From atom at smasher.org Thu Feb 2 02:49:01 2006 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 2 03:48:33 2006 Subject: key signing article in 2600 Message-ID: <20060202014905.76793.qmail@smasher.org> the current issue of 2600 (winter 05/06) has an article i wrote, titled "pgp Key Signing Observations - Overlooked Social and Technical Considerations". it should be of interest to many on this list. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We must have strong minds, ready to accept facts as they are." -- President Harry Truman "I don't care what the facts are." -- President George H.W. Bush, 1988 From enediel at hotmail.com Sat Feb 4 03:23:47 2006 From: enediel at hotmail.com (enediel gonzalez) Date: Sat Feb 4 04:48:28 2006 Subject: gpg on cron task In-Reply-To: Message-ID: Hello: I use debian sarge and I need to encrypt and decrypt automatically backup files using gpg I create a php script will the whole procedure, which include the following declaration enediel@hotmail.com is included into the trusted chain for the root user. When I execute the script manually as root, I obtain the encrypted file, but if I put the same script as a cron's task, the whole script works perfectly except the encryption process, and I not receive any error. I'll appreciate if somebody help me with that, basically what I need is to encrypt and decrypt specific files automatically using gpg. Thanks in advance for any answer Enediel Linux user 300141 Debian GNU/Linux From atom at smasher.org Sat Feb 4 06:13:45 2006 From: atom at smasher.org (Atom Smasher) Date: Sat Feb 4 06:13:50 2006 Subject: gpg on cron task In-Reply-To: References: Message-ID: <20060204051350.70916.qmail@smasher.org> On Sat, 4 Feb 2006, enediel gonzalez wrote: > References: Message-ID: <20060204081946.GC4304@Update.UU.SE> On Sat, Feb 04, 2006 at 02:23:47AM +0000, enediel gonzalez wrote: > Hello: > I use debian sarge and I need to encrypt and decrypt automatically backup > files using gpg > <<<< Snip >>>> > > When I execute the script manually as root, I obtain the encrypted file, > but if I put the same script as a cron's task, the whole script works > perfectly except the encryption process, and I not receive any error. Have you checked if the script has access to the key? (E.g. Permission or path problems.) HTH //Samuel From enediel at hotmail.com Sat Feb 4 14:41:36 2006 From: enediel at hotmail.com (enediel gonzalez) Date: Sat Feb 4 14:41:04 2006 Subject: gpg on cron task In-Reply-To: <20060204081946.GC4304@Update.UU.SE> Message-ID: Thanks for your attention -root is the owner of the script. -as a root user, if I execute my script manually I obtain what I want -the script was included as a cron task for root -running the same script from a cron task the encrypting process fails because I don't obtain any .gpg file, no error reported. -I know that the script was executed from the cron task because the same script previously created by itself the file I want to encrypt with gpg. -everything is done over /tmp where everybody can write Greeting Enediel Linux user 300141 Debian GNU/Linux >From: samuel@Update.UU.SE (Samuel ]slund) >Reply-To: GnuPG Users >To: GnuPG Users >Subject: Re: gpg on cron task >Date: Sat, 4 Feb 2006 09:19:46 +0100 > >On Sat, Feb 04, 2006 at 02:23:47AM +0000, enediel gonzalez wrote: > > Hello: > > I use debian sarge and I need to encrypt and decrypt automatically >backup > > files using gpg > > ><<<< Snip >>>> > > > > When I execute the script manually as root, I obtain the encrypted file, > > but if I put the same script as a cron's task, the whole script works > > perfectly except the encryption process, and I not receive any error. > >Have you checked if the script has access to the key? >(E.g. Permission or path problems.) > >HTH >//Samuel > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From enediel at hotmail.com Sat Feb 4 16:34:06 2006 From: enediel at hotmail.com (enediel gonzalez) Date: Sat Feb 4 16:33:32 2006 Subject: gpg on cron task In-Reply-To: <20060204081946.GC4304@Update.UU.SE> Message-ID: Thanks Samuel for the answer as you can see on the line I execute, I include the full paths necessary for the execution regarding permissions, this task is a root's task, so, the referenced key ID in included within the trusted chain for root. $str_execute = "cd /tmp/backup && /bin/echo apassword | /usr/bin/gpg -se --passphrase-fd 0 -r enediel@hotmail.com / tmp/backup/$filename"; exec($str_execute); Regards Enediel Linux user 300141 Debian GNU/Linux >From: samuel@Update.UU.SE (Samuel ]slund) >Reply-To: GnuPG Users >To: GnuPG Users >Subject: Re: gpg on cron task >Date: Sat, 4 Feb 2006 09:19:46 +0100 > >On Sat, Feb 04, 2006 at 02:23:47AM +0000, enediel gonzalez wrote: > > Hello: > > I use debian sarge and I need to encrypt and decrypt automatically >backup > > files using gpg > > ><<<< Snip >>>> > > > > When I execute the script manually as root, I obtain the encrypted file, > > but if I put the same script as a cron's task, the whole script works > > perfectly except the encryption process, and I not receive any error. > >Have you checked if the script has access to the key? >(E.g. Permission or path problems.) > >HTH >//Samuel > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From enediel at hotmail.com Mon Feb 6 16:41:03 2006 From: enediel at hotmail.com (enediel gonzalez) Date: Mon Feb 6 16:40:32 2006 Subject: gpg on cron task In-Reply-To: <20060204165030.66836.qmail@smasher.org> Message-ID: I'm sorry Atom for the personal email, I just replied the message without change the address. Following the suggestions I created the script #!/bin/bash cd /tmp/backup && /bin/echo apassword | /usr/bin/gpg -se --passphrase-fd 0 --logger-fd 1 -r enediel@hotmail.com /tmp/backup/backup20060206100521 >> /tmp/debug3.txt Executing it from a cron task I obtained in /tmp/debug3.txt the following line gpg: cannot open `/dev/tty': No such device or address according to this line, it looks line the way I use to pass the password to gpg is incorrect when the script is used on a cron task. ?Could somebody show me an example how to do it in any way? I'm sorry, I searched without find the answer to this question. Thanks in advance for any answer Enediel Linux user 300141 Debian GNU/Linux >From: Atom Smasher >To: enediel gonzalez >Subject: Re: gpg on cron task >Date: Sat, 4 Feb 2006 11:50:26 -0500 (EST) > >On Sat, 4 Feb 2006, enediel gonzalez wrote: > >>This computer is not critical, is a black box containing a specific system >>with a web interface. >> >>I understand your point regarding the password, for the nature of this >>case it's not the most important thing, I gonna save the backup file on an >>external ftp server, where I'll need this protection. >> >>My question is, no matter if I use php or another shell for the scripts, >>why if as root I execute my script and I obtained the .gpg file, and when >>I execute a root's cron task, the same script fails. >===================== > >if your using gpg and php, at least check this out - >http://business-php.com/opensource/gpg_encrypt/ > >i can make a lot of guesses about why it's not working, but the only thing >that will really give me a hint is to know why it's not working. run the >cron job with a verbose flag and record the output to stderr. something >like this, but you'll probably have to modify it based on your particular >script: > { gpg -ea *file* ; } 2>&1 >or add this to the gpg options on the command line: > --logger-fd 1 > >then send us the output and someone here can probably figure it out really >quickly. > > >-- > ...atom > > _________________________________________ > PGP key - http://atom.smasher.org/pgp.txt > 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > ------------------------------------------------- > > "Freedom without opportunity is a devil's gift, and the > refusal to provide such opportunities is criminal" > -- Market Democracy in a Neoliberal Order: > Doctrines and Reality, Noam Chomsky > > From hhhobbit7 at netscape.net Tue Feb 7 05:10:23 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Tue Feb 7 05:10:35 2006 Subject: gpg on cron task Message-ID: <5FC7A02F.6C7B4B24.0307202B@netscape.net> "enediel gonzalez" wrote: > Hello: > > I use debian sarge and I need to encrypt and decrypt > automatically backup files using gpg > > I created a php script will the whole procedure, which > includes the following declaration > > ....... > > > $str_execute = "cd /tmp/backup && \ > /bin/echo apassword | /usr/bin/gpg -se \ > --passphrase-fd 0 -r enediel@hotmail.com \ > /tmp/backup/$filename"; > exec($str_execute); > >?> > > enediel@hotmail.com is included into the trusted > chain for the root user. > > When I execute the script manually as root, I > obtain the encrypted file, but if I put the same > script as a cron's task, the whole script works > perfectly except the encryption process, and I not > receive any error. > > I'll appreciate if somebody help me with that, > basically what I need is to encrypt and decrypt > specific files automatically using gpg. > > Thanks in advance for any answer > Enediel > Linux user 300141 > Debian GNU/Linux First, I question why you are doing this as root rather than as a normal user, since you can make it for a normal user to use cron. I also don't like php (would prefer Korn Shell or PERL), but since you say it works interactively we will drop that for a while (we will come back to it). 1. When you do a (without the quotes), "crontab -l" how does the entry show up? What I am getting at is WHERE DOES THE OUTPUT OF STDOUT AND STDERR go? This can reveal a lot. I ALWAYS log the stdout and stderr to cron log file. 2. I am also assuming you have cron turned on. If you do a "ps -eadf | grep cron" and you don't have a crond showing, then cron isn't running. You will have to activate it. More than one version of Linux (I haven't used Debian since it has never installed on my hardware - too new) doesn't have cron on and depends on anacron for everything. 3. Okay, we have come back to it. One of the very first things I do on a Linux box I am setting up is to find all of the dirs in the $PATH, and then I go change /etc/profile to HARD SET the dirs in the $PATH in the order I want them. This always puts the following dirs first: /usr/local/sbin:/usr/local/bin with the other dirs in the order that they should be in. The problem is, a cron'd job invariably does NOT get the full path since /etc/profile is NOT guaranteed to be sourced. Since it looks like your script is using the full path for all of the commands executed this is probably not a problem. I am just warning you - it CAN be a problem. 4. In addition to the PATH environment variable, there are a LOT of other environment variables that frequently don't get set by a cron job, that are set in a shell. A simple shell script that is run interactively, then via cron can show anything that is different by having both doing an env to a file. For that matter, it can show whether or not cron is working (start with something simpler first). You didn't say whether you have tons of other stuff working with cron(I am assuming you do). I still would be a lot happier with either a Bourne shell script (run with either bash or ksh). What I suspect is one of the environment variables that are there in interactive mode are not there in cron. Most notably something that should be specified with the "--homedir ..." option. HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From andza at ikp.liu.se Tue Feb 7 08:09:53 2006 From: andza at ikp.liu.se (Anders Zachrison) Date: Tue Feb 7 09:18:10 2006 Subject: gpg on cron task In-Reply-To: References: <20060204165030.66836.qmail@smasher.org> Message-ID: <20060207070953.GA13239@ikp.liu.se> * enediel gonzalez [060206 16:57]: > #!/bin/bash > cd /tmp/backup && /bin/echo apassword | /usr/bin/gpg -se --passphrase-fd 0 > --logger-fd 1 -r enediel@hotmail.com /tmp/backup/backup20060206100521 >> > /tmp/debug3.txt > Executing it from a cron task I obtained in /tmp/debug3.txt the following > line > gpg: cannot open `/dev/tty': No such device or address As you are going to run gpg from a cron job, ie without any associated tty, have you checked `man gpg`? Especially the options '--batch' and '--no-tty'? You're running gpg as a batch job and from cron, ie no tty available. GPG can in some occasions still print warnings to the tty even though --batch is used as on option. /Anders -- All theoretical chemistry is really physics; and all theoretical chemists know it. -- Richard P. Feynman -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060207/9dbb180a/attachment.pgp From iz0ayv at yahoo.com Wed Feb 1 22:54:42 2006 From: iz0ayv at yahoo.com (Gabriele Alberti) Date: Tue Feb 7 13:34:25 2006 Subject: Password length paranoia Message-ID: <20060201215443.85381.qmail@web50815.mail.yahoo.com> Hello, I am not a crypto expert; i have this paranoia since some time though.. If i use _symmetric_ cyphers (lets say a 256 bit) how long my password has to be? Keeping in mind my password can be composed with all 95 writeable ascii chars, using for example a 15 chars password gives me a "password space" of 95^15, that is 463291230159753366058349609375 passwords..*much* smaller than the 256 bit keyspace (2^256, 115792089237316195423570985008687907853269984665640564039457584007913129639936 keys). With such password, is not easy to bruteforce the password rather than the actual key? To get a bigger password space, such as it is more convenient to attack the key against the password, i computed 95^39, that is 135275954279056171880020500846747996912046843238165820366702973842620849609375, a value just above the 256 bit keyspace..should i really use a 39 chars password to be safe or i am missing something? Thanks in advance, Gabriel ___________________________________ Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB http://mail.yahoo.it From holger.schuettel at googlemail.com Tue Feb 7 14:11:10 2006 From: holger.schuettel at googlemail.com (Holger Schuettel) Date: Tue Feb 7 15:14:34 2006 Subject: how can i sign a complete keyring Message-ID: <43E89C6E.3050807@googlemail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi i've many keys from a keysigning-party in my extra pubring. and now i'll sign the complete keyring. it's possible ? thanks for help please forget my horrible english :-D - -- ________________________________________________________________________________ With best regards, Holger Schuettel E-Mail: holger.schuettel@googlemail.com FAX: + 49 69 13 30 69 12 572 Homepage Gnupg: http://www.gnupg.org/ GnuPG-Key-ID: 0xC956679A http://tinyurl.com/9b4y8 Fingerprint: 96A0 B66D D1B7 620D 9C3D E5F9 8EAA B85E C956 679A Encrypted e-mail preferred. -----BEGIN PGP SIGNATURE----- Comment: With Regards Holger Schuettel Comment: Feel free and mail ! Signed and Encrypted Mail's privileged. Comment: http://www.gswot.org iEYEARECAAYFAkPonGsACgkQjqq4XslWZ5rySACfcPb1cB4I1vFMM9cPnpLKYdpy misAn2wZYKLsCShQR2qvL6U/nqOJODt4 =Bcks -----END PGP SIGNATURE----- From wk at gnupg.org Tue Feb 7 15:22:25 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Feb 7 15:27:00 2006 Subject: Cross compile Error In-Reply-To: <20060119161459.8tx3kissook4kk4c@webmail.slingshot.co.nz> (Paul Blacquiere's message of "Thu, 19 Jan 2006 16:14:59 +1300") References: <20060119161459.8tx3kissook4kk4c@webmail.slingshot.co.nz> Message-ID: <87y80ni6zi.fsf@wheatstone.g10code.de> On Thu, 19 Jan 2006 16:14:59 +1300, Paul Blacquiere said: > Attempting to cross compile libgcrypt results in an error in build cipher in the > test directory, You should tell us a little bit more what you are trying to do. > Hacking the Makefile and adding -lpgp-error and -Lwhere_ever_you_have_it, fixed > it for me. There is something with your cross compile environment not in order. Obviously you need to cross-compile and install libgpg-error first and make sure that the config scripts is found. Checkout autogen.sh for hints on how to cross compiler for Windows. I am not sure whether gnupg 1.9 can be build for windows. Shalom-Salam, Werner From eocsor at gmail.com Tue Feb 7 15:43:11 2006 From: eocsor at gmail.com (Roscoe) Date: Tue Feb 7 16:10:12 2006 Subject: Password length paranoia In-Reply-To: <20060201215443.85381.qmail@web50815.mail.yahoo.com> References: <20060201215443.85381.qmail@web50815.mail.yahoo.com> Message-ID: (I know. We already have lots of threads about the net on password length). Heres my two cents, from someone who has zero security/cryptographic background (: Bruteforcing 256bit keys is on a level of hardness that pretty much renders it impossible. So I wouldn't really bother trying to make a password of similar strength. 128bit keys are still regarded as fine. Even the 112bit of 3DES, which is the only MUST have symmetric cipher in openpgp, is still fine (though not prefered for new applications). And dont forget that generating a key from the password is a lengthy operation, involving hashing thousands of times (how many in gpg?). These Iterations linearly increase the difficulty of a bruteforce attempt. So if you ask me greater than 20 random chars (95^20 > 2^128) is getting a bit excited. I vote 14-20 for a sane range for most people. (14 being people not really concerned with bruteforcing) Add to this my opinion that if someone compromised your system far enough to get your secret key, you have big issues - like them trojaning the gpg binary. (I fully advocate random strings for passwords. The reason being the more you type in any password the better you remember it, and the more annoyed you get at typing in alot of chars. It's also easier to evaluate the password strength - for the whole of this email assume I am talking about random strings (obviously composed of chars on the kb)). On 2/2/06, Gabriele Alberti wrote: > Hello, > I am not a crypto expert; i have this paranoia since some time though.. > If i use _symmetric_ cyphers (lets say a 256 bit) how long my password has to > be? > Keeping in mind my password can be composed with all 95 writeable ascii chars, > using for example a 15 chars password gives me a "password space" of 95^15, > that is 463291230159753366058349609375 passwords..*much* smaller than the 256 > bit keyspace (2^256, > 115792089237316195423570985008687907853269984665640564039457584007913129639936 > keys). With such password, is not easy to bruteforce the password rather than > the actual key? To get a bigger password space, such as it is more convenient > to attack the key against the password, i computed 95^39, that is > 135275954279056171880020500846747996912046843238165820366702973842620849609375, > a value just above the 256 bit keyspace..should i really use a 39 chars > password to be safe or i am missing something? > > Thanks in advance, > > Gabriel > > > > > > > > ___________________________________ > Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB > http://mail.yahoo.it > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From oskar at rbgi.net Tue Feb 7 16:34:12 2006 From: oskar at rbgi.net (Oskar L.) Date: Tue Feb 7 19:18:17 2006 Subject: Password length paranoia In-Reply-To: <20060201215443.85381.qmail@web50815.mail.yahoo.com> References: <20060201215443.85381.qmail@web50815.mail.yahoo.com> Message-ID: <1837.213.169.28.144.1139326452.squirrel@mail.rbgi.net> "Gabriele Alberti" wrote: > Keeping in mind my password can be composed with all 95 writeable ascii > chars, > using for example a 15 chars password gives me a "password space" of > 95^15, > that is 463291230159753366058349609375 passwords..*much* smaller than the > 256 > bit keyspace (2^256, This is of course only true if the attacker knows it is exactly 15 characters long. If not, then it should be calculated like this: 95^1 + 95^2 + 95^3 + ... + 95^15. Oskar From mlisten at hammernoch.net Tue Feb 7 20:14:29 2006 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Tue Feb 7 21:14:03 2006 Subject: Password length paranoia In-Reply-To: <1837.213.169.28.144.1139326452.squirrel@mail.rbgi.net> References: <20060201215443.85381.qmail@web50815.mail.yahoo.com> <1837.213.169.28.144.1139326452.squirrel@mail.rbgi.net> Message-ID: <43E8F195.7080100@hammernoch.net> Hi, On 07.02.2006 20:05 Uhr, Oskar L. wrote: > This is of course only true if the attacker knows it is exactly 15 > characters long. If not, then it should be calculated like this: 95^1 + > 95^2 + 95^3 + ... + 95^15. Right, this gives exactly 95^16 - 1. This is not a dramatic improvement compared to 2^256. Ludwig From linux at codehelp.co.uk Tue Feb 7 22:45:46 2006 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Feb 7 22:45:14 2006 Subject: how can i sign a complete keyring In-Reply-To: <43E89C6E.3050807@googlemail.com> References: <43E89C6E.3050807@googlemail.com> Message-ID: <200602072145.49893.linux@codehelp.co.uk> On Tuesday 07 February 2006 1:11 pm, Holger Schuettel wrote: > Hi > i've many keys from a keysigning-party in my extra pubring. and now > i'll sign the complete keyring. it's possible ? There are keysigning tools that can do this - in association with something like gpg-agent that caches your passphrase for a few seconds. If you're using Debian, there are tools you can use: http://packages.debian.org/unstable/misc/signing-party http://pgp-tools.alioth.debian.org/ Including: caff -- CA - fire and forget caff is a script that helps you in keysigning. It takes a list of keyids on the command line, fetches them from a keyserver and calls GnuPG so that you can sign it. It then mails each key to all its email addresses - only including the one UID that we send to in each mail. (Note, it's better to retrieve the keys from a keyserver immediately prior to signing rather than to use a local (stale) keyring - just in case someone has revoked their key between the event and the signing.) -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060207/fc936791/attachment.pgp From roam at ringlet.net Tue Feb 7 21:32:02 2006 From: roam at ringlet.net (Peter Pentchev) Date: Tue Feb 7 23:48:05 2006 Subject: Password length paranoia In-Reply-To: <43E8F195.7080100@hammernoch.net> References: <20060201215443.85381.qmail@web50815.mail.yahoo.com> <1837.213.169.28.144.1139326452.squirrel@mail.rbgi.net> <43E8F195.7080100@hammernoch.net> Message-ID: <20060207203202.GA771@straylight.m.ringlet.net> On Tue, Feb 07, 2006 at 08:14:29PM +0100, Ludwig H?gelsch?fer wrote: > Hi, > > On 07.02.2006 20:05 Uhr, Oskar L. wrote: > > > This is of course only true if the attacker knows it is exactly 15 > > characters long. If not, then it should be calculated like this: 95^1 + > > 95^2 + 95^3 + ... + 95^15. > > Right, this gives exactly 95^16 - 1. Errr... only for very small values of 95, I'd say ;) Namely, only if 95 equals 2... which it doesn't quite seem to :) Oh, ooookay, so it's more like (95^16 - 1^16) / (95 - 1), which is only 94 times less than your bid. But still... :) > This is not a dramatic improvement compared to 2^256. Errrrrr... what?! Straight from bc's mouth: (95^16-1)/(95-1) 468219860267835848675991626496 2^256 115792089237316195423570985008687907853269984665640564039457584007913129639936 Okay, so it might not be quite in the feasible range - I'll leave that for others to judge - but it does seem pretty dramatic to me. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If I had finished this sentence, -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20060207/9e42b614/attachment.pgp From alex at bofh.net.pl Wed Feb 8 10:43:34 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Feb 8 13:48:08 2006 Subject: gpg on cron task In-Reply-To: <20060204051350.70916.qmail@smasher.org> References: <20060204051350.70916.qmail@smasher.org> Message-ID: <20060208094334.GK6674@hell.pl> On Sat, Feb 04, 2006 at 12:13:45AM -0500, Atom Smasher wrote: > On Sat, 4 Feb 2006, enediel gonzalez wrote: > > > =============== > > why are you using php for a cron job? many people deploy PHP cron scripts because thats the only language they know (which is probably the case) on one of such occassions I've been asked if cron jobs are allowed to run longer than 30 seconds (standard Apache subprocess time limit) sigh a. From wk at gnupg.org Thu Feb 9 13:14:14 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 9 13:17:01 2006 Subject: Random seed for symetric encryption In-Reply-To: <87k6cxlwyy.fsf@nokile.rath.org> (Nikolaus Rath's message of "Wed, 18 Jan 2006 10:13:57 +0100") References: <19D178EC.402BEE66.0307202B@netscape.net> <8764ojb4vp.fsf@nokile.rath.org> <877j8z5e3r.fsf@wheatstone.g10code.de> <87k6cxlwyy.fsf@nokile.rath.org> Message-ID: <87bqxgd90p.fsf@wheatstone.g10code.de> On Wed, 18 Jan 2006 10:13:57 +0100, Nikolaus Rath said: >> The solution is to take a file lock; I don't want to do this always >> but I see your problem and may be a new option can be used to lock >> reandom-seed access. I have just implemented that. It is in the current SVN (rev 3999); if you have problems accessing or building it, I can send you a patch against 1.4.2. Shalom-Salam, Werner From vedaal at hush.com Thu Feb 9 17:43:11 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Feb 9 17:42:57 2006 Subject: password paranoia Message-ID: <20060209164314.E3BC433C5B@mailserver5.hushmail.com> Gabriele Alberti wrote on Wed Feb 1 22:54:42 CET 2006: ] i have this paranoia since some time though.. If i use _symmetric_ cyphers (lets say a 256 bit) how long my password has to be? Keeping in mind my password can be composed with all 95 writeable ascii chars, using for example a 15 chars password gives me a "password space" of 95^15, that is 463291230159753366058349609375 passwords..*much* smaller than the 256 bit keyspace (2^256, 2^256 ~= 1.1579 x 10^77 diceware ( http://world.std.com/~reinhold/diceware.html ) uses words for the passphrase and is much easier to remember (but much harder to type when you don't see the passphrase as you are typing it in ;-) ) there are 7776 diceware words, 7776^20 ~= 6.5331 x 10^77 > 2^256 so it would need 20 diceware words to get a passphrase that would be as difficult to break, as brute forcing the keyspace of the symmetrical cipher *but* in gnupg, unless you _actively_ choose otherwise, by using the option of 's2k-cipher algo twofish' or 's2k-cipher algo aes256' your secret key is, by default, encrypted with CAST5 which is only 128 bit vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From og at pre-secure.de Fri Feb 10 10:28:20 2006 From: og at pre-secure.de (Olaf Gellert) Date: Fri Feb 10 13:18:09 2006 Subject: gpg on cron task In-Reply-To: <20060207070953.GA13239@ikp.liu.se> References: <20060204165030.66836.qmail@smasher.org> <20060207070953.GA13239@ikp.liu.se> Message-ID: <43EC5CB4.4050800@pre-secure.de> Anders Zachrison wrote: > * enediel gonzalez [060206 16:57]: > >> #!/bin/bash >> cd /tmp/backup && /bin/echo apassword | /usr/bin/gpg -se --passphrase-fd 0 >> --logger-fd 1 -r enediel@hotmail.com /tmp/backup/backup20060206100521 >> >> /tmp/debug3.txt You should be aware that any user on the system who can run "ps" might see the password while your commands are running... >> Executing it from a cron task I obtained in /tmp/debug3.txt the following >> line >> gpg: cannot open `/dev/tty': No such device or address > > As you are going to run gpg from a cron job, ie without any associated > tty, have you checked `man gpg`? Especially the options '--batch' and > '--no-tty'? > > You're running gpg as a batch job and from cron, ie no tty available. > GPG can in some occasions still print warnings to the tty even though > --batch is used as on option. And even when "--no-tty" and "--batch" are given on the commandline, GPG may ask questions, if I remember correctly. For encrpytion it should work anyway, without questions. Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From geo at dod9.net Fri Feb 10 15:01:29 2006 From: geo at dod9.net (Geo (DoD9)) Date: Sat Feb 11 03:18:11 2006 Subject: Bad key - decrypting armoured symmetric message Message-ID: <43EC9CB9.2080105@dod9.net> GPG does not decrypt my armoured symmetric messages from STDIN it gives 'Bad key' error, but it decrypts the same message if supplied from a file, is there a problem here or a reason why I cannot input an armoured symmetric message on the STDIN and provide a password and get back cleartext? It seems the erronous scenario does not have the extra :compressed packet and :literal data packet log messages, what significance this is I am not sure, any help would be appreciated. See below for example (the passphrase is 'a' and the message 'Hello!'): gpg (GnuPG) 1.4.2 Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 C:\data\work\docs>gpg -vvac gpg: using cipher CAST5 gpg: writing to stdout Hello! ^Z -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.2 (MingW32) jA0EAwMCEBfNHm+FYa9gyR4qiZadhiuMYirc+ZtnmjrCx46gWBfcD3bWYl8cE+s= =G4bz -----END PGP MESSAGE----- -NOTE I NOW COPY PGP MESSAGE INTO c.txt (through notepad) C:\data\work\docs>gpg -vva gpg: Go ahead and type your message ... -----BEGIN PGP MESSAGE----- gpg: armor: BEGIN PGP MESSAGE Version: GnuPG v1.4.2 (MingW32) gpg: armor header: Version: GnuPG v1.4.2 (MingW32) jA0EAwMCEBfNHm+FYa9gyR4qiZadhiuMYirc+ZtnmjrCx46gWBfcD3bWYl8cE+s= =G4bz :symkey enc packet: version 4, cipher 3, s2k 3, hash 2 salt 1017cd1e6f8561af, count 96 gpg: CAST5 encrypted data :encrypted data packet: length: 30 gpg: encrypted with 1 passphrase gpg: decryption failed: bad key C:\data\work\docs>gpg -vva -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 reflum, > GPG does not decrypt my armoured symmetric messages from STDIN it gives > 'Bad key' error, but it decrypts the same message if supplied from a > file, is there a problem here or a reason why I cannot input an armoured > symmetric message on the STDIN and provide a password and get back > cleartext? > > It seems the erronous scenario does not have the extra :compressed > packet and :literal data packet log messages, what significance this is > I am not sure, any help would be appreciated. > > See below for example (the passphrase is 'a' and the message 'Hello!'): > > -----BEGIN PGP MESSAGE----- > [...] > -----END PGP MESSAGE----- > > C:\data\work\docs>gpg -vva $ gpg -vva gpg: Go ahead and type your message ... - -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.2 (MingW32) jA0EAwMCEBfNHm+FYa9gyR4qiZadhiuMYirc+ZtnmjrCx46gWBfcD3bWYl8cE+s= =G4bz - -----END PGP MESSAGE----- gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: GnuPG v1.4.2 (MingW32) :symkey enc packet: version 4, cipher 3, s2k 3, hash 2 salt 1017cd1e6f8561af, count 96 gpg: CAST5 encrypted data :encrypted data packet: length: 30 :compressed packet: algo=1 :literal data packet: mode b, created 1139537370, name="", raw data: 8 bytes gpg: original file name='' Hello! gpg: decryption okay gpg: WARNING: message was not integrity protected for me it works perfect. I think maybe is this a bug(?) depending on window$. Windows have no TTY mengment like UNIX and gpg maybe can not handle the pgp messege and the passphrase on the same filehandle under window$. It tryed out your example on many of my systems an I _allways_ got what I posted above. - --- Philipp. (Rah of PH2) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (NetBSD) iD8DBQFD7dJlMjUtRWf3gmQRAm1eAJ4kJSGRgFA9hrDPD5NhWreL/fNGpgCeOYkG iQbgMYMUksUHFKc3yKiJqjQ= =hXpB -----END PGP SIGNATURE----- From wk at gnupg.org Sat Feb 11 20:16:41 2006 From: wk at gnupg.org (Werner Koch) Date: Sat Feb 11 20:22:15 2006 Subject: gpg on cron task In-Reply-To: <43EC5CB4.4050800@pre-secure.de> (Olaf Gellert's message of "Fri, 10 Feb 2006 10:28:20 +0100") References: <20060204165030.66836.qmail@smasher.org> <20060207070953.GA13239@ikp.liu.se> <43EC5CB4.4050800@pre-secure.de> Message-ID: <87oe1dk8o6.fsf@wheatstone.g10code.de> On Fri, 10 Feb 2006 10:28:20 +0100, Olaf Gellert said: > And even when "--no-tty" and "--batch" are given on the > commandline, GPG may ask questions, if I remember correctly. No, there shall be no interactive input with --batch. If you noticed such a case, it is a bug and should be reported. Salam-Shalom, Werner From wk at gnupg.org Sun Feb 12 12:18:32 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Feb 12 12:22:15 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: (Georg C. F. Greve's message of "Sun, 12 Feb 2006 12:05:24 +0100") References: Message-ID: <87oe1cj053.fsf@wheatstone.g10code.de> Hi, just let me add that there are still a couple of problems with removing and re-inserting a card. I am working on this but a final solution will need a few more days of wall time. Shalom-Salam, Werner From unknown_kev_cat at hotmail.com Sun Feb 12 18:16:29 2006 From: unknown_kev_cat at hotmail.com (Joe Smith) Date: Sun Feb 12 18:16:48 2006 Subject: only decrypting signed files? References: <1137424787.43cbb993d585d@webmail.tiscali-business.at> <87fynl26fc.fsf@wheatstone.g10code.de> Message-ID: "Werner Koch" wrote: > On Mon, 16 Jan 2006 16:19:47 +0100, websites said: > >> Is it possible to tell gpg to only decrypt signed files? > > --skip-verify I parsed that question as the same as the last one, namely decrypt the file if it is signed, don't if it is not. You apparently read it as: decrypt the files, rather than the normal function of decrypt and verify. The poster could have made my interpretation clearer by transposing 'only' and 'decrypt'. From kcollins at klcollins.org Sun Feb 12 17:33:10 2006 From: kcollins at klcollins.org (Kevin L. Collins) Date: Sun Feb 12 19:18:05 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 Message-ID: <43EF6346.8030001@klcollins.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Due to reasons that I do not wish to go into, I've been forced to move from Linux to Windows. I've made the translation with one exception...encryption. Following a Mozilla guide, I tried to move my gpg keyrings to the CLI of gpg for windows. This was done so that I could get Thunderbird signing and encrypting my e-mails. Apparently my secret key mae in just fine, as I can at least sign outgoing e-mails. But my public keyring is hosed. Here's what I get when I run 'gpg --list-keys': gpg: checking the trustdb gpg: mpi larger than indicated length (2 bytes) gpg: keyring_get_keyblock: read error: invalid packet gpg: keyring_get_keyblock failed: invalid keyring gpg: failed to rebuild keyring cache: invalid keyring gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: mpi larger than indicated length (2 bytes) gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring gpg: validate_key_list failed C:/Documents and Settings/kcollins/Application Data/gnupg\pubring.gpg - --------------------------------------------------------------------- pub 1024D/12BFE79A 2003-07-23 [expires: 2006-10-01] uid Kevin L. Collins (General Purpose Key) uid Kevin L. Collins (Home E-Mail) uid Kevin L. Collins (Home Address) uid Kevin L. Collins (Laptop E-Mail) uid Kevin L. Collins (General Purpose Key) uid Kevin L. Collins (Laptop E-Mail) uid Kevin L. Collins (Work Address) sub 1024g/36DBE858 2003-07-23 pub 1024D/9992ADFC 2001-05-30 uid Jeff McAdams (General purpose key) uid Jeff McAdams uid Jeff McAdams sub 2048g/83F16B78 2001-05-30 gpg: mpi larger than indicated length (2 bytes) gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring My public ring has nearly a hundred other keys that I have trusted and signed. The kicker is that both the private and public keys work fine on my Linux machines. So my question is how can I move my keys so that they work fine on Windows? - -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD72NGBJfVkRK/55oRAv3fAJ9aobtqUgqNtJKkR0+chzHEh2W6XwCggsec UBALxeLaZa4Od9Gd5OxwF/w= =NMFd -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sun Feb 12 19:49:06 2006 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Feb 12 19:49:06 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 In-Reply-To: <43EF6346.8030001@klcollins.org> References: <43EF6346.8030001@klcollins.org> Message-ID: <200602121849.10225.linux@codehelp.co.uk> On Sunday 12 February 2006 4:33 pm, Kevin L. Collins wrote: > Apparently my secret key mae in just fine, That's all that really matters. > My public ring has nearly a hundred other keys that I have trusted and > signed. If you've still got a working GNU/Linux system, you can retrieve the list of keys, if not just get them from a keyserver. All your signatures should be on the keyserver. (Unless you're using lots of local signatures). The important point is the ownertrust which is not stored within the public keyring - so once the keys are imported from a keyserver, you may still have a usable ownertrust database. > The kicker is that both the private and public keys work fine on my > Linux machines. > > So my question is how can I move my keys so that they work fine on Windows? Get the keys themselves from keyservers. (Always better than stale keys from a keyring file). Copy the ownertrust or just re-run gpg --update-trustdb. It doesn't take too long for gpg to calculate who you can trust from your signatures and show you which keys you need to update. