non-free. Agreed, TC is not FS. I use "open source" as a colloquial term and not as a designation of a particular application distribution licensing model. In this case it satisfies the most important "open source" test: a user can build his executable from the inspected source in his possession. *This* is a "sine qua non" for any crypto application; all other rights are - for the vast majority of users - of lesser consequence. > Frankly, I don't understand why the authors go this way. I believe I do, but it's not for me to speculate in public. As long as the above condition is met, the authors of any crypto application should be free to opt for whatever licensing model ~they~ feel will provide the best solution for ~their~ application. CD Rok From pt at radvis.nu Tue May 31 23:13:56 2005
From: pt at radvis.nu (Per Tunedal Casual) Date: Tue May 31 23:07:10 2005 Subject: passphrase or random characters the safest Message-ID: <6.2.1.2.2.20050531231240.032c9068@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 20:58 2005-05-30, you wrote: >"Roscoe" wrote: > >> Let's say there are about 100000 words in your dictionary. Let's also >> say there are about 100 different characters on your keyboard. >> >> Now for password of random characters we would need: >> log(340282366920938463463374607431768211456)/log(100) 20 chars. >> >> For a password of random words we would need: >> log(340282366920938463463374607431768211456)/log(100000) 8 words. >> >> So I'm going to have to disagree with your 5 words is better than 20 >> letters[1]. Even if we use a 500000 word dictionary (eg: the number in >> the OED) then that's still 7 words. >> >> Now, that's with randomly picked words. If you want to have some >> coherence to your string of words then that's only going to increase >> the number of words needed. > >If you want to use words, then I would suggest that you select them from >different languages. Then the attacker will have to use a very large >dictionary, one containing all words from all languages, if she or he >doesn't know or can't guess from which languages you have selected your >words. This kind of passphrase will still be relatively vulnerable to a >brute force attack, since the attacker can limit the characters used in >the attack to letters, so throwing in a few special characters between the >words is a good idea. > >Oskar > Thank you Oskar for this idea - it's new to me. Increasing the search space by using several languages is a very easy way to improve the security of a passphrase or a collection of random words. Someone who wants to do some calculations? What about say 1, 2, 3, 4 and 5 languages. How many random words are needed to match a 128 bit key?
Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCnNOwpPsTvNtsBX8RAnBAAJ0dz2yUa69nJZPvinUqdJj2D1yzpwCeO2cX 8jhYR3PFYtGpkBcbDFwkX2w= =gn9N -----END PGP SIGNATURE----- From gpg.20.subu at spamgourmet.com Fri May 27 21:55:59 2005 From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Fri Jun 3 14:18:03 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Message-ID: <1117223759.19372.235125242@webmail.messagingengine.com> Hi Alex Thanks for your good, informative reply I'll try and catch up with the recommended reading Subu Alex Mauer - hawke@hawkesnest.net wrote: >gpg.20.subu@spamgourmet.com wrote: > >>I thought that two *non* identical names - as in case below will *not* >>create the same hash >>If it will, what is the probability ? > > >The probability of this happening is extremely low. > >For a 128-bit hash, such as md5, the probability is 1 in 2^128 (1 in >340,282,366,920,938,463,463,374,607,431,768,211,456) > >For a 160-bit hash, such as sha-1 which PGP uses, the probability is 1 >in 2^160, 1 in >1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976). > [.............] From gpg.20.subu at spamgourmet.com Fri May 27 21:53:15 2005 From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Fri Jun 3 14:18:15 2005 Subject: Version 1.4.2. for Win XPP ? / was Re: Additional self-signature Message-ID: <1117223595.19213.235125119@webmail.messagingengine.com> David Shaw - dshaw@jabberwocky.com wrote: > >"Newer keys" is 1.4.2 and later. I'm sorry I didn't make that clear. > Is the above version released for Win XPP as well ? Any URL ? TIA Subu From gpg.20.subu at spamgourmet.com Fri May 27 21:44:48 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Fri Jun 3 14:18:27 2005 Subject: Problems when trying to create a second keyring Message-ID: <1117223088.18539.235124606@webmail.messagingengine.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi I wish to create a second keyring on my machine to avoid crowding and to manage yagoo groups keys on independent keyrings Problems when trying to create a second keyring $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ~ I'm trying to create a second keyring - for PGPNET members' keys ~ My pubring.gpg is in the directory c:\Documents and Settings\user\Application Data\gnupg\ ~ My gpg.conf is located in the same directory c:\Documents and Settings\user\Application Data\gnupg ~ I have added the following to my gpg.conf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ secret-keyring c:\documents and settings\user\application data\gnupg\secring.gpg keyring c:\documents and settings\user\application data\gnupg\pubring.gpg keyring c:\documents and settings\user\application data\gnupg\pgpnet.gpg ~ I have administrator rights on my machine - So rights / permissions to create files are NOT a problem. ~ I had installed GnuPG using the same login etc. 
on this machine, again user rights is not the issue ~ Neither winPT nor Enigmail are running now ~ Other normal gpg commands like --Decrypt etc are working from command prompt ~ Now when I try to import PGPNET_Keys.asc into the second keyring "pgpnet.gpg" with the command "gpg --import PGPNET_Keys.asc" I get the following errors =============== start of command line output ================= C:\gpg --import PGPNET_Keys.asc gpg: keyblock resource `c:\documents and settings\user\application data\gnupg\pgpnet.gpg': file open error gpg: key 01C3E2A9: "Jeff Allen " not changed gpg: renaming `C:/Documents and Settings/user/Application Data/gnupg\pubring.gpg ' to `C:/Documents and Settings/user/Application Data/gnupg\pubring.bak' failed: Permission denied gpg: error writing keyring `C:/Documents and Settings/user/Application Data/gnupg\pubring.gpg': file rename error gpg: key E65CF0EE: public key "[User ID not found]" imported gpg: error reading `PGPNET_Keys.asc': file rename error gpg: no valid OpenPGP data found. gpg: import from `PGPNET_Keys.asc' failed: file rename error gpg: Total number processed: 1 gpg: imported: 1 gpg: unchanged: 1 ============= end of command line output ======================= Where am I going wrong ? Any help is appreciated TIA subu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: key : http://www.geocities.com/mail_to_subu/pubkey.txt Comment: key : http://maniams2.tripod.com/Sign/pubkey.txt iD8DBQFCl5HraGzRyAvkb6IRAtIvAKC3ps4ToJbXxx/jrGwT71EBreHzLQCgxuEp +Ggro5yo98w8mEnZ5370OlQ= =21VA -----END PGP SIGNATURE----- From gpg.20.subu at spamgourmet.com Fri May 27 21:56:15 2005 
From: gpg.20.subu at spamgourmet.com (gpg.20.subu@spamgourmet.com) Date: Fri Jun 3 14:18:32 2005 Subject: IBM to Provide Security w/o Sacrificing Privacy Using Hash Message-ID: <1117223775.19405.235125242@webmail.messagingengine.com> Hi Alex Thanks for your good, informative reply I'll try and catch up with the recommended reading Subu Alex Mauer - hawke@hawkesnest.net wrote: >gpg.20.subu@spamgourmet.com wrote: > >>I thought that two *non* identical names - as in case below will *not* >>create the same hash >>If it will, what is the probability ? > > >The probability of this happening is extremely low. > >For a 128-bit hash, such as md5, the probability is 1 in 2^128 (1 in >340,282,366,920,938,463,463,374,607,431,768,211,456) > >For a 160-bit hash, such as sha-1 which PGP uses, the probability is 1 >in 2^160, 1 in >1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976). > [.............] From harob02 at earthlink.net Sun May 29 02:09:19 2005 
From: harob02 at earthlink.net (Dan Mundy) Date: Fri Jun 3 14:18:36 2005 Subject: (no subject) Message-ID: <4299082F.2020709@earthlink.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hey everyone, just letting you all know i'm new to mailing lists. by the way, here's my public key. make sure to sign it! Public key for 0x4DB6E71B8061A830
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCmQgrTbbnG4BhqDARAo3oAJ9GrFLwwwrr1h/uUSGtJaMCVELCsACbBV6t bD3Fx7AW6bJfxaGX8gkUbBQ= =bvJM -----END PGP SIGNATURE----- From harob02 at earthlink.net Sun May 29 14:49:59 2005 From: harob02 at earthlink.net (Dan Mundy) Date: Fri Jun 3 14:18:40 2005 Subject: How to install your GPG keys to a USB dongle for Windows Message-ID: <4299BA77.6010308@earthlink.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 i had just the opposite problem. i can't find any kind of a linux driver for my USB drive. but i quickly figured out how to set this up in windows without regedit. here's what you do. 1. open gpg.conf (located in your "application data" folder) 2. add the following lines (without quotes) after your keyserver-options line: "keyring x:\keys\pubring.gpg secret-keyring x:\keys\secring.gpg no-default-keyring" x:\ is your USB drive and \keys\ is your keyring folder. 3. from your "application data" folder, copy "pubring.gpg" and "secring.gpg" to x:\keys\. that is all you have to do. and it won't mess up your registry if you make a typo. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCmbptTbbnG4BhqDARAukTAJ455C//sAT3SyyrcuXK0UQJp/qpywCgnQ2G hAevnwg0Ex3rwDrOzpyL6IY= =2xi3 -----END PGP SIGNATURE----- From harob02 at earthlink.net Sun May 29 16:05:29 2005
From: harob02 at earthlink.net (Dan Mundy) Date: Fri Jun 3 14:18:43 2005 Subject: Help on Enigmail - Mozilla 1.7.7. with Win XPP Message-ID: <4299CC29.5050005@earthlink.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > - Lets say I get a signed message - like the ones from this > "gnupg-users" list - I click on the "pen" ICON (displayed by > Mozilla) to check the signature - I get a message "public key not > found" - I proceed to try and download the public key from one of > the 4 servers listed in Enigmail ~ I suppose defaults as of now in > Enigmail - I get either a *socket error* or a *key not found error* > > > - How do I proceed further ? > > - Is there a better way to import public keys into enigmail ? make sure enigmail is set up correctly. in mozilla mail, go to Enigmail->Preferences. make sure this is set correctly: "Basic" tab: GnuPG executable path: x:\\gpg.exe where x:\ is your gpg install path. there are better ways to import keys into enigmail: 1. type "gpg --keyserver --recv-keys " at a command prompt. - ---OR--- 1. go to a keyserver with a search engine (i.e. http://pgp.mit.edu:11371) and search for the name of the owner of the key you want. 2. when the results come up, look for the key you want and click on the key id 3. the pgp public key block will come up. copy that into notepad and save it as a .gpg or .asc file. 4. type "gpg --import x:\xxx\xxx.gpg" at a command prompt. > - where is the public key ring stored by enigmail ? Enigmail takes its keyring from gpg's public keyring. it is located at x:\\pubring.gpg i hope this helps, and good luck with enigmail! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCmcwfTbbnG4BhqDARAqw3AKDyvaThXtGITJ/cj/Se6fY6UA5+wQCfQpyp T8HPPyd0ZTlQpQaII3bqZcQ= =P6mF -----END PGP SIGNATURE----- From jsl at eibport.de Tue May 31 14:54:58 2005 
From: jsl at eibport.de (Joerg Schmitz-Linneweber) Date: Fri Jun 3 14:18:47 2005 Subject: chrooting gnupg In-Reply-To: <200505291014.23107.bebop33@gmx.de> References: <200505291014.23107.bebop33@gmx.de> Message-ID: <429C5EA2.7040708@eibport.de> Hi Christian! bebop33@gmx.de wrote: > ... > does anyone here know by chance, what I have to provide to gnupg in order to > run in a chrooted environment? Providing the libs obviously is not enough. > I'm suspecting /dev/random or /dev/urandom or sth. the like, but in my tests > it did not work properly (hangs) - due to entropy, I'd assume? > > Got no clue, how entropy is handled in a chroot, nor if this IS the problem. > I'd appreciate any hints. What does "strace gpg_chroot --version_or_anything" reveal on this chroot-ed binary? Salut, Jörg -- gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512 From mune72 at tiscali.it Tue May 31 17:31:29 2005
From: mune72 at tiscali.it (Federico Munerotto) Date: Fri Jun 3 14:18:51 2005 Subject: SmartCard + Evolution Message-ID: <1117553488.4616.5.camel@lello.munet.org> On Sat, 2005-05-28 at 10:47, Matthias Kirschner wrote: > Hi Fede, > sorry in taking so long in writing. > > * Federico Munerotto [2005-05-22 19:11:49 +0200]: > > > OK. I'll be tester. > > Thank you. If it's ok I would like to move this discussion to > , as there are also other people who are probably > able to help you. > > Can you please resend it to this list? > > Thank you very much, > Matze Just wait for a little bit more. In the past days I have been busy in synchronizing palm device/PC/mobile (I lost all my mobile contacts!). I still haven't tried with evolution, yet. I think that the files in /etc/hotplug/usb/ (to see the USB smartcard reader) fight with my USB bluetooth dongle, but it is a first impression; I will dig into it more (in the worst case i'll avoid to plug the two things in the same time). -- Fede _________________________________________________________________________ mune (at) fsfe.org Ing. Federico Munerotto home http://www.krl.it/~mune Public key http://www.krl.it/~mune/personal/misc/pk/pk.html _________________________________________________________________________ You are sick, twisted and perverted. I like that in a person. From bogus@does.not.exist.com Tue May 31 14:33:46 2005
From: bogus@does.not.exist.com () Date: Sat Jun 18 12:32:16 2005 Subject: No subject Message-ID: tell you what I do in Enigmail. For attachments, I'm looking at the content-type (application/pgp-*) and for the file name extension. If the filename extension is *.asc, *.pgp or *.gpg I try to decrypt the file. I have so far not tried to verify signatures of attachments; I plan to implement this in one of the next releases. Once I'll try to verify signatures of attachments, I'll first look for a similar file name (e.g. without .asc); if not found I'll try to get the original file name from the signature. I don't assume binary or ascii armored files, I simply pipe the whole file to gpg. For the mail body, I'm looking for ---- BEGIN PGP (.*) and if found for ---- END PGP (.*) If both are found, I decrypt or verify according to (.*), or let the user know that a key is available. There are a few pitfalls, like message decoding (base64, quoted-printable). Furthermore, the character set of an encrypted mail body is often set to US-ASCII, even if the content is e.g. UTF-8 HTH -Patrick
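The detection rules described in the message above, as an added Python example (not Enigmail's code, which does not appear on this page). The function names, the action labels and the sample message are constructed for illustration; the sample hides an armored block behind base64 transfer encoding and a wrong US-ASCII charset label, the two pitfalls the message names.

```python
import base64
import re
from email import message_from_bytes

PGP_EXTENSIONS = (".asc", ".pgp", ".gpg")
# OpenPGP armor delimiters; the captured group names the kind of block.
BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----[ \t\r]*$", re.M)
END = re.compile(r"^-----END PGP ([A-Z ]+)-----[ \t\r]*$", re.M)
# Action labels are made up for this example.
ACTIONS = {"MESSAGE": "decrypt", "SIGNED MESSAGE": "verify",
           "PUBLIC KEY BLOCK": "key-available"}


def decode_text(part) -> str:
    """Undo the transfer encoding first, then the charset."""
    data = part.get_payload(decode=True) or b""   # base64 / quoted-printable
    declared = part.get_content_charset() or "us-ascii"
    try:
        return data.decode(declared)
    except (UnicodeDecodeError, LookupError):
        # Label says US-ASCII but the bytes are not: fall back to UTF-8.
        return data.decode("utf-8", errors="replace")


def armor_action(text: str):
    """Return an action only if both a BEGIN and a later END line exist."""
    begin = BEGIN.search(text)
    if not begin or not END.search(text, begin.end()):
        return None
    return ACTIONS.get(begin.group(1), "unknown-armor")


def classify(raw: bytes):
    """Return (label, action) for every leaf part of a raw RFC 822 message."""
    results = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is not None:
            # Attachment: decide by content type or file name extension and
            # hand the whole file to gpg, binary or armored alike.
            is_pgp = (part.get_content_type().startswith("application/pgp-")
                      or name.lower().endswith(PGP_EXTENSIONS))
            results.append((name, "pipe-to-gpg" if is_pgp else "ignore"))
        elif part.get_content_maintype() == "text":
            action = armor_action(decode_text(part))
            results.append(("body", action or "ignore"))
    return results


def build_sample() -> bytes:
    """Constructed message; the armored payload is a placeholder, not real data."""
    body = ("Grüße,\n-----BEGIN PGP MESSAGE-----\n\n"
            "Q09OU1RSVUNURUQ=\n-----END PGP MESSAGE-----\n").encode("utf-8")

    def b64(data: bytes) -> str:
        return base64.encodebytes(data).decode("ascii")

    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\n'
        'Content-Type: text/plain; charset="us-ascii"\n'
        'Content-Transfer-Encoding: base64\n\n'
        + b64(body) +
        '--b1\n'
        'Content-Type: application/octet-stream\n'
        'Content-Disposition: attachment; filename="report.txt.gpg"\n'
        'Content-Transfer-Encoding: base64\n\n'
        + b64(b"\x85\x01constructed-binary") +
        '--b1\n'
        'Content-Type: text/plain\n'
        'Content-Disposition: attachment; filename="notes.txt"\n\n'
        'plain notes\n'
        '--b1--\n'
    ).encode("ascii")


if __name__ == "__main__":
    for label, action in classify(build_sample()):
        print(f"{label}: {action}")
```

Searching the raw message bytes for the armor line finds nothing in this sample, which is why the transfer decoding has to happen before the pattern match.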