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060212/d9aa70d2/attachment.pgp From kcollins at klcollins.org Sun Feb 12 22:45:44 2006 From: kcollins at klcollins.org (Kevin L. Collins) Date: Sun Feb 12 22:45:53 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 In-Reply-To: <200602121849.10225.linux@codehelp.co.uk> References: <43EF6346.8030001@klcollins.org> <200602121849.10225.linux@codehelp.co.uk> Message-ID: <43EFAC88.7070107@klcollins.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2/12/2006 1:49 PM Neil Williams wrote: >> So my question is how can I move my keys so that they work fine on Windows? > > Get the keys themselves from keyservers. (Always better than stale keys from a > keyring file). > > Copy the ownertrust or just re-run gpg --update-trustdb. It doesn't take too > long for gpg to calculate who you can trust from your signatures and show you > which keys you need to update. As it turns out, there was _one_ bad key in my keyring. I was able to successfully pull the remaining keys from the keyservers. I recreated the trustdb with no problems. Thanks for all the help, I think I'm back in business now. - -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD76yIBJfVkRK/55oRAratAJ9KgOSORD61fz0PjrDUAe4qXXGu0QCfUX+Q JyNSMVRL7KrMgSIH5Kc8jHA= =9Gwz -----END PGP SIGNATURE----- From felix.klee at inka.de Sun Feb 12 20:55:19 2006 From: felix.klee at inka.de (Felix E. Klee) Date: Sun Feb 12 22:48:04 2006 Subject: gpg: OpenPGP card not available: Assuan server fault Message-ID: <87ek28wdw8.wl%felix.klee@inka.de> Today, I tried out GnuPG 1.9.21 (from CVS) and GnuPG 1.9.20, in order to access OpenPGP cards with my SPR532 card reader, but without success - see below. Any idea what I may be doing wrong? I tried it out with two different cards, at least one of which is yet unused. As I'm at it, a minor complaint: In order to get the gpg2 binary, I had to do: gnupg-1.9.20/g10# make gnupg-1.9.20/g10# make install It was not sufficient to do: gnupg-1.9.20# make gnupg-1.9.20# make install AFAICS, the above additional step is not documented anywhere. Details: * Messages with 1.9.20: # gpgsm --learn-card gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! gpgsm: can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory scdaemon[13949]: NOTE: this is a development version! scdaemon[13949]: reading public key failed: Missing item in object scdaemon[13949]: reading public key failed: Missing item in object scdaemon[13949]: reading public key failed: Missing item in object gpg-agent[13948]: card has S/N: D2760001240101010001000005B60000 # scdaemon[13949]: scdaemon (GnuPG) 1.9.20 stopped # gpg2 --card-edit gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: WARNING: This version of gpg is not very matured and gpg: WARNING: only intended for testing. Please keep using gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP gpg: DBG: connection to agent established scdaemon[13961]: NOTE: this is a development version! scdaemon[13961]: reading public key failed: Missing item in object scdaemon[13961]: reading public key failed: Missing item in object scdaemon[13961]: reading public key failed: Missing item in object gpg-agent[13960]: card has S/N: D2760001240101010001000005B60000 Application ID ...: D2760001240101010001000005B60000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000005B6 Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] Command> scdaemon[13961]: updating status of slot 0 to 0x0007 scdaemon[13961]: client pid is 13960, sending signal 12 scdaemon[13961]: scdaemon (GnuPG) 1.9.20 stopped gpg: OpenPGP card not available: Assuan server fault * Messages with 1.9.21 from CVS: # gpgsm --learn-card gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! gpgsm: can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory scdaemon[15326]: NOTE: this is a development version! scdaemon[15326]: reading public key failed: Missing item in object scdaemon[15326]: reading public key failed: Missing item in object scdaemon[15326]: reading public key failed: Missing item in object gpg-agent[15325]: card has S/N: D2760001240101010001000005B60000 # scdaemon[15326]: scdaemon (GnuPG) 1.9.21-cvs3973 stopped # gpg2 --card-edit gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: WARNING: This version of gpg is not very matured and gpg: WARNING: only intended for testing. Please keep using gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP gpg: DBG: connection to agent established scdaemon[15355]: NOTE: this is a development version! scdaemon[15355]: reading public key failed: Missing item in object scdaemon[15355]: reading public key failed: Missing item in object scdaemon[15355]: reading public key failed: Missing item in object gpg-agent[15354]: card has S/N: D2760001240101010001000005B60000 Application ID ...: D2760001240101010001000005B60000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000005B6 Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] Command> scdaemon[15355]: updating status of slot 0 to 0x0007 scdaemon[15355]: client pid is 15354, sending signal 12 scdaemon[15355]: scdaemon (GnuPG) 1.9.21-cvs3973 stopped gpg: OpenPGP card not available: Assuan server fault * Auxiliary packages: libgpg-error 1.1 libgcrypt 1.2.2 libassuan 0.6.10 libksba 0.9.13 pth 2.0.6 -- Felix E. Klee From schiessle at fsfe.org Sun Feb 12 23:33:22 2006 From: schiessle at fsfe.org (Bjoern Schiessle) Date: Mon Feb 13 00:48:03 2006 Subject: gnupg cryptocard and cardman4040 Message-ID: <1139783602.4994.15.camel@localhost.localdomain> Hello, i have some problems with my gnupg cryptocard and pcmcia cardman4040. Currently i'm using gnupg 1.4.2, but patched with the new driver for my pcmcia card[0]. So i think the gnupg version should be ok for my needs. If i try to decrypt a file without inserting the cryptocard i get a message to insert the card. But after i have insert the card and proceed i got this message: $ gpg -d foo.gpg gpg: anonymous recipient; trying secret key BD609BA5 ... gpg: apdu_send_simple(0) failed: no card Please insert the card and hit return or enter 'c' to cancel: gpg: pcsc_connect failed: unknown reader (0x80100009) gpg: card reader not available *** glibc detected *** corrupted double-linked list: 0xb7e9b938 *** Aborted $ As far as i know this occurs because pcscd is running. So i have stopped the service and tried it again. Without pcsd i get this message after i have insert the card: $ gpg -d foo.gpg gpg: anonymous recipient; trying secret key BD609BA5 ... gpg: apdu_send_simple(0) failed: no card Please insert the card and hit return or enter 'c' to cancel: gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card reader not available gpg: anonymous recipient; trying secret key CDBCD48F ... gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card reader not available gpg: anonymous recipient; trying secret key C6109924 ... gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card reader not available gpg: encrypted with ELG-E key, ID 00000000 gpg: encrypted with RSA key, ID 00000000 gpg: decryption failed: secret key not available $ Everything stops before i get a chance to insert the PIN. If i insert the card before trying to encrypt the file i can insert at least my PIN but also than i can't decrypt the file: $ gpg -d kernel2.6.15.cardreader.gpg gpg: anonymous recipient; trying secret key BD609BA5 ... gpg: anonymous recipient; trying secret key CDBCD48F ... gpg: anonymous recipient; trying secret key C6109924 ... PIN gpg: okay, we are the anonymous recipient. gpg: encrypted with ELG-E key, ID 00000000 gpg: encrypted with RSA key, ID 00000000 Feb 11 21:23:12 localhost udevd[1028]: udevd.c: udevd event message received Feb 11 21:23:12 localhost udevd[1028]: udevd.c: seq 1011 queued, devpath '/devices/pci0000:00/0000:00:1e.0/0000:02:00.1/1.0' Feb 11 21:23:12 localhost udevd[1028]: udevd.c: seq 1011 forked, pid 4699, 0 seconds old Feb 11 21:23:12 localhost cardmgr[4036]: unsupported card in socket 1 Feb 11 21:23:12 localhost udevd[1028]: udevd.c: seq 1011 exit, 0 seconds old Feb 11 21:23:12 localhost cardmgr[4036]: product info: "OMNIKEY", "CardMan 4040" Feb 11 21:23:12 localhost cardmgr[4036]: manfid: 0x0223, 0x0200 $ What's going wrong? Any hints? Thanks! Bjoern [0] https://www.fsfe.org/en/fellows/greve/files/gnupg_1_4_2_4_i386_deb From jharris at widomaker.com Mon Feb 13 03:10:44 2006 From: jharris at widomaker.com (Jason Harris) Date: Mon Feb 13 03:10:31 2006 Subject: new (2006-02-05) keyanalyze results (+sigcheck) Message-ID: <20060213021043.GA1164@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2006-02-05/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: aee4a9ee330d67620a767524ee877169b2db4fa8 13301622 preprocess.keys a75eb37f6632261d5b2bc568f875661b78cd7332 8029212 othersets.txt ca406e46c30963610153f6c59ddcfc78b9949c68 3280864 msd-sorted.txt a751f9d5477744a4f5e5ce6ebad6a60908e317ee 1372 index.html 09fa393c97c6bcdc4516a26d9a3eaeec2707ec1e 2291 keyring_stats ddb297fda28ba11bc5a9c34b8db7b472eaf6a90e 1289412 msd-sorted.txt.bz2 9a4795a5afa2baa4113761c255c2f462f1784384 26 other.txt 4083566541ae1d193e38f1677158e98762dca25f 1736245 othersets.txt.bz2 0a01d654afe6686d6b2ca815942977a971632d0a 5393173 preprocess.keys.bz2 bad7310fd22e757989f31db85c0a448e9fa6c380 13497 status.txt 5b76af12f29a42b2c37600d3302f2ca6f045beb0 209913 top1000table.html fab0c3335f83206022071e4482de5070bf8dd464 29975 top1000table.html.gz 71fa5ae45b87e106e6d9de00f5312d2c005d485f 10771 top50table.html 007a8942805745092c82693fb77682f470d5599e 2494 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20060212/8a5dfd5f/attachment.pgp From JPClizbe at comcast.net Mon Feb 13 03:20:22 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Feb 13 03:23:47 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 In-Reply-To: <43EF6346.8030001@klcollins.org> References: <43EF6346.8030001@klcollins.org> Message-ID: <43EFECE6.2060604@comcast.net> Kevin L. Collins wrote: > Due to reasons that I do not wish to go into, I've been forced to move > from Linux to Windows. I've made the translation with one > exception...encryption. > > Following a Mozilla guide, I tried to move my gpg keyrings to the CLI of > gpg for windows. This was done so that I could get Thunderbird signing > and encrypting my e-mails. > > Apparently my secret key mae in just fine, as I can at least sign > outgoing e-mails. But my public keyring is hosed. Here's what I get > when I run 'gpg --list-keys': > > gpg: mpi larger than indicated length (2 bytes) > gpg: keyring_get_keyblock: read error: invalid packet > gpg: keydb_get_keyblock failed: invalid keyring > > My public ring has nearly a hundred other keys that I have trusted and > signed. > > The kicker is that both the private and public keys work fine on my > Linux machines. > > So my question is how can I move my keys so that they work fine on Windows? There was some amount of trouble with zero-length MPI packets when 1.4.2 was introduced. So long as you have all the *.gpg files from your Linux box, you should be OK (just keep a pristine backup copy close). You may wish to try either GnuPG 1.4.1 or 1.4.3-cvs. When I had this problem, I found the error didn't occur in 1.4.1. It is supposed to be fixed in 1.4.3. I found that by alternating versions, I was able to clean my keyring so that it would work with 1.4.2. Copy/rename the GnuPG directory under \Program Files\Gnu to GnuPG-1.4.2 and try the 1.4.1 build. Try --list-keys with 1.4.1. If it work OK, you can use both versions to identify/remove the troublesome keys. Write me off-list for more details or if you wish to try a 1.4.3-cvs build. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 671 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060212/3d17cb3b/signature.pgp From greve at fsfeurope.org Sun Feb 12 12:05:24 2006 From: greve at fsfeurope.org (Georg C. F. Greve) Date: Mon Feb 13 10:40:37 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader Message-ID: Hi all, this is more a "fyi notice" than anything else: Thanks to the efforts of Werner Koch, Harald Welte, Nils F?rber and myself, last week I finally managed to solve two major problems for my personal use of smart cards / OpenPGP crypto cards, such as the Fellowship crypto card [1], that might be bothering others as well. * 100% Free Software PCMCIA smart card reader Problem one was to find a PCMCIA smart card reader that could be used under GNU/Linux with 100% Free Software. Most PCMCIA readers under GNU/Linux seem to use proprietary libraries, which is unacceptable. From a security viewpoint, I also consider it self-defeating: Obviously the security of the system is only as strong as the security of the non-freelayer and all its maintaining infrastructure at the producing company, which the user has no control over. Thanks to Werner, Harald and Nils, it is now possible to use the Omnikey CardMan 4040 exclusively with Free Software under GNU/Linux. You will find more information here: http://www.fsfe.org/fellows/greve/freedom_bits/fellowship_crypto_card_the_cool_way * Remote SSH logins with crypto card authentication Problem two was to do remote logins via SSH with authentication through the smart card. There was a problem with the gpg-agent that did not do PIN caching, and thus was somewhat annoying to use in real life. Werner just addressed this problem, and now it works rather flawlessly. The gpg-agent replaces the ssh-agent for authentication, and it is possible to do remote securely authenticated OpenSSH logins. You can find information here: http://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_with_the_fellowship_crypto_card So I hope this will help others with similar problems to solve them. If anyone feels like playing with it, adding to it, making it easier to use, or GUIfying it, that would be great. It would be good to see the technology improve and spread. Also, if people were to join the Fellowship (and such contribute to the work of FSFE) in order to have play with the cards and find more applications of it that are both fun and useful, that would be great. Regards, Georg [1] http://www.fsfe.org/card/ -- Georg C. F. Greve Free Software Foundation Europe (http://fsfeurope.org) Join the Fellowship and protect your freedom! (http://www.fsfe.org) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 306 bytes Desc: not available Url : /pipermail/attachments/20060212/e3ce298f/attachment.pgp From tmz at pobox.com Sun Feb 12 20:19:19 2006 From: tmz at pobox.com (Todd Zullinger) Date: Mon Feb 13 10:40:41 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 In-Reply-To: <43EF6346.8030001@klcollins.org> References: <43EF6346.8030001@klcollins.org> Message-ID: <20060212191919.GE3026@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin L. Collins wrote: > Following a Mozilla guide, I tried to move my gpg keyrings to the > CLI of gpg for windows. This was done so that I could get > Thunderbird signing and encrypting my e-mails. > > Apparently my secret key mae in just fine, as I can at least sign > outgoing e-mails. But my public keyring is hosed. Here's what I > get when I run 'gpg --list-keys': Any pointers as to what Mozilla guide and how it instructed you to move the keyrings? Maybe that'd make it easier for someone to spot why your pubring didn't get imported properly. Here's how I'd try this (not tested since I'm fortunate enough to not have a windows box handy): # export gpg --export > public-keys.gpg gpg --export-secret-keys > secret-keys.gpg gpg --export-ownertrust > ownertrust.gpg # import gpg --import public-keys.gpg secret-keys.gpg gpg --import-ownertrust ownertrust.gpg - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkPvijYmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1pDqQCgjb/fqmA7vnKEHuoHwwcFKqmtozoAn36KAbQ/ 9s0i1CXFSnPVo/lesE+p =12Hu -----END PGP SIGNATURE----- From greve at fsfeurope.org Mon Feb 13 10:15:08 2006 From: greve at fsfeurope.org (Georg C. F. Greve) Date: Mon Feb 13 10:40:46 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <87oe1cj053.fsf@wheatstone.g10code.de> (Werner Koch's message of "Sun, 12 Feb 2006 12:18:32 +0100") References: <87oe1cj053.fsf@wheatstone.g10code.de> Message-ID: Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 306 bytes Desc: not available Url : /pipermail/attachments/20060213/0f1d4630/attachment.pgp From wk at gnupg.org Mon Feb 13 12:13:52 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Feb 13 12:17:17 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: (Georg C. F. Greve's message of "Mon, 13 Feb 2006 10:15:08 +0100") References: <87oe1cj053.fsf@wheatstone.g10code.de> Message-ID: <87k6bzfr4f.fsf@wheatstone.g10code.de> On Mon, 13 Feb 2006 10:15:08 +0100, Georg C F Greve said: > Having a wildcard like "ALL" or "*" for CLEAR_PASSPHRASE might be > good for scripting. kill -HUP $(echo $GPG_AGENT_INFO | awk -F: '{print $2}') or just pkill gpg-agent flushed the passphrase cache Shalom-Salam, Werner From alon.barlev at gmail.com Mon Feb 13 12:04:24 2006 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Feb 13 14:17:58 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: References: Message-ID: <43F067B8.4080504@gmail.com> Georg C. F. Greve wrote: > * Remote SSH logins with crypto card authentication > > Problem two was to do remote logins via SSH with authentication > through the smart card. There was a problem with the gpg-agent that > did not do PIN caching, and thus was somewhat annoying to use in real > life. Werner just addressed this problem, and now it works rather > flawlessly. > > The gpg-agent replaces the ssh-agent for authentication, and it is > possible to do remote securely authenticated OpenSSH logins. You can > find information here: > > http://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_with_the_fellowship_crypto_card > Are you aware of the PKCS#11 for OpenSSH solution (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113977188917865&w=2)? PKCS#11 is a standard interface to access cryptographic tokens, the OpenSSH patch support the use of any PKCS#11 provider with OpenSSH. I just hope that someday OpenPGP card will also have PKCS#11 provider, so it can be used by other applications, and the other way around... gpg will use PKCS#11 providers in order to support many card types. Best Regards, Alon Bar-Lev. From wk at gnupg.org Mon Feb 13 14:38:48 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Feb 13 14:42:05 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <43F067B8.4080504@gmail.com> (Alon Bar-Lev's message of "Mon, 13 Feb 2006 13:04:24 +0200") References: <43F067B8.4080504@gmail.com> Message-ID: <87k6bze5uf.fsf@wheatstone.g10code.de> On Mon, 13 Feb 2006 13:04:24 +0200, Alon Bar-Lev said: > Are you aware of the PKCS#11 for OpenSSH solution > (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113977188917865&w=2)? Well, I know. However you know my point of view: pkcs#11 is a "standard" too complex to implement correctly and even with a lot of important things left out. It is only required (and that complex) to let one proprietary software speak to another proprietary one. Things can be much easier with FS. Why support proprietary stuff? > I just hope that someday OpenPGP card will also have PKCS#11 > provider, so it can be used by other applications, and the Please write one; gpg-agent provides all you need to do that. It may actually be useful for use with Mozilla.. > other way around... gpg will use PKCS#11 providers in order > to support many card types. No, we won't do that. Shalom-Salam, Werner From wk at gnupg.org Mon Feb 13 14:41:43 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Feb 13 14:47:04 2006 Subject: only decrypting signed files? In-Reply-To: (Joe Smith's message of "Sun, 12 Feb 2006 12:16:29 -0500") References: <1137424787.43cbb993d585d@webmail.tiscali-business.at> <87fynl26fc.fsf@wheatstone.g10code.de> Message-ID: <87fymne5pk.fsf@wheatstone.g10code.de> On Sun, 12 Feb 2006 12:16:29 -0500, Joe Smith said: > I parsed that question as the same as the last one, namely decrypt the file > if it is signed, don't if it is not. For standard use of OpenPGP you won't know wether an encrypted message is signed unless you decrypt it first. Salam-Shalom, Werner From wk at gnupg.org Mon Feb 13 14:47:51 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Feb 13 14:52:07 2006 Subject: gpg: OpenPGP card not available: Assuan server fault In-Reply-To: <87ek28wdw8.wl%felix.klee@inka.de> (Felix E. Klee's message of "Sun, 12 Feb 2006 20:55:19 +0100") References: <87ek28wdw8.wl%felix.klee@inka.de> Message-ID: <87bqxbe5fc.fsf@wheatstone.g10code.de> On Sun, 12 Feb 2006 20:55:19 +0100, Felix E Klee said: > As I'm at it, a minor complaint: In order to get the gpg2 binary, I had > to do: You shall not build gpg2. Configure does not enable this option for a reason. Use gpg 1.4.2 (or the cvs version) for OpenPGP. This is stated at several places. > Details: > * Messages with 1.9.20: > gpgsm: can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory Your agent is not running, better install it first. > scdaemon[13949]: NOTE: this is a development version! > scdaemon[13949]: reading public key failed: Missing item in object Well, gpgsm does not yet support the OpenPGP card. > # gpg2 --card-edit Don't use gpg2 - use gpg! > gpg: WARNING: This version of gpg is not very matured and > gpg: WARNING: only intended for testing. Please keep using > gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP Is this warning still not clear enough? How should I rephrase it? Shalom-Salam, Werner From wk at gnupg.org Mon Feb 13 14:51:47 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Feb 13 14:57:06 2006 Subject: gnupg cryptocard and cardman4040 In-Reply-To: <1139783602.4994.15.camel@localhost.localdomain> (Bjoern Schiessle's message of "Sun, 12 Feb 2006 23:33:22 +0100") References: <1139783602.4994.15.camel@localhost.localdomain> Message-ID: <877j7ze58s.fsf@wheatstone.g10code.de> On Sun, 12 Feb 2006 23:33:22 +0100, Bjoern Schiessle said: > Please insert the card and hit return or enter 'c' to cancel: > gpg: pcsc_connect failed: unknown reader (0x80100009) Stop pcscd and make sure that gpg has been build with libusb support. Using the option --debug-ccid-driver might be helpful. > gpg: card reader not available > *** glibc detected *** corrupted double-linked list: 0xb7e9b938 *** pcsclite problem. > As far as i know this occurs because pcscd is running. So i have stopped > the service and tried it again. Without pcsd i get this message after i Good. > have insert the card: > $ gpg -d foo.gpg > gpg: anonymous recipient; trying secret key BD609BA5 ... > gpg: apdu_send_simple(0) failed: no card > Please insert the card and hit return or enter 'c' to cancel: Use --debug-ccid-driver and if this does not give any insight, strace is your friend (grep for /dev/cmx0). There are still a few problems, but they are only related to reinserting a card. Salam-Shalom, Werner From kcollins at klcollins.org Mon Feb 13 15:06:43 2006 From: kcollins at klcollins.org (Kevin L. Collins) Date: Mon Feb 13 15:06:50 2006 Subject: Migrate from gnupg/Linux to gnupg/win32 In-Reply-To: <20060212191919.GE3026@psilocybe.teonanacatl.org> References: <43EF6346.8030001@klcollins.org> <20060212191919.GE3026@psilocybe.teonanacatl.org> Message-ID: <43F09273.1070109@klcollins.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2/12/2006 2:19 PM Todd Zullinger wrote: > Kevin L. Collins wrote: >>> Following a Mozilla guide, I tried to move my gpg keyrings to the >>> CLI of gpg for windows. This was done so that I could get >>> Thunderbird signing and encrypting my e-mails. >>> >>> Apparently my secret key mae in just fine, as I can at least sign >>> outgoing e-mails. But my public keyring is hosed. Here's what I >>> get when I run 'gpg --list-keys': > > Any pointers as to what Mozilla guide and how it instructed you to > move the keyrings? Maybe that'd make it easier for someone to spot > why your pubring didn't get imported properly. For the record, the guide I followed was this one: http://enigmail.mozdev.org/gpgconf.html. I was setting up 'enigmail' for Thunderbird. I have my keys rings working now...with the exception of one key, that appears to be malformed. I'm going to contact my fried who owns that key to day and see if he has had any problems with it. BTW, the key in question, can't even be imported from a key server without gpg complaining. > Here's how I'd try this (not tested since I'm fortunate enough to not > have a windows box handy): > > # export > gpg --export > public-keys.gpg > gpg --export-secret-keys > secret-keys.gpg > gpg --export-ownertrust > ownertrust.gpg > > # import > gpg --import public-keys.gpg secret-keys.gpg > gpg --import-ownertrust ownertrust.gpg This is good information. I may backup and try this later tonight as I still have a pristine copy of the gpg stuff on a Linux box at home. - -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD8JJzBJfVkRK/55oRAi10AKCwDJ6LBnBLI1PWgwxE92NV+unTcwCeJfjc z/F4D8/7yj6iP4NOWDWda64= =VlzV -----END PGP SIGNATURE----- From alon.barlev at gmail.com Mon Feb 13 18:32:12 2006 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Feb 13 19:35:22 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <87k6bze5uf.fsf@wheatstone.g10code.de> References: <43F067B8.4080504@gmail.com> <87k6bze5uf.fsf@wheatstone.g10code.de> Message-ID: <43F0C29C.1020403@gmail.com> Hello Werner, Werner Koch wrote: > On Mon, 13 Feb 2006 13:04:24 +0200, Alon Bar-Lev said: > >> Are you aware of the PKCS#11 for OpenSSH solution >> (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113977188917865&w=2)? > > Well, I know. However you know my point of view: pkcs#11 is a > "standard" too complex to implement correctly and even with a lot of > important things left out. It is only required (and that complex) to > let one proprietary software speak to another proprietary one. Well... We discussed that in the past... I don't think so... Let's say it is too complex... But if you look at this from the user point of view, there is no logic to reinvent the wheel for each application. But we discussed this in the past. > Things can be much easier with FS. Why support proprietary stuff? No proprietary... Only a standard interface. The user may select the proper implementation, let's say OpenPGP PKCS#11 Provider, which is a complete open-source GPLed implementation. >> I just hope that someday OpenPGP card will also have PKCS#11 >> provider, so it can be used by other applications, and the > > Please write one; gpg-agent provides all you need to do that. It may > actually be useful for use with Mozilla.. This should be your interest... If you do that, user will be able to use your card with may PKCS#11 aware applications. I don't use/recommend OpenPGP card since it has too many limitations. >> other way around... gpg will use PKCS#11 providers in order >> to support many card types. > > No, we won't do that. I know you have a licensing problem... I've been in touch with FSF in order to provide you with the tools needed for implementation. I get one reply every two months... So the process is not over yet. But it seems like we reach into the following conclusion: If GPLed application is written in a way that it work with a standard free interface plug-in (like PKCS#11) and it is not depended on a specific implementation (Compile time, features), then there is no GPL violation if the user chooses to use none GPLed plug-ins. I've written the PKCS#11 support for OpenVPN and OpenSSH, I will gladly add this support to gpg as well... This of course depends on your decision. From og at pre-secure.de Tue Feb 14 09:38:09 2006 From: og at pre-secure.de (Olaf Gellert) Date: Tue Feb 14 09:38:04 2006 Subject: gpg on cron task In-Reply-To: <87oe1dk8o6.fsf@wheatstone.g10code.de> References: <20060204165030.66836.qmail@smasher.org> <20060207070953.GA13239@ikp.liu.se> <43EC5CB4.4050800@pre-secure.de> <87oe1dk8o6.fsf@wheatstone.g10code.de> Message-ID: <43F196F1.8090509@pre-secure.de> Hi Werner, Werner Koch wrote: > On Fri, 10 Feb 2006 10:28:20 +0100, Olaf Gellert said: > >> And even when "--no-tty" and "--batch" are given on the >> commandline, GPG may ask questions, if I remember correctly. > > No, there shall be no interactive input with --batch. If you noticed > such a case, it is a bug and should be reported. We found such a case some time ago: Signing a key non- interactively. When the key to be signed had an expiry date, gpg asked for how long the signature should be valid (even when --no-tty and --batch and --yes were specified). I tested last week and this bug is obviously gone, so I do not know of any other issue like that. Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From berland at gmail.com Tue Feb 14 22:34:38 2006 From: berland at gmail.com (Jim Berland) Date: Wed Feb 15 00:18:04 2006 Subject: Necessity of GPG when using SSL Message-ID: <796EC281-DDD9-41B8-A245-238B45546851@gmail.com> Hi everybody, I understand the use of GPG end-to-end-encryption and use it with a few of my contacts. What I want to make sure is the following. I am going to move to China for some time. My email ISP is located outside China and I connect to it via SSL. So if I am only concerned about the Chinese (whatever the reason; maybe my doubts are unreasonable?) and not about the complete end-to-end-encryption of GPG, the SSL encryption alone will do the job. Is that correct? Thank you From robert.wenner at atsec.com Wed Feb 15 00:11:47 2006 From: robert.wenner at atsec.com (Robert Wenner) Date: Wed Feb 15 01:48:04 2006 Subject: gpgsm doesn't import SMIME key from browser (no error message) Message-ID: <200602141711.48221.robert.wenner@atsec.com> Hi, I followed the steps described in http://www.gnupg.org/aegypten/development.en.html#howto_import_external_certs to import my private Thwate S/MIME key into ?gypten for use in KMail. Everything seemed fine, but the new key is not shown in the list from gpgsm -K. It shows only the old (expired) key. I get no error message on importing and $? is 0, though. If I move my existing keys from /home/robert/.gnupg/private-keys-v1.d/ before importing, gpgsm -K shows no keys at all. Below is what I did and version information of the programs. What am I missing here? Cheers, Robert --- cut here --- robert@sauerbraten:~> openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes Enter Import Password: MAC verified OK robert@sauerbraten:~> openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes Enter Export Password: Verifying - Enter Export Password: robert@sauerbraten:~> gpgsm --call-protect-tool --p12-import --store certkey.p12 gpg-protect-tool: 2584 bytes of RC2 encrypted text -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- gpg-protect-tool: 1224 bytes of 3DES encrypted text gpg-protect-tool: keygrip: C9B644CD7A2326E1199D386A84A59AD557901F83 gpg-protect-tool: secret key stored as `/home/robert/.gnupg/private-keys-v1.d/C9B644CD7A2326E1199D386A84A59AD557901F83.key' robert@sauerbraten:~> gpgsm -K gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! /home/robert/.gnupg/pubring.kbx ------------------------------- gpgsm: DBG: connection to agent established Serial number: 0DC685 Issuer: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA Subject: /CN=Thawte Freemail Member/EMail=robert.wenner@atsec.com aka: robert.wenner@atsec.com validity: 2005-01-10 17:14:40 through 2006-01-10 17:14:40 key type: 2048 bit RSA fingerprint: DC:84:69:6E:58:AB:11:41:8C:F3:DD:B4:39:99:78:A2:E7:94:5A:38 secmem usage: 0/16384 bytes in 0 blocks --- cut here --- robert@sauerbraten:~> gpgsm --version gpgsm (GnuPG) 1.9.14 Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: robert@sauerbraten:~> gpg --version gpg (GnuPG) 1.4.2 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 robert@sauerbraten:~> gpg-agent --version gpg-agent (GnuPG) 1.9.14 Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. From atom at smasher.org Wed Feb 15 09:06:12 2006 From: atom at smasher.org (Atom Smasher) Date: Wed Feb 15 09:05:56 2006 Subject: bad keysigning by Geotrust Message-ID: <20060215080622.16051.qmail@smasher.org> this is what happens when someone signs a key that shouldn't be signed. it's based on an x.509 (hierarchical) trust model, not a pgp (distributed) trust model, but the consequences are the same: a certification signature that should not have been issued was issued. this is basically "mallory" collecting a good signature on a fraudulent key. Now here's where it gets really interesting. The phishing site... is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. The New Face of Phishing http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- A student asked his old Sufi Master if he should tie up his camel for the night, so that it wouldn't wander away while they were sleeping or if doing so was an insult to God. Should he leave the camel untied to show his trust in God that the camel wouldn't run away? The Master replied "Trust God AND tie up your camel." From wk at gnupg.org Wed Feb 15 08:49:25 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 15 09:06:34 2006 Subject: [Announce] False positive signature verification in GnuPG Message-ID: <87u0b1xdru.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From hhhobbit7 at netscape.net Wed Feb 15 09:22:18 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Wed Feb 15 09:22:14 2006 Subject: Necessity of GPG when using SSL Message-ID: <3D8EF107.54A453E5.0307202B@netscape.net> Jim Berland wrote: >Hi everybody, > >I understand the use of GPG end-to-end-encryption and use it with a >few of my contacts. What I want to make sure is the following. > >I am going to move to China for some time. My email ISP is located >outside China and I connect to it via SSL. So if I am only concerned >about the Chinese (whatever the reason; maybe my doubts are >unreasonable?) and not about the complete end-to-end-encryption of >GPG, the SSL encryption alone will do the job. Is that correct? In short, SSL is not a complete solution and there is a need for GPG or some other OpenPGP solution. Usually, if you are using a web interface to access your email, only the initial authentication is done via SSL. After that if your URL address shifts to using an "http://" rather than the "https://" you made your initial connection with means that your communication just shifted from SSL (weak encryption) to NO encryption. That is the norm. Actually, you should have done some initial research with Google. You may have found that it is illegal for you to use GPG or PGP (strong encryption) while in China. I don't know if they would have prevented you from taking it into China, but the less said about it the better. Too late for that now, isn't it? It is best to go under the radar screen. Primarily, what you would want encrypted is your financial information anyway, or at least that is what I would want encrypted. So, just take the CD with GnuPG precompiled with you (you did do a "make install > INSTALL.LOG \ 2>&1" didn't you?) AND your keyrings and trusted DB files. I can't assume that you will even have access to a compiler where you are going. On the other hand you didn't say whether or not you are using MS Windows (makes the install even easier). I do assume that you will have access to tar and gzip where you are going. So, I reiterate - SSL is not enough. Most POP / IMAP mailers in the United States and Europe don't have you make the initial connection encrypted. By that I mean it isn't even possible to protect your initial connection and your login password is sent in clear text. SSL is designed and used for only critical short periods of time. Ciao HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From alex at bofh.net.pl Wed Feb 15 12:11:31 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Feb 15 12:11:13 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <796EC281-DDD9-41B8-A245-238B45546851@gmail.com> References: <796EC281-DDD9-41B8-A245-238B45546851@gmail.com> Message-ID: <20060215111131.GB28397@hell.pl> On Tue, Feb 14, 2006 at 10:34:38PM +0100, Jim Berland wrote: > Hi everybody, > > I understand the use of GPG end-to-end-encryption and use it with a > few of my contacts. What I want to make sure is the following. > > I am going to move to China for some time. My email ISP is located > outside China and I connect to it via SSL. So if I am only concerned > about the Chinese (whatever the reason; maybe my doubts are > unreasonable?) and not about the complete end-to-end-encryption of > GPG, the SSL encryption alone will do the job. Is that correct? You haven't specified your threat model precisely enough, for the vague one you presented the answer is both yes and no. SSL webmail and GPG protect against different things. Yes - because SSL webmail access is good enough to prevent the operators of great chinese firewall of snooping into what do you do on your mailbox. No - because SSL protects only against eavesdropping of mailbox access. It doesn't protect your email in transit from server to server (unless all the servers in the way support SMTP/TLS and you trust the operators of the servers). For example, if you write from your SSL webmail to someone in .cn, the contentrs of the mail can be observed by the operatros of said firewall. Alex From ralf.cordes at gmx.com Tue Feb 14 18:20:46 2006 From: ralf.cordes at gmx.com (Ralf Cordes) Date: Wed Feb 15 17:10:03 2006 Subject: SmartCard and Keypad Message-ID: <43F2116E.6080200@gmx.com> Hi, is there a possibility to tell gpg to use the keypad of my Cardreader for the Card-PIN? In this way everything would even be more safe. Greetings Ralf Cordes From lionel at mamane.lu Wed Feb 15 21:07:02 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Wed Feb 15 21:06:21 2006 Subject: OpenPGP smartcard: addcardkey fails In-Reply-To: <20060215185017.GA20490@capsaicin.mamane.lu> References: <20060215185017.GA20490@capsaicin.mamane.lu> Message-ID: <20060215200702.GA21129@capsaicin.mamane.lu> On Wed, Feb 15, 2006 at 07:50:17PM +0100, Lionel Elie Mamane wrote: > Hi, > > I'm trying to generate an authentication subkey (tied to my main > OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / > SSH use), but can't get it to work. gpg --edit-card and --card-status > works like a charm. I tried with the built-in ccid driver, same result: Command> addcardkey gpg: DBG: ccid-driver: sending 6F 09 00 00 00 00 14 04 00 00 00 00 05 00 CA 00 6E 00 A1 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 00 CB 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 9D 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 5E 07 6C 6D 61 6D 61 6E 65 90 00 F3 gpg: DBG: ccid-driver: sending 6F 09 00 00 00 00 15 04 00 00 00 40 05 00 CA 00 C4 00 4B gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 40 09 00 FE FE FE 03 03 03 90 00 24 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: DBG: ccid-driver: sending 6F 0A 00 00 00 00 16 04 00 00 00 00 06 00 DA 00 C4 01 01 18 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 00 02 90 00 92 Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error gpg: DBG: ccid-driver: sending 6F 0A 00 00 00 00 17 04 00 00 00 40 06 00 DA 00 C4 01 00 59 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 40 02 90 00 D2 -- Lionel From lionel at mamane.lu Wed Feb 15 19:50:17 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Wed Feb 15 22:18:07 2006 Subject: OpenPGP smartcard: addcardkey fails Message-ID: <20060215185017.GA20490@capsaicin.mamane.lu> Hi, I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. Command> addcardkey gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN PIN Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error Running with --debug 2048 Command> addcardkey gpg: DBG: send apdu: c=00 i=CA p0=00 p1=6E lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 6E 00 gpg: DBG: response: sw=9000 datalen=201 gpg: DBG: dump: 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 9D 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 5E 07 6C 6D 61 6D 61 6E 65 gpg: DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 C4 00 gpg: DBG: response: sw=9000 datalen=7 gpg: DBG: dump: 00 FE FE FE 03 03 03 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: DBG: send apdu: c=00 i=DA p0=00 p1=C4 lc=1 le=-1 gpg: DBG: PCSC_data: 00 DA 00 C4 01 01 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error gpg: DBG: send apdu: c=00 i=DA p0=00 p1=C4 lc=1 le=-1 gpg: DBG: PCSC_data: 00 DA 00 C4 01 00 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: Running pcscd in debug mode gives: ccid_usb.c:375:OpenUSBByName() Found Vendor/Product: 04E6/5115 (SCM SCR 335) ccid_usb.c:377:OpenUSBByName() Using USB bus/device: 002/007 ccid_usb.c:720:get_data_rates() IFD does not support GET_DATA_RATES request: Broken pipe ifdhandler.c:250:IFDHGetCapabilities() lun: 0, tag: 0xFAE ifdhandler.c:292:IFDHGetCapabilities() Reader supports 1 slots ifdhandler.c:725:IFDHPowerICC() lun: 0 Card ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1 winscard_msg_srv.c:203:SHMProcessEventsServer() Common channel packet arrival winscard_msg_srv.c:212:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 7 pcscdaemon.c:151:SVCServiceRunLoop() A new context thread creation is requested: 7 winscard_svc.c:136:ContextThread() Thread is started: 7 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard_svc.c:178:ContextThread() Client is protocol version 2:0 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:159:SCardEstablishContext() Establishing Context: 17033377 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:213:SCardConnect() Attempting Connect to SCM SCR 335 (60600ad9) 00 00 using protocol: 3 prothandler.c:130:PHSetProtocol() Attempting PTS to T=1 ifdhandler.c:375:IFDHSetProtocolParameters() lun: 0, protocol T=1 ifdhandler.c:1171:extra_egt() Extra EGT patch applied winscard.c:323:SCardConnect() Active Protocol: T=1 winscard.c:333:SCardConnect() hCard Identity: 18d6c winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 And then a lot of: winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1464:SCardTransmit() Send Protocol: T=1 ifdhandler.c:831:IFDHTransmitToICC() lun: 0 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1464:SCardTransmit() Send Protocol: T=1 ifdhandler.c:831:IFDHTransmitToICC() lun: 0 Any clue? Thanks in advance. -- Lionel From lionel at mamane.lu Wed Feb 15 19:55:46 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Wed Feb 15 22:18:26 2006 Subject: OpenPGP smartcard: addcardkey fails In-Reply-To: <20060215185017.GA20490@capsaicin.mamane.lu> References: <20060215185017.GA20490@capsaicin.mamane.lu> Message-ID: <20060215185546.GA20608@capsaicin.mamane.lu> On Wed, Feb 15, 2006 at 07:50:17PM +0100, Lionel Elie Mamane wrote: > I'm trying to generate an authentication subkey (tied to my main > OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / > SSH use), but can't get it to work. gpg --edit-card and --card-status > works like a charm. Forgot to mention: master@bagnat:~$ gpg --version gpg (GnuPG) 1.4.2 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 master@bagnat:~$ /usr/sbin/pcscd --version pcsc-lite version 1.2.9-beta10. Copyright (C) 1999-2002 by David Corcoran . Copyright (C) 2001-2005 by Ludovic Rousseau . Copyright (C) 2003-2004 by Damien Sauveron . Report bugs to . With an SCR335 reader from http://www.kernelconcepts.de/products/security.shtml -- Lionel From alphasigmax at gmail.com Thu Feb 16 04:29:57 2006 From: alphasigmax at gmail.com (Alphax) Date: Thu Feb 16 04:30:44 2006 Subject: OpenPGP smartcard: addcardkey fails In-Reply-To: <20060215185017.GA20490@capsaicin.mamane.lu> References: <20060215185017.GA20490@capsaicin.mamane.lu> Message-ID: <43F3F1B5.8070903@gmail.com> Lionel Elie Mamane wrote: > Hi, > > I'm trying to generate an authentication subkey (tied to my main > OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / > SSH use), but can't get it to work. gpg --edit-card and --card-status > works like a charm. > > > Command> addcardkey > gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' > Signature key ....: [none] > Encryption key....: [none] > Authentication key: [none] > > Please select the type of key to generate: > (1) Signature key > (2) Encryption key > (3) Authentication key > Your selection? 3 > gpg: 3 Admin PIN attempts remaining before card is permanently locked > > Admin PIN > > PIN > Key is protected. > gpg: secret key parts are not available > gpg: Key generation failed: general error > > > Any clue? Thanks in advance. > Is the secret part of the primary key available in your local keyring? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060216/744c05dd/signature.pgp From lionel at mamane.lu Thu Feb 16 09:59:40 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Thu Feb 16 09:59:05 2006 Subject: OpenPGP smartcard: addcardkey fails In-Reply-To: <43F3F1B5.8070903@gmail.com> References: <20060215185017.GA20490@capsaicin.mamane.lu> <43F3F1B5.8070903@gmail.com> Message-ID: <20060216085940.GA27269@capsaicin.mamane.lu> On Thu, Feb 16, 2006 at 01:59:57PM +1030, Alphax wrote: > Lionel Elie Mamane wrote: >> I'm trying to generate an authentication subkey (tied to my main >> OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / >> SSH use), but can't get it to work. gpg --edit-card and >> --card-status works like a charm. >> Command> addcardkey >> gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' >> (3) Authentication key >> Your selection? 3 >> gpg: 3 Admin PIN attempts remaining before card is permanently locked >> Admin PIN >> PIN >> Key is protected. >> gpg: secret key parts are not available >> gpg: Key generation failed: general error >> Any clue? Thanks in advance. > Is the secret part of the primary key available in your local > keyring? No. I was so intent on looking at the smartcard side of things that I missed this. I took the "secret key parts are not available" to refer to the _new_ key and thought "duh, obviously it isn't available: it is locked away on the smartcard". Thanks. -- Lionel From dshaw at jabberwocky.com Fri Feb 17 04:44:02 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 17 04:43:46 2006 Subject: [Announce] First release candidate for 1.4.3 available Message-ID: <20060217034402.GA18494@jabberwocky.com> We are pleased to announce the availability of the first release candidate for the forthcoming 1.4.3 version of GnuPG: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2 (2.9M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2.sig SHA-1 checksums for the above files are: 6c2d5f65c2acde6eaeb1ae3a4bc9ae971f942126 gnupg-1.4.3rc1.tar.bz2 62f13c67d5a32bb9747db0da667e420e5391f1e7 gnupg-1.4.3rc1.tar.bz2.sig Note that this is only a release candidate, and as such is not intended for use on production systems. If you are inclined to help test, however, we would appreciate you trying this new version and reporting any problems. Noteworthy changes since 1.4.2: * If available, cURL-based keyserver helpers are built that can retrieve keys using HKP or any protocol that cURL supports (HTTP, HTTPS, FTP, FTPS, etc). If cURL is not available, HKP and HTTP are still supported using a built-in cURL emulator. To force building the old pre-cURL keyserver helpers, use the configure option --enable-old-keyserver-helpers. Note that none of this affects finger or LDAP support, which are unchanged. Note also that a future version of GnuPG will remove the old keyserver helpers altogether. * Implemented Public Key Association (PKA) trust sub model. This is an optional trust model on top of the standard ones. It make use of special DNS records and notation data to associate a mail address with an OpenPGP key. It is by default not used. To use it you need to set the new option --allow-pka-lookup and an appropriate trust-model. Also added new keyserver option auto-pka-retrieve which is enabled by default but only working if --allow-pka-lookup is also used. * When exporting subkeys, those specified with a key ID or fingerpint and the '!' suffix are now merged into one keyblock. * Added "gpg-zip", a program to create encrypted archives that can interoperate with PGP Zip. * Added support for signing subkey "back signatures". Requiring back signatures to be present is currently off by default, but will be changed to on by default in the future, once more keys contain the back signature. A new "backsign" command in the --edit-key menu can be used to update signing subkeys with back signatures. * The key cleaning options for --import-options and --export-options have been further polished. "import-clean" and "export-clean" replace the older import-clean-sigs/import-clean-uids and export-clean-sigs/export-clean-uids option pairs. * New "minimize" command in the --edit-key menu removes everything that can be removed from a key, rendering it as small as possible. There are corresponding "export-minimal" and "import-minimal" commands for --export-options and --import-options. * New --fetch-keys command to retrieve keys by specifying a URI. This allows direct key retrieval from a web page or other location that can be specified in a URI. Available protocols are HTTP and finger, plus anything that cURL supplies, if built with cURL support. Happy Hacking, David, Timo, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20060216/6c151e4c/attachment.pgp From shavital at mac.com Fri Feb 17 05:55:14 2006 From: shavital at mac.com (Charly Avital) Date: Fri Feb 17 05:55:01 2006 Subject: [Announce] First release candidate for 1.4.3 available In-Reply-To: <20060217034402.GA18494@jabberwocky.com> References: <20060217034402.GA18494@jabberwocky.com> Message-ID: <43F55732.2020202@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Compiled with idea.c for MacOS X 10.4.5 for CPU Type:PowerPC G4 (1.1). Running fine. Thanks. Charly David Shaw wrote the following on 2/16/06 10:44 PM: > We are pleased to announce the availability of the first release > candidate for the forthcoming 1.4.3 version of GnuPG: > [...] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3rc1 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBQ/VXKG69XHxycyfPAQhCnw//b3OA2eQb2WEhDjKVOGHoR+QuOHEoczIp eL2yoXC0t3yCFaXG2GAOK+L3A0P/iTduAJG50/LcVZd6qAVTT6KU/fRmre9/DtIy 9osCWPzBTVLMrYd/eiYK14GZNyPS3CdEJw+XY6Q9fS6EeJDPiR0E7nuXiAwkszvV +fpM8atyoE0YyAAMWqU7yYQWfjn003PvcV/9infL6F756U+VGvGw9SQjOBCNzotD dnDI5NJ/2RDtusr4tOh0tyEv9fx98S0D25WQ7wgM2R0La+ZoD9IyrzdiEcBw2kdT XP2e4A/IMo3UWQOwlAdMc9ieg4PdjhOvn+oyeoqjScEnrLfkhwdcnrYxktt6e2LY 7leP459PCG1Dfkyj8jeKhQoz3NUIU3VU1bWzRu13Sq1rSqhiwwr9UP8N4sCSu2w7 Ozix0aatmKCRKbtmLqNUE7FE0LHhY4IcEEE4k6y7vb+die5RRemZEd4RINMRkYyo dN42tIBlr2KkSddhipafCmaU6J5/qiPgR0K2K9oSDgBNv5O+N5NET18isFSFxKV3 anDxeSFyt/oiQAxSXksZWw5y25of3/KPE5Gku96rywN2yiZxwsuuDE6Myz0A+mTO iuOuHj2LmV6Aou6n+3zK4ocBl6El6W0Nn1IgLiEnaPakIWdtis0TuV00gGQTqrmX VWEov50AbzY= =cRly -----END PGP SIGNATURE----- From enathanson at cccis.com Thu Feb 16 21:27:00 2006 From: enathanson at cccis.com (Elliot Nathanson) Date: Fri Feb 17 10:36:26 2006 Subject: sporatic decryption issue Message-ID: <43F4E014.2060104@cccis.com> All: I'm having a really frustrating problem, whereby I'm encrypting files for a client and they are *occasionally* unable to decrypt a file. The failure rate could be about 1/100; one e-mail said they processed 400 transactions without a problem. The process goes like this. We sign and encrypt the files via gpg and send them to an FTPS server. The client fetches the data from the FTPS server and decrypts them. I am using GPG v1.0.7 on Solaris 8. The client is using WSFTPPRO on Windows; I'm not sure what version. I tried the both default encryption as well as the OpenPGP flag; both produce sporatic decryption issues. Some of the errors the client has reported include: Unknown OpenPGP packet (xx) and Invalid Signature. Of course we are having difficulty reproducing the problem and the client is having problems trying to decrypt the files via GPG. Any suggestions? Thanks, Elliot -- Elliot Nathanson CCC Information Services, Inc. (312) 229-3465 enathanson@cccis.com "Guilt like garlic needs to sautee with cream, butter, and wine. I could eat your words." - Patricia Barber From mixmaster at remailer.privacy.at Thu Feb 16 22:11:17 2006 From: mixmaster at remailer.privacy.at (privacy.at Anonymous Remailer) Date: Fri Feb 17 10:36:29 2006 Subject: new version of gnupg signed with different key? Message-ID: gnupg-1.4.2.tar.bz2.sig was signed with key 0x57548DCD but gnupg-1.4.2.1.tar.bz2.sig is signed with 0x1CE0C630, which is not in turned signed with the old key. Why? How do we verify it's trustworthy? Thanks! From pt at radvis.nu Fri Feb 17 12:47:05 2006 From: pt at radvis.nu (Per Tunedal Casual) Date: Fri Feb 17 14:49:05 2006 Subject: iconv.dll is missing Message-ID: <6.2.1.2.2.20060217124405.03a51060@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I noticed that the iconv.dll is missing in the latest Win32 GnuPG-installer. Work around: install the previous version first and then the latest version. V?nligen Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 H?gersten Telefon: 08-646 34 83 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (MingW32) Comment: Vad ?r en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFD9betpPsTvNtsBX8RAoDtAKCQrxQMabMpsFAq+WgEUirlKo91KwCfX218 zsqpzQbvUd2mgkP/a69SLBg= =gDwV -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Feb 17 15:07:55 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 17 15:07:20 2006 Subject: sporatic decryption issue In-Reply-To: <43F4E014.2060104@cccis.com> References: <43F4E014.2060104@cccis.com> Message-ID: <20060217140755.GB18594@jabberwocky.com> On Thu, Feb 16, 2006 at 02:27:00PM -0600, Elliot Nathanson wrote: > All: > > I'm having a really frustrating problem, whereby I'm encrypting > files for a client and they are *occasionally* unable to decrypt > a file. The failure rate could be about 1/100; one e-mail said > they processed 400 transactions without a problem. > > The process goes like this. We sign and encrypt the files via > gpg and send them to an FTPS server. The client fetches the > data from the FTPS server and decrypts them. I am using GPG > v1.0.7 on Solaris 8. The client is using WSFTPPRO on Windows; > I'm not sure what version. I tried the both default encryption > as well as the OpenPGP flag; both produce sporatic decryption > issues. > > Some of the errors the client has reported include: Unknown OpenPGP > packet (xx) and Invalid Signature. > > Of course we are having difficulty reproducing the problem and > the client is having problems trying to decrypt the files via > GPG. The first thing to do is establish whether this is an encryption problem or transport problem. You say you encrypt the files, and transfer them to a FTPS server, where the client fetches them via FTPS. Space allowing, try keeping the originals on the encrypt box for a while. If and when the client has a problem with a file, compare a hash of the local copy with the one the client has. That is, both you and the client run "gpg --print-md sha1 (thefile)" and verify it matches. If it doesn't match, you have a transport problem. If it does match, you may have an encryption software problem. This can chop the possible problem space way down. Right now, there are too many variables. David From joerg at schmitz-linneweber.de Fri Feb 17 13:12:30 2006 From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber) Date: Fri Feb 17 15:18:07 2006 Subject: new version of gnupg signed with different key? In-Reply-To: References: Message-ID: <200602171312.30429.joerg@schmitz-linneweber.de> Hi! Am Donnerstag, 16. Februar 2006 22:11 schrieb privacy.at Anonymous Remailer: > gnupg-1.4.2.tar.bz2.sig was signed with key 0x57548DCD > but > gnupg-1.4.2.1.tar.bz2.sig is signed with 0x1CE0C630, which is not in > turned signed with the old key. Why? How do we verify it's > trustworthy? Werner? What happend? I saw it's tagged as a "(dist sig) " but why did you changed your policy? [Are you on ham radio btw. :-) ?] I did a short review on the diff from 1.4.2 and it seems there are only the changes regarding the mentioned vuln. and I think Werner (et.al) switched from CVS to Subversion.... :-) Right? Salut, Joerg -- gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 ?7e8b fcf4 2053 d7fa 4512 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060217/b3b839b8/attachment.pgp From johnmoore3rd at joimail.com Fri Feb 17 16:34:13 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Fri Feb 17 16:33:40 2006 Subject: new version of gnupg signed with different key? In-Reply-To: <200602171312.30429.joerg@schmitz-linneweber.de> References: <200602171312.30429.joerg@schmitz-linneweber.de> Message-ID: <43F5ECF5.80202@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Joerg Schmitz-Linneweber wrote: > [Are you on ham radio btw. :-) ?] > > I did a short review on the diff from 1.4.2 and it seems there are only the > changes regarding the mentioned vuln. and I think Werner (et.al) switched > from CVS to Subversion.... :-) Right? There are also 'diffs' regarding Keyserver handling. (i.e. cURL) gpg.zip has been added. allow-pka-lookup *added*. 'backsig' support now included. The above, along with some other minor tweaks make 1.4.3 much more 'nimble' than 1.4.2. Rather than continue, I heartily suggest giving 1.4.3rc1 a through 'try-out'! Er, what is your Amateur Radio status wk? A GnuPG Net would be quite convenient. Even if we couldn't _use_ encryption on the air, it would provide a casual forum for spreading knowledge. JOHN ;) Timestamp: Friday 17 Feb 2006, 10:33 --500 (Eastern Standard Time) -- You don't have to wine and dine beer. -- Women vs. Beer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3rc1: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJD9ezwAAoJEBCGy9eAtCsPE/QH/R949cXUzThHQ0EhDRfr63iF gGMl/ed3cDjlMi7YEgtLY8HaFFREA1H85KfOkyZPYxXKz8XV69+vDd8tNybJdZ1+ cnVqrCPscAo/M+QJDdiT7kCiM6PflGLjy1/LByucvrEVtIaJMF6zttS3crE4ZPFN nIP90EsXGLSTAv/TLqo31uKE348atzqYugRHrYCekDZquWeXnof8HLLdBfC/DKHy 6Onc2Ub7S4xwMTYa4fHtQl8vIvEe6OBoClZcNH7ulF3mmRmD7JIpkbLaq5LLVyvt BH7aLloCU7vIxJTUKucy+4LDU5Aauh2BTjVDT/rUAErLMgWJoxAz6lhmnifYn+4= =oNTx -----END PGP SIGNATURE----- From malte.gell at gmx.de Fri Feb 17 16:18:17 2006 From: malte.gell at gmx.de (Malte Gell) Date: Fri Feb 17 18:18:51 2006 Subject: [Announce] First release candidate for 1.4.3 available In-Reply-To: <20060217034402.GA18494@jabberwocky.com> References: <20060217034402.GA18494@jabberwocky.com> Message-ID: <200602171618.18586.malte.gell@gmx.de> On Friday 17 February 2006 04:44, David Shaw wrote: > * Added support for signing subkey "back signatures". Requiring > back signatures to be present is currently off by default, but > will be changed to on by default in the future, once more keys > contain the back signature. A new "backsign" command in the > --edit-key menu can be used to update signing subkeys with back > signatures. Is the backsign command of 1.4.3rc1 stable enough to provide existing keys with a back signature? Are there any PGP implementations that have problems with keys containing such a signature? Thanx Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 400 bytes Desc: not available Url : /pipermail/attachments/20060217/d4a0b3e0/attachment.pgp From dshaw at jabberwocky.com Fri Feb 17 18:26:09 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 17 18:25:43 2006 Subject: Back signatures (was Re: [Announce] First release candidate for 1.4.3 available) In-Reply-To: <200602171618.18586.malte.gell@gmx.de> References: <20060217034402.GA18494@jabberwocky.com> <200602171618.18586.malte.gell@gmx.de> Message-ID: <20060217172609.GD20125@jabberwocky.com> On Fri, Feb 17, 2006 at 04:18:17PM +0100, Malte Gell wrote: > On Friday 17 February 2006 04:44, David Shaw wrote: > > > * Added support for signing subkey "back signatures". Requiring > > back signatures to be present is currently off by default, but > > will be changed to on by default in the future, once more keys > > contain the back signature. A new "backsign" command in the > > --edit-key menu can be used to update signing subkeys with back > > signatures. > > Is the backsign command of 1.4.3rc1 stable enough to provide existing > keys with a back signature? Yes. > Are there any PGP implementations that have problems with keys > containing such a signature? I don't know of one. Any PGP program that doesn't ignore unknown noncritical signature subpackets would be pretty broken. David From minnesotan at runbox.com Fri Feb 17 17:25:03 2006 From: minnesotan at runbox.com (Randy Burns) Date: Fri Feb 17 19:47:57 2006 Subject: new version of gnupg signed with different key? In-Reply-To: Message-ID: <20060217162503.74837.qmail@web512.biz.mail.mud.yahoo.com> This includes the intermediate key: -----BEGIN PGP PUBLIC KEY BLOCK----- mQCOBEO3+scBBADQmRl6K1zJAyqTbEZ3/mYahzj5g3BCjw5KZXAi9jxQAje0GiuE XqFr2eJqplTi92V1OdcxTSPWg9yQCE6BE9o69oRmFhRMXQX/XmmIAXl2RlDp2yZd VSQ81gxlOmRzacD4gAIGI6bKAYGQsW5e8dFbWLpI3PbyJEf9RlxguL/aIQAggVZQ mbQmV2VybmVyIEtvY2ggKGRpc3Qgc2lnKSA8ZGQ5am5AZ251Lm9yZz6JALwEEwEC ACYFAkO3+sgCGwMFCQWjmoAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBTtiDQ HODGMHmjBACHQw7SS5DuEzoAqPxgrhtEZqkcGZ4ieJp6v1jq/BeASt8NRyLsFRBP FegUVOAocfMHPf1vN5K3JCBObmmUZo4QlwlrIivTsNp4G1wL90yhVQmzDJsowW0/ t9TPTk9EqMKG/GtbOF79ifoECY8X7pjFCjZb3yvOrRMdLnAomNeYfIkARgQQEQIA BgUCQ7gRQwAKCRBd4kmWWwNYopHmAJ92KI2MZ2P3+YxquJThye5KZo9AiQCeP7Nb 1/1nYzQrav6CV0QLYTDbJOWZAaIENu1I6REEAJRGEqcYgXJch5frUYBj2EkDkWAb hRqVXnmiF3PjCEGAPMMYsTddiU7wcKfiCAqKWWXow7BjTJl6Do8RT1jdKpPOlBJX qqPYzsyBxLzE6mLps0K7SLJlSKTQqSVRcx0jx78JWYGlAlP0Kh9sPV2w/rPh0LrP eOKXT7lZt/DrIhfPAKDL/sVqCrmY3QfvrT8kSKJcgtLWfQP/cfbqVNrGjW8am631 N3UVA3tWfpgM/T9OjmKmw44NE5XfPJTAXlCV5j7zNMUkDeoPkrFF8DvbpYQs4XWY HozDjhR2Q+eI6gZ0wfmhLHqqc2eVVkEG7dT57Wp9DAtCMe7RZfhnarTQMqlYtOEa /suiHk0qLo59NsyF8eh68IDNCeYD/Apzonwaq2EQ1OEpfFlp6LcSnS34+UGZtTO4 BgJdmEjr/QrIPp6bJDstgho+/2oR8yQwuHGJwbS/8ADA4IFEpLduSpzrABho7RuN Qcm96bceRY+7Hza3zf7pg/JGdWOb+bC3S4TIpK+3sx3YNWs7eURwpGREeJi5/Sei c+GXlGzltBpXZXJuZXIgS29jaCA8d2tAZ251cGcub3JnPokAWwQTEQIAGwUCNxrP kAUJDMl8gAMLCgMDFQMCAxYCAQIXgAAKCRBd4kmWWwNYol3CAJ47+zjeQIsMwiwc JvYfcsLn1yULlQCfUTKupaT6pw5culAis/pBrdBKZciJAEYEEBECAAYFAjca0T0A CgkQbH7huGIcwBOF9ACeNwO8G2G0ei03z0g/n3QZIpjbzvEAnRaEqX2PuBbClWoI P6h9yrRlAEbUiQBGBBARAgAGBQI3GtGjAAoJEGi3q4lXVI3NLfgAoISt+x9r02Hl 14njSfGmZIjyUrXuAJ9FhxTqLUHU1uDZmSSvlKpOcG1pYJkBogQ1oh4eEQQA/pdK 4Oafa1uDN7Cr5nss4bNpg8YUSg01VVJ08KTCEdpCAPaU+NzaP3KD2ow74WU2gzP7 0s9uSGQ2Vie4BLvOkaaBHba/3ivBrg3ILFrxbOfmKQg8Fhtncd/TBOwzfkkbxBNc VJuBPRtjZ3dlDbS4IPNsIIv2SuCIfQmA8qNGvWsAoIrJ90b2fzERCZkKtfkoyYA8 fnNrBADhJ8RmIrKiCnDk3Tzk04nu6O8fp3ptrmnO7jluvDfsEVsYRjyMbDnbnjCG u1PeFoP2HZ+H9lp4CaQbyjWh2JlvI9UOc72V16SFkV0r8k0euNQXHhhzXWIkfz4g wSbBkN2nO5+6cIVeKnsdyFYkQyVs+Q86/PMfjo7utyrcWLq1CAQAou3da1JR6+KJ O4gUZVh2F1NoaVCEPAvlDhNV10/hwe5mS0kTjUJ1jMl56mwAFvhFFF9saW+eAnrw IOHjopbdHrPBmTJlOnNMHVLJzFlqjihwRRZQyL8iNu2mfarn9Mr28ut5BQmp0CnN EJ6hl0Cs7l2xagWFtlEK2II144vK3fG0J1dlcm5lciBLb2NoIChnbnVwZyBzaWcp IDxkZDlqbkBnbnUub3JnPokARgQQEQIABgUCNaInPAAKCRBsfuG4YhzAE37WAJ9X zmig1DrfnUt/KwfgidkPohJViQCg0T6afKuRspWzPAz5TKQpVjd02KmJAEYEEBEC AAYFAjbtTmwACgkQXeJJllsDWKJqtgCffmpTdk6VUQIQsT/dXqr3xDfR4BoAoK07 6VpwfRCrUTq/gE//3LoygsiGiQBdBBMRAgAdAwsEAwUVAwIGAQMWAgECF4AFAj/p gnMFCQwzI8sACgkQaLeriVdUjc2CugCfZn7gqBWjafNbvZOAInCQA/Rw5zYAnRky KWw5abGYQboHiwcwuQHiKvgY =uhcA -----END PGP PUBLIC KEY BLOCK----- --- "privacy.at Anonymous Remailer" wrote: > > gnupg-1.4.2.tar.bz2.sig was signed with key 0x57548DCD > but > gnupg-1.4.2.1.tar.bz2.sig is signed with 0x1CE0C630, which is not in > turned signed with the old key. Why? How do we verify it's > trustworthy? > > Thanks! > From wk at gnupg.org Fri Feb 17 20:11:59 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 17 23:08:12 2006 Subject: new version of gnupg signed with different key? In-Reply-To: <200602171312.30429.joerg@schmitz-linneweber.de> (Joerg Schmitz-Linneweber's message of "Fri, 17 Feb 2006 13:12:30 +0100") References: <200602171312.30429.joerg@schmitz-linneweber.de> Message-ID: <87y809vlz4.fsf@wheatstone.g10code.de> On Fri, 17 Feb 2006 13:12:30 +0100, Joerg Schmitz-Linneweber said: > Werner? What happend? I saw it's tagged as a "(dist sig) " but why > did you changed your policy? [Are you on ham radio btw. :-) ?] The new key is as the old one signed by my real key 5b0358a2 and that one is very well connected in the WoT. The new key is further on a dedicated smartcard and thus RSA based. My rig is currently just an old TS120V and there is no real aerial (although I have al the space for a long wire). VHF stuff is mostly disassembled. Obviously I don't power it on very often ;-) > I did a short review on the diff from 1.4.2 and it seems there are only the > changes regarding the mentioned vuln. and I think Werner (et.al) switched > from CVS to Subversion.... :-) Right? Yeah, we are using Subversion for quite some time now. The URL is svn://cvs.gnupg.org/gnupg/trunk . Salam-Shalom, Werner From wk at gnupg.org Fri Feb 17 20:20:28 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 17 23:08:22 2006 Subject: SmartCard and Keypad In-Reply-To: <43F2116E.6080200@gmx.com> (Ralf Cordes's message of "Tue, 14 Feb 2006 18:20:46 +0100") References: <43F2116E.6080200@gmx.com> Message-ID: <87u0axvlkz.fsf@wheatstone.g10code.de> On Tue, 14 Feb 2006 18:20:46 +0100, Ralf Cordes said: > is there a possibility to tell gpg to use the keypad of my Cardreader Not yet. I am working on it. The basic code is there but the user interface (pinentry) needs to be changes. > for the Card-PIN? In this way everything would even be more safe. That depends on your threat model. The host may still use the card for signing after you have entered the PIN for signing the first document. Shalom-Salam, Werner From wk at gnupg.org Fri Feb 17 20:28:55 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 17 23:08:41 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <43F0C29C.1020403@gmail.com> (Alon Bar-Lev's message of "Mon, 13 Feb 2006 19:32:12 +0200") References: <43F067B8.4080504@gmail.com> <87k6bze5uf.fsf@wheatstone.g10code.de> <43F0C29C.1020403@gmail.com> Message-ID: <87psllvl6w.fsf@wheatstone.g10code.de> On Mon, 13 Feb 2006 19:32:12 +0200, Alon Bar-Lev said: > I know you have a licensing problem... I've been in touch No I don't have a licensing problem. What I am saying is that pcksc#11 is not needed in the Free Software world. If you want to enable OpenPGP card support for Mozilla it may be worth writing a small pkcs#11 thingie using gpg-agent/scdaemon as backend. > I've written the PKCS#11 support for OpenVPN and OpenSSH, I > will gladly add this support to gpg as well... This of > course depends on your decision. I am using OpenSSH with smartcards for quite some time now. For Belgian people it is even possible to use their id card's key as an ssh key without much trouble. Other cards may be used as well. If you want an alternative support for OpenVPN, just add it - it is just a matter of talking to gpg-agent. You may even script this using gpg-connect-agent. Salam-Shalom, Werner From alon.barlev at gmail.com Fri Feb 17 23:33:03 2006 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Feb 17 23:31:58 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <87psllvl6w.fsf@wheatstone.g10code.de> References: <43F067B8.4080504@gmail.com> <87k6bze5uf.fsf@wheatstone.g10code.de> <43F0C29C.1020403@gmail.com> <87psllvl6w.fsf@wheatstone.g10code.de> Message-ID: <43F64F1F.4000101@gmail.com> Werner Koch wrote: > On Mon, 13 Feb 2006 19:32:12 +0200, Alon Bar-Lev said: > >> I know you have a licensing problem... I've been in touch > > No I don't have a licensing problem. What I am saying is that > pcksc#11 is not needed in the Free Software world. Hello, This is not what I understood from our last thread... So I bothered FSF for nothing. Well... I wish you good-luck in convincing all that you own the enlightenment, you are the only one who know how to integrate crypto tokens and applications... I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC, S/MIME and more... Why don't you invent some replacements for these too? All people need to adjust their software to your proprietary solutions... Well, I won't. I believe the free software world is about providing user with a choices, and not eliminate them. I do as much as I can in order to provide these choices. Standards are at the base of this belief, without standards, there can be no choice. Now, when understanding your attitude, I will stop bothering you with this issue. Best Regards, Alon Bar-Lev. From lionel at mamane.lu Sat Feb 18 07:25:46 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Sat Feb 18 07:25:16 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <43F64F1F.4000101@gmail.com> References: <43F067B8.4080504@gmail.com> <87k6bze5uf.fsf@wheatstone.g10code.de> <43F0C29C.1020403@gmail.com> <87psllvl6w.fsf@wheatstone.g10code.de> <43F64F1F.4000101@gmail.com> Message-ID: <20060218062546.GB9241@capsaicin.mamane.lu> On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote: > I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC, > S/MIME and more... Why don't you invent some replacements for these > too? Big news for you: We are here precisely because we prefer OpenPGP to S/MIME. And *I* certainly don't use S/MIME. I use X.509 when really, really forced to (for TLS/SSL HTTP, jabber, POP3, IMAP4, ... servers), and then usually in a "flat" mode (self-signed certs, my own CA, ...). I don't even know what CMC is, and in the PKCS#n galaxy, which one n=1 and n=8 refer to. Maybe I use them without knowing it? -- Lionel From lionel at mamane.lu Sat Feb 18 07:28:10 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Sat Feb 18 07:27:27 2006 Subject: new version of gnupg signed with different key? In-Reply-To: <87y809vlz4.fsf@wheatstone.g10code.de> References: <200602171312.30429.joerg@schmitz-linneweber.de> <87y809vlz4.fsf@wheatstone.g10code.de> Message-ID: <20060218062810.GC9241@capsaicin.mamane.lu> On Fri, Feb 17, 2006 at 08:11:59PM +0100, Werner Koch wrote: > Yeah, we are using Subversion for quite some time now. But http://www.gnupg.org/(en)/download/cvs_access.html is still there, linked from http://www.gnupg.org/, and giving false information under the seal of "official". Please update it. -- Lionel From walter.haidinger at gmx.at Sat Feb 18 17:37:52 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Sat Feb 18 19:18:07 2006 Subject: OpenLDAP schema to store OpenPGP keys? Message-ID: <43F74D60.8010908@gmx.at> Hi! Quoting from the GnuPG-1.4.0 announcement: "The LDAP keyserver helper now supports storing, retrieving, and searching for keys in both the old NAI "LDAP keyserver" as well as the more recent method to store OpenPGP keys in standard LDAP servers." Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for use with GnuPG). Please note that I already have a working OpenLDAP server, so I'd only need to add schema, acls and keys, of course. Btw, can GnuPG also store secret keys in the keyserver? However, I was unable to find any schema definiton... Extracting it from gpgkeys_ldap.c would be quite tedious, since you only get the attribute names but no Syntax, what to index, etc. Don't the GnuPG developers have an OpenLDAP server running to test the functionality of the announcement above? If so, why is the used schema not documented anywhere? Searching the mailing-list only turned up posts from 2003/2004, like: http://marc.theaimsgroup.com/?l=gnupg-devel&m=104899753523804&w=2 Unfortunately PGP support (www.pgpsupport.com) seems to be closed to licensed customers of PGP Corp. Finally, maybe this question is better suited for the gnupg-devel list. If so, please tell me! Regards, Walter From redondos at gmail.com Sat Feb 18 18:49:46 2006 From: redondos at gmail.com (redondos) Date: Sat Feb 18 20:48:06 2006 Subject: Alternative keyserver for auto-fetching keys Message-ID: <20060218174946.GA25823@refinery> Hello, there. I spent some time reading the man page and several HOWTOs on the web, but couldn't find anything that would suggest that this exists. I would like to have gnupg try fetching public keys from an alternate (keywords: secondary, alternative, different) HKP server if the same operation failed on the primary one. Is this possible? I' assuming it isn't. Do you think it's a good idea? I know, it could lag your mail browsing a lot, but it could be a toggable feature. It would be even better if it let you have a list of keyservers it should look for keys on, not just two. Thanks in advance. -- redondos -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060218/abf2c78a/attachment.pgp From johnmoore3rd at joimail.com Sat Feb 18 21:01:05 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Sat Feb 18 21:00:32 2006 Subject: Alternative keyserver for auto-fetching keys In-Reply-To: <20060218174946.GA25823@refinery> References: <20060218174946.GA25823@refinery> Message-ID: <43F77D01.1080403@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 redondos wrote: > I spent some time reading the man page and several HOWTOs on the web, > but couldn't find anything that would suggest that this exists. I would > like to have gnupg try fetching public keys from an alternate (keywords: secondary, alternative, different) HKP server if the same operation failed on the primary one. Is this possible? I' assuming it isn't. Do you think it's a good idea? I know, it could lag your mail browsing a lot, but it could be a toggable feature. It would be even better if it let you have a list of keyservers it should look for keys on, not just two. Try switching to GnuPG 1.4.3rc1. The much improved Keyserver 'fetch' Help is a vast improvement. JOHN ;) Timestamp: Saturday 18 Feb 2006, 15:00 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3rc1: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJD93z/AAoJEBCGy9eAtCsPweIH/2ZjwQMrk2CbG+YKyCaIBrJc l37hD6DetkARXGxFS/okba7TycI9xeRzQfVJMi8vU9YhhmpSSZuHNWevVGLKoeti QTt/11/jk0/4aYydt+pSq/i/dHhkPajHeNgo+qFqhxc5w17s1Z59ESTI9h7RSiDR Psz71Nks8IpK82PZEfBdkW1VAdqkDqZ7RarLicga9kkibkyXoGyzgBk7ypvvDb60 iCfZSFv7Nd9OJjZMxilRJIR91jO5C4/+PjepTxDvlWwnwfUttF46w9VotXsigSYH xowLtzIa5MkA8xwh7/h4YsgB+QbDocckrWBSCkpUzQvIvCHJD9CN0ycW+S16fjE= =3N0u -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sun Feb 19 06:39:32 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Feb 19 06:40:31 2006 Subject: cURL keyserver handlers broken Message-ID: <43F80494.90501@gmail.com> Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver handlers to function correctly. For example, using the following command: gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax I get the error: ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error Using a 1.4.2 build (which doesn't use the cURL handlers): c:\gnupg\142\gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax I am presented with some results. I'm running Windows 2000 and AFAICT I'm not behind a firewall. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/015306b5/signature.pgp From dshaw at jabberwocky.com Sun Feb 19 06:52:50 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Feb 19 06:52:18 2006 Subject: cURL keyserver handlers broken In-Reply-To: <43F80494.90501@gmail.com> References: <43F80494.90501@gmail.com> Message-ID: <20060219055250.GG22845@jabberwocky.com> On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote: > Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver > handlers to function correctly. For example, using the following command: > > gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax > > I get the error: > > ?: localhost: Unable to connect: ec=0 > gpgkeys: HTTP search error 7: couldn't connect: No error Keep in mind 1.4.3rc1 is a development version and hasn't been released yet. gnupg-devel would be a more appropriate place. That said, please run with: --debug 1024 --keyserver-options keep-temp-files added to your command line, and post the results as well as the contents of your tempin.txt file (the location of the tempin.txt file may vary on different systems, but will be shown in the debug output). It looks like you're not talking to sks.keyserver.penguin.de at all. David From alphasigmax at gmail.com Sun Feb 19 07:12:19 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Feb 19 07:12:59 2006 Subject: cURL keyserver handlers broken In-Reply-To: <20060219055250.GG22845@jabberwocky.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> Message-ID: <43F80C43.2000501@gmail.com> David Shaw wrote: > On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote: > >>Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver >>handlers to function correctly. For example, using the following command: >> >>gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax >> >>I get the error: >> >>?: localhost: Unable to connect: ec=0 >>gpgkeys: HTTP search error 7: couldn't connect: No error > > > Keep in mind 1.4.3rc1 is a development version and hasn't been > released yet. gnupg-devel would be a more appropriate place. > > That said, please run with: > > --debug 1024 --keyserver-options keep-temp-files > > added to your command line, and post the results as well as the > contents of your tempin.txt file (the location of the tempin.txt file > may vary on different systems, but will be shown in the debug > output). It looks like you're not talking to sks.keyserver.penguin.de > at all. > Well, I know it exists; the second time I ran it (using an older version of GPG) I *did* get results. ------------8<--------------------- gpg --no-options --debug 1024 --keyserver-options keep-temp-files --keyserver sks.keyserver.penguin.de --search Alphax gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: DBG: expanding string "C:\GnuPG\gpgkeys_hkp.exe -o "%O" "%I"" gpg: DBG: args expanded to "C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt"", use 1, keep 1 gpg: DBG: using temp file `C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt' gpg: searching for "Alphax" from hkp server sks.keyserver.penguin.de gpg: DBG: system() command is C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt" ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error gpg: key "Alphax" not found on keyserver secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 ------------8<--------------------- Contents of tempin.txt: ------------8<--------------------- # This is a GnuPG 1.4.3rc1: keyserver communications file VERSION 1 PROGRAM 1.4.3rc1: SCHEME hkp HOST sks.keyserver.penguin.de PATH / OPTION include-revoked OPTION include-subkeys OPTION try-dns-srv COMMAND SEARCH Alphax ------------8<--------------------- Contents of tempout.txt: ------------8<--------------------- VERSION 1 PROGRAM 1.4.3rc1: SEARCH Alphax BEGIN SEARCH Alphax FAILED 9 ------------8<--------------------- Thoughts? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/b50bf113/signature-0001.pgp From dshaw at jabberwocky.com Sun Feb 19 07:26:35 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Feb 19 07:26:04 2006 Subject: cURL keyserver handlers broken In-Reply-To: <43F80C43.2000501@gmail.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> Message-ID: <20060219062635.GH22845@jabberwocky.com> On Sun, Feb 19, 2006 at 04:42:19PM +1030, Alphax wrote: > David Shaw wrote: > > On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote: > > > >>Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver > >>handlers to function correctly. For example, using the following command: > >> > >>gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax > >> > >>I get the error: > >> > >>?: localhost: Unable to connect: ec=0 > >>gpgkeys: HTTP search error 7: couldn't connect: No error > > > > > > Keep in mind 1.4.3rc1 is a development version and hasn't been > > released yet. gnupg-devel would be a more appropriate place. > > > > That said, please run with: > > > > --debug 1024 --keyserver-options keep-temp-files > > > > added to your command line, and post the results as well as the > > contents of your tempin.txt file (the location of the tempin.txt file > > may vary on different systems, but will be shown in the debug > > output). It looks like you're not talking to sks.keyserver.penguin.de > > at all. > > > > Well, I know it exists; the second time I ran it (using an older version > of GPG) I *did* get results. No question that it exists. Just that gpgkeys wasn't talking to it... The output you sent is helpful. Can you do another run, but add: --keyserver-options verbose verbose verbose (that's 3x verbose) David From JPClizbe at comcast.net Sun Feb 19 07:04:29 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Sun Feb 19 07:40:06 2006 Subject: cURL keyserver handlers broken In-Reply-To: <43F80494.90501@gmail.com> References: <43F80494.90501@gmail.com> Message-ID: <43F80A6D.3000805@comcast.net> Alphax wrote: > Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver > handlers to function correctly. For example, using the following command: > > gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax > > I get the error: > > ?: localhost: Unable to connect: ec=0 > gpgkeys: HTTP search error 7: couldn't connect: No error > > Using a 1.4.2 build (which doesn't use the cURL handlers): > > c:\gnupg\142\gpg --no-options --keyserver sks.keyserver.penguin.de > --search Alphax Try another server, say minsky.surfnet.nl or sks.dnsalias.net. I've seen the same error when the specified server is unreachable. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 436 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/d2aa88dc/signature.pgp From walter.haidinger at gmx.at Sun Feb 19 12:34:14 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Sun Feb 19 12:34:08 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060218211132.GA32475@asteria.noreply.org> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> Message-ID: <43F857B6.5040804@gmx.at> Peter Palfrader schrieb: > http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip Thanks! One question, though: Where is this schema from? Is it the "new" one the GnuPG announcement was talking about or is it a schema shipped with with a commercial(?) keyserver? > If you get an LDAP keyserver running please document your steps > somewhere and let us know. I will. Regards, Walter From smurf at smurf.noris.de Sun Feb 19 06:07:56 2006 From: smurf at smurf.noris.de (Matthias Urlichs) Date: Sun Feb 19 13:51:12 2006 Subject: Remote signing? Message-ID: Hello, I need to sign files remotely. They're moderately large, so transmitting them back to my firewalled-off laptop (I'm usually behind a slow line), where the secret key lives, isn't a good idea. Ideas? -- Matthias Urlichs From alphasigmax at gmail.com Sun Feb 19 13:54:40 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Feb 19 13:55:26 2006 Subject: cURL keyserver handlers broken In-Reply-To: <20060219062635.GH22845@jabberwocky.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> <20060219062635.GH22845@jabberwocky.com> Message-ID: <43F86A90.3080400@gmail.com> David Shaw wrote: > On Sun, Feb 19, 2006 at 04:42:19PM +1030, Alphax wrote: > >>David Shaw wrote: >> >>>On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote: >>> >>> >>>>Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver >>>>handlers to function correctly. For example, using the following command: >>>> >>>>gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax >>>> >>>>I get the error: >>>> >>>>?: localhost: Unable to connect: ec=0 >>>>gpgkeys: HTTP search error 7: couldn't connect: No error >>> >>> >>>Keep in mind 1.4.3rc1 is a development version and hasn't been >>>released yet. gnupg-devel would be a more appropriate place. >>> >>>That said, please run with: >>> >>> --debug 1024 --keyserver-options keep-temp-files >>> >>>added to your command line, and post the results as well as the >>>contents of your tempin.txt file (the location of the tempin.txt file >>>may vary on different systems, but will be shown in the debug >>>output). It looks like you're not talking to sks.keyserver.penguin.de >>>at all. >>> >> >>Well, I know it exists; the second time I ran it (using an older version >>of GPG) I *did* get results. > > > No question that it exists. Just that gpgkeys wasn't talking to it... > > The output you sent is helpful. Can you do another run, but add: > --keyserver-options verbose verbose verbose > > (that's 3x verbose) > gpg --no-options --debug 1024 --keyserver-options verbose --keyserver-options verbose --keyserver-options verbose --keyserver-options keep-temp-files --keyserver sks.keyserver.penguin.de --search Alphax gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: DBG: expanding string "C:\GnuPG\gpgkeys_hkp.exe -o "%O" "%I"" gpg: DBG: args expanded to "C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt"", use 1, keep 1 gpg: DBG: using temp file `C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt' gpg: searching for "Alphax" from hkp server sks.keyserver.penguin.de gpg: DBG: system() command is C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt" Host: sks.keyserver.penguin.de Command: SEARCH gpgkeys: HTTP URL is `http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr &search=Alphax' ?: localhost: Unable to connect: ec=0 gpgkeys: HTTP search error 7: couldn't connect: No error gpg: key "Alphax" not found on keyserver secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 The only difference in tempin.txt was that "OPTION verbose" appeared three times.. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/7cf9daab/signature.pgp From dshaw at jabberwocky.com Sun Feb 19 16:19:13 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Feb 19 16:18:41 2006 Subject: cURL keyserver handlers broken In-Reply-To: <43F86A90.3080400@gmail.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> <20060219062635.GH22845@jabberwocky.com> <43F86A90.3080400@gmail.com> Message-ID: <20060219151913.GI22845@jabberwocky.com> On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote: > Host: sks.keyserver.penguin.de > Command: SEARCH > gpgkeys: HTTP URL is > `http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr > &search=Alphax' > ?: localhost: Unable to connect: ec=0 > gpgkeys: HTTP search error 7: couldn't connect: No error That looks correct so far. I don't suppose you have an environment variable http_proxy set? David From alphasigmax at gmail.com Sun Feb 19 16:22:40 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Feb 19 16:23:22 2006 Subject: cURL keyserver handlers broken In-Reply-To: <20060219151913.GI22845@jabberwocky.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> <20060219062635.GH22845@jabberwocky.com> <43F86A90.3080400@gmail.com> <20060219151913.GI22845@jabberwocky.com> Message-ID: <43F88D40.4050200@gmail.com> David Shaw wrote: > On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote: > > >>Host: sks.keyserver.penguin.de >>Command: SEARCH >>gpgkeys: HTTP URL is >>`http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr >>&search=Alphax' >>?: localhost: Unable to connect: ec=0 >>gpgkeys: HTTP search error 7: couldn't connect: No error > > > That looks correct so far. I don't suppose you have an environment > variable http_proxy set? > Yes, but I thought that --no-options would disable it... also, I've tried using an options file without the proxy-enabling options... So that's the problem eh? Any way to get around it? Should I just move all http-proxy stuff to config files? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060220/d42ca852/signature.pgp From dshaw at jabberwocky.com Sun Feb 19 17:24:40 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Feb 19 17:24:05 2006 Subject: cURL keyserver handlers broken In-Reply-To: <43F88D40.4050200@gmail.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> <20060219062635.GH22845@jabberwocky.com> <43F86A90.3080400@gmail.com> <20060219151913.GI22845@jabberwocky.com> <43F88D40.4050200@gmail.com> Message-ID: <20060219162440.GJ22845@jabberwocky.com> On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote: > David Shaw wrote: > > On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote: > > > > > >>Host: sks.keyserver.penguin.de > >>Command: SEARCH > >>gpgkeys: HTTP URL is > >>`http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr > >>&search=Alphax' > >>?: localhost: Unable to connect: ec=0 > >>gpgkeys: HTTP search error 7: couldn't connect: No error > > > > > > That looks correct so far. I don't suppose you have an environment > > variable http_proxy set? > > > > Yes, but I thought that --no-options would disable it... also, I've > tried using an options file without the proxy-enabling options... > > So that's the problem eh? Any way to get around it? Should I just move > all http-proxy stuff to config files? If you set "keyserver-option no-http-proxy", the proxy will be disabled, even if you have the environment variable set. David From eocsor at gmail.com Sun Feb 19 18:26:20 2006 From: eocsor at gmail.com (Roscoe) Date: Sun Feb 19 18:25:56 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: Seeing as a detached sig is just a signed hash, you could hash the file remotely then copy the hash over and construct a detached sig from that. I imagine no current app supports that kind of thing(??) so that might involve X amount of pissing about coding your own solution. Many folk just run sha1sum and sign the output of that. It's requires a extra command to be run to verify but nothing major. On 2/19/06, Matthias Urlichs wrote: > Hello, > > I need to sign files remotely. They're moderately large, so transmitting > them back to my firewalled-off laptop (I'm usually behind a slow line), > where the secret key lives, isn't a good idea. > > Ideas? > > -- > Matthias Urlichs > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From alex at bofh.net.pl Sun Feb 19 20:04:39 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Sun Feb 19 20:47:57 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: <20060219190439.GO23968@hell.pl> On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote: > Hello, > > I need to sign files remotely. They're moderately large, so transmitting > them back to my firewalled-off laptop (I'm usually behind a slow line), > where the secret key lives, isn't a good idea. create (and rotate frequently) a signing subkey and export it where the files live & sign there a From dshaw at jabberwocky.com Sun Feb 19 21:19:30 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Feb 19 21:19:00 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: <20060219201930.GK22845@jabberwocky.com> On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote: > Hello, > > I need to sign files remotely. They're moderately large, so transmitting > them back to my firewalled-off laptop (I'm usually behind a slow line), > where the secret key lives, isn't a good idea. You have two good options. Which is the best option depends on your exact circumstances. The first option is to hash the files remotely, with something like: gpg --print-md sha256 (thefile) and then make a text file of hashes on your local laptop and sign that text file. This option presumes that the link between the remote machine and your local machine is secure so that someone replacing the hash between the remote and local machine is not a risk. The other option is to make a new key (or new subkey) that can live on the remote machine. This key would be signed with your main key so there is a chain of trust. The disadvantage here is that if the remote machine (and thus the key living there) is compromised, the attacker may issue signatures using that key. You can revoke the key, of course, but this assumes that the recipients can get the revocation. David From johanw at vulcan.xs4all.nl Mon Feb 20 22:14:46 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Feb 19 22:14:31 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <3D8EF107.54A453E5.0307202B@netscape.net> Message-ID: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> Henry Hertz Hobbit wrote: >Usually, if you are using a web interface to access your email, only the >initial authentication is done via SSL. After that if your URL address >shifts to using an "http://" rather than the "https://" you made your >initial connection with means that your communication just shifted from SSL >(weak encryption) to NO encryption. That is the norm. Strange, I've never seen that happen. All webmail from Dutch providers that I've accessed (my own and some for people with problems where I accessed the mail to dump mails with large attachments that took too long to download) were https all the way. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From nsushkin at sushkins.net Sun Feb 19 20:54:13 2006 From: nsushkin at sushkins.net (Nicholas Sushkin) Date: Sun Feb 19 22:17:59 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card =?iso-8859-1?q?=26=A0100=25_Free_Software_PCMCIA?= reader In-Reply-To: <20060219061418.D9CC344C003@gate8.r3.iad.emailsrvr.com> References: <20060219061418.D9CC344C003@gate8.r3.iad.emailsrvr.com> Message-ID: <200602191454.18946.nsushkin@sushkins.net> On Sunday 19 February 2006 01:14, gnupg-users-request@gnupg.org wrote: > On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote: > > I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC, > > S/MIME and more... Why don't you invent some replacements for these > > too? > > Big news for you: We are here precisely because we prefer OpenPGP to > S/MIME. And *I* certainly don't use S/MIME. I use X.509 when really, > really forced to (for TLS/SSL HTTP, jabber, POP3, IMAP4, ... servers), > and then usually in a "flat" mode (self-signed certs, my own CA, > ...). Realistically speaking, when free software does not interoperate with the commercial software with a large mindshare, it's the free software loss. On the other hand, the Samba project that enabled interoperation enjoyed tremendous support and success. -- Nick -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 1362 bytes Desc: not available Url : /pipermail/attachments/20060219/a25f1b43/smime.bin From reinhold at kainhofer.com Sun Feb 19 22:35:13 2006 From: reinhold at kainhofer.com (Reinhold Kainhofer) Date: Mon Feb 20 00:18:00 2006 Subject: Using an official Austrian key on a smartcard with OpenPG Message-ID: <200602192235.21285.reinhold@kainhofer.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I have a key on an official Austrian banking card (the operating system of the card is ACOS, the company that provides the keys is a-trust). How can I use this card with my Reiner SCT CyberJack card reader to sign mails using gnupg? The card's OS is proprietary (it also doesn't seem to be a pkcs#15 card), but a PKCS#11 library for mozilla is provided. This works just fine in mozilla, however, I want to sign mails in kmail, which only uses gnupg. gpg --card-status doesn't seem to detect the card. Cheers, Reinhold - -- - ------------------------------------------------------------------ Reinhold Kainhofer, Vienna, Austria email: reinhold@kainhofer.com, http://reinhold.kainhofer.com/ * Financial and Actuarial Mathematics, TU Wien, http://www.fam.tuwien.ac.at * K Desktop Environment, http://www.kde.org/, KOrganizer maintainer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFD+OSZTqjEwhXvPN0RAqVOAKCOFN5ZlUSmpUVL/xjK2+tFBCvnfgCgvfov FMxAmwFv5eCdTkddciksRoo= =92NM -----END PGP SIGNATURE----- From JPClizbe at comcast.net Mon Feb 20 01:14:05 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Feb 20 01:14:04 2006 Subject: Using an official Austrian key on a smartcard with OpenPG In-Reply-To: <200602192235.21285.reinhold@kainhofer.com> References: <200602192235.21285.reinhold@kainhofer.com> Message-ID: <43F909CD.4040903@comcast.net> Reinhold Kainhofer wrote: > Hi all, > I have a key on an official Austrian banking card (the operating system of the > card is ACOS, the company that provides the keys is a-trust). How can I use > this card with my Reiner SCT CyberJack card reader to sign mails using gnupg? > > The card's OS is proprietary (it also doesn't seem to be a pkcs#15 card), but > a PKCS#11 library for mozilla is provided. This works just fine in mozilla, > however, I want to sign mails in kmail, which only uses gnupg. Hi Reinhold, There is at present no PKCS#11 support in GnuPG that I know of. The only smartcard support I'm aware of is the OpenPGP card. And since it works with Mozilla, I suspect your banking card is using a X.509 certificate not a PGP key. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 457 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/7f690e8d/signature.pgp From b.buerger at penguin.de Sun Feb 19 14:56:17 2006 From: b.buerger at penguin.de (Bjoern Buerger) Date: Mon Feb 20 01:17:55 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: <43F87901.7010904@penguin.de> Matthias Urlichs wrote: > I need to sign files remotely. They're moderately large > Ideas? Use md5sum|sha1sum|[...] and sign the resulting file. Ciao, Bj?rn From JPClizbe at comcast.net Mon Feb 20 01:16:14 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Feb 20 01:36:52 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> References: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> Message-ID: <43F90A4E.8090204@comcast.net> Johan Wevers wrote: > Henry Hertz Hobbit wrote: > >>Usually, if you are using a web interface to access your email, only the >>initial authentication is done via SSL. After that if your URL address >>shifts to using an "http://" rather than the "https://" you made your >>initial connection with means that your communication just shifted from SSL >>(weak encryption) to NO encryption. That is the norm. > > Strange, I've never seen that happen. All webmail from Dutch providers that > I've accessed (my own and some for people with problems where I accessed the > mail to dump mails with large attachments that took too long to download) > were https all the way. > OF three major US providers I have experience with: Earthlink and Google's GMail use https on their signin page then then switch over to http once authenticated Comcast starts with a HTTP page, posts the info to a https URL to set a cookie then returns to http. Not a very good implementation. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 457 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/45e10e1e/signature.pgp From alphasigmax at gmail.com Mon Feb 20 04:07:40 2006 From: alphasigmax at gmail.com (Alphax) Date: Mon Feb 20 04:08:38 2006 Subject: cURL keyserver handlers broken In-Reply-To: <20060219162440.GJ22845@jabberwocky.com> References: <43F80494.90501@gmail.com> <20060219055250.GG22845@jabberwocky.com> <43F80C43.2000501@gmail.com> <20060219062635.GH22845@jabberwocky.com> <43F86A90.3080400@gmail.com> <20060219151913.GI22845@jabberwocky.com> <43F88D40.4050200@gmail.com> <20060219162440.GJ22845@jabberwocky.com> Message-ID: <43F9327C.5070403@gmail.com> David Shaw wrote: > On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote: > >>David Shaw wrote: >> >>>That looks correct so far. I don't suppose you have an environment >>>variable http_proxy set? >>> >> >>Yes, but I thought that --no-options would disable it... also, I've >>tried using an options file without the proxy-enabling options... >> >>So that's the problem eh? Any way to get around it? Should I just move >>all http-proxy stuff to config files? > > > If you set "keyserver-option no-http-proxy", the proxy will be > disabled, even if you have the environment variable set. > Thanks, works like a charm. Added to my config file. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060220/9e5010ab/signature-0001.pgp From lionel at mamane.lu Mon Feb 20 06:39:42 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Mon Feb 20 06:39:14 2006 Subject: On protocols [was: =?iso-8859-15?q?Finally=3A_Login_via_SSH_authe?= =?iso-8859-15?q?ntication_with_OpenPGP_smart_card_=26=A0100=25?= Free Software PCMCIA reader] In-Reply-To: <200602191454.18946.nsushkin@sushkins.net> References: <20060219061418.D9CC344C003@gate8.r3.iad.emailsrvr.com> <200602191454.18946.nsushkin@sushkins.net> Message-ID: <20060220053942.GB7565@capsaicin.mamane.lu> On Sun, Feb 19, 2006 at 02:54:13PM -0500, Nicholas Sushkin wrote: > On Sunday 19 February 2006 01:14, gnupg-users-request@gnupg.org wrote: >> On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote: >>> I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC, >>> S/MIME and more... Why don't you invent some replacements for >>> these too? >> Big news for you: We are here precisely because we prefer OpenPGP >> to S/MIME. And *I* certainly don't use S/MIME. I use X.509 when >> really, really forced to (for TLS/SSL HTTP, jabber, POP3, IMAP4, >> ... servers), and then usually in a "flat" mode (self-signed certs, >> my own CA, ...). > Realistically speaking, when free software does not interoperate > with the commercial software with a large mindshare, it's the free > software loss. You seem to use "commercial" antagonistically to "free". A software can be both free (as in freedom) and commercial (that is, written in the goal of earning money). Realistically, in the crowds I hang out with, it is OpenPGP that has the mindshare. So even if I would prefer S/MIME, I'd be forced to use OpenPGP by the network effect. Other crowds force you to use S/MIME through the network effect. That's the nature of social crowds. And AFAIK, there is free software that supports S/MIME, isn't there? I have never tried to use them (by lack of any necessity or usefulness: nobody to communicate _with_), but I'm not hearing that they don't work or don't interoperate with proprietary implementations. -- Lionel From lionel at mamane.lu Mon Feb 20 07:10:46 2006 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Mon Feb 20 07:10:06 2006 Subject: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader In-Reply-To: <20060218062546.GB9241@capsaicin.mamane.lu> References: <43F067B8.4080504@gmail.com> <87k6bze5uf.fsf@wheatstone.g10code.de> <43F0C29C.1020403@gmail.com> <87psllvl6w.fsf@wheatstone.g10code.de> <43F64F1F.4000101@gmail.com> <20060218062546.GB9241@capsaicin.mamane.lu> Message-ID: <20060220061046.GC7565@capsaicin.mamane.lu> On Sat, Feb 18, 2006 at 07:25:46AM +0100, Lionel Elie Mamane wrote: > On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote: >> I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC, >> S/MIME and more... Why don't you invent some replacements for these >> too? > Big news for you: We are here precisely because we prefer OpenPGP to > S/MIME. And isn't PGP like waaaaay older than S/MIME anyway? The release of PGP 1.0 was in 1991. (Not that we are still interoperable with it. Comparing with PGP 2 would probably be more fair... I dunno when that is, but PGP 2.6.2 is 1994.) S/MIME seems to be born with RFC 1847, October 1995. -- Lionel From bdesham at gmail.com Mon Feb 20 05:50:17 2006 From: bdesham at gmail.com (Benjamin Esham) Date: Mon Feb 20 07:47:59 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <43F90A4E.8090204@comcast.net> References: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> <43F90A4E.8090204@comcast.net> Message-ID: <06A8132A-DBC9-4970-BCC8-70B5249EF48D@gmail.com> John Clizbe wrote: >> Henry Hertz Hobbit wrote: >> >>> Usually, if you are using a web interface to access your email, >>> only the >>> initial authentication is done via SSL. After that if your URL >>> address >>> shifts to using an "http://" rather than the "https://" you made >>> your >>> initial connection with means that your communication just >>> shifted from SSL >>> (weak encryption) to NO encryption. That is the norm. > > OF three major US providers I have experience with: > > Earthlink and Google's GMail use https on their signin page then > then switch > over to http once authenticated I saw a neat trick somewhere online... if you use "https:// mail.google.com" as your login page for Gmail, the entire session is encrypted. I haven't used the normal method since I learned how to do this. I hope someone finds this helpful! :-) Cheers, -- Benjamin D. Esham bdesham@gmail.com | http://bdesham.net | AIM: bdesham128 Wikipedia, the Free Encyclopedia ? http://en.wikipedia.org -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060219/9eb0b934/PGP.pgp From lusfert at gmail.com Mon Feb 20 08:00:03 2006 From: lusfert at gmail.com (lusfert) Date: Mon Feb 20 08:01:35 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <06A8132A-DBC9-4970-BCC8-70B5249EF48D@gmail.com> References: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> <43F90A4E.8090204@comcast.net> <06A8132A-DBC9-4970-BCC8-70B5249EF48D@gmail.com> Message-ID: <43F968F3.5010205@gmail.com> Benjamin Esham wrote on 20.02.2006 7:50: > John Clizbe wrote: >> Earthlink and Google's GMail use https on their signin page then then >> switch >> over to http once authenticated > > I saw a neat trick somewhere online... if you use > "https://mail.google.com" as your > login page for Gmail, the entire session is encrypted. I haven't used > the normal > method since I learned how to do this. I hope someone finds this > helpful! :-) > This is even included in Gmail help and recommended by Google: https://mail.google.com/support/bin/answer.py?answer=8155 I don't understand why it isn't enabled by default. For example, at https://www.safe-mail.net/ you can use web-interface only via https:// -- Regards OpenPGP Key ID: 0x9E353B56500B8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 163 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060220/011ec35b/signature.pgp From reinhold at kainhofer.com Mon Feb 20 09:18:44 2006 From: reinhold at kainhofer.com (Reinhold Kainhofer) Date: Mon Feb 20 09:18:12 2006 Subject: Using an official Austrian key on a smartcard with OpenPG In-Reply-To: <43F909CD.4040903@comcast.net> References: <200602192235.21285.reinhold@kainhofer.com> <43F909CD.4040903@comcast.net> Message-ID: <200602200918.53150.reinhold@kainhofer.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Thanks for the answer. Am Montag, 20. Februar 2006 01:14 schrieb John Clizbe: > Reinhold Kainhofer wrote: > > Hi all, > > I have a key on an official Austrian banking card (the operating system > > of the card is ACOS, the company that provides the keys is a-trust). How > > can I use this card with my Reiner SCT CyberJack card reader to sign > > mails using gnupg? > > > > The card's OS is proprietary (it also doesn't seem to be a pkcs#15 card), > > but a PKCS#11 library for mozilla is provided. This works just fine in > > mozilla, however, I want to sign mails in kmail, which only uses gnupg. > > Hi Reinhold, > > There is at present no PKCS#11 support in GnuPG that I know of. Yes, I saw that in the archives. > The only smartcard support I'm aware of is the OpenPGP card. However, Werner said in several mails that all that smartcard support that was in opensc is now also added to gnupg. He also said that all other cards are supported by custom code, so I wanted to know how I can use this non-OpenPGP card with openpgp. > And since it works with Mozilla, I suspect your banking card is using a > X.509 certificate not a PGP key. Probably. However, I still need to sign mails with this smartcard, so is there still a way to use this card with the X.509 certificates with kmail / gnupg? For official documents I'll sooner or later need to sign with this card. Cheers, Reinhold - -- - ------------------------------------------------------------------ Reinhold Kainhofer, Vienna, Austria email: reinhold@kainhofer.com, http://reinhold.kainhofer.com/ * Financial and Actuarial Mathematics, TU Wien, http://www.fam.tuwien.ac.at * K Desktop Environment, http://www.kde.org/, KOrganizer maintainer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFD+XttTqjEwhXvPN0RAhZ/AKDHEA72XfmANWFJoqf2OHh0A6jPpgCglphv dJUQ3cVA9SqtSw9yc5zG6YY= =LlvB -----END PGP SIGNATURE----- From smurf at smurf.noris.de Mon Feb 20 10:14:53 2006 From: smurf at smurf.noris.de (Matthias Urlichs) Date: Mon Feb 20 10:15:16 2006 Subject: Remote signing? References: Message-ID: Hello, I wrote: > I need to sign files remotely. They're moderately large, so transmitting > them back to my firewalled-off laptop (I'm usually behind a slow line), > where the secret key lives, isn't a good idea. > > Ideas? What happens if you have a smartcard, anyway -- doesn't the gpg agent tunnel these requests? Using standard gpg as the back end shouldn't be too much of a stretch then..? From peter at palfrader.org Sat Feb 18 22:11:32 2006 From: peter at palfrader.org (Peter Palfrader) Date: Mon Feb 20 10:56:32 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <43F74D60.8010908@gmx.at> References: <43F74D60.8010908@gmx.at> Message-ID: <20060218211132.GA32475@asteria.noreply.org> Walter Haidinger schrieb am Samstag, dem 18. Feber 2006: > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for > use with GnuPG). Please note that I already have a working OpenLDAP > server, so I'd only need to add schema, acls and keys, of course. > > Btw, can GnuPG also store secret keys in the keyserver? > > However, I was unable to find any schema definiton... http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip If you get an LDAP keyserver running please document your steps somewhere and let us know. -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From peter at palfrader.org Sun Feb 19 18:41:09 2006 From: peter at palfrader.org (Peter Palfrader) Date: Mon Feb 20 10:56:39 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <43F857B6.5040804@gmx.at> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <43F857B6.5040804@gmx.at> Message-ID: <20060219174109.GB8443@asteria.noreply.org> Walter Haidinger schrieb am Sonntag, dem 19. Feber 2006: > Peter Palfrader schrieb: > > http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip > > Thanks! One question, though: Where is this schema from? > Is it the "new" one the GnuPG announcement was talking about or > is it a schema shipped with with a commercial(?) keyserver? It's from some version of PGP Universal, I think. And yes, it's the new thing the announcement was mentioning. -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From thomas.kuehne at gmx.li Sun Feb 19 22:12:23 2006 From: thomas.kuehne at gmx.li (=?ISO-8859-1?Q?Thomas_K=FChne?=) Date: Mon Feb 20 10:56:41 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: <43F8DF37.7030105@gmx.li> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060219/9aab4e20/signature-0001.pgp From thomas.kuehne at gmx.li Mon Feb 20 13:04:18 2006 From: thomas.kuehne at gmx.li (=?ISO-8859-1?Q?Thomas_K=FChne?=) Date: Mon Feb 20 12:05:20 2006 Subject: Remote signing? In-Reply-To: References: Message-ID: <43F9B042.1020506@gmx.li> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060220/8cf74ef4/signature.pgp From holger.schuettel at googlemail.com Mon Feb 20 11:40:24 2006 From: holger.schuettel at googlemail.com (Holger Schuettel) Date: Mon Feb 20 12:51:12 2006 Subject: [Announce] First release candidate for 1.4.3 available In-Reply-To: <20060217034402.GA18494@jabberwocky.com> References: <20060217034402.GA18494@jabberwocky.com> Message-ID: <43F99C98.8080302@googlemail.com> David Shaw schrieb: > We are pleased to announce the availability of the first release > candidate for the forthcoming 1.4.3 version of GnuPG: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2 (2.9M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2.sig > Is also a new GnuPG 1.4.3 WIN (XP) Version available ?? I'm using the version 1.4.2.1 or is this the same version for Windows (1.4.3) > SHA-1 checksums for the above files are: > > 6c2d5f65c2acde6eaeb1ae3a4bc9ae971f942126 gnupg-1.4.3rc1.tar.bz2 > 62f13c67d5a32bb9747db0da667e420e5391f1e7 gnupg-1.4.3rc1.tar.bz2.sig > > Note that this is only a release candidate, and as such is not > intended for use on production systems. If you are inclined to help > test, however, we would appreciate you trying this new version and > reporting any problems. > -- ________________________________________________________________________________ Mit freundlichen Gruessen: With Regards: Holger Schuettel E-Mail: holger.schuettel@googlemail.com GPG-Key-ID: 0xC956679A Fingerprint: 96A0 B66D D1B7 620D 9C3D E5F9 8EAA B85E C956 679A Key: http://www.tinyurl.com/9b4y8 Fax: +49 69 13 30 69 13 572 Mit GPG/PGP verschl?sselte/signierte E-Mails sind willkommen !! GPG/PGP encrypted mails are privileged !! ________________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 247 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060220/6796c3c3/signature.pgp From ivalladt at punkass.com Mon Feb 20 16:46:24 2006 From: ivalladt at punkass.com (Ismael Valladolid Torres) Date: Mon Feb 20 16:47:02 2006 Subject: Sign locally a batch of keys Message-ID: <20060220154623.GB11511@localhost.localdomain> I need to import into my keyring several .asc files with some keys each. I want to trust marginally those keys, so I simply am not asked for fingerprint verification. I've thought of using lsign. Is there any way to lsign them all while importing as a batch procedure? Is lsign what I need in order to trust keys personally and locally? Any other ideas useful. Cordially, Ismael -- m?, myself et moi http://lamediahostia.blogspot.com/ http://www.flickr.com/photos/ivalladt/ From chrisbold1 at gmail.com Mon Feb 20 14:17:05 2006 From: chrisbold1 at gmail.com (Chris Boldiston) Date: Mon Feb 20 16:48:05 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <43F968F3.5010205@gmail.com> References: <200602202114.k1KLEkqL001501@vulcan.xs4all.nl> <43F90A4E.8090204@comcast.net> <06A8132A-DBC9-4970-BCC8-70B5249EF48D@gmail.com> <43F968F3.5010205@gmail.com> Message-ID: <42c85dc60602200517g24ed98e7lada22da72c40f23e@mail.gmail.com> If you use Firefox, download the CustomizeGoogle extension and you can select "Secure" https mode for all gmail traffic and "Remove ads and related pages" Chris On 2/20/06, lusfert wrote: > Benjamin Esham wrote on 20.02.2006 7:50: > > John Clizbe wrote: > >> Earthlink and Google's GMail use https on their signin page then then > >> switch > >> over to http once authenticated > > > > I saw a neat trick somewhere online... if you use > > "https://mail.google.com" as your > > login page for Gmail, the entire session is encrypted. I haven't used > > the normal > > method since I learned how to do this. I hope someone finds this > > helpful! :-) > > > This is even included in Gmail help and recommended by Google: > https://mail.google.com/support/bin/answer.py?answer=8155 > I don't understand why it isn't enabled by default. For example, at > https://www.safe-mail.net/ you can use web-interface only via https:// > > -- > Regards > OpenPGP Key ID: 0x9E353B56500B8987 > Encrypted e-mail preferred. > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > From dshaw at jabberwocky.com Mon Feb 20 17:01:39 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 20 17:01:05 2006 Subject: [Announce] First release candidate for 1.4.3 available In-Reply-To: <43F99C98.8080302@googlemail.com> References: <20060217034402.GA18494@jabberwocky.com> <43F99C98.8080302@googlemail.com> Message-ID: <20060220160139.GA17933@jabberwocky.com> On Mon, Feb 20, 2006 at 11:40:24AM +0100, Holger Schuettel wrote: > David Shaw schrieb: > > We are pleased to announce the availability of the first release > > candidate for the forthcoming 1.4.3 version of GnuPG: > > > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2 (2.9M) > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2.sig > > > Is also a new GnuPG 1.4.3 WIN (XP) Version available ?? > I'm using the version 1.4.2.1 or is this the same version for Windows > (1.4.3) There is not currently a 1.4.3rc1 for Windows, I'm afraid you'd have to build it yourself. Several people have done so, judging by the test mails I've gotten in the past few days. Also remember this: > > Note that this is only a release candidate, and as such is not > > intended for use on production systems. If you are inclined to help > > test, however, we would appreciate you trying this new version and > > reporting any problems. David From fctk86 at gmail.com Mon Feb 20 17:46:29 2006 From: fctk86 at gmail.com (Francesco Turco) Date: Mon Feb 20 21:18:03 2006 Subject: file encryption and integrity check Message-ID: <43F9F265.2070803@email.it> hello, i am very new with gnupg and cryptography in general. i'd like to know if gnupg is a good choice for encrypting files with a password and if it is possible to check if an encrypted file is corrupted or not (integrity check). my goal is to burn some files on cds and protect them both from other people and from physical corruption of the media. thanks. From eocsor at gmail.com Mon Feb 20 21:36:49 2006 From: eocsor at gmail.com (Roscoe) Date: Mon Feb 20 21:36:19 2006 Subject: file encryption and integrity check In-Reply-To: <43F9F265.2070803@email.it> References: <43F9F265.2070803@email.it> Message-ID: Sure will. gpg -c is what you want. Make sure you are using a MDC, which means either using one of the 128bit blocksize ciphers (your gpg will probably use AES256 by default, which is good - gpg -vc to find out) or passing the --force-mdc option. If you want protection in the way of recovering from random bit errors rather than just detecting them, running par2 against the encrypted archive might be the way to go. On 2/21/06, Francesco Turco wrote: > hello, > > i am very new with gnupg and cryptography in general. > > i'd like to know if gnupg is a good choice for encrypting files with a > password and if it is possible to check if an encrypted file is > corrupted or not (integrity check). my goal is to burn some files on cds > and protect them both from other people and from physical corruption of > the media. > > thanks. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Mon Feb 20 21:36:57 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 20 21:36:47 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060218211132.GA32475@asteria.noreply.org> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> Message-ID: <20060220203657.GB17933@jabberwocky.com> On Sat, Feb 18, 2006 at 10:11:32PM +0100, Peter Palfrader wrote: > Walter Haidinger schrieb am Samstag, dem 18. Feber 2006: > > > Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for > > use with GnuPG). Please note that I already have a working OpenLDAP > > server, so I'd only need to add schema, acls and keys, of course. > > > > Btw, can GnuPG also store secret keys in the keyserver? > > > > However, I was unable to find any schema definiton... > > http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip > > If you get an LDAP keyserver running please document your steps > somewhere and let us know. Here's a rough guide for OpenLDAP: 0) Have a working OpenLDAP server running already. 1) Copy pgp-keyserver.schema wherever your schemas go. 2) Add an include line in /etc/openldap/slapd.conf for it: include /etc/openldap/schema/pgp-keyserver.schema 3) Add a place to store the keys to /etc/openldap/slapd.conf: database bdb suffix "ou=PGP Keys,dc=DOMAIN,dc=COM" index objectClass eq index pgpCertID,pgpKeyID,pgpKeyType,pgpUserID,pgpKeyCreateTime sub,eq index pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime sub,eq index pgpDisabled,pgpRevoked eq directory /var/lib/ldap access to dn="ou=PGP Keys,dc=DOMAIN,dc=COM" by * write rootdn "cn=Manager,dc=DOMAIN,dc=COM" 4) Restart slapd 5) Make this file: cat > pgp.ldif dn: ou=PGP Keys,dc=DOMAIN,dc=COM objectclass: organizationalUnit ou: PGP Keys dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM cn: PGPServerInfo objectclass: pgpserverinfo pgpSoftware: OpenLDAP pgpVersion: 2.2.29 pgpBaseKeyspaceDN: ou=PGP Keys,dc=DOMAIN,dc=COM ^D 6) ldapadd -x -D "cn=Manager,dc=DOMAIN,dc=COM" -W -f pgp.ldif The configuration above obviously allows anyone to write/delete keys. That may or may not be what you want. Note that GPG will use TLS or LDAPS just fine if you want to use that. David From dshaw at jabberwocky.com Mon Feb 20 21:41:01 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 20 21:40:26 2006 Subject: file encryption and integrity check In-Reply-To: <43F9F265.2070803@email.it> References: <43F9F265.2070803@email.it> Message-ID: <20060220204101.GC17933@jabberwocky.com> On Mon, Feb 20, 2006 at 05:46:29PM +0100, Francesco Turco wrote: > hello, > > i am very new with gnupg and cryptography in general. > > i'd like to know if gnupg is a good choice for encrypting files with a > password and if it is possible to check if an encrypted file is > corrupted or not (integrity check). my goal is to burn some files on cds > and protect them both from other people and from physical corruption of > the media. You want passphrase encryption (not public key) and integrity protection? gpg --force-mdc --symmetric (thefile) David From walter.haidinger at gmx.at Mon Feb 20 23:14:33 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Mon Feb 20 23:14:32 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060220203657.GB17933@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> Message-ID: On Mon, 20 Feb 2006, David Shaw wrote: > Here's a rough guide for OpenLDAP: [--cut--] Thanks, no problem following the guide. > The configuration above obviously allows anyone to write/delete keys. I'll add appropriate access rules once key import/export works. However, I'm having trouble with authentication (see below), despite I've removed all restrictions (allow * by * write). > Note that GPG will use TLS or LDAPS just fine if you want to use that. TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)? When I try to import my first key, I get the following: > gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \ --keyserver-options verbose --send-keys 5802B67C gpg: sending key 5802B67C to ldap server ldap.private Host: ldap.private Command: SEND Server: OpenLDAP slapd Version: 2.2.27 gpgkeys: error adding key 5802B67C to keyserver: Strong(er) authentication required gpg: keyserver internal error gpg: keyserver send failed: keyserver error > slapd logs to syslog (loglevel=448): : => access_allowed: read access granted by write(=wrscx) : => access_allowed: read access to "cn=PGPServerInfo,dc=private" "pgpBaseKeySpaceDN" requested : => acl_get: [1] attr pgpBaseKeySpaceDN : access_allowed: no res from state (pgpBaseKeySpaceDN) : => acl_mask: access to entry "cn=PGPServerInfo,dc=private", attr "pgpBaseKeySpaceDN" requested : => acl_mask: to value by "", (=n) : <= check a_dn_pat: * : <= acl_mask: [1] applying write(=wrscx) (stop) : <= acl_mask: [1] mask: write(=wrscx) : => access_allowed: read access granted by write(=wrscx) : conn=1 op=1 ENTRY dn="cn=PGPServerInfo,dc=private" : conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= : conn=1 op=2 MOD dn="pgpCertID=B18138775802B67C,ou=PGP Keys,dc=private" : conn=1 op=2 MOD attr=pgpDisabled pgpKeyID pgpKeyType pgpUserID pgpKeyCreateTime pgpSignerID pgpRevoked pgpSubKeyID pgpKeySize pgpKeyExpireTime pgpCertID pgpCertID pgpKeyID pgpKeyType pgpKeySize pgpKeyCreateTime pgpDisabled pgpRevoked pgpUserID pgpSignerID pgpSubKeyID objectClass pgpKey : conn=1 op=2 RESULT tag=103 err=8 text=modifications require authentication : conn=1 fd=13 closed Now, GnuPG gets the base keyspace right but modifications fails because of lack of authentication. Since I'd like to have authentication anyways (users should only be able to remove their own keys) later on, how do I tell GnuPG to use a certain DN to bind? Also, will --passphrase-fd read the password for LDAP login? Regards, Walter From dshaw at jabberwocky.com Tue Feb 21 00:00:25 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 20 23:59:55 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> Message-ID: <20060220230025.GD17933@jabberwocky.com> On Mon, Feb 20, 2006 at 11:14:33PM +0100, Walter Haidinger wrote: > On Mon, 20 Feb 2006, David Shaw wrote: > > > Here's a rough guide for OpenLDAP: > [--cut--] > > Thanks, no problem following the guide. > > > The configuration above obviously allows anyone to write/delete keys. > > I'll add appropriate access rules once key import/export works. > However, I'm having trouble with authentication (see below), despite > I've removed all restrictions (allow * by * write). > > > Note that GPG will use TLS or LDAPS just fine if you want to use that. > > TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)? Try for TLS, and do nothing if TLS can't start: keyserver-options tls=try Try for TLS, and print a warning if TLS can't start: keyserver-options tls=warn Try for TLS, and fail if TLS can't start: keyserver-options tls=require If you want to use a particular certificate file: keyserver-options ca-cert-file=/path/to/the/file If you don't want to check the certificate chain (default is to check it): keyserver-options no-check-cert (Incidentally, the new keyserver handlers in 1.4.3 can do SSL and TLS for HTTP and FTP as well). > When I try to import my first key, I get the following: > > > gpg --keyserver "ldap://ldap.private" --keyserver-options verbose \ > --keyserver-options verbose --send-keys 5802B67C > gpg: sending key 5802B67C to ldap server ldap.private > Host: ldap.private > Command: SEND > Server: OpenLDAP slapd > Version: 2.2.27 > gpgkeys: error adding key 5802B67C to keyserver: Strong(er) > authentication required You could probably use a "allow update_anon" in slapd.conf. > Also, will --passphrase-fd read the password for LDAP login? No. There isn't really a strong notion of authentication for keyservers beyond IP restriction in the server at the moment. In fact, the current LDAP code doesn't explicitly bind at all. The assumption is that any server we're likely to run into is V3 (or that odd NAI semi-LDAP keyserver that's not really used any longer), and doesn't need a bind. I'm not against adding authentication, but I'd want to know more about what you're doing. There are not too many people running their own LDAP servers with OpenPGP keys on them. I'd love to hear how it goes. David From walter.haidinger at gmx.at Tue Feb 21 00:21:42 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 00:21:37 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060220230025.GD17933@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> Message-ID: On Mon, 20 Feb 2006, David Shaw wrote: > > TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)? > > Try for TLS, and do nothing if TLS can't start: > keyserver-options tls=try > > Try for TLS, and print a warning if TLS can't start: > keyserver-options tls=warn > > Try for TLS, and fail if TLS can't start: > keyserver-options tls=require > > If you want to use a particular certificate file: > keyserver-options ca-cert-file=/path/to/the/file > > If you don't want to check the certificate chain (default is to check > it): > keyserver-options no-check-cert > > (Incidentally, the new keyserver handlers in 1.4.3 can do SSL and TLS > for HTTP and FTP as well). I'm still using 1.4.2 and the man page doesn't list any tls keyserver options. I guess I need to upgrade... >From the amount of traffic about LDAP on the mailing-list, I should have known this is bleeding edge anyways. > > gpgkeys: error adding key 5802B67C to keyserver: Strong(er) > > authentication required > > You could probably use a "allow update_anon" in slapd.conf. Yes, definitely! ;-) > > Also, will --passphrase-fd read the password for LDAP login? > > No. There isn't really a strong notion of authentication for > keyservers beyond IP restriction in the server at the moment. In > fact, the current LDAP code doesn't explicitly bind at all. The > assumption is that any server we're likely to run into is V3 (or that > odd NAI semi-LDAP keyserver that's not really used any longer), and > doesn't need a bind. I see. As update_anon is a global options, this really calls for a dedicated OpenLDAP keyserver. This might be acceptable in a closed environment, but how can you operate a public LDAP keyserver having such an open configuration? That is, how do you prevent someone from deleting/modifying keys arbitrarily? Walter From dshaw at jabberwocky.com Tue Feb 21 00:52:31 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 00:52:02 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> Message-ID: <20060220235231.GE17933@jabberwocky.com> On Tue, Feb 21, 2006 at 12:21:42AM +0100, Walter Haidinger wrote: > On Mon, 20 Feb 2006, David Shaw wrote: > > > > TLS too? How to tell GnuPG to use TLS over port 389 (ldap://)? > > > > Try for TLS, and do nothing if TLS can't start: > > keyserver-options tls=try > > > > Try for TLS, and print a warning if TLS can't start: > > keyserver-options tls=warn > > > > Try for TLS, and fail if TLS can't start: > > keyserver-options tls=require > > > > If you want to use a particular certificate file: > > keyserver-options ca-cert-file=/path/to/the/file > > > > If you don't want to check the certificate chain (default is to check > > it): > > keyserver-options no-check-cert > > > > (Incidentally, the new keyserver handlers in 1.4.3 can do SSL and TLS > > for HTTP and FTP as well). > > I'm still using 1.4.2 and the man page doesn't list any tls > keyserver options. I guess I need to upgrade... LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support in 1.4.3. At one point, I started documenting the new options and stopped because the man page would be enormous. At some point, I'll probably make a "gpgkeys" man page so as to not grow the main "gpg" page too much. > >From the amount of traffic about LDAP on the mailing-list, I should > have known this is bleeding edge anyways. > > > > gpgkeys: error adding key 5802B67C to keyserver: Strong(er) > > > authentication required > > > > You could probably use a "allow update_anon" in slapd.conf. > > Yes, definitely! ;-) > > > > Also, will --passphrase-fd read the password for LDAP login? > > > > No. There isn't really a strong notion of authentication for > > keyservers beyond IP restriction in the server at the moment. In > > fact, the current LDAP code doesn't explicitly bind at all. The > > assumption is that any server we're likely to run into is V3 (or that > > odd NAI semi-LDAP keyserver that's not really used any longer), and > > doesn't need a bind. > > I see. As update_anon is a global options, this really calls for > a dedicated OpenLDAP keyserver. > > This might be acceptable in a closed environment, but how can you > operate a public LDAP keyserver having such an open configuration? > That is, how do you prevent someone from deleting/modifying keys > arbitrarily? I don't know that LDAP is a good *public* keyserver as things stand. By its nature, even if some sort of authentication was added, the server would only carry keys that were explicitly submitted to it. Most other keyservers synchronize with their peers automatically to carry a global keyring. A LDAP keyserver would be useful as a company keyserver where people inside the company IP range or an administrator can add keys, and the rest of the world can just read. The PGP Universal product automatically looks for keys to encrypt to at ldap://keys.thedomain.com, so that fits nicely with this method. Somewhere on my todo list is to do something similar to tie in with the automatic key fetch features coming in 1.4.3. Anyway, that is (more or less) how I was expecting LDAP to be used. I never added LDAP auth because I wasn't sure exactly what was needed, and didn't want to implement it without some clear use case. What is it that you're trying to set up? David From walter.haidinger at gmx.at Tue Feb 21 01:15:08 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 01:14:59 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060220235231.GE17933@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> Message-ID: On Mon, 20 Feb 2006, David Shaw wrote: > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support > in 1.4.3. At one point, I started documenting the new options and > stopped because the man page would be enormous. At some point, I'll > probably make a "gpgkeys" man page so as to not grow the main "gpg" > page too much. Well, at least some hints that tls support exists at all would have been useful! ;-) (*) > I don't know that LDAP is a good *public* keyserver as things stand. > By its nature, even if some sort of authentication was added, the > server would only carry keys that were explicitly submitted to it. > Most other keyservers synchronize with their peers automatically to > carry a global keyring. Agreed. > A LDAP keyserver would be useful as a company keyserver where people > inside the company IP range or an administrator can add keys, and the > rest of the world can just read. That eliminates tcp-wrapping. You'd have to grant write access by using the peername statement in the access field, right? > Anyway, that is (more or less) how I was expecting LDAP to be used. I > never added LDAP auth because I wasn't sure exactly what was needed, > and didn't want to implement it without some clear use case. Well, how about the following for a different usage scenario: It would be nice if all users could submit their keys, readable by all but delete only their own submitted keys. Thus, no dedicated administrator for key management would be required since the LDAP server itself doesn't require much administration after setup. Walter (*) No offense here, you've done a remarkable job so far! From erpo41 at hotpop.com Tue Feb 21 07:21:48 2006 From: erpo41 at hotpop.com (Eric) Date: Tue Feb 21 08:14:11 2006 Subject: file encryption and integrity check In-Reply-To: <43F9F265.2070803@email.it> References: <43F9F265.2070803@email.it> Message-ID: <1140502909.5866.6.camel@localhost.localdomain> On Mon, 2006-02-20 at 17:46 +0100, Francesco Turco wrote: > i'd like to know if gnupg is a good choice for encrypting files with a > password and if it is possible to check if an encrypted file is > corrupted or not (integrity check). my goal is to burn some files on cds > and protect them both from other people and from physical corruption of > the media. If you want to check if an encrypted file is corrupted or not, MDC will do that for you. If you want to protect the files from physical corruption of the media, you'll need to use some kind of error correction system. Eric -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060220/ac72846a/attachment.pgp From thomas.kuehne at gmx.li Tue Feb 21 10:04:07 2006 From: thomas.kuehne at gmx.li (=?ISO-8859-1?Q?Thomas_K=FChne?=) Date: Tue Feb 21 09:05:18 2006 Subject: Remote signing? In-Reply-To: <43F9B042.1020506__32609.9912672818$1140434138$gmane$org@gmx.li> References: <43F9B042.1020506__32609.9912672818$1140434138$gmane$org@gmx.li> Message-ID: <43FAD787.1000800@gmx.li> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060221/82abe315/signature-0001.pgp From smurf at smurf.noris.de Tue Feb 21 10:10:40 2006 From: smurf at smurf.noris.de (Matthias Urlichs) Date: Tue Feb 21 10:11:41 2006 Subject: OpenLDAP schema to store OpenPGP keys? References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> Message-ID: Hi, David Shaw wrote: > Anyway, that is (more or less) how I was expecting LDAP to be used. I > never added LDAP auth because I wasn't sure exactly what was needed, > and didn't want to implement it without some clear use case. The pam_ldap module has optional "binddn" and "bindpw" configuration options. Having the same kind of support in gpg would make sense, IMHO. -- Matthias Urlichs From hhhobbit7 at netscape.net Tue Feb 21 13:52:26 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Tue Feb 21 13:52:32 2006 Subject: Necessity of GPG when using SSL Message-ID: <2E47760F.2E1A284D.0307202B@netscape.net> Johan Wevers wrote: >Henry Hertz Hobbit wrote: > >>Usually, if you are using a web interface to access your email, only the >>initial authentication is done via SSL. After that if your URL address >>shifts to using an "http://" rather than the "https://" you made your >>initial connection with means that your communication just shifted from >>SSL (weak encryption) to NO encryption. That is the norm. > >Strange, I've never seen that happen. All webmail from Dutch providers >that I've accessed (my own and some for people with problems where I >accessed the mail to dump mails with large attachments that took too >long to download) were https all the way. Thanks for the information. The reason I said what I said is because Netscape, Yahoo, gmail (the email account the original person was posting from) almost all do a shift from https:// to http:// after the connection is made. The only ones I have seen that continue using the SSL are small ISPs and only one of the local universities here. But then I have only seen three of the universities, and actually even the one that was using SSL all the time shifted after I showed an acquaintance how to make the connection that way and he spread the information to everybody he knew who spread it to .... Once that was done, even that school shifted to doing it with SSL for connection only. I realize that SSL doesn't have the overhead of more powerful encryption like that provided by OpenPGP, but it is still enough of an overhead that once the load of SSL all the time becomes noticeable to the ISP (or whoever), they feel that the authentication alone should be using SSL and they make the shift to using plain the rest of the time. In other words, consider yourself lucky IF you are getting SSL all the time if you need it all the time. On the other hand if you don't need SSL all the time there MAY be the possibility those long download times are partly being caused by the overhead of SSL encryption taking place on the server. Do you need encryption all the time or not? My advice still remains the same - OpenPGP is still the best choice for the scenario presented, IF I indeed understood all the parameters. It puts the control of when to use it in your hands. It just depends on what is being transported. I could care less whether all that spam is encrypted or not. I also don't want all the redirected email on my comcast account (also spam, but with the worms removed) encrypted during transmission. The faster I get rid of it the better. Not having the transmission of it helps me get rid of it as fast as possible! HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From fctk86 at gmail.com Tue Feb 21 15:09:58 2006 From: fctk86 at gmail.com (Francesco Turco) Date: Tue Feb 21 16:10:00 2006 Subject: file encryption and integrity check In-Reply-To: References: <43F9F265.2070803@email.it> Message-ID: <43FB1F36.40308@gmail.com> Roscoe ha scritto: >Sure will. > >gpg -c is what you want. > >Make sure you are using a MDC, which means either using one of the >128bit blocksize ciphers (your gpg will probably use AES256 by >default, which is good - gpg -vc to find out) or passing the >--force-mdc option. > so no need to hash files (md5/crc32) before encryption? anyway, after reading some man page and experimenting, i ended up with the following settings: encrypt: gpg --symmetric --cipher-algo aes256 --compress-algo none decrypt: gpg --decrypt i avoided 3des,cast5,blowfish becouse they have 64bits blocksize. i preferred aes over twofish, both 128bits blocksize, becouse the first one seems more "standarized" then the second one. last, i preferred aes256 over aes128/aes192 becouse it is more secure and encryption times are quite the same. i have disabled compression becouse files i have to encrypt are already compressed, and compression takes much more time then encryption. do you think it is a good choice? From walter.haidinger at gmx.at Tue Feb 21 17:21:25 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 17:21:30 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060220203657.GB17933@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> Message-ID: <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> David Shaw wrote: > 5) Make this file: > > cat > pgp.ldif > dn: ou=PGP Keys,dc=DOMAIN,dc=COM > objectclass: organizationalUnit > ou: PGP Keys > > dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM Change this line to: dn: cn=PGPServerInfo,dc=DOMAIN,dc=COM beause GnuPG looks for PGPServerInfo unter the base DN, not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". After adding the following to slapd.conf allow update_anon allow bind_anon_dn is was finally be able to import my first pubkey: > gpg --keyserver ldap://localhost --send-keys B15BBBE2 No news is good news! ldapsearch confirmed a new DN with the appropriate attributes. However, adding the next pubkey fails: > gpg --keyserver ldap://localhost --send-keys C2C148FC gpg: sending key C2C148FC to ldap server localhost gpgkeys: error adding key C2C148FC to keyserver: Type or value exists gpg: keyserver internal error gpg: keyserver send failed: keyserver error Syslog shows: : => access_allowed: read access granted by read(=rscx) : conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= : conn=23 op=2 MOD dn="pgpCertID=7809F430C2C148FC,ou=PGP Keys,dc=private" : conn=23 op=2 MOD attr=pgpDisabled pgpKeyID pgpKeyType pgpUserID pgpKeyCreateTime pgpSignerID pgpRevoked pgpSubKeyID pgpKeySize pgpKeyExpireTime pgpCertID pgpCertID pgpKeyID pgpKeyType pgpKeySize pgpKeyCreateTime pgpDisabled pgpRevoked pgpUserID pgpSignerID pgpSubKeyID objectClass pgpKey : conn=23 op=2 RESULT tag=103 err=20 text=pgpKeySize: value #0 provided more than once : conn=23 fd=13 closed I've checked the pgpKeySize attribute, it is not set to single-value. Indeed, the first key has two keysize attributes: > ldapsearch ... pgpKeySize ... dn: pgpCertID=2DCF61D9B15BBBE2,ou=PGP Keys,dc=private pgpKeySize: 01024 pgpKeySize: 02048 After deleting the first key again, I still can't send any _other_ keys to the now empty LDAP directory (same error in logs as above). However, resending the _same_ key (B15BBBE2) again works. Regards, Walter From dshaw at jabberwocky.com Tue Feb 21 18:46:04 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 18:45:51 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> Message-ID: <20060221174604.GA26804@jabberwocky.com> On Tue, Feb 21, 2006 at 05:21:25PM +0100, Walter Haidinger wrote: > David Shaw wrote: > > 5) Make this file: > > > > cat > pgp.ldif > > dn: ou=PGP Keys,dc=DOMAIN,dc=COM > > objectclass: organizationalUnit > > ou: PGP Keys > > > > dn: cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM > > Change this line to: > dn: cn=PGPServerInfo,dc=DOMAIN,dc=COM > > beause GnuPG looks for PGPServerInfo unter the base DN, > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". Not exactly. It looks for PGPServerInfo under each DN returned from namingContexts in order. It may well check for "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next. > After adding the following to slapd.conf > allow update_anon > allow bind_anon_dn > is was finally be able to import my first pubkey: > > > gpg --keyserver ldap://localhost --send-keys B15BBBE2 > > No news is good news! > ldapsearch confirmed a new DN with the appropriate attributes. > > However, adding the next pubkey fails: > > gpg --keyserver ldap://localhost --send-keys C2C148FC > gpg: sending key C2C148FC to ldap server localhost > gpgkeys: error adding key C2C148FC to keyserver: Type or value exists Very interesting. What version of OpenLDAP are you using? I developed this against a 2.0.x version, and it looks like something has changed. In gpgkeys_ldap.c, try adding: unique=1; At the top of make_one_attr(). David From dshaw at jabberwocky.com Tue Feb 21 19:08:24 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 19:07:48 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> Message-ID: <20060221180824.GB26804@jabberwocky.com> On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote: > On Mon, 20 Feb 2006, David Shaw wrote: > > > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support > > in 1.4.3. At one point, I started documenting the new options and > > stopped because the man page would be enormous. At some point, I'll > > probably make a "gpgkeys" man page so as to not grow the main "gpg" > > page too much. > > Well, at least some hints that tls support exists at all would have > been useful! ;-) (*) It's in the NEWS file for 2004-02-26, but it's true there wasn't any way to know how to turn it on without reading the source... > > A LDAP keyserver would be useful as a company keyserver where people > > inside the company IP range or an administrator can add keys, and the > > rest of the world can just read. > > That eliminates tcp-wrapping. You'd have to grant write access by > using the peername statement in the access field, right? Yes. Something like peername.ip=192.168.1.0%255.255.255.0 to specify the "inside the company" range for those who can write. > > Anyway, that is (more or less) how I was expecting LDAP to be used. I > > never added LDAP auth because I wasn't sure exactly what was needed, > > and didn't want to implement it without some clear use case. > > Well, how about the following for a different usage scenario: > > It would be nice if all users could submit their keys, readable by > all but delete only their own submitted keys. Thus, no dedicated > administrator for key management would be required since the LDAP > server itself doesn't require much administration after setup. The problem here is remote authentication. Each user would need some way to authenticate to the LDAP server to give them the delete ability. LDAP can do this, of course, and GPG doesn't care one way or the other, but how would you handle password distribution for each user? David From dshaw at jabberwocky.com Tue Feb 21 19:10:57 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 19:10:26 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> Message-ID: <20060221181057.GC26804@jabberwocky.com> On Tue, Feb 21, 2006 at 10:10:40AM +0100, Matthias Urlichs wrote: > Hi, David Shaw wrote: > > > Anyway, that is (more or less) how I was expecting LDAP to be used. I > > never added LDAP auth because I wasn't sure exactly what was needed, > > and didn't want to implement it without some clear use case. > > The pam_ldap module has optional "binddn" and "bindpw" configuration > options. Having the same kind of support in gpg would make sense, IMHO. It's possible to do this, of course, but remember that GPG currently does not have password functionality for keyservers, and so this implies a cleartext password for the keyserver stored somewhere in a config file. To be sure, pam_ldap stores a cleartext password in a config file as well... David From dshaw at jabberwocky.com Tue Feb 21 22:32:13 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 22:31:35 2006 Subject: GnuPG for PalmOS 5 In-Reply-To: <43FB62DC.5080407@web.de> References: <43FB62DC.5080407@web.de> Message-ID: <20060221213213.GE26804@jabberwocky.com> On Tue, Feb 21, 2006 at 07:58:36PM +0100, Wolfgang Klein wrote: > Is there any chance that there will be an implementation of GnuPG > for Palm handhelds in the near future? Not in the near future, no. There are vague possibilities if and when the new Palm OS (aka "Linux on a Palm") comes out, but that's pretty far in the future. The PGP company made a version of PGP for the Palm. I vaguely recall it had problems on OS 5, and was only officially supported on OS 4, but you'd have to check with them to be sure. David From walter.haidinger at gmx.at Tue Feb 21 23:12:32 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 23:12:25 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060221174604.GA26804@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> <20060221174604.GA26804@jabberwocky.com> Message-ID: On Tue, 21 Feb 2006, David Shaw wrote: > > beause GnuPG looks for PGPServerInfo unter the base DN, > > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". > > Not exactly. It looks for PGPServerInfo under each DN returned from > namingContexts in order. It may well check for > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll > get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next. As far as I can tell from my slapd logs, it only checks for "cn=PGPServerInfo,dc=DOMAIN,dc=COM" once and stops failing that. > > However, adding the next pubkey fails: > > > gpg --keyserver ldap://localhost --send-keys C2C148FC > > gpg: sending key C2C148FC to ldap server localhost > > gpgkeys: error adding key C2C148FC to keyserver: Type or value exists > > Very interesting. What version of OpenLDAP are you using? I'm running 2.2.27, provided by SuSE 10.0. > I developed this against a 2.0.x version, and it looks like something > has changed. In gpgkeys_ldap.c, try adding: > > unique=1; > > At the top of make_one_attr(). I'll try this. Is it ok to stick to 1.4.2? Walter From dshaw at jabberwocky.com Tue Feb 21 23:20:55 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 23:20:20 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> <20060221174604.GA26804@jabberwocky.com> Message-ID: <20060221222055.GF26804@jabberwocky.com> On Tue, Feb 21, 2006 at 11:12:32PM +0100, Walter Haidinger wrote: > On Tue, 21 Feb 2006, David Shaw wrote: > > > > beause GnuPG looks for PGPServerInfo unter the base DN, > > > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". > > > > Not exactly. It looks for PGPServerInfo under each DN returned from > > namingContexts in order. It may well check for > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll > > get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next. > > As far as I can tell from my slapd logs, it only checks for > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" once and stops failing that. What does: ldapsearch -h your-ldap-server -x -b "" -s base namingcontexts return? > > I developed this against a 2.0.x version, and it looks like something > > has changed. In gpgkeys_ldap.c, try adding: > > > > unique=1; > > > > At the top of make_one_attr(). > > I'll try this. Is it ok to stick to 1.4.2? Yes. David From walter.haidinger at gmx.at Tue Feb 21 23:35:02 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 23:34:53 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060221180824.GB26804@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> Message-ID: On Tue, 21 Feb 2006, David Shaw wrote: > On Tue, Feb 21, 2006 at 01:15:08AM +0100, Walter Haidinger wrote: > > On Mon, 20 Feb 2006, David Shaw wrote: > > > > > LDAP had TLS support back in 1.3.5. HTTP and FTP just got TLS support > > > in 1.4.3. At one point, I started documenting the new options and > > > stopped because the man page would be enormous. At some point, I'll > > > probably make a "gpgkeys" man page so as to not grow the main "gpg" > > > page too much. > > > > Well, at least some hints that tls support exists at all would have > > been useful! ;-) (*) > > It's in the NEWS file for 2004-02-26, but it's true there wasn't any > way to know how to turn it on without reading the source... I have to admit, I haven't read NEWS either. Had a brief look at gpgkeys_ldap.c but did not notice the tls keyserver options (if they're there). > > > A LDAP keyserver would be useful as a company keyserver where people > > > inside the company IP range or an administrator can add keys, and the > > > rest of the world can just read. > > > > That eliminates tcp-wrapping. You'd have to grant write access by > > using the peername statement in the access field, right? > > Yes. Something like peername.ip=192.168.1.0%255.255.255.0 to specify > the "inside the company" range for those who can write. I see, but I'd rather have IP based access control handled by either tcp-wrappers or firewall rules. Read/write access should be governed by user authentication, IMHO. > The problem here is remote authentication. Each user would need some > way to authenticate to the LDAP server to give them the delete > ability. Every user could get this own DN just for authentication, like dn="uid=username,ou=pgpusers,dc=example" > LDAP can do this, of course, and GPG doesn't care one way or > the other, but how would you handle password distribution for each > user? Why not give out initial passwords for DN's like above and let people change the userPassword attribute using either ldapmodify or a frontend? Then, each user would have to specify his login DN to access his keys. Walter From walter.haidinger at gmx.at Tue Feb 21 23:42:56 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Tue Feb 21 23:42:41 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060221222055.GF26804@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> <20060221174604.GA26804@jabberwocky.com> <20060221222055.GF26804@jabberwocky.com> Message-ID: On Tue, 21 Feb 2006, David Shaw wrote: > On Tue, Feb 21, 2006 at 11:12:32PM +0100, Walter Haidinger wrote: > > On Tue, 21 Feb 2006, David Shaw wrote: > > > > > > beause GnuPG looks for PGPServerInfo unter the base DN, > > > > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". > > > > > > Not exactly. It looks for PGPServerInfo under each DN returned from > > > namingContexts in order. It may well check for > > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll > > > get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next. > > > > As far as I can tell from my slapd logs, it only checks for > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" once and stops failing that. > > What does: > > ldapsearch -h your-ldap-server -x -b "" -s base namingcontexts > > return? dn: namingContexts: dc=private This is my base DN (i.e. the suffix specified in slapd.conf). Should probably be "dc=DOMAIN,dc=COM" following the example above. > > > I developed this against a 2.0.x version, and it looks like something > > > has changed. In gpgkeys_ldap.c, try adding: > > > > > > unique=1; > > > > > > At the top of make_one_attr(). > > > > I'll try this. Is it ok to stick to 1.4.2? > > Yes. Allright. I'll try this tomorrow. Walter From dshaw at jabberwocky.com Tue Feb 21 23:51:46 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 23:51:10 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <7869.192.168.77.250.1140538885.squirrel@haidinger.dyndns.org> <20060221174604.GA26804@jabberwocky.com> <20060221222055.GF26804@jabberwocky.com> Message-ID: <20060221225146.GG26804@jabberwocky.com> On Tue, Feb 21, 2006 at 11:42:56PM +0100, Walter Haidinger wrote: > On Tue, 21 Feb 2006, David Shaw wrote: > > > On Tue, Feb 21, 2006 at 11:12:32PM +0100, Walter Haidinger wrote: > > > On Tue, 21 Feb 2006, David Shaw wrote: > > > > > > > > beause GnuPG looks for PGPServerInfo unter the base DN, > > > > > not under dn="ou=PGP Keys,dc=DOMAIN,dc=COM". > > > > > > > > Not exactly. It looks for PGPServerInfo under each DN returned from > > > > namingContexts in order. It may well check for > > > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" first, but once that fails, it'll > > > > get to "cn=PGPServerInfo,ou=PGP Keys,dc=DOMAIN,dc=COM" next. > > > > > > As far as I can tell from my slapd logs, it only checks for > > > "cn=PGPServerInfo,dc=DOMAIN,dc=COM" once and stops failing that. > > > > What does: > > > > ldapsearch -h your-ldap-server -x -b "" -s base namingcontexts > > > > return? > > dn: > namingContexts: dc=private > > This is my base DN (i.e. the suffix specified in slapd.conf). > Should probably be "dc=DOMAIN,dc=COM" following the example above. gpgkeys_ldap will only check DNs given in namingContexts. That's part of the LDAP design that the PGP folks did, to allow programs to automatically locate the key store. If you need to override the autodetection, do something like: keyserver-options basedn="ou=PGP Keys,dc=DOMAIN,dc=COM" David From dshaw at jabberwocky.com Tue Feb 21 23:59:10 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 21 23:58:35 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> Message-ID: <20060221225910.GH26804@jabberwocky.com> On Tue, Feb 21, 2006 at 11:35:02PM +0100, Walter Haidinger wrote: > > > > A LDAP keyserver would be useful as a company keyserver where people > > > > inside the company IP range or an administrator can add keys, and the > > > > rest of the world can just read. > > > > > > That eliminates tcp-wrapping. You'd have to grant write access by > > > using the peername statement in the access field, right? > > > > Yes. Something like peername.ip=192.168.1.0%255.255.255.0 to specify > > the "inside the company" range for those who can write. > > I see, but I'd rather have IP based access control handled by > either tcp-wrappers or firewall rules. > Read/write access should be governed by user authentication, IMHO. It's certainly finer-grained. With authentication, you can restrict each user to their own key. However, then you give yourself a password management headache :) > > The problem here is remote authentication. Each user would need some > > way to authenticate to the LDAP server to give them the delete > > ability. > > Every user could get this own DN just for authentication, like > dn="uid=username,ou=pgpusers,dc=example" > > > LDAP can do this, of course, and GPG doesn't care one way or > > the other, but how would you handle password distribution for each > > user? > > Why not give out initial passwords for DN's like above and let > people change the userPassword attribute using either ldapmodify > or a frontend? Then, each user would have to specify his login DN > to access his keys. That sounds like it would work fine. Most of the work is on the LDAP configuration side, but it would be easy enough to add binddn and bindpw to gpgkeys_ldap for the GPG piece. However, the problem is how to handle the password on the GPG side. Prompt the user each time he uses the keyserver? Inconvenient, plus GPG has no code for this today. Stick it in a config file? Potentially dangerous. How sensitive is this password? Is a mode 600 file secure for your usage? David From walter.haidinger at gmx.at Wed Feb 22 01:07:48 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Wed Feb 22 01:07:47 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060221225910.GH26804@jabberwocky.com> References: <43F74D60.8010908@gmx.at> <20060218211132.GA32475@asteria.noreply.org> <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> Message-ID: On Tue, 21 Feb 2006, David Shaw wrote: > > > The problem here is remote authentication. Each user would need some > > > way to authenticate to the LDAP server to give them the delete > > > ability. > > > > Every user could get this own DN just for authentication, like > > dn="uid=username,ou=pgpusers,dc=example" > > > > > LDAP can do this, of course, and GPG doesn't care one way or > > > the other, but how would you handle password distribution for each > > > user? > > > > Why not give out initial passwords for DN's like above and let > > people change the userPassword attribute using either ldapmodify > > or a frontend? Then, each user would have to specify his login DN > > to access his keys. > > That sounds like it would work fine. Most of the work is on the LDAP > configuration side, but it would be easy enough to add binddn and > bindpw to gpgkeys_ldap for the GPG piece. On the LDAP side, you only need to create the users DN once. Authentication can be handled by a single access rule using dn.regex in and dn.exact,expand in . There is an example at the bottom of slapd.access(5). I've done this already for personal addressbooks on OpenLDAP. > However, the problem is how to handle the password on the GPG side. > Prompt the user each time he uses the keyserver? Inconvenient, plus > GPG has no code for this today. Stick it in a config file? Yes, how about adding keyserver options binddn and bindpw, like in pam_ldap as mentioned in another post? Add to your ~/.gnupg/gpg.conf, protect it with 0600 perms and you're authenticated. You don't even need a dedicated config file. As your secure keyrings are usually in the same directory, you need to pay attention to permissions there anyways. > Potentially dangerous. How sensitive is this password? > Is a mode 600 file secure for your usage? Yes, I'd think so. After all, we're talking about protecting a keystore of _public_ keys... If GnuPG could also store secret keys (btw, can it? have never checked) on LDAP, this might be different story. However, at least for now, being as secure as pam_ldap _is_ sufficient, IMHO. Walter From dshaw at jabberwocky.com Wed Feb 22 04:26:41 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 22 04:26:13 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> Message-ID: <20060222032641.GA28593@jabberwocky.com> On Wed, Feb 22, 2006 at 01:07:48AM +0100, Walter Haidinger wrote: > > Potentially dangerous. How sensitive is this password? > > Is a mode 600 file secure for your usage? > > Yes, I'd think so. After all, we're talking about protecting > a keystore of _public_ keys... > > If GnuPG could also store secret keys (btw, can it? have never checked) It's theoretically possible, but no keyserver works that way. > on LDAP, this might be different story. However, at least for now, > being as secure as pam_ldap _is_ sufficient, IMHO. Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for the next release. David From alphasigmax at gmail.com Wed Feb 22 08:19:40 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Feb 22 08:21:52 2006 Subject: file encryption and integrity check In-Reply-To: <43FB1F36.40308@gmail.com> References: <43F9F265.2070803@email.it> <43FB1F36.40308@gmail.com> Message-ID: <43FC108C.2070004@gmail.com> Francesco Turco wrote: > i have disabled compression becouse files i have to encrypt are already > compressed, and compression takes much more time then encryption. > > do you think it is a good choice? > IIRC GnuPG will detect if data is compressed before it tries to compress it; if so, it won't try to. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 550 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060222/74e265de/signature.pgp From walter.haidinger at gmx.at Wed Feb 22 11:02:10 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Wed Feb 22 11:02:00 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060222032641.GA28593@jabberwocky.com> References: <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> Message-ID: On Tue, 21 Feb 2006, David Shaw wrote: > > If GnuPG could also store secret keys (btw, can it? have never checked) > > It's theoretically possible, but no keyserver works that way. Probably not for HTTP keyservers, but for LDAP offering strong authentication and TLS/SSL? A remotely accessible, single storage of secret keys could be quite useful for some people. You wouldn't be required to carry the secret keyring with you on usbsticks or else anymore. When I think about it, probably a better use for LDAP capabilities than to store public keys... Perhaps something to add in the future? (feature request ;-) > > on LDAP, this might be different story. However, at least for now, > > being as secure as pam_ldap _is_ sufficient, IMHO. > > Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for > the next release. Next release of 1.4.x or 1.9.x? Regards, Walter From alex at bofh.net.pl Wed Feb 22 12:22:38 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Feb 22 12:22:12 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <2E47760F.2E1A284D.0307202B@netscape.net> References: <2E47760F.2E1A284D.0307202B@netscape.net> Message-ID: <20060222112238.GL13478@hell.pl> On Tue, Feb 21, 2006 at 07:52:26AM -0500, Henry Hertz Hobbit wrote: > Johan Wevers wrote: > > >Henry Hertz Hobbit wrote: > > > >>Usually, if you are using a web interface to access your email, only the > >>initial authentication is done via SSL. After that if your URL address > >>shifts to using an "http://" rather than the "https://" you made your > >>initial connection with means that your communication just shifted from > >>SSL (weak encryption) to NO encryption. That is the norm. > > > >Strange, I've never seen that happen. All webmail from Dutch providers > >that I've accessed (my own and some for people with problems where I > >accessed the mail to dump mails with large attachments that took too > >long to download) were https all the way. > > Thanks for the information. The reason I said what I said is because > Netscape, Yahoo, gmail (the email account the original person was > posting from) almost all do a shift from https:// to http:// after the > connection is made. The only ones I have seen that continue using the > SSL are small ISPs and only one of the local universities here. But then > I have only seen three of the universities, and actually even the one > that was using SSL all the time shifted after I showed an acquaintance > how to make the connection that way and he spread the information to > everybody he knew who spread it to .... Once that was done, even that > school shifted to doing it with SSL for connection only. I realize that > SSL doesn't have the overhead of more powerful encryption like that > provided by OpenPGP, but it is still enough of an overhead that once > the load of SSL all the time becomes noticeable to the ISP (or whoever), > they feel that the authentication alone should be using SSL and they > make the shift to using plain the rest of the time. In other words, > consider yourself lucky IF you are getting SSL all the time if you > need it all the time. On the other hand if you don't need SSL all the > time there MAY be the possibility those long download times are partly > being caused by the overhead of SSL encryption taking place on the > server. [] SSL/TLS is not ,,much more powerful'' encryption, it is a connection level encryption. As for service providers using SSL to protect only the most sensitive data - computationally SSL on multiple connections is ,,heavy'' and supporting it continuously is expensive (specialized ,,SSL Accelerators'' cost tens of thousands of dollars). And there is really no point in ecryptiong the whole access since the contents, the emails usually travel the rest of the net unencrypted. Alex -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20060222/a366779c/attachment.pgp From alphasigmax at gmail.com Wed Feb 22 12:56:18 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Feb 22 12:57:00 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> Message-ID: <43FC5162.8040900@gmail.com> Walter Haidinger wrote: > On Tue, 21 Feb 2006, David Shaw wrote: > > >>>If GnuPG could also store secret keys (btw, can it? have never checked) >> >>It's theoretically possible, but no keyserver works that way. > > > Probably not for HTTP keyservers, but for LDAP offering strong > authentication and TLS/SSL? > > A remotely accessible, single storage of secret keys could be quite > useful for some people. You wouldn't be required to carry the secret > keyring with you on usbsticks or else anymore. When I think about it, > probably a better use for LDAP capabilities than to store public keys... > > Perhaps something to add in the future? > (feature request ;-) > Isn't this what Kerberos was designed for? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 558 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060222/4f185494/signature.pgp From walter.haidinger at gmx.at Wed Feb 22 13:45:45 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Wed Feb 22 13:45:35 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <43FC5162.8040900@gmail.com> References: <20060220203657.GB17933@jabberwocky.com> <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <43FC5162.8040900@gmail.com> Message-ID: <43FC5CF9.1010700@gmx.at> Alphax wrote: > Isn't this what Kerberos was designed for? No, Kerberos is only an authentication protocol. I'm talking about _storing_ secret keyrings on LDAP. What if you access your email by IMAP only? Each MUA with GnuPG support (e.g. Thunderbird with Enigmail plugin) could then use the public _and_ secret PGP keys stored on the LDAP server, eliminating the need for a local keystore. Walter From dshaw at jabberwocky.com Wed Feb 22 14:28:31 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 22 14:28:00 2006 Subject: file encryption and integrity check In-Reply-To: <43FC108C.2070004@gmail.com> References: <43F9F265.2070803@email.it> <43FB1F36.40308@gmail.com> <43FC108C.2070004@gmail.com> Message-ID: <20060222132831.GA10374@jabberwocky.com> On Wed, Feb 22, 2006 at 05:49:40PM +1030, Alphax wrote: > Francesco Turco wrote: > > > i have disabled compression becouse files i have to encrypt are already > > compressed, and compression takes much more time then encryption. > > > > do you think it is a good choice? > > > > IIRC GnuPG will detect if data is compressed before it tries to compress > it; if so, it won't try to. This is correct. Of course, it's possible that GnuPG doesn't recognize a particular kind of compression. If I recall, it looks for bzip, gzip, and zip. David From bdesham at gmail.com Wed Feb 22 16:38:19 2006 From: bdesham at gmail.com (Benjamin Esham) Date: Wed Feb 22 16:38:09 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <20060222112238.GL13478@hell.pl> References: <2E47760F.2E1A284D.0307202B@netscape.net> <20060222112238.GL13478@hell.pl> Message-ID: <4CC3ED0D-F44C-4B05-9658-AA80F0A82F32@gmail.com> On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote: > And there is really no point in ecryptiong the whole access since the > contents, the emails usually travel the rest of the net unencrypted. But wouldn't it be much easier for an attacker to intercept all of your e-mail by listening in on an unencrypted webmail session than by trying to intercept each e-mail individually somewhere else? I think there certainly is a benefit to having SSL-encrypted webmail for exactly that reason: less determined attackers will not have access to the plaintext of the messages. (Although granted, it would be kind of foolish to depend upon SSL webmail if the messages are sent in plain text.) -- Benjamin D. Esham bdesham@gmail.com | http://bdesham.net | AIM: bdesham128 Wikipedia, the Free Encyclopedia ? http://en.wikipedia.org -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060222/01a7a454/PGP.pgp From peter_mikulas at gmx.at Wed Feb 22 19:42:32 2006 From: peter_mikulas at gmx.at (Peter Mikulas) Date: Wed Feb 22 21:18:20 2006 Subject: Error handling OpenPGP card with a cyberjack pinpad Message-ID: <200602221942.32797.peter_mikulas@gmx.at> Hello! I'm unable the to change the PIN, generate a key,... on my OpenPGP card with a cyberjack pinpad smartcard reader (with 1.4.2.1 and 1.9.20). The error messages are: peter@huygens:~$ gpg2 --card-status gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: WARNING: This version of gpg is not very matured and gpg: WARNING: only intended for testing. Please keep using gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP gpg: DBG: connection to agent established scdaemon[20008]: NOTE: this is a development version! scdaemon[22094]: reading public key failed: Missing item in object scdaemon[22094]: reading public key failed: Missing item in object scdaemon[22094]: reading public key failed: Missing item in object gpg-agent[20007]: card has S/N: D2760001240101010001000007FD0000 Application ID ...: D2760001240101010001000007FD0000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000007FD Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] peter@huygens:~$ scdaemon[20008]: ct_activate_card(0): activation failed: okay scdaemon[20008]: DBG: received data: 62 01 scdaemon[20008]: scdaemon (GnuPG) 1.9.20 stopped When using the card-edit command: peter@huygens:~$ gpg2 --card-edit [output cut] gpg: DBG: connection to agent established scdaemon[25518]: NOTE: this is a development version! scdaemon[25518]: reading public key failed: Missing item in object scdaemon[25518]: reading public key failed: Missing item in object scdaemon[25518]: reading public key failed: Missing item in object [output cut] Command> scdaemon[25518]: updating status of slot 0 to 0x0007 scdaemon[25518]: client pid is 25517, sending signal 12 scdaemon[25518]: scdaemon (GnuPG) 1.9.20 stopped or when trying to change the pin: peter@huygens:~$ gpg --change-pin gpg: OpenPGP card no. D2760001240101010001000007FD0000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 1 gpg: sending command `SCD PASSWD' to agent failed: ec=6.110 Error changing the PIN: general error 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? -- Any Ideas? Peter M. ---------------------- My scdaemon.conf: disable-ccid ctapi-driver libctapi-cyberjack.so reader-port 1 ---------------------- I'm using a cyberjack pinpad (usb) (Product ID 0x300) The CT-API driver (from reiner-sct) is version 2.0.9. Program versions are: Slackware-10.2 with kernel-2.6.14.7 gnupg-1.4.2.1 gnupg-1.9.20 libgpg-error-1.0 libksba-0.9.13 pth-2.0.4 pinentry-0.7.2 libassuan-0.6.10 From peter_mikulas at gmx.at Wed Feb 22 20:08:39 2006 From: peter_mikulas at gmx.at (Peter Mikulas) Date: Wed Feb 22 21:18:32 2006 Subject: Error handling OpenPGP card with a cyberjack pinpad Message-ID: <200602222008.40352.peter_mikulas@gmx.at> Hello! I'm unable the to change the PIN, generate a key,... on my OpenPGP card with a cyberjack pinpad smartcard reader (with 1.4.2.1 and 1.9.20). The error messages are: peter@huygens:~$ gpg2 --card-status gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: WARNING: This version of gpg is not very matured and gpg: WARNING: only intended for testing. Please keep using gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP gpg: DBG: connection to agent established scdaemon[20008]: NOTE: this is a development version! scdaemon[22094]: reading public key failed: Missing item in object scdaemon[22094]: reading public key failed: Missing item in object scdaemon[22094]: reading public key failed: Missing item in object gpg-agent[20007]: card has S/N: D2760001240101010001000007FD0000 Application ID ...: D2760001240101010001000007FD0000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000007FD Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] peter@huygens:~$ scdaemon[20008]: ct_activate_card(0): activation failed: okay scdaemon[20008]: DBG: received data: 62 01 scdaemon[20008]: scdaemon (GnuPG) 1.9.20 stopped When using the card-edit command: peter@huygens:~$ gpg2 --card-edit [output cut] gpg: DBG: connection to agent established scdaemon[25518]: NOTE: this is a development version! scdaemon[25518]: reading public key failed: Missing item in object scdaemon[25518]: reading public key failed: Missing item in object scdaemon[25518]: reading public key failed: Missing item in object [output cut] Command> scdaemon[25518]: updating status of slot 0 to 0x0007 scdaemon[25518]: client pid is 25517, sending signal 12 scdaemon[25518]: scdaemon (GnuPG) 1.9.20 stopped or when trying to change the pin: peter@huygens:~$ gpg --change-pin gpg: OpenPGP card no. D2760001240101010001000007FD0000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 1 gpg: sending command `SCD PASSWD' to agent failed: ec=6.110 Error changing the PIN: general error 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? -- Any Ideas? Peter M. ---------------------- My scdaemon.conf: disable-ccid ctapi-driver libctapi-cyberjack.so reader-port 1 ---------------------- I'm using a cyberjack pinpad (usb) (Product ID 0x300) The CT-API driver (from reiner-sct) is version 2.0.9. Program versions are: Slackware-10.2 with kernel-2.6.14.7 gnupg-1.4.2.1 gnupg-1.9.20 libgpg-error-1.0 libksba-0.9.13 pth-2.0.4 pinentry-0.7.2 libassuan-0.6.10 From peter_mikulas at gmx.at Wed Feb 22 22:00:59 2006 From: peter_mikulas at gmx.at (Peter Mikulas) Date: Wed Feb 22 22:00:50 2006 Subject: Error handling OpenPGP card with a cyberjack pinpad Message-ID: <200602222200.59549.peter_mikulas@gmx.at> Hello again! After reading the thread "OpenPGP card not available: Assuan server fault" my questions to the error messages generatet by gpg2 are obsolete. But when using gnupg-1.4.2.1 I'm still not able to do anything with the OpenPGP card. When I'm trying to e.g. change the PIN via gpg --change-pin and typing 1 or 3 (is't a new unused card), the pinentry-qt dialog pops up and after typing in the PIN the following error occurs: gpg: sending command `SCD PASSWD' to agent failed: ec=4.99 \ Error changing the PIN: general error The same with generating a key: gpg: sending command `SCD SETATTR' to agent failed: ec=6.110 or listing all available data: pgp: sending command `SCD LEARN' to agent failed: ec=6.110 --- Peter M. From sk at intertivity.com Wed Feb 22 21:52:09 2006 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 22 22:27:30 2006 Subject: GpgME: Compile under MinGW Message-ID: <000a01c637f1$d9cc78e0$f500a8c0@HOME> Hi, I downloaded the latest GpgME version and called configure. The last lines it outputes are: configure: WARNING: *** *** ttyname() is not thread-safe and ttyname_r() does not exist *** checking whether we are using the GNU C Library 2.1 or newer... no checking for getenv_r... no configure: WARNING: *** *** getenv() is not thread-safe and getenv_r() does not exist *** checking for timegm... no configure: WARNING: *** *** timegm() not available - a non-thread-safe kludge will be used *** and the TZ variable might be changed at runtime. *** checking for gpg-error-config... no checking for GPG Error - version >= 0.5... no configure: error: libgpg-error was not found What do i need to do? Thanks for help. --esskar From pasquires at gmail.com Wed Feb 22 21:37:46 2006 From: pasquires at gmail.com (Paul Squires) Date: Wed Feb 22 23:18:04 2006 Subject: GPGOL - Error registering DLL Message-ID: Hi, I'm trying to install GPGOL for use with Outlook 2003 on Windows XP SP2. I've followed the instructions and am attempting to register the gpgol.dll file - getting the error message LoadLibrary("gpgol.dll")failed GetLastError returns 0x0000007e There's probably a few "non-standard" components here, but nothing I can see that would cause a problem. I've downloaded the zip from the ftp site and put the other DLLs in the system directory. Any ideas? TIA, -- Paul Squires pasquires@gmail.com | OpenPGP Key ID: 0x423003E0 MSN: pa_squires@hotmail.com | ICQ: 318471677 From dany_list at natzo.com Wed Feb 22 21:26:34 2006 From: dany_list at natzo.com (Dany) Date: Wed Feb 22 23:18:14 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <2E47760F.2E1A284D.0307202B@netscape.net> References: <2E47760F.2E1A284D.0307202B@netscape.net> Message-ID: <43FCC8FA.3030500@natzo.com> Hello, I switched few years ago to fastmail.fm for several reasons : - https + advanced protections when accessing from public terminal (including url pseudo-scrambling) - IMAP with SSL - Text and only text for the webmail interface (no pop-up ad and no graphics), just plain speed - WebDAV (I don't use it) - IMAP access on non-standard port like 80 and 443 so you can go through some difficult firewalls I usually don't promote commercial products but as they offer a free plan as well I thought it might help some people. Dany PS: before writting this email I quickly started Ethereal and used the webmail in order to check that the connection was SSL protected even after login. Henry Hertz Hobbit a ?crit : >Johan Wevers wrote: > > > >>Henry Hertz Hobbit wrote: >> >> >> >>>Usually, if you are using a web interface to access your email, only the >>>initial authentication is done via SSL. After that if your URL address >>>shifts to using an "http://" rather than the "https://" you made your >>>initial connection with means that your communication just shifted from >>>SSL (weak encryption) to NO encryption. That is the norm. >>> >>> >>Strange, I've never seen that happen. All webmail from Dutch providers >>that I've accessed (my own and some for people with problems where I >>accessed the mail to dump mails with large attachments that took too >>long to download) were https all the way. >> >> > >Thanks for the information. The reason I said what I said is because >Netscape, Yahoo, gmail (the email account the original person was >posting from) almost all do a shift from https:// to http:// after the >connection is made. The only ones I have seen that continue using the >SSL are small ISPs and only one of the local universities here. But then >I have only seen three of the universities, and actually even the one >that was using SSL all the time shifted after I showed an acquaintance >how to make the connection that way and he spread the information to >everybody he knew who spread it to .... Once that was done, even that >school shifted to doing it with SSL for connection only. I realize that >SSL doesn't have the overhead of more powerful encryption like that >provided by OpenPGP, but it is still enough of an overhead that once >the load of SSL all the time becomes noticeable to the ISP (or whoever), >they feel that the authentication alone should be using SSL and they >make the shift to using plain the rest of the time. In other words, >consider yourself lucky IF you are getting SSL all the time if you >need it all the time. On the other hand if you don't need SSL all the >time there MAY be the possibility those long download times are partly >being caused by the overhead of SSL encryption taking place on the >server. > >Do you need encryption all the time or not? My advice still remains the >same - OpenPGP is still the best choice for the scenario presented, IF I >indeed understood all the parameters. It puts the control of when to use >it in your hands. It just depends on what is being transported. I could >care less whether all that spam is encrypted or not. I also don't want all >the redirected email on my comcast account (also spam, but with the worms >removed) encrypted during transmission. The faster I get rid of it the >better. Not having the transmission of it helps me get rid of it as fast >as possible! > >HHH > > >__________________________________________________________________ >Switch to Netscape Internet Service. >As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register > >Netscape. Just the Net You Need. > >New! Netscape Toolbar for Internet Explorer >Search from anywhere on the Web and block those annoying pop-ups. >Download now at http://channels.netscape.com/ns/search/install.jsp > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From dshaw at jabberwocky.com Thu Feb 23 00:28:48 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 00:28:21 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> Message-ID: <20060222232848.GG10987@jabberwocky.com> On Wed, Feb 22, 2006 at 11:02:10AM +0100, Walter Haidinger wrote: > On Tue, 21 Feb 2006, David Shaw wrote: > > > > If GnuPG could also store secret keys (btw, can it? have never checked) > > > > It's theoretically possible, but no keyserver works that way. > > Probably not for HTTP keyservers, but for LDAP offering strong > authentication and TLS/SSL? > > A remotely accessible, single storage of secret keys could be quite > useful for some people. You wouldn't be required to carry the secret > keyring with you on usbsticks or else anymore. When I think about it, > probably a better use for LDAP capabilities than to store public keys... It's a bit more complex than that - what LDAP (and any keyserver) does is provide the key itself. That key is then imported and lives locally from then on until it is deleted. There would need to be cleanup after use or keys would be left behind. Are you looking for a remote keyring? That's slightly different than a keyserver, or at least the thing that GnuPG calls a keyserver. > > > on LDAP, this might be different story. However, at least for now, > > > being as secure as pam_ldap _is_ sufficient, IMHO. > > > > Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for > > the next release. > > Next release of 1.4.x or 1.9.x? 1.4.3. I've added the new feature, so you could probably grab the gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There aren't significant changes to the keyserver protocol between the two. Just replace the existing gpgkeys_ldap.c with the new one and recompile. This is just for testing though - the actual feature needs a little more work before 1.4.3 release - the binddn and bindpw is global for all keyservers, so if someone selects a different ldap keyserver without removing the binddn and bindpw, they likely will be refused (bad password). This can happen automatically with keyserver URLs. What is really needed is a .netrc-style "ldap-password" file that contains binddn and bindpw for different machines. David From walter.haidinger at gmx.at Thu Feb 23 01:04:10 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 01:04:12 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060222232848.GG10987@jabberwocky.com> References: <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> Message-ID: On Wed, 22 Feb 2006, David Shaw wrote: > It's a bit more complex than that - what LDAP (and any keyserver) does > is provide the key itself. That key is then imported and lives > locally from then on until it is deleted. There would need to be > cleanup after use or keys would be left behind. I see. Obviously not a problem for public keys put definitely for private... Should have thought a bit more about how GnuPG works first. I guess I was too enthusiastic about the soon-working LDAP keyserver... Btw, I'll test the unique flag later today. > Are you looking for a remote keyring? > That's slightly different than a keyserver, or at least the thing > that GnuPG calls a keyserver. Now that you mention it: acutally yes, for private keys. I've not done any research about that yet. Just came to my mind during the discussion in this thread. Does GnuPG support remote keyrings? > 1.4.3. I've added the new feature, so you could probably grab the > gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. Thanks. I was about to ask if I can get it from the SVN tree early... You're just too quick! ;-) > There aren't significant changes to the keyserver protocol between > the two. > Just replace the existing gpgkeys_ldap.c with the new one and > recompile. I'll try a full checkout, though. I've read about another option which allows for keyserver failover, 'query' IIRC. > This is just for testing though - the actual feature needs a little > more work before 1.4.3 release - the binddn and bindpw is global for > all keyservers, so if someone selects a different ldap keyserver > without removing the binddn and bindpw, they likely will be refused > (bad password). This can happen automatically with keyserver URLs. > What is really needed is a .netrc-style "ldap-password" file that > contains binddn and bindpw for different machines. This is a general limitation, not to be solved by the ldap code, IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? Therefore, any keyserver options apply to the one set. There should be a mechanism to specify multiple keyservers, each with its own option set, binddn and bindpw just being one of them. Walter From dshaw at jabberwocky.com Thu Feb 23 04:24:27 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 04:24:02 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: References: <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> Message-ID: <20060223032427.GA11782@jabberwocky.com> On Thu, Feb 23, 2006 at 01:04:10AM +0100, Walter Haidinger wrote: > On Wed, 22 Feb 2006, David Shaw wrote: > > Are you looking for a remote keyring? > > That's slightly different than a keyserver, or at least the thing > > that GnuPG calls a keyserver. > > Now that you mention it: acutally yes, for private keys. I've not done > any research about that yet. Just came to my mind during the discussion > in this thread. > Does GnuPG support remote keyrings? No, unless it's via a remote filesystem (NFS, SMB, some magic with fuse, etc). > > This is just for testing though - the actual feature needs a little > > more work before 1.4.3 release - the binddn and bindpw is global for > > all keyservers, so if someone selects a different ldap keyserver > > without removing the binddn and bindpw, they likely will be refused > > (bad password). This can happen automatically with keyserver URLs. > > What is really needed is a .netrc-style "ldap-password" file that > > contains binddn and bindpw for different machines. > > This is a general limitation, not to be solved by the ldap code, > IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? > Therefore, any keyserver options apply to the one set. There should > be a mechanism to specify multiple keyservers, each with its own > option set, binddn and bindpw just being one of them. I'm not sure I agree with this. GnuPG does support multiple keyservers in the sense that it handles preferred keyserver records on keys, as well as the new auto-key-locate feature. All of these have the same set of options, as keyserver options are not per-keyserver. They're not "options for keyserver x" - they are "options that pertain to keyservers". For example, "auto-key-retrieve" is not meaningful except in the general sense. Until yesterday, in fact, when I added binddn and bindpw, all the options were not meaningful except in the general sense. I think the right place for the solution is in gpgkeys_ldap itself. Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to. David From alex at bofh.net.pl Thu Feb 23 12:03:42 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu Feb 23 12:03:14 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <4CC3ED0D-F44C-4B05-9658-AA80F0A82F32@gmail.com> References: <2E47760F.2E1A284D.0307202B@netscape.net> <20060222112238.GL13478@hell.pl> <4CC3ED0D-F44C-4B05-9658-AA80F0A82F32@gmail.com> Message-ID: <20060223110342.GR13478@hell.pl> On Wed, Feb 22, 2006 at 10:38:19AM -0500, Benjamin Esham wrote: > On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote: > > >And there is really no point in ecryptiong the whole access since the > >contents, the emails usually travel the rest of the net unencrypted. > But wouldn't it be much easier for an attacker to intercept all of your > e-mail by listening in on an unencrypted webmail session than by trying to > intercept each e-mail individually somewhere else? I think there > certainly is a benefit to having SSL-encrypted webmail for exactly that > reason: less determined attackers will not have access to the plaintext of > the messages. (Although granted, it would be kind of foolish to depend > upon SSL webmail if the messages are sent in plain text.) Answering this question is impossible without actually describing the attacker's powers (defining a formal threat model). Clarify your question and ask again, now the answer is: Mu. A. From walter.haidinger at gmx.at Thu Feb 23 12:04:06 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 12:04:09 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060223032427.GA11782@jabberwocky.com> References: <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <20060223032427.GA11782@jabberwocky.com> Message-ID: <2717.192.168.77.250.1140692646.squirrel@haidinger.dyndns.org> On Thu, February 23, 2006 04:24, David Shaw wrote: >> Does GnuPG support remote keyrings? > > No, unless it's via a remote filesystem (NFS, SMB, some magic with > fuse, etc). Well, would have been nice, though. I'll stick to rsync to distribute secret keyrings then. >> This is a general limitation, not to be solved by the ldap code, >> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? >> Therefore, any keyserver options apply to the one set. There should >> be a mechanism to specify multiple keyservers, each with its own >> option set, binddn and bindpw just being one of them. > > I'm not sure I agree with this. GnuPG does support multiple > keyservers in the sense that it handles preferred keyserver records on > keys, as well as the new auto-key-locate feature. All of these have > the same set of options, as keyserver options are not per-keyserver. I was unaware that _all_ keyserver options apply to any type, i.e. http/hkp/ldap. The manpage talks about 'a' preferred keyserver, though, so I thought that there can be only one, which means all options are global anyways. Haven't had a look at the new auto-key-locate feature yet. > They're not "options for keyserver x" - they are "options that pertain > to keyservers". No, not yet but would make sense now with binddn and binddn. However, just a single LDAP server I can authenticate against, is fine for me. > Until yesterday, in fact, when I added binddn and bindpw, all the > options were not meaningful except in the general sense. That's what I meant with "general limitation" above. > I think the right place for the solution is in gpgkeys_ldap itself. > Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to. If you create a framework which allows for options to apply to certain keyservers, why limit yourself to LDAP only? What if HTTP or FTP keyservers require authentication? How would you do e.g. basic authentication against multiple HTTP keyservers, each with different username and password? Therefore, implementing keyserver specific options _just_ for LDAP simply doesn't make sense, or does it? Walter From walter.haidinger at gmx.at Thu Feb 23 13:01:48 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 13:01:49 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060222232848.GG10987@jabberwocky.com> References: <20060220230025.GD17933@jabberwocky.com> <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> Message-ID: <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> On Thu, February 23, 2006 00:28, David Shaw wrote: >> Next release of 1.4.x or 1.9.x? > > 1.4.3. I've added the new feature, so you could probably grab the > gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There > aren't significant changes to the keyserver protocol between the two. > Just replace the existing gpgkeys_ldap.c with the new one and > recompile. I've checked out rev. 4020 (gpg reports version 1.4.3rc1). First the good news: Anonymous access works, can send and receive keys just fine. The problem about the pgpKeysize is gone, although I did _not_ do any changes to the code. The CVS diffs show that you probably took care of this. Now for the bad news: binding with a DN does not work yet. I tried the new binddn and bindpw options with the following setup: > cat pgpusers.ldif dn: ou=PGP Users,dc=EXAMPLE,dc=COM objectclass: organizationalUnit ou: PGP Users dn: uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM objectClass: inetOrgPerson objectClass: uidObject uid: user1 # password is 'user1'. Use slappasswd(8) to create a new # one and replace the string here! userPassword: {SSHA}sLbxdJt53SZvU9BMRSSmdD78vfiSoPHR sn: User1 cn: Test User1 > ldapadd -x -h localhost -W -D "cn=Manager,dc=EXAMPLE,dc=COM" < pgpusers.ldif adding new entry "ou=PGP Users,dc=EXAMPLE,dc=COM" ... Changed the acl in slapd.conf from # PGP keystore: limit write access to localhost access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM" by peername.ip=127.0.0.1 write by * read to: # PGP keystore: only users of "ou=PGP Users,dc=EXAMPLE,dc=COM" may write access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM" by dn.regex="uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM" write by * read and tried the following: > gpg --keyserver ldap://localhost --keyserver-option verbose --keyserver-option "binddn=uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" --keyserver-option bindpw=user1 --send-keys B15BBBE2 gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: sending key B15BBBE2 to ldap server localhost gpgkeys: internal LDAP bind error: Invalid credentials gpg: keyserver internal error gpg: keyserver send failed: keyserver error Syslog shows that pgp only binds with DN 'uid=user1' instead of the whole specified DN: slapd[10055]: conn=6 op=2 BIND dn="uid=user1" method=128 There is a bug in the option parsing. Added a few diagnostics in main() of gpgkeys_ldap.c, which showed that binddn is already truncated after and including the first comma when you strdup() it from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'. Had a quick look but no obvious origin of the problem. Walter From dshaw at jabberwocky.com Thu Feb 23 14:03:36 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 14:03:13 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> References: <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> Message-ID: <20060223130336.GA12897@jabberwocky.com> On Thu, Feb 23, 2006 at 01:01:48PM +0100, Walter Haidinger wrote: > On Thu, February 23, 2006 00:28, David Shaw wrote: > >> Next release of 1.4.x or 1.9.x? > > > > 1.4.3. I've added the new feature, so you could probably grab the > > gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There > > aren't significant changes to the keyserver protocol between the two. > > Just replace the existing gpgkeys_ldap.c with the new one and > > recompile. > > I've checked out rev. 4020 (gpg reports version 1.4.3rc1). > > First the good news: Anonymous access works, can send and receive > keys just fine. The problem about the pgpKeysize is gone, although > I did _not_ do any changes to the code. The CVS diffs show that you > probably took care of this. I did. > There is a bug in the option parsing. Added a few diagnostics > in main() of gpgkeys_ldap.c, which showed that binddn is already > truncated after and including the first comma when you strdup() it > from start[], i.e. any DN, like 'a,b,c,d' would be truncated to 'a'. > Had a quick look but no obvious origin of the problem. Not a bug - you're quoting it wrong in the shell. It takes a lot to make the shell not eat stuff sometimes: --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" That is, quote the value, not the name=value. The parser in GPG understands quotes. David From walter.haidinger at gmx.at Thu Feb 23 14:59:53 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 15:00:02 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060223130336.GA12897@jabberwocky.com> References: <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> <20060223130336.GA12897@jabberwocky.com> Message-ID: <17059.192.168.77.250.1140703193.squirrel@haidinger.dyndns.org> On Thu, February 23, 2006 14:03, David Shaw wrote: > Not a bug - you're quoting it wrong in the shell. It takes a lot to > make the shell not eat stuff sometimes: > > --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" > > That is, quote the value, not the name=value. The parser in GPG > understands quotes. Of course, should have thought of that! Silly me. <:| Everything works now! :-) Thanks a _lot_ for your help to get this operational! Walter PS: Tweaked the ACLs a bit to: # let PGP users change their passwords access to dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$" by self write by * none # PGP keystore: only users may write access to dn.subtree="ou=PGP Keys,dc=EXAMPLE,dc=COM" by dn.regex="^uid=([^,]+),ou=PGP Users,dc=EXAMPLE,dc=COM$" write by * read From walter.haidinger at gmx.at Thu Feb 23 16:13:51 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 16:13:59 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060223130336.GA12897@jabberwocky.com> References: <20060220235231.GE17933@jabberwocky.com> <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> <20060223130336.GA12897@jabberwocky.com> Message-ID: <8109.192.168.77.250.1140707631.squirrel@haidinger.dyndns.org> On Thu, February 23, 2006 14:03, David Shaw wrote: > --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" I've got yet another problem when I put keyserver-options into ~/.gnupg/gpg.conf, like: > nl -b a ~/.gnupg/gpg.conf | tail -5 225 keyserver ldap://localhost 226 keyserver-option verbose 227 keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" 228 keyserver-option bindpw=user1 229 > gpg --list-keys gpg: /home/walter/.gnupg/gpg.conf:226: invalid option gpg: /home/walter/.gnupg/gpg.conf:227: invalid option gpg: /home/walter/.gnupg/gpg.conf:228: invalid option What is wrong here? Walter From dshaw at jabberwocky.com Thu Feb 23 16:22:21 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 16:21:49 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <8109.192.168.77.250.1140707631.squirrel@haidinger.dyndns.org> References: <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> <20060223130336.GA12897@jabberwocky.com> <8109.192.168.77.250.1140707631.squirrel@haidinger.dyndns.org> Message-ID: <20060223152221.GA14298@jabberwocky.com> On Thu, Feb 23, 2006 at 04:13:51PM +0100, Walter Haidinger wrote: > On Thu, February 23, 2006 14:03, David Shaw wrote: > > --keyserver-option "binddn=\"uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM\"" > > I've got yet another problem when I put keyserver-options into > ~/.gnupg/gpg.conf, like: > > > nl -b a ~/.gnupg/gpg.conf | tail -5 > 225 keyserver ldap://localhost > 226 keyserver-option verbose > 227 keyserver-option binddn="uid=user1,ou=PGP Users,dc=EXAMPLE,dc=COM" > 228 keyserver-option bindpw=user1 > 229 > > > gpg --list-keys > gpg: /home/walter/.gnupg/gpg.conf:226: invalid option > gpg: /home/walter/.gnupg/gpg.conf:227: invalid option > gpg: /home/walter/.gnupg/gpg.conf:228: invalid option > > What is wrong here? keyserver-options. Not keyserver-option. The 's' is part of the option name. It works on the command line for convenience, but the config file must be strict. David From zwon at severodvinsk.ru Thu Feb 23 15:30:17 2006 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Thu Feb 23 16:25:29 2006 Subject: GpgME: Compile under MinGW In-Reply-To: <000a01c637f1$d9cc78e0$f500a8c0@HOME> References: <000a01c637f1$d9cc78e0$f500a8c0@HOME> Message-ID: <20060223143017.GB1038@sky.schizandra.ru> On Feb 22, 2006 at 21:52 +0100, Kiefer, Sascha wrote: > I downloaded the latest GpgME version and called configure. > The last lines it outputes are: > > configure: WARNING: > *** > *** ttyname() is not thread-safe and ttyname_r() does not exist > *** > checking whether we are using the GNU C Library 2.1 or newer... no > checking for getenv_r... no > configure: WARNING: > *** > *** getenv() is not thread-safe and getenv_r() does not exist > *** > checking for timegm... no > configure: WARNING: > *** > *** timegm() not available - a non-thread-safe kludge will be used > *** and the TZ variable might be changed at runtime. > *** > checking for gpg-error-config... no > checking for GPG Error - version >= 0.5... no > configure: error: libgpg-error was not found > > > What do i need to do? You must install libgpg-error. But I'm not sure if gpgme can be compiled in the mingw at all. Vale! -- Pawel I. Shajdo From walter.haidinger at gmx.at Thu Feb 23 16:42:56 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 16:42:46 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <20060223152221.GA14298@jabberwocky.com> References: <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <5444.192.168.77.250.1140696108.squirrel@haidinger.dyndns.org> <20060223130336.GA12897@jabberwocky.com> <8109.192.168.77.250.1140707631.squirrel@haidinger.dyndns.org> <20060223152221.GA14298@jabberwocky.com> Message-ID: <5407.192.168.77.250.1140709376.squirrel@haidinger.dyndns.org> On Thu, February 23, 2006 16:22, David Shaw wrote: >> What is wrong here? > > keyserver-options. Not keyserver-option. The 's' is part of the > option name. It works on the command line for convenience, but the > config file must be strict. Thanks. I've just read the following from the manpage which is a bit misleading: "Long options can be put in an options file (default "~/.gnupg/gpg.conf"). [...] Do not write the 2 dashes, but simply the name of the option and any required arguments." Walter PS: I've written a brief howto to summarize this thread and will post it shortly. From walter.haidinger at gmx.at Thu Feb 23 17:01:08 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Thu Feb 23 17:01:09 2006 Subject: Howto setup an OpenLDAP PGP keyserver Message-ID: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> Hi! After all issues are finally resolved, I'm glad to post this howto about setting up a PGP keyserver with OpenLDAP. The inital thread that finally leads to here starts at: http://marc.theaimsgroup.com/?l=gnupg-users&m=114028686432264&w=2 Many thanks to Peter Palfrader for providing the LDAP schema and especially to David Shaw for providing invaluable help and adding LDAP basic authentication to GnuPG. Used software: OpenLDAP 2.2.27, run under SuSE 10.0 GnuPG 1.4.3rc1 (subversion revision 4020). If you don't want to wait until 1.4.3 is officially released, grab yourself a copy from svn: > svn co svn://cvs.gnupg.org/gnupg/trunk Attached is tarball with the files for OpenLDAP configuration, to which will be refered to below. I hope this doesn't violate the rules of this list but the attachment is very small anyways. You should have a basic understanding about LDAP first. If not, I'd recommend to read the OpenLDAP Admin Guide on http://www.openldap.org, which provides excellent documentation. Also, as an LDAP client and excellent server management tool, I'd recommend phpLDAPadmin: http://phpldapadmin.sourceforge.net The LDAP tree created in this example setup looks like: dc=EXAMPLE,dc=COM | +----cn=Manager +----cn=PGPServerInfo +----ou=PGP Keys | +---pgpCertID=... | +---pgpCertID=... +----ou=PGP Users +---uid=... +---uid=... where dc=EXAMPLE,dc=COM is obviously the base DN. First, install pgp-keyserver.schema from the tarball into to your schema directory. There are two more files which are not used here, but have been part of the schema I got from Peter, so I kept them for completeness. Next, install slapd.conf and edit to suit your needs. That is, select either anonymous or user authentication. In the provided file, anonymous writes are enabled. However, access is restricted to writes from localhost only. You may lift this restriction by modifying the peername.ip statement. See slapd.access(5) for details and examples. Think twice before opening up anonymous writes, as _any_ user who can connect to your LDAP server can not only upload but also delete keys. For user authentication, comment out update_anon and the access rule for anonymous writes. Users are stored as DN "uid=,ou=PGP Users,dc=EXAMPLE,dc=COM". You need to create users to bind to LDAP. One sample user is provided in ldif/pgpusers.ldif. Just copy the entry and modify it to create more and read the file to learn the used password. Also, the password for the OpenLDAP manager is stored as a hash. It is 'gpg'. Run slappasswd(8) to create a stronger password and replace the hash in slapd.conf. Try to start your OpenLDAP server now. Under SuSE, I run "/etc/init.d/ldap start". Next, populate the directory with the basic layout by importing the example.ldif file (enter on a single line): > cat example.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM" When prompted for a password, enter the one you've created above or 'gpg' if you did not. If you selected anonymous writes, you're done configuring your OpenLDAP PGP keyserver. If you selected user authentication, you need to add users now: > cat pgpusers.ldif | ldapadd -x -W -h localhost -D "cn=Manager,dc=EXAMPLE,dc=COM" Finally, you can use GnuPG to add keys (always on a single line): For anonymous write: > gpg --keyserver ldap://localhost --send-key 12345678 For user authentication (insecure on command-line, see below): > gpg --keyserver ldap://localhost --keyserver-options "binddn=\"uid=user1,ou=PGPUsers,dc=EXAMPLE,dc=COM\"" --keyserver-options bindpw=user1 --send-keys 12345678 To receive keys, simply do: > gpg --keyserver ldap://localhost --recv-keys 12345678 Further notes: * GnuPG looks for PGPServerInfo under the base DN. If you decide to put it somewhere else, use keyserver-option basedn to specify the new location, e.g.: keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\"" * Beware of shell quoting, like above which is the correct format if you have spaces in your DN and specify the keyserver option on the command line. * GnuPG can use TLS/SSL. For SSL, use ldaps:// and for tls the keyserver-options tls. It takes 'no','try','warn' or 'require' as an argument, e.g.: keyserver-options tls=require * Put other keyserver options into ~/.gnupg/gpg.conf, e.g.: keyserver ldap://localhost keyserver-options binddn="uid=test1,ou=PGP Keys,dc=EXAMPLE,dc=COM" keyserver-options bindpw=verysecret keyserver-options tls=try keyserver-options verbose Then the following will just work: > gpg --send-keys 12345678 or > gpg --recv-keys 12345678 * As it is INSECURE to specify your bind password on the command line, you should put it to your ~/.gnupg/gpg.conf and protect this file with 0600 permissions. Well, that's it for now. I hope this howto is helpful and somewhat complete! Good luck setting up your PGP keyserver with OpenLDAP. I'd be glad if someone could verify the steps so that there are no glitches. Comments, notes, questions or else are appreciated. Last but not least a final request: Please add a CC: to my email address too if you reply to this list. Thanks. Regards, Walter -- Walter Haidinger -------------- next part -------------- A non-text attachment was scrubbed... Name: openldap_pgp_keyserver.tar.gz Type: application/x-gzip Size: 4220 bytes Desc: not available Url : /pipermail/attachments/20060223/76391f9b/openldap_pgp_keyserver.tar.bin From dshaw at jabberwocky.com Thu Feb 23 17:45:01 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 17:44:34 2006 Subject: OpenLDAP schema to store OpenPGP keys? In-Reply-To: <2717.192.168.77.250.1140692646.squirrel@haidinger.dyndns.org> References: <20060221180824.GB26804@jabberwocky.com> <20060221225910.GH26804@jabberwocky.com> <20060222032641.GA28593@jabberwocky.com> <20060222232848.GG10987@jabberwocky.com> <20060223032427.GA11782@jabberwocky.com> <2717.192.168.77.250.1140692646.squirrel@haidinger.dyndns.org> Message-ID: <20060223164501.GB14298@jabberwocky.com> On Thu, Feb 23, 2006 at 03:52:37PM +0000, Walter Haidinger wrote: > I was unaware that _all_ keyserver options apply to any type, i.e. > http/hkp/ldap. > The manpage talks about 'a' preferred keyserver, though, so I thought > that there can be only one, which means all options are global anyways. No. Preferred keyservers are a different sort of thing. Look at it this way: you have one list of options, with which you can use any keyserver. Preferred keyservers are the OpenPGP way for the keyholder to say "I like this keyserver - when using my key, please use this keyserver". It's like an automated way of changing --keyserver on a per-user ID basis. > > They're not "options for keyserver x" - they are "options that pertain > > to keyservers". > No, not yet but would make sense now with binddn and binddn. That's true. Here's what I did - keyserver-options must be global, but I added the ability to have per-keyserver options as well: Global options: keyserver-options option1 option2 Options tied to ldap://my.ldap.server: keyserver ldap://my.ldap.server option1 option2 option3 In your case you could do something like: keyserver ldap://server binddn="ou=pgp keys, etc..." bindpw=secret David From dshaw at jabberwocky.com Thu Feb 23 17:55:54 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 17:55:19 2006 Subject: Howto setup an OpenLDAP PGP keyserver In-Reply-To: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> References: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> Message-ID: <20060223165554.GC14298@jabberwocky.com> On Thu, Feb 23, 2006 at 05:01:08PM +0100, Walter Haidinger wrote: Thanks for writing this up! I will certainly be pointing people to this when they ask inthe future. One comment: > Further notes: > * GnuPG looks for PGPServerInfo under the base DN. > If you decide to put it somewhere else, use keyserver-option > basedn to specify the new location, e.g.: > keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\"" This isn't quite correct. GnuPG looks for PGPServerInfo under each namingContext in order until it finds one. It is perfectly fine not to have PGPServerInfo under the base DN. PGP as well as PGP Universal does this the same way. David From dshaw at jabberwocky.com Thu Feb 23 19:21:51 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 23 19:21:20 2006 Subject: Howto setup an OpenLDAP PGP keyserver In-Reply-To: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> References: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> Message-ID: <20060223182151.GF14298@jabberwocky.com> Another thing worth adding to your HOWTO is that if the LDAP server is going to be publically available, a good name to use is "keys.(yourdomain)". The reason for this is that both PGP and GnuPG (as of 1.4.3) can automatically locate keys using that name. For example, let's say I want to encrypt a message to joe@example.com, but I have no joe@example.com key. GnuPG can automatically ask ldap://keys.example.com for joe@example.com and import it. David From walter.haidinger at gmx.at Fri Feb 24 11:40:32 2006 From: walter.haidinger at gmx.at (Walter Haidinger) Date: Fri Feb 24 11:40:28 2006 Subject: Howto setup an OpenLDAP PGP keyserver In-Reply-To: <20060223165554.GC14298@jabberwocky.com> References: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org> <20060223165554.GC14298@jabberwocky.com> Message-ID: On Thu, 23 Feb 2006, David Shaw wrote: > On Thu, Feb 23, 2006 at 05:01:08PM +0100, Walter Haidinger wrote: > > Thanks for writing this up! I will certainly be pointing people to > this when they ask inthe future. Hopefully the setup of an LDAP PGP keyserver will be officially documented sometime. If this provides a start, I'm glad to have contributed. > One comment: > > > Further notes: > > * GnuPG looks for PGPServerInfo under the base DN. > > If you decide to put it somewhere else, use keyserver-option > > basedn to specify the new location, e.g.: > > keyserver-options "basedn=\"cn=PGPServerInfo,ou=PGP Info,dc=MYDOM\"" > > This isn't quite correct. GnuPG looks for PGPServerInfo under each > namingContext in order until it finds one. It is perfectly fine not > to have PGPServerInfo under the base DN. PGP as well as PGP Universal > does this the same way. True, I have to admit that I forgot to add this when I finished the howto after everything worked. You did mention it a in recent reply. Actually quite useful when using a seperate database for PGP in slapd.conf. Walter From hhhobbit7 at netscape.net Fri Feb 24 12:06:17 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Fri Feb 24 12:06:57 2006 Subject: Necessity of GPG when using SSL Message-ID: <170C2468.55FECD69.0307202B@netscape.net> Benjamin Esham wrote: >On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote: > >> And there is really no point in ecryptiong the whole access since the >> contents, the emails usually travel the rest of the net unencrypted. > >But wouldn't it be much easier for an attacker to intercept all of >your e-mail by listening in on an unencrypted webmail session than by >trying to intercept each e-mail individually somewhere else? I think >there certainly is a benefit to having SSL-encrypted webmail for >exactly that reason: less determined attackers will not have access >to the plaintext of the messages. (Although granted, it would be kind >of foolish to depend upon SSL webmail if the messages are sent in >plain text.) Last then first. Generally, it is very difficult to intercept email en-transit. That was not always the case. There was a time when you had hubs and you could listen in to everything on a LAN. Those days are gone with switches (multi-port bridges) making it very difficult to listen in on communications since the only traffic you see now at the LAN level is the broadcast traffic. There are some switches and routers that have a listening port, and this is what the FBI and others want, but they are the exception, not the rule. Once packets start hitting the WAN pipes, the torrent of packets you have to sift through becomes almost impossible to manage, even if you know the person's WAN IP address, and it is just that - a person. If you have several hundred people sharing that WAN IP address, then en-transit capturing has to be done at the LAN level. How do you say this packet from WAN IP address 92.23.4.107 is Bob's and not Bill's when up to 100 people share that WAN IP address? You have to go inside the firewall where that IP address is and find out on the LAN. Lo and behold, when you do that, they are using DHCP, so you then have to know their MAC address (which used to be something you couldn't change, but now with MS Windows you can change it). So let's just go to Bob's machine and put something on it instead. And that is usually exactly what is done. Where your email is most easily compromised is on the mail server. There it sits until you start to pull it down. SSL isn't even a factor. All SSL does is secure the transmission, not the data at the end points. In fact, a hacker can pull down your email using SSL to cover their tracks - and that is usually exactly what they do. It is usually pretty easily done too, since ALL of the messages are usually in just one file. They just have to suck down that one file and now they have ALL of your messages. Now, if the email on the server is in plain-text, how secure is that? On the other hand, if it is encrypted with some OpenPGP package like GnuPG with strong encryption, how secure is that? Pretty darn secure. So the hacker pulls down your file. Whoopity doo. He gets to read all that crappy spam in plain text, but the juicy email messages that contain your financial information is encrypted. So, I repeat - SSL is not good enough unless all of your messages don't convey financial information or anything else important. If they are important, use GnuPG or other strong end-point encryption and the only thing you have to watch for now are those pesky key loggers. But even then if they get your passphrase, they still need your keyring, but if they have a keylogger working for them, then they probably have all your GnuPG DB files. HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From hhhobbit7 at netscape.net Fri Feb 24 12:34:36 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Fri Feb 24 12:34:33 2006 Subject: GnuPG for PalmOS 5 Message-ID: <562AC71C.62B158D6.0307202B@netscape.net> Wolfgang Klein wrote: >May I please make a humble wish that somebody will start to develop >GnuPG for PalmOS 5 very soon? That version of PalmOS is the most recent >version and I think it's the version that will be sold for a long time, >because according to Palm it is very unsure if there ever will be a >version 6 of PalmOS. > >It is very frustrating when you own a handheld that has WLAN capability >but you can not use it to send and receive certain kinds of e-mails that >have to be encrypted. (Company's policy.) Are you volunteering to do it? 8^) I don't have a Palm, but at one time I developed for Pen Systems, one of which had a Hobbit chip. It sounds like a very frustrating development project to me. Is your company willing to sponsor the costs of development? HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From m.pederboni at cineca.it Fri Feb 24 15:54:18 2006 From: m.pederboni at cineca.it (Marco Pederboni) Date: Fri Feb 24 19:18:07 2006 Subject: problem in decrypting large file Message-ID: <200602241554.17180.m.pederboni@cineca.it> Hello, When I try to decrypt this file: 27395867626 Feb 16 18:38 dati.tar.gpg with the command: gpg --decrypt dati.tar.gpg > dati.tar I obtain this error: gpg: fatal: zlib inflate problem: invalid literal/length code secmem usage: 2048/2048 bytes in 4/4 blocks of pool 2048/32768 And the file dati.tar is 1646067712 byte long Have you got any Idea ? Thank you, M A R C O -- ===================================================== | Marco Pederboni - SETTORE GESTIONE SISTEMI | CINECA Via Magnanelli 6/3 40033 Casalecchio di Reno | Bologna, Italy - http://www.cineca.it | Tel: 051/6171707 - Fax 051/6132198 ===================================================== -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: not available Url : /pipermail/attachments/20060224/67a6ec2e/attachment.pgp From zwon at severodvinsk.ru Fri Feb 24 19:56:36 2006 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Fri Feb 24 20:15:52 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <170C2468.55FECD69.0307202B@netscape.net> References: <170C2468.55FECD69.0307202B@netscape.net> Message-ID: <20060224185636.GA1010@sky.schizandra.ru> On Feb 24, 2006 at 06:06 -0500, Henry Hertz Hobbit wrote: > Last then first. Generally, it is very difficult to intercept email > en-transit. That was not always the case. There was a time when you > had hubs and you could listen in to everything on a LAN. Those days are > gone with switches (multi-port bridges) making it very difficult to > listen in on communications since the only traffic you see now at the > LAN level is the broadcast traffic. Try ettercap (http://ettercap.sourceforge.net/) ;) It allows you easily sniff traffic in the switched LAN. Vale! -- Pawel I. Shajdo From tmz at pobox.com Sat Feb 25 18:08:38 2006 From: tmz at pobox.com (Todd Zullinger) Date: Sat Feb 25 18:08:45 2006 Subject: GnuPG for PalmOS 5 In-Reply-To: <440020E7.4000604@web.de> References: <562AC71C.62B158D6.0307202B@netscape.net> <440020E7.4000604@web.de> Message-ID: <20060225170838.GB2754@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Wolfgang Klein wrote: > Since there is already a version of pgp for Palm (palmopgp12), I was > thinking that it shouldn't be too difficult to modify that code to > work under PalmOS 5 in a convenient way. But on the other hand: I am > not a programmer. So my estimation will most probably be totally > wrong. I don't know much at all about the Palm or programming for them, but FWIW I recalled questions about OS 5 on the pgp-users list a while back. Will Price, a long-time developer of PGP, answered someone this way in June of 2003: - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In some respects, we are just as frustrated as you may be. If I may be quite frank, Palm OS 5 was a hack job not ready for prime time. If we felt that some amount of maintenance work would quickly clean up issues with different Palm OS 5 devices, we would engage the effort. I look forward to Palm OS 6. Palm OS 5 appears to be a halfway step down the transition road towards Palm OS 6 later this year which will (finally!) bring full support for the new processor types allowing acceptable speeds for all the key sizes and one hopes fix the API issues which prevent some of the features of PGP on Palm OS 4.X from working properly on Palm OS 5. It is my hope that a major new release of PGP Mobile will be ready for that OS and others. On Saturday, June 7, 2003, at 06:54 AM, Michael Disabato wrote: >> I hope someone there is doing some work with Palm OS 5's s/w >> development and >> getting progressively more familiar with its possibilities. It's hard >> to > > I certainly hope so as well. I just got my Tungsten T, and PGP > Mobile's operation on it is just about as bad as you can get. Their > web site is highly misleading when it says that some of the > functionality may not be there. Even encrypting/decrypting mail is > broken, though not seriously if you tinker. > > Since Palm OS 5 is going to be the standard, it would be nice if PGP > caught up with the industry. - - -- Will Price, VP Engineering PGP Corporation - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBPuPS3ay7FkvPc+xMEQK2UACg5qGyPODtVKurgV+HiyQr+3reGnUAoK4G tdzK3JxEcHNZsosV27w7Gq9y =tfYC - -----END PGP SIGNATURE----- - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Never do anything against conscience even if the state demands it. -- Albert Einstein, Quoted in Saturday Review obituary, 1955 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkQAjxYmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1r8AQCcCH7+f1CTlT6t7eI4vJ1K2dTiCqoAnjMKAUmG VFsnJdu20MR3Wz/xRL6N =wKAM -----END PGP SIGNATURE----- From lporter at hdsmith.com Sat Feb 25 18:11:21 2006 From: lporter at hdsmith.com (lporter@hdsmith.com) Date: Sat Feb 25 18:10:43 2006 Subject: Auto Reply to your message ... Message-ID: <43C6973C00044E21@HDSPRIME.hdsmith.com> ----- The following text is an automated response to your message ----- Hello, I'm on vacation from Monday, February 27 through Friday, March 3. I'll be returning on Monday, March 6. If you need IMMEDIATE URGENT help email helpdesk@hdsmith.com. Please do not use helpdesk@hdsmith.com unless it requires immediate action. I will check my email from time to time. Thanks - Lowell From johanw at vulcan.xs4all.nl Tue Feb 28 00:18:07 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Feb 27 00:17:49 2006 Subject: file encryption and integrity check In-Reply-To: <20060222132831.GA10374@jabberwocky.com> Message-ID: <200602272318.k1RNI7ob001580@vulcan.xs4all.nl> David Shaw wrote: >This is correct. Of course, it's possible that GnuPG doesn't >recognize a particular kind of compression. If I recall, it looks for >bzip, gzip, and zip. A simple default test would be of course to check if the used compression algorithm could decrease the file size: this would also prevent compression being used from files like jpeg and mpeg. However, I don't see how to use this method in streaming mode. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jharris at widomaker.com Mon Feb 27 02:47:19 2006 From: jharris at widomaker.com (Jason Harris) Date: Mon Feb 27 02:47:10 2006 Subject: new (2006-02-19) keyanalyze results (+sigcheck) Message-ID: <20060227014719.GA2389@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2006-02-19/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 0a6e11e334d49ee84c31b9ef2cbd5022c0f2260a 13345164 preprocess.keys fd73e40577b1ea72f25d39de4e6ff2e9014ad1c2 8048305 othersets.txt 7dbf74b0436da5d4201bb43cb78760b686efedbf 3290588 msd-sorted.txt a751f9d5477744a4f5e5ce6ebad6a60908e317ee 1372 index.html 4df8a23c192c16511bfcc4fc9644bdc60dd6da5c 2291 keyring_stats 37722a9bee389b045e447d1a2e81ae580e11e4ad 1293435 msd-sorted.txt.bz2 d42f3646de666c023d11e7ef68c4d1d789a728f6 26 other.txt 399a07272d608b746bf6a374ca6939613429fb8e 1740645 othersets.txt.bz2 7fbda0478090769a5c18e1804713d39346e35a3a 5414731 preprocess.keys.bz2 16077143ed4b9bf9ccd7fd3eba39978fb83301f8 13643 status.txt de6fcadeb2589e0496a7ec6b910bbdd1b21dca82 209957 top1000table.html 97f7c9c49dc802ccc296eabfb0f1f4227f65908f 30049 top1000table.html.gz 7b167ed506954f3bfee1ebfa0d5dff67f21035c5 10771 top50table.html 756af2551f40f00819d79a522235b18f1d05f10f 2544 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20060226/ee1dead3/attachment.pgp From jaboles at fastmail.fm Thu Feb 23 00:07:31 2006 From: jaboles at fastmail.fm (Jonathan Boles) Date: Mon Feb 27 10:51:30 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <43FCC8FA.3030500@natzo.com> References: <2E47760F.2E1A284D.0307202B@netscape.net> <43FCC8FA.3030500@natzo.com> Message-ID: <5502c8d32b10372f5b5c082639c80583@fastmail.fm> On 23/02/2006, at 7:26 AM, Dany wrote: > Hello, > > I switched few years ago to fastmail.fm for several reasons : > > - https + advanced protections when accessing from public terminal > (including url pseudo-scrambling) > - IMAP with SSL > - Text and only text for the webmail interface (no pop-up ad and no > graphics), just plain speed > - WebDAV (I don't use it) > - IMAP access on non-standard port like 80 and 443 so you can go > through some difficult firewalls > > I usually don't promote commercial products but as they offer a free > plan as well I thought it might help some people. I once vowed that I'd never pay for email. Then I discovered fastmail.fm, and was so impressed with their service that I subscribed to their paid service :) From subscript at free.fr Thu Feb 23 11:00:57 2006 From: subscript at free.fr (wwp) Date: Mon Feb 27 10:51:35 2006 Subject: List all UIDs from a key (gpgme_passphrase_cb_t, uid_hint) Message-ID: <20060223110057.3c590eba@localhost.localdomain> Hello all, I'm wondering how a gpgme_passphrase_cb_t-typed callback function could receive a full list of UIDs for a key, instead of just the primary (1st) one. I'm using gpgme 1.0.3. Let me explain what I'd like to do: on a MUA point of view (Sylpheed-Claws, thru its gpg plugins), a dialog uses the gpgme_passphrase_cb callback, which will receive a UID_hint from gpgme that only shows the pub key and the primary email address, whatever I've asked for a *secondary* address (gpgme_op_keylist_start() is given this secondary address, and gpgme_op_keylist_next() will only list the primary one). Would it be possible to get a string that contains the email address I was referring, or all UIDs maybe? Like `gpg --list-keys "my name"`, that shows here: pub my name uid my other name 1 uid my other name 2 [..] uid my other name n sub That would allow me showing in the pass-phrase-asking dialog the right address (parsing the uid_hint would be up to me if it contains all UIDs) instead of the primary one, which is a bit confusing. Or maybe there's a way from the gpgme API to get all UIDs that belong to a key? Please keep CC'ing me, as I'm not on this mailing list. Regards, -- wwp -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060223/22363471/signature.pgp From pederbon at cs.unibo.it Fri Feb 24 15:48:35 2006 From: pederbon at cs.unibo.it (pederbon@cs.unibo.it) Date: Mon Feb 27 10:51:38 2006 Subject: problem in decrypting large file Message-ID: <200602241548.43939.pederbon@cs.unibo.it> Hello, When I try to decrypt this file: 27395867626 Feb 16 18:38 dati.tar.gpg with the command: gpg --decrypt dati.tar.gpg > dati.tar I obtain this error: gpg: fatal: zlib inflate problem: invalid literal/length code secmem usage: 2048/2048 bytes in 4/4 blocks of pool 2048/32768 And the file dati.tar is 1646067712 byte long Have you got any Idea ? Thank you, M A R C O -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: not available Url : /pipermail/attachments/20060224/06ccc6ed/attachment.pgp From alex at bofh.net.pl Mon Feb 27 10:32:40 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Mon Feb 27 11:04:11 2006 Subject: Necessity of GPG when using SSL In-Reply-To: <170C2468.55FECD69.0307202B@netscape.net> References: <170C2468.55FECD69.0307202B@netscape.net> Message-ID: <20060227093240.GB2172@hell.pl> On Fri, Feb 24, 2006 at 06:06:17AM -0500, Henry Hertz Hobbit wrote: > Benjamin Esham wrote: > > >On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote: > > > >> And there is really no point in ecryptiong the whole access since the > >> contents, the emails usually travel the rest of the net unencrypted. > > > >But wouldn't it be much easier for an attacker to intercept all of > >your e-mail by listening in on an unencrypted webmail session than by > >trying to intercept each e-mail individually somewhere else? I think > >there certainly is a benefit to having SSL-encrypted webmail for > >exactly that reason: less determined attackers will not have access > >to the plaintext of the messages. (Although granted, it would be kind > >of foolish to depend upon SSL webmail if the messages are sent in > >plain text.) > > Last then first. Generally, it is very difficult to intercept email > en-transit. No, it is not. You only need to get a intercept warrant against the uplink provider. > How do you say this packet from WAN IP address 92.23.4.107 is Bob's > and not Bill's when up to 100 people share that WAN IP address? There are commercial products to do so. It costs money, but most of the telcos have deployed them to comply with law regulations. > Where your email is most easily compromised is on the mail server. > There it sits until you start to pull it down. SSL isn't even a > factor. All SSL does is secure the transmission, not the data at > the end points. So? > In fact, a hacker can pull down your email using SSL to cover their > tracks - and that is usually exactly what they do. It is usually > pretty easily done too, since ALL of the messages are usually in > just one file. They just have to suck down that one file and now > they have ALL of your messages. Now, if the email on the server is > in plain-text, how secure is that? On the other hand, if it is > encrypted with some OpenPGP package like GnuPG with strong > encryption, how secure is that? Pretty darn secure. Against what? Put the recipient in the Guantanamo or equivalent and s/he will divulge all his passwords. And it is all legal. We have a war going, after all. > So, I repeat - SSL is not good enough unless all of your messages don't > convey financial information or anything else important. 95% of the web commerce doesn't agree with that statement (the other 5% doesnt use crypto at all). > If they are important, use GnuPG or other strong end-point > encryption and the only thing you have to watch for now are those > pesky key loggers. But even then if they get your passphrase, they > still need your keyring, but if they have a keylogger working for > them, then they probably have all your GnuPG DB files. Again, you haven't defined the attacker, the threat model, or anything, you just put some out of context statements to support your four legs good two legs bad slogan. It is impossible to answer the question asked in the subject of the thread without defining the type of threat and the resources of the attacker you want to protect against. This was not done even in the form "will my email be secure against the big evil governement?" or "will my email be secure agains my brother's snooping?", so the question of SSL/OpenPGP cannot be answered. A. From gnupg-users at spodhuis.demon.nl Mon Feb 27 10:34:10 2006 From: gnupg-users at spodhuis.demon.nl (Phil Pennock) Date: Mon Feb 27 11:47:59 2006 Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) Message-ID: <20060227093410.GA27800@domus.home.globnix.net> Is this a known issue, fixed in 1.4.3? There's nothing obviously dealing with it in % gpg --version gpg (GnuPG) 1.4.2.1-ecc0.1.6 [...] % gpg --list-sigs 0xC9541FB2 [...] gpg: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 sig 0x2927A28A 2003-01-12 zsh: abort gpg --list-sigs 0xC9541FB2 A selection of other complaints listing signatures on that key: gpg: packet(7) with unknown version 0 gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring gpg: keydb_search failed: invalid keyring gpg: skipped compressed packet in keyring gpg: keydb_get_keyblock failed: eof gpg: [don't know]: indeterminate length for invalid packet type 6 gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring gpg: keydb_search failed: invalid keyring gpg: [don't know]: invalid packet (ctb=03) gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring gpg: keydb_search failed: invalid keyring (also with a few other values of ctb) gpg: packet(14) with unknown version 115 gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring gpg: keydb_search failed: invalid keyring Thanks, -- I am keeping international relations on a peaceable footing. You are biding your time before acting. He is coddling tyrants. -- Roger BW on topic of verb conjugation -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available Url : /pipermail/attachments/20060227/df882672/attachment.pgp From gnupg at raphael.poss.name Mon Feb 27 14:06:57 2006 From: gnupg at raphael.poss.name (=?ISO-8859-15?Q?Rapha=EBl_Poss?=) Date: Mon Feb 27 16:18:24 2006 Subject: Using GnuPG subkeys at two insecure locations Message-ID: <4402F971.1010508@raphael.poss.name> Hi all, I have read Adrian's tutorial at http://fortytwo.ch/gpg/subkeys and related documents, and I am yet unsure how to apply this technique to my situation where I have _two_ "insecure" locations instead of one. You will find below: description of situation, my needs, how I did achieve something using Adrian's technique for my needs, tests, and additional questions. You can jump straight to the end if you are not interested by the details. Here is the situation: - laptop as main personal computer, carried around and therefore not-so-secure, - windows workstation at work, not-so-secure as well, - some other computer in "hidden" place, secure and not connected to the internet. What I would like to: - send encrypted email with the insecure computers, - sign email with both insecure computers, - send encrypted-to-self email from the windows workstation, that can be decrypted on the laptop - sign other keys with the laptop - read encrypted emails sent by other people to me on the laptop - no private encryption key on the windows workstation - have a subkey for "secure" communication attached to my primary key, so that people can send me stuff that can be read only on my secure computer Here is what I did on the secure computer: 1. create a primary DSA key id# 0x5024FAE3 2. create a DSA signing subkey id# 0x66808804 for use on the windows workstation 3. create a DSA signing subkey id# 0xACD488B7 for use on the laptop 4. create an EL-Gamal encryption subkey id# 0xB8838617 for use on the laptop 5. create an El-Gamal encryption subkey id# 0x7FEFD6B8 for use on the secure computer 6. export public keys to file 7. backup everything 8. delete 0xACD488B7 0xB8838617 0x7FEFD6B8 9. export secret subkeys 0x66808804, import them on windows workstation with public keys 10. restore everything 11. mark 0xACD488B7 as able to sign other keys 12. delete 0x66808804 0x7FEFD6B8 13. export secret subkeys 0xACD488B7 0xB8838617, import them on laptop with public keys 14. restore everything Here are the tests I did: - send signed mail and verify them on either insecure computer or 3rd-party with access to only public keys - send encrypted mail with any computer and decrypt it on the laptop - encrypt data using the secure key, decrypt it on the secure computer Here are the tests I did not do yet (as of today, I don't have access to the secure computer): - sign other keys, check signatures, etc. - sign other keys on the laptop without access to the primary key, - test everything with PGP Now, questions: Q1. how do you think other software (PGP, old GPG, ...) behave when they see multiple encryption public subkeys? Q2. will signatures on other keys made with the laptop be recognised by other software? Is there anything I should care for w.r.t trust when I sign keys? Q3. do you think it is better I do not entrust the laptop subkey to sign other keys? For that last question I have to state the difference between the windows workstation and the laptop: the laptop is "more" secure than the workstation. If the laptop is compromised I would know about it immediately, and issue any relevant revocation certificates straight away. Any encrypted data on the laptop is deleted securely after I have decrypted it. The windows workstation is quite secure (read: well-maintained configuration, good IT staff and workplace access control) but could be compromised at any time *by the company* without me knowing it, and data backups including my secret keyring will float around for several years. I will probably revocate company-related keys only when I leave the employment. Or maybe on a yearly basis. I don't know yet. Therefore, any signature made with the laptop before the key is revoked should be trusted (as much as a signature made with the primary key), whereas any signature made with the windows workstation is valid only inside the company. Q4. How can I mark my level of trust for the different subkeys using gnupg? Thanks in advance for any enlightenment, -- Rapha?l Poss -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060227/da012626/signature-0001.pgp From lporter at hdsmith.com Mon Feb 27 16:23:47 2006 From: lporter at hdsmith.com (lporter@hdsmith.com) Date: Mon Feb 27 16:23:12 2006 Subject: Auto Reply to your message ... Message-ID: <43C6973C00045C4B@HDSPRIME.hdsmith.com> ----- The following text is an automated response to your message ----- Hello, I'm on vacation from Monday, February 27 through Friday, March 3. I'll be returning on Monday, March 6. If you need IMMEDIATE URGENT help email helpdesk@hdsmith.com. Please do not use helpdesk@hdsmith.com unless it requires immediate action. I will check my email from time to time. Thanks - Lowell From dshaw at jabberwocky.com Tue Feb 28 05:39:33 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 28 05:39:01 2006 Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) In-Reply-To: <20060227093410.GA27800@domus.home.globnix.net> References: <20060227093410.GA27800@domus.home.globnix.net> Message-ID: <20060228043933.GA20051@jabberwocky.com> On Mon, Feb 27, 2006 at 10:34:10AM +0100, Phil Pennock wrote: > Is this a known issue, fixed in 1.4.3? > There's nothing obviously dealing with it in > > > % gpg --version > gpg (GnuPG) 1.4.2.1-ecc0.1.6 This is a heavily patched GnuPG release. Did you try this on the official version? David From gnupg-users at spodhuis.demon.nl Tue Feb 28 11:13:32 2006 From: gnupg-users at spodhuis.demon.nl (Phil Pennock) Date: Tue Feb 28 11:12:58 2006 Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) In-Reply-To: <20060228043933.GA20051@jabberwocky.com> References: <20060227093410.GA27800@domus.home.globnix.net> <20060228043933.GA20051@jabberwocky.com> Message-ID: <20060228101332.GA25308@domus.home.globnix.net> On 2006-02-27 at 23:39 -0500, David Shaw wrote: > This is a heavily patched GnuPG release. Did you try this on the > official version? I hadn't, since the official version has the mpicoder bug which causes it to abort whilst processing some keys on my keyring; Gentoo pulls in your patch, after I noted this and pointed to it; Taking the official 1.4.2.1 code and applying that patch, things worked; but I then used the Gentoo gpg and things still worked. So I'm now confused. I don't see what's different between the set-up yesterday and today, except that baseline code has run over the keyring; I ran "gpg --update-trustdb" with the Gentoo version and the problem is still absent. Okay, thanks. -- I am keeping international relations on a peaceable footing. You are biding your time before acting. He is coddling tyrants. -- Roger BW on topic of verb conjugation From sbt at megacceso.com Tue Feb 28 13:07:00 2006 From: sbt at megacceso.com (sbt@megacceso.com) Date: Tue Feb 28 16:47:57 2006 Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) In-Reply-To: <20060228101332.GA25308@domus.home.globnix.net> References: <20060227093410.GA27800@domus.home.globnix.net> <20060228043933.GA20051@jabberwocky.com> <20060228101332.GA25308@domus.home.globnix.net> Message-ID: <200602281307.00624.sbt@megacceso.com> A Dimarts 28 Febrer 2006 11:13, Phil Pennock va escriure: > On 2006-02-27 at 23:39 -0500, David Shaw wrote: > > This is a heavily patched GnuPG release. Did you try this on the > > official version? > > I hadn't, since the official version has the mpicoder bug which causes > it to abort whilst processing some keys on my keyring; Gentoo pulls in > your patch, after I noted this and pointed to it; > > > 1.4.2-mpicoder.patch> Ok, now it works, but can you send me any information that could be interesting? For example how you create the 0xC9541FB2, is it over finite fields o elliptics? Length, and this characteristics. Or what operations you did with patched gpg. Over a patched gpg, could you have problems finite fields that you haven't on the official version. I could broke something (for sure accidentally) in the patch... Maybe the patch hurt the key ring. /Sergi. > > Taking the official 1.4.2.1 code and applying that patch, things worked; > but I then used the Gentoo gpg and things still worked. So I'm now > confused. I don't see what's different between the set-up yesterday and > today, except that baseline code has run over the keyring; I ran "gpg > --update-trustdb" with the Gentoo version and the problem is still > absent. > > Okay, thanks. From dshaw at jabberwocky.com Tue Feb 28 20:21:36 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 28 20:21:03 2006 Subject: Using GnuPG subkeys at two insecure locations In-Reply-To: <4402F971.1010508@raphael.poss.name> References: <4402F971.1010508@raphael.poss.name> Message-ID: <20060228192136.GA21871@jabberwocky.com> On Mon, Feb 27, 2006 at 02:06:57PM +0100, Rapha?l Poss wrote: > Q1. how do you think other software (PGP, old GPG, ...) behave when they > see multiple encryption public subkeys? Unless it's really old PGP (say, PGP 5.0 era) it'll work fine. > Q2. will signatures on other keys made with the laptop be recognised by > other software? Is there anything I should care for w.r.t trust when I > sign keys? > > Q3. do you think it is better I do not entrust the laptop subkey to sign > other keys? > > For that last question I have to state the difference between the > windows workstation and the laptop: the laptop is "more" secure than the > workstation. If the laptop is compromised I would know about it > immediately, and issue any relevant revocation certificates straight > away. Any encrypted data on the laptop is deleted securely after I have > decrypted it. All this is somewhat moot, as you cannot make key signatures with a subkey. > Q4. How can I mark my level of trust for the different subkeys using gnupg? You can't. The concept of trust is a whole-key concept. David From marji22 at yahoo.com Tue Feb 28 23:41:59 2006 From: marji22 at yahoo.com (CHRISTINA MARJI) Date: Wed Mar 1 01:17:56 2006 Subject: Gnupg make error Message-ID: <20060228224159.50556.qmail@web31103.mail.mud.yahoo.com> Hi, I have downloaded gnupg 1.4.2.1 source code from gnupg.org. I get the following errors when I run the make utility: make[1]: Entering directory `/home/tina/gnupg-1.4.2.1/checks' ../g10/gpg --homedir . --quiet --yes --no-permission-warning --import ./pubdemo. asc gpg: mpi larger than indicated length (124 bytes) gpg: read_block: read error: invalid packet gpg: no valid OpenPGP data found. gpg: import from `./pubdemo.asc' failed: invalid keyring make[1]: *** [prepared.stamp] Error 2 make[1]: Leaving directory `/home/tina/gnupg-1.4.2.1/checks' make: *** [check-recursive] Error 1 Can someone help me regarding this matter. Thank you Christina Michael __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From sergi at calcurco.org Tue Feb 28 08:58:55 2006 From: sergi at calcurco.org (Sergi Blanch i =?iso-8859-1?q?Torn=E9?=) Date: Thu Mar 2 10:38:49 2006 Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs) In-Reply-To: <20060228043933.GA20051@jabberwocky.com> References: <20060227093410.GA27800@domus.home.globnix.net> <20060228043933.GA20051@jabberwocky.com> Message-ID: <200602280858.56262.sergi@calcurco.org> A Dimarts 28 Febrer 2006 05:39, David Shaw va escriure: > On Mon, Feb 27, 2006 at 10:34:10AM +0100, Phil Pennock wrote: > > Is this a known issue, fixed in 1.4.3? > > There's nothing obviously dealing with it in > > > > >4003&view=markup> > > > > % gpg --version > > gpg (GnuPG) 1.4.2.1-ecc0.1.6 > > This is a heavily patched GnuPG release. Did you try this on the > official version? Please Phil, could you send more details to reproduce the bug? Like key generation, and specially if this 0xC9541FB2 key is over elliptics. In anyway, neither in ElGamal/DSA key over a patched gpg you can forget this is experimental. /Sergi. From karl at freefriends.org Tue Feb 28 19:46:29 2006 From: karl at freefriends.org (Karl Berry) Date: Thu Mar 2 10:38:58 2006 Subject: eudora, windows xp, and gpg Message-ID: <200602281846.k1SIkTS02644@f7.net> Greetings, A colleague is stuck using Windows (XP), and prefers Eudora (she has version 6.2.3.4, which I believe is the latest) to read mail. She only needs to decrypt occasional gpg/pgp-signed messages. Any advice on the easiest way to do this would be gratefully received. I found the Eudora plugin as part of the Windows Privacy Tools at http://winpt.sourceforge.net/en/, but the last release was apparently in 2003, which somewhat worries me with such a new version of Eudora. And the "tray" idea worries me. We don't need or want any UI or any screen real estate to be used; all that's needed is email decryption. I'd rather use GPG, but I also looked for PGP versions, and was rather dismayed at the array of products out there. Pretty much all of them claim to work with Eudora and XP, but it is hard to know which "really" work, without messing up anything else, etc. If anyone has any experiences on that front, I'd be grateful to hear those as well. Thanks, Karl From marcus.brinkmann at ruhr-uni-bochum.de Wed Feb 22 13:11:54 2006 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri Mar 3 11:13:45 2006 Subject: [Announce] GPGME 1.1.1 released Message-ID: <87y8031tkl.wl%marcus.brinkmann@ruhr-uni-bochum.de> We are pleased to announce version 1.1.1 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 860 KB/663 KB compressed) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.gz ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.bz2 The following files are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.bz2.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.0-1.1.1.diff.gz It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should be sent to: gnupg-devel@gnupg.org The sha1sum checksums for this distibution are 9db9b31fe83c2d37572995ca9857971f02d0a3dd gpgme-1.1.0-1.1.1.diff.gz 0cc2de4258897b5ef2b2750e652f608d56cdd282 gpgme-1.1.1.tar.bz2 899ca06e739a317a175b6217b56051d912530f3e gpgme-1.1.1.tar.bz2.sig bb93fb4414f1e4790b7af035a3e7abc64805d68c gpgme-1.1.1.tar.gz 7b70ae11584b5e8f814532a832477e3fba226c5e gpgme-1.1.1.tar.gz.sig Noteworthy changes in version 1.1.1 (2006-02-22) ------------------------------------------------ * Fixed a bug in that the fingerprints of subkeys are not available. * Clarified usage of the SECRET flag in key listings. It is now reset for stub keys. * Reading signature notations and policy URLs on key signatures is supported. They can be found in the new field notations of the gpgme_key_sig_t structure. This has to be enabled with the keylist mode flag GPGME_KEYLIST_MODE_SIG_NOTATIONS. * A new gpgme_free() function solves the problem of using different allocators in a single program. This function should now be used instead calling free() to release the buffer returned by gpgme_data_release_and_get_mem. It is recommended that you always do this, but it is only necessary on certain platforms, so backwards compatibility is provided. In other words: If free() worked for you before, it will keep working. * New status codes GPGME_PKA_TRUST_GOOD and GPGME_PKA_TRUST_BAD. They are analyzed by the verify handlers and made available in the new PKA_TRUST and PKA_ADDRESS fields of the signature result structure. * Interface changes relative to the 1.1.0 release: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gpgme_key_sig_t EXTENDED: New field notations. GPGME_KEYLIST_MODE_SIG_NOTATIONS NEW gpgme_free NEW GPGME_STATUS_PKA_TRUST_BAD NEW GPGME_STATUS_PKA_TRUST_GOOD NEW gpgme_signature_t EXTENDED: New field pka_trust. gpgme_signature_t EXTENDED: New field pka_address. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Marcus Brinkmann mb@g10code.de _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce