From vedaal at hush.com Thu Feb 1 17:30:50 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 01 Feb 2007 11:30:50 -0500
Subject: explain nrsign & lsign?
Message-ID: <20070201163148.3B39422840@mailserver9.hushmail.com>

David Shaw dshaw at jabberwocky.com
Wed Jan 31 22:19:33 CET 2007 wrote:

> Indeed. It is also possible that the keyservers aren't being targeted
>specifically as keyservers, but rather that people have links to
>keyserver searches out there, and the spammers are just using a
>crawler that happens to follow that link.

fwiw,
i have two e-mail addresses in my 'real name'
(one at hushmail, and one at a private address)
and have a key on the pgp global keyserver with the primary address
as the private address, and the hushmail address as a secondary id,
and have sent it to gpg keyservers as well

have not received _any_ spam in the more than 2 years that the key
has been uploaded,
maybe because those e-mail addresses are not part of any mailing
lists, are not on any webpages or usenet posts, and are used only
for formal work-related correspondence,

in contrast, have tons of spam at the vedaal address ;-(

vedaal

From randy at randyburns.us Thu Feb 1 18:43:52 2007
From: randy at randyburns.us (Randy Burns)
Date: Thu, 1 Feb 2007 09:43:52 -0800 (PST)
Subject: explain nrsign & lsign?
In-Reply-To: <20070131211933.GD27765@jabberwocky.com>
Message-ID: <17568.57261.qm@web50906.mail.yahoo.com>

--- David Shaw wrote:

> On Mon, Jan 29, 2007 at 05:20:20PM +0100, Werner Koch wrote:
> > On Mon, 29 Jan 2007 16:22, dshaw at jabberwocky.com said:
> >
> > > etc. Nowadays, many spammers aren't using their own bandwidth or CPU.
> > > So why *not* hit the keyservers? It costs them essentially nothing.
> >
> > OTOH, addresses taken from the addressbook as available on the host
> > (== zombie Windows PC) are much more effective than harvesting the web
> > or keyservers. These local addresses are more certain to actually be
> > used and even better: the recipient of the spam knows the sender.
>
> Indeed. It is also possible that the keyservers aren't being targeted
> specifically as keyservers, but rather that people have links to
> keyserver searches out there, and the spammers are just using a
> crawler that happens to follow that link. Some keyservers don't
> obfuscate their search results.
>
> David
>

Something to think about when organizing a keysigning too. Avoid putting a
participant list on a webpage. Just a keyring maybe.

Randy

From wk at gnupg.org Thu Feb 1 20:14:20 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Feb 2007 20:14:20 +0100
Subject: New command line language parameter
In-Reply-To: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> (Juan Marugán's message of "Tue\, 30 Jan 2007 10\:52\:26 +0100")
References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es>
Message-ID: <87ps8tu1v7.fsf@wheatstone.g10code.de>

On Tue, 30 Jan 2007 10:52, jmarugan at alumnos.upm.es said:

> ---Beginning of .bat file ---------------------------------
> @echo off
> cls
> echo Verifying...
> %1\gpg.exe --homedir %2 --langfile %1\gnupg.nls\es.mo --verify %3
> ---End of .bat file ---------------------------------------

You may already use

---Beginning of .bat file ---------------------------------
@echo off
cls
echo Verifying...
set LANG=%1
gpg.exe --homedir %2 --verify %3
---End of .bat file ---------------------------------------

If you just care about the language. For Spanish es_ES should be the
right argument.

I have not looked at the other issues but setting --homedir should be
enough to go without the defaults from the registry.
Shalom-Salam,

   Werner

From schneecrash+gnupg-users at gmail.com Thu Feb 1 20:23:58 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 1 Feb 2007 11:23:58 -0800
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
Message-ID: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>

if i've added a designated revoker to a key, WITH the 'sensitive' flag.

am i correct that:

(1) the 'sensitive' flag prevents the *export* of the add'l/designated
revoker's key
(2) the keyservers still learn/know that there IS a designated
revoker, AND its KeyID/UID

?

thanks.

From dshaw at jabberwocky.com Thu Feb 1 21:04:27 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 15:04:27 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com>
Message-ID: <20070201200427.GC23780@jabberwocky.com>

On Thu, Feb 01, 2007 at 11:23:58AM -0800, snowcrash+gnupg-users wrote:
> if i've added a designated revoker to a key, WITH the 'sensitive' flag.
>
> am i correct that:
>
> (1) the 'sensitive' flag prevents the *export* of the add'l/designated
> revoker's key
> (2) the keyservers still learn/know that there IS a designated
> revoker, AND its KeyID/UID

Not exactly. When exporting a key that has a sensitive designated
revoker set, the key is exported, but the designated revoker
information is not included. Anyone looking at the key from the
outside cannot tell the difference between this state, and no
designated revoker set at all. However, if the designated revoker has
in fact revoked the key, then the designated revoker information IS
included, along with the revocation.
The idea behind this is that the relationship between the designated
revoker and the key owner is sensitive, and so we must not reveal the
identity of the designated revoker until we absolutely must (i.e. when
they actually revoke the key).

Note that there is an option "export-sensitive-revkeys" which tells
GPG to export the designated revoker information even if the key isn't
revoked. This essentially pretends that the "sensitive" flag is not
set. Under normal circumstances, you don't want to do this.

David

From schneecrash+gnupg-users at gmail.com Thu Feb 1 21:12:14 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 1 Feb 2007 12:12:14 -0800
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201200427.GC23780@jabberwocky.com>
References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com> <20070201200427.GC23780@jabberwocky.com>
Message-ID: <70f41ba20702011212r5d05e880uab9c48edea46ec44@mail.gmail.com>

> When exporting a key that has a sensitive designated
> revoker set, the key is exported, but the designated revoker
> information is not included. Anyone looking at the key from the
> outside cannot tell the difference between this state, and no
> designated revoker set at all. However, if the designated revoker has
> in fact revoked the key, then the designated revoker information IS
> included, along with the revocation.
>
> The idea behind this is that the relationship between the designated
> revoker and the key owner is sensitive, and so we must not reveal the
> identity of the designated revoker until we absolutely must (i.e. when
> they actually revoke the key).

that, actually, is what i was hoping to hear/learn. :-)

thanks for the clarification!

From vedaal at hush.com Thu Feb 1 21:21:02 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 01 Feb 2007 15:21:02 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
Message-ID: <20070201202103.453D2DA834@mailserver7.hushmail.com>

David Shaw dshaw at jabberwocky.com wrote on
Thu Feb 1 21:04:27 CET 2007

>The idea behind this is that the relationship
>between the designated revoker and the key owner is sensitive,
> and so we must not reveal the identity of the designated revoker
>until we absolutely must
>(i.e. when they actually revoke the key).

why must the identity be revealed at all,
if the key-owner who designated the revoker doesn't want it to be?

it doesn't add to the security to know who revoked it,
(whoever it was, it was someone the 'key-owner' decided it should be)
it only compromises the revoker and/or key owner,
as the revoker may become a target to revoke the original
key-owner's replacement key

(n.b.
not a big deal,
just curious as to why it was done this way

there is a very simple workaround for anyone uncomfortable with it:

the designated revoker doesn't have to be a 'person',
it just has to be another 'key'
which can have a fictitious name,
and given to the person who is trusted to do the revoking when
necessary)

vedaal

From dshaw at jabberwocky.com Thu Feb 1 21:37:25 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 15:37:25 -0500
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com>
References: <20070201202103.453D2DA834@mailserver7.hushmail.com>
Message-ID: <20070201203725.GD23780@jabberwocky.com>

On Thu, Feb 01, 2007 at 03:21:02PM -0500, vedaal at hush.com wrote:
> David Shaw dshaw at jabberwocky.com wrote on
> Thu Feb 1 21:04:27 CET 2007
>
> >The idea behind this is that the relationship
> >between the designated revoker and the key owner is sensitive,
> > and so we must not reveal the identity of the designated revoker
> >until we absolutely must
> >(i.e. when they actually revoke the key).
>
>
> why must the identity be revealed at all,
> if the key-owner who designated the revoker doesn't want it to be?

Any anonymous revoker could not do their job as we wouldn't know
whether to ignore the revocation or not. For example, say you
designated me as your revoker. If my identity is kept secret, even
after I issued a revocation, how could someone coming across that
revocation know that they should accept it?

David

From dshaw at jabberwocky.com Thu Feb 1 22:39:34 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 Feb 2007 16:39:34 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <17568.57261.qm@web50906.mail.yahoo.com>
References: <20070131211933.GD27765@jabberwocky.com> <17568.57261.qm@web50906.mail.yahoo.com>
Message-ID: <20070201213934.GE23780@jabberwocky.com>

On Thu, Feb 01, 2007 at 09:43:52AM -0800, Randy Burns wrote:

> > > OTOH, addresses taken from the addressbook as available on the host
> > > (== zombie Windows PC) are much more effective than harvesting the web
> > > or keyservers. These local addresses are more certain to actually be
> > > used and even better: the recipient of the spam knows the sender.
> >
> > Indeed. It is also possible that the keyservers aren't being targeted
> > specifically as keyservers, but rather that people have links to
> > keyserver searches out there, and the spammers are just using a
> > crawler that happens to follow that link.
> > Some keyservers don't
> > obfuscate their search results.
>
> Something to think about when organizing a keysigning too. Avoid putting a
> participant list on a webpage. Just a keyring maybe.

Good point. I like the service that biglumber provides for
keysignings. It nicely automates a lot of the bookkeeping, tracks the
participant list, etc. It also makes the information spam-unfriendly.

David

From atom at smasher.org Thu Feb 1 23:14:22 2007
From: atom at smasher.org (Atom Smasher)
Date: Thu, 1 Feb 2007 17:14:22 -0500 (EST)
Subject: 'sensitive' designated revoker -- are the keyservers still aware?
In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com>
References: <20070201202103.453D2DA834@mailserver7.hushmail.com>
Message-ID: <20070201221423.96884.qmail@smasher.org>

On Thu, 1 Feb 2007, vedaal at hush.com wrote:

> why must the identity be revealed at all, if the key-owner who
> designated the revoker doesn't want it to be?
>
> it doesn't add to the security to know who revoked it, (whoever it was,
> it was someone the 'key-owner' decided it should be) it only compromises
> the revoker and/or key owner, as the revoker may become a target to
> revoke the original key-owner's replacement key
============================

if that's a concern...

bob wants to designate alice as a revoker, but bob [or alice] doesn't want
to reveal that alice is the designated revoker, even if his key is
revoked.

the solution is for bob to generate a revocation certificate, encrypt it
to alice, and send it to alice with instructions about if/when to publish
it.

this basically serves the same purpose, but doesn't necessarily reveal
that alice was the designated revoker.

a variation could break the revocation certificate into shares, requiring
any number of "secret revokers" to assemble the revocation certificate.
--
        ...atom

 ________________________
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "They tell us that we live in a great free republic; that
         our institutions are democratic; that we are a free and
         self-governing people. That is too much, even for a joke.
         Wars throughout history have been waged for conquest and
         plunder. And that is war in a nutshell. The master class
         has always declared the wars; the subject class has always
         fought the battles."
                -- Eugene V. Debs, 1918

From wk at gnupg.org Fri Feb 2 10:14:16 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 10:14:16 +0100
Subject: [Announce] Libgcrypt 1.2.4 released
Message-ID: <87wt30syzb.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of Libgcrypt 1.2.4.

Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on the code used in GnuPG.

This is a bug fix release solving a few minor issues. There are no
new features. If you experience problems with an application using
libgcrypt, you might want to update to this version.

Noteworthy changes are:

 * Fixed a bug in the memory allocator which could have been the
   reason for some non-duplicable bugs.

 * Other minor bug fixes.

Source code is hosted at the GnuPG FTP server and its mirrors as
listed at http://www.gnupg.org/download/mirrors.html . On the primary
server the source files and their digital signatures are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2 (781k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2.sig

These files are bzip2 compressed.
If you can't use the bunzip2 tool, gzip
compressed versions of the files are also available:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz (990k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz.sig

As an alternative a patch against version 1.2.3 is available as:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.3-1.2.4.diff.bz2 (87k)

SHA-1 checksums are:

c72406c69d6ad9fb3fa1e9824b04566cf204093b  libgcrypt-1.2.4.tar.bz2
d279e7a4464cccf0cc4e29c374a1e8325fc65b9a  libgcrypt-1.2.4.tar.gz
d4f5525fa26e92ade2914c6581435171f8b4fc44  libgcrypt-1.2.3-1.2.4.diff.bz2

For help on installing or developing with Libgcrypt you should send
mail to the gcrypt-devel mailing list. For details see
http://www.gnupg.org/documentation/mailing-lists.html .

Improving Libgcrypt is costly, but you can help! We are looking for
organizations that find Libgcrypt useful and wish to contribute back.
You can contribute by reporting bugs, improving the software [1], or by
donating money.

Commercial support contracts for Libgcrypt are available [2], and
they help finance continued maintenance. g10 Code GmbH, a Duesseldorf
based company owned and headed by gpg's principal author, is currently
funding Libgcrypt development. We are always looking for interesting
development projects.

Happy hacking,

   Werner

[1] As a GNU project copyright assignments to the FSF are required.
[2] See the service directory at http://www.gnupg.org/service.html .

--
Werner Koch
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Fri Feb 2 10:36:55 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 10:36:55 +0100
Subject: [Announce] GnuPG 2.0.2 released
Message-ID: <87sldosxxk.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.2

This is a maintenance release to fix build problems found after the
release of 2.0.1. There are also some minor enhancements.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography. It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.6) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time. We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License
(GPL). GnuPG-2 works best on GNU/Linux or *BSD systems.
Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 2.0.2 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-2.0.2.tar.bz2 (3.8M)
  gnupg-2.0.2.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.1-2.0.2.diff.bz2 (53k)

      A patch file to upgrade a 2.0.1 GnuPG source.

Note, that we don't distribute gzip compressed tarballs.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-2.0.2.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.2.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key
   5B0358A2. If you get a key expired message, you should retrieve a
   fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum.
   Assuming you downloaded the file
   gnupg-2.0.2.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.2.tar.bz2

   and check that the output matches the first line from the
   following list:

1a3165c5b601f3244b8885143d02bea4210495e3  gnupg-2.0.2.tar.bz2
1d42f46ae2c0d00b56be34bcd95fff51b77163a6  gnupg-2.0.1-2.0.2.diff.bz2

What's New
===========

 * Fixed a serious and exploitable bug in processing encrypted
   packages. [CVE-2006-6235]. Note, that a patch was distributed
   along with the first report of that bug.

 * Added --passphrase-repeat to set the number of times GPG will
   prompt for a new passphrase to be repeated. This is useful to help
   memorize a new passphrase. The default is 1 repetition.

 * Using a PIN pad does now also work for the signing key.

 * A warning is displayed by gpg-agent if a new passphrase is too
   short. New option --min-passphrase-len defaults to 8.

 * The status code BEGIN_SIGNING now shows the used hash algorithms.

Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and
changed strings most translations are not entirely complete. The
Swedish, Turkish, German and Russian translations should be complete.

Documentation
=============

We are currently working on an installation guide to explain in more
detail how to configure the new features. As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing. Please watch the GnuPG website for updates of the
documentation. In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advice on how to
solve problems. Many of the new features are around for several years
and thus enough public knowledge is already available.

KDE's KMail is the most prominent user of GnuPG. In fact it has been
developed along with the Kmail folks.
Mutt users might want to use the
configure option "--enable-gpgme" and "set use_crypt_gpgme" in
~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a
reworked OpenPGP support.

Support
=======

Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or by donating
money.

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.

A service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.

Happy Hacking,

  The GnuPG Team (David, Marcus, Werner and all other contributors)

--
Werner Koch
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

From r.post at sara.nl Fri Feb 2 11:15:00 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 02 Feb 2007 11:15:00 +0100
Subject: smartcard and ssh
Message-ID: <45C30F24.2030708@sara.nl>

Hi All,

just recently I've installed ubuntu 6.10 on my desktop. This comes with
gpg-agent 1.9.21.
I've set the agent with ssh support, and it quite nicely manages my ssh
dsa key, but for some reason ssh-add -l does not show my smartcard rsa
key while gpg --card-status does work (as does signing e-mail with my
smartcard).

Anybody any hint on what might be wrong?

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                       http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

From wk at gnupg.org Fri Feb 2 13:23:40 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 13:23:40 +0100
Subject: smartcard and ssh
In-Reply-To: <45C30F24.2030708@sara.nl> (Remco Post's message of "Fri\, 02 Feb 2007 11\:15\:00 +0100")
References: <45C30F24.2030708@sara.nl>
Message-ID: <87k5z0px2r.fsf@wheatstone.g10code.de>

On Fri, 2 Feb 2007 11:15, r.post at sara.nl said:

> I've set the agent with ssh support, and it quite nicely manages my ssh
> dsa key, but for some reason ssh-add -l does not show my smartcard rsa
> key while gpg --card-status does work (as does signing e-mail with my
> smartcard).

Do you have scdaemon installed? If so, you should put

  verbose
  debug 1024
  debug 2048
  log-file /home/foo/scdaemon.log

into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make
sure that it really got killed. Then do an "ssh-add -l" again and
watch the log file.

Note, that gpg-agent starts scdaemon and restarts it if it has crashed.
Shalom-Salam,

   Werner

From shavital at mac.com Fri Feb 2 13:33:29 2007
From: shavital at mac.com (Charly Avital)
Date: Fri, 02 Feb 2007 07:33:29 -0500
Subject: [Announce] GnuPG 2.0.2 released
In-Reply-To: <87sldosxxk.fsf@wheatstone.g10code.de>
References: <87sldosxxk.fsf@wheatstone.g10code.de>
Message-ID: <45C32F99.5090408@mac.com>

Werner Koch wrote the following on 2/2/07 4:36 AM:
| Hello!
|
| We are pleased to announce the availability of a new stable GnuPG-2
| release: Version 2.0.2
[...]
| Thanks
| ======
|
| We have to thank all the people who helped with this release, be it
| testing, coding, translating, suggesting, auditing, administering the
| servers, spreading the word or answering questions on the mailing
| lists.
|
|
| Happy Hacking,
|
| The GnuPG Team (David, Marcus, Werner and all other contributors)

GnuPG v2.0.2 has been configured as follows:

~ Platform: Darwin (powerpc-apple-darwin8.8.0)
~ OpenPGP: yes
~ S/MIME: yes
~ Agent: yes
~ Smartcard: yes
~ Protect tool: (default)
~ Default agent: (default)
~ Default pinentry: (default)
~ Default scdaemon: (default)
~ Default dirmngr: (default)
~ PKITS based tests: no

All seems to be working fine.

Shall try later (much later) for Mac Intel Core Duo.

Thank you David, Marcus, Werner, all other contributors and Ben Donnachie.

Charly
KeyOnCard at:

From r.post at sara.nl Fri Feb 2 14:00:23 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 02 Feb 2007 14:00:23 +0100
Subject: smartcard and ssh
In-Reply-To: <87k5z0px2r.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de>
Message-ID: <45C335E7.8060102@sara.nl>

Werner Koch wrote:
> On Fri, 2 Feb 2007 11:15, r.post at sara.nl said:
>
>> I've set the agent with ssh support, and it quite nicely manages my ssh
>> dsa key, but for some reason ssh-add -l does not show my smartcard rsa
>> key while gpg --card-status does work (as does signing e-mail with my
>> smartcard).
>
> Do you have scdaemon installed? If so, you should put
>

nope, I didn't. I tried installing it (as part of the gpgsm package) but
the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(

> verbose
> debug 1024
> debug 2048
> log-file /home/foo/scdaemon.log
>
> into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make
> sure that it really got killed. Then do an "ssh-add -l" again and
> watch the log file.
>

The log-file:

2007-02-02 13:41:20 scdaemon[5733] can't run PC/SC access module `/usr/lib/gnupg/pcsc-wrapper': No such file or directory
scdaemon[5733.0x8096340] DBG: -> ERR 100663404 Card error
scdaemon[5733.0x8096340] DBG: <- RESTART
scdaemon[5733.0x8096340] DBG: -> OK

> Note, that gpg-agent starts scdaemon and restarts it if it has crashed.
>
>
>
> Shalom-Salam,
>
> Werner
>

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                       http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

From sravan at atc.tcs.com Fri Feb 2 13:33:11 2007
From: sravan at atc.tcs.com (Sravan)
Date: Fri, 02 Feb 2007 18:03:11 +0530
Subject: doubt in clear text signing
Message-ID: <45C32F87.8020403@atc.tcs.com>

Dear All,

I have a question related to clear signing. As per the standard (rfc
2440), a signature of type 'Canonical text document' should be generated
after removing any trailing spaces and making the line endings as '\r \n'.
Is this the case with clear text signatures generated by gpg?

Also, when i generate a signature (actually, i am signing and encrypting)
for some data that doesn't contain a newline at the end, gpg inserts one
at the end.
Will this last new line be considered a part of the signed data?
Regards,
Sravan

From wk at gnupg.org Fri Feb 2 14:51:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 14:51:02 +0100
Subject: doubt in clear text signing
In-Reply-To: <45C32F87.8020403@atc.tcs.com> (sravan@atc.tcs.com's message of "Fri\, 02 Feb 2007 18\:03\:11 +0530")
References: <45C32F87.8020403@atc.tcs.com>
Message-ID: <8764akoegp.fsf@wheatstone.g10code.de>

On Fri, 2 Feb 2007 13:33, sravan at atc.tcs.com said:

> I have a question related to clear signing. As per the standard (rfc
> 2440), a signature of type 'Canonical text document' should be generated
> after removing any trailing spaces and making the line endings as '\r \n'.
> Is this the case with clear text signatures generated by gpg?

Yes, we don't include trailing ASCII spaces, tabs, CR and the LF when
calculating the hash of a clear signed message. The constant string of
a CR and a LF is then hashed.

Note, that this is different from regular signatures created in
textmode - the story behind them is more complicated.

> Also, when i generate a signature (actually, i am signing and encrypting)
> for some data that doesn't contain a newline at the end, gpg inserts one
> at the end.
> Will this last new line be considered a part of the signed data?

No the last line feed is not part of the signature. See the code in
g10/textfilter.c. To avoid interpretation problems gpg always adds a
linefeed to a message which does not end in one.

A clear signed message is intended for human consumption and should
not be used if you need to be sure that the verbatim text gets signed.
Salam-Shalom,

   Werner

From wk at gnupg.org Fri Feb 2 21:44:38 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2007 21:44:38 +0100
Subject: smartcard and ssh
In-Reply-To: <45C335E7.8060102@sara.nl> (Remco Post's message of "Fri\, 02 Feb 2007 14\:00\:23 +0100")
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl>
Message-ID: <87veikjnm1.fsf@wheatstone.g10code.de>

On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:

> nope, I didn't. I tried installing it (as part of the gpgsm package) but
> the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(

If you have a USB reader, try using the internal ccid-driver. You
need to stop the pcscd first. You may test it with the plain gpg - it
will also use the ccid-driver (--debug-ccid-driver helps to detect
problems). Make sure that the usbfs is loaded and that the
permissions are correct. The smart card howto at www.gnupg.org should
be helpful.

Shalom-Salam,

   Werner

From alon.barlev at gmail.com Fri Feb 2 22:54:52 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 2 Feb 2007 23:54:52 +0200
Subject: smartcard and ssh
In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0702021354j3afb4ba3x1b41a35ad9824833@mail.gmail.com>

On 2/2/07, Werner Koch wrote:
> On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:
>
> > nope, I didn't. I tried installing it (as part of the gpgsm package) but
> > the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
>
> If you have a USB reader, try using the internal ccid-driver. You
> need to stop the pcscd first. You may test it with the plain gpg - it
> will also use the ccid-driver (--debug-ccid-driver helps to detect
> problems). Make sure that the usbfs is loaded and that the
> permissions are correct.
> The smart card howto at www.gnupg.org
> should be helpful.

Or if your smartcard supports PKCS#11 interface you can use the
gnupg-pkcs11-scd from http://gnupg-pkcs11.sourceforge.net and OpenSSH
PKCS#11 from http://alon.barlev.googlepages.com/openssh-pkcs11, this
way you can use your smartcard with many applications at the same time
without stopping any interface or making the card locked by one of
them.

Best Regards,
Alon Bar-Lev.

From marcus.brinkmann at ruhr-uni-bochum.de Sat Feb 3 16:42:40 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Sat, 03 Feb 2007 16:42:40 +0100
Subject: [Announce] GPGME 1.1.3 released
Message-ID: <878xff5jtb.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.1.3 of GnuPG Made Easy,
a library designed to make access to GnuPG easier for applications.
It may be found in the file (about 897 KB/690 KB compressed)

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2

The following files are also available:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2-1.1.3.diff.gz

It should soon appear on the mirrors listed at:

  http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:

  gnupg-devel at gnupg.org

The sha1sum checksums for this distribution are

bf88701162d09a1bfacf72594fc32f374144158c  gpgme-1.1.2-1.1.3.diff.gz
e416854cb41a2e8b92a148ed17d2f2b97eeeba4a  gpgme-1.1.3.tar.bz2
c41ca6df0b32281135ed95623dd5f8c0789b5671  gpgme-1.1.3.tar.bz2.sig
98ed8563da4870e3dd2d922e96983bf6a3e7cfb1  gpgme-1.1.3.tar.gz
303f46a7dfcf3581d2e6bad984d909e4f9359af1  gpgme-1.1.3.tar.gz.sig

Noteworthy changes in version 1.1.3 (2007-01-29)
------------------------------------------------

 * Fixed a memory leak in gpgme_data_release_and_get_mem.

 * Fixed a bug in Windows command line quoting.

Marcus Brinkmann
mb at g10code.de

--
g10 Code GmbH         http://g10code.com        AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                                   Geschäftsführung Werner Koch
D-40699 Erkrath    -=- The GnuPG Experts -=-    USt-Id DE215605608

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From j.lysdal at gmail.com Sun Feb 4 21:49:43 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Sun, 04 Feb 2007 21:49:43 +0100
Subject: openpgp card
Message-ID: <45C646E7.9060403@gmail.com>

On the back of my openpgp card, it says that it has
"Private data storage" What is this storage? and can i use
it to store anything?

--
Jørgen Ch. Lysdal

From wk at gnupg.org Sun Feb 4 22:08:10 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 04 Feb 2007 22:08:10 +0100
Subject: openpgp card
In-Reply-To: <45C646E7.9060403@gmail.com> (Jørgen Lysdal's message of "Sun\, 04 Feb 2007 21\:49\:43 +0100")
References: <45C646E7.9060403@gmail.com>
Message-ID: <87sldltyv9.fsf@wheatstone.g10code.de>

On Sun, 4 Feb 2007 21:49, j.lysdal at gmail.com said:

> On the back of my openpgp card, it says that it has
> "Private data storage" What is this storage? and can i use
> it to store anything?

While in the gpg --card-edit menu, optionally enter "admin" and then
"privatedo" to change the 4 private DO fields. See the specs for the
required permissions of the read/write the fields.

Shalom-Salam,

   Werner

From j.lysdal at gmail.com Sun Feb 4 23:19:35 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Sun, 04 Feb 2007 23:19:35 +0100
Subject: openpgp card
In-Reply-To: <87sldltyv9.fsf@wheatstone.g10code.de>
References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de>
Message-ID: <45C65BF7.8050208@gmail.com>

Werner Koch wrote:
> While in the gpg --card-edit menu, optionally enter "admin" and then
> "privatedo" to change the 4 private DO fields. See the specs for the
> required permissions of the read/write the fields.

Thanks for the hint. What i was interested in was if i could upload a
file to the card and then retrieve it later.

It appears i can't do that, anyway, i need at least 1600 bytes storage.

--
Jørgen Ch. Lysdal

From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 03:08:54 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Sun, 04 Feb 2007 20:08:54 -0600
Subject: GPG fails to verify clamav
Message-ID: <45C691B6.60202@yahoo.com.au>

I downloaded clamav 0.90rc3 from
http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125

I want to verify the integrity of the downloaded file. When I do

  gpg --keyserver random.sks.keyserver.penguin.de --verify clamav-0.90rc3.tar.gz.sig

it fails, saying this:

> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
> gpg: Can't check signature: public key not found

René Berber, in message , says that my GPG installation is broken.

Can anyone tell me how I can fix it?

Thanks in advance.

P.S. I also tried using the protocol name in front of the keyserver
address (hkp://). It didn't work.

--
Send instant messages to your online friends http://au.messenger.yahoo.com

From tmz at pobox.com Mon Feb 5 06:19:44 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 5 Feb 2007 00:19:44 -0500
Subject: GPG fails to verify clamav
In-Reply-To: <45C691B6.60202@yahoo.com.au>
References: <45C691B6.60202@yahoo.com.au>
Message-ID: <20070205051944.GE2362@psilocybe.teonanacatl.org>

Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>
> I want to verify the integrity of the downloaded file. When I do
>
> gpg --keyserver random.sks.keyserver.penguin.de --verify
> clamav-0.90rc3.tar.gz.sig
>
> it fails, saying this:
>
>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>> gpg: Can't check signature: public key not found
>
> René Berber, in message
>
> , says that my GPG installation is broken.
>
> Can anyone tell me how I can fix it?

I think that the problem may be that you don't have the key on your
keyring already and you don't have the auto-key-retrieve keyserver
option enabled (it's not enabled by default). You can either enable
that option or import the key before verifying the signature (via a
keyserver webpage or using gpg --recv-key 985A444B).

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
What a terrible thing to have lost one's mind. Or not to have a mind
at all. How true that is.
    -- Dan Quayle, speaking to the United Negro College Fund

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : /pipermail/attachments/20070205/7ddee2b5/attachment.pgp

From dshaw at jabberwocky.com Mon Feb 5 06:12:26 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Feb 2007 00:12:26 -0500
Subject: GPG fails to verify clamav
In-Reply-To: <45C691B6.60202@yahoo.com.au>
References: <45C691B6.60202@yahoo.com.au>
Message-ID: <20070205051226.GD6299@jabberwocky.com>

On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>
> I want to verify the integrity of the downloaded file. When I do
>
> gpg --keyserver random.sks.keyserver.penguin.de --verify
> clamav-0.90rc3.tar.gz.sig
>
> it fails, saying this:
>
> > gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
> > gpg: Can't check signature: public key not found

Download the key 985A444B:

  gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B

Then do the verify.

David

From r.post at sara.nl Mon Feb 5 10:37:19 2007
From: r.post at sara.nl (Remco Post)
Date: Mon, 05 Feb 2007 10:37:19 +0100
Subject: smartcard and ssh
In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de>
Message-ID: <45C6FACF.3060400@sara.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
> On Fri, 2 Feb 2007 14:00, r.post at sara.nl said:
>
>> mope, I didn't. I tried installing it (as part of the gpgsm package) but
>> the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :(
>
> If you have an USB reader, try using the internal ccid-driver. You
> need to stop the pcscd first. You may test it with the plain gpg - it
> will also use the ccid-driver (--debug-ccid-driver helps to detect
> problems).
> Make sure that the usbfs is loaded and that the
> permissions are correct . The smart card howto at www.gnupg.org
> should be helpful.
>

hmmm, more problems. I've decided that the ubuntu packages are broken.
I'll try again in a new release or when I gain some more patience ;-)

Normal gpg operations work, it's just the ssh-compatibility and only
for the smartcard, well, I guess I can do another few months without,
just like the past few years when I suffered a windows desktop ;-)

>
> Shalom-Salam,
>
> Werner
>

- --
With kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                       http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRcb6yirZkcVehrp5AQKrsgQAmmPinNNA0LUJZbEnI7ioOGZfwD6/7OsP
o31ffvu7bsyuXDFbrtA/UD6gZt4xCPe3N3W/4ygQgwbkFGWgedrV9muIqtmbvexL
kGzt0p0RiIxXJHZ1El1XBfiV6z0gqNEVBvAZd5AYlK+dyLE6S6IC8tfVVlcwSdLS
WjqtcD+d2zE=
=j0XP
-----END PGP SIGNATURE-----

From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:52:16 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Mon, 05 Feb 2007 11:52:16 -0600
Subject: GPG fails to verify clamav
In-Reply-To: <20070205051226.GD6299@jabberwocky.com>
References: <45C691B6.60202@yahoo.com.au> <20070205051226.GD6299@jabberwocky.com>
Message-ID: <45C76ED0.5070801@yahoo.com.au>

On 02/04/2007 11:12 PM, David Shaw wrote:
> On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote:
>> I downloaded clamav 0.90rc3 from
>> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>>
>> I want to verify the integrity of the
>> downloaded file. When I do
>>
>> gpg --keyserver random.sks.keyserver.penguin.de --verify
>> clamav-0.90rc3.tar.gz.sig
>>
>> it fails, saying this:
>>
>>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>>> gpg: Can't check signature: public key not found
>
> Download the key 985A444B:
>
> gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B
>
> Then do the verify.
>
> David
>

Thanks. The first couple of times it didn't work. Netstat said SYN_SENT
for 62.94.26.10 port 11371 but didn't connect. The third time was the
charm :-)

From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:53:03 2007
From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin)
Date: Mon, 05 Feb 2007 11:53:03 -0600
Subject: GPG fails to verify clamav
In-Reply-To: <20070205051944.GE2362@psilocybe.teonanacatl.org>
References: <45C691B6.60202@yahoo.com.au> <20070205051944.GE2362@psilocybe.teonanacatl.org>
Message-ID: <45C76EFF.4060601@yahoo.com.au>

On 02/04/2007 11:19 PM, Todd Zullinger wrote:
> Roy Carin wrote:
>> I downloaded clamav 0.90rc3 from
>> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125
>>
>> I want to verify the integrity of the downloaded file. When I do
>>
>> gpg --keyserver random.sks.keyserver.penguin.de --verify
>> clamav-0.90rc3.tar.gz.sig
>>
>> it fails, saying this:
>>
>>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
>>> gpg: Can't check signature: public key not found
>> René Berber, in message
>>
>> , says that my GPG installation is broken.
>>
>> Can anyone tell me how I can fix it?
>
> I think that the problem may be that you don't have the key on your
> keyring already and you don't have the auto-key-retrieve keyserver
> option enabled (it's not enabled by default).
> You can either enable
> that option or import the key before verifying the signature (via a
> keyserver webpage or using gpg --recv-key 985A444B).
>

Thanks. Done.

From benjamin at py-soft.co.uk Tue Feb 6 01:14:28 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 06 Feb 2007 00:14:28 +0000
Subject: openpgp card
In-Reply-To: <45C65BF7.8050208@gmail.com>
References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de> <45C65BF7.8050208@gmail.com>
Message-ID: <45C7C864.2020900@py-soft.co.uk>

Jørgen Lysdal wrote:
> Thanks for the hint. What i was interested in was if i could upload a
> file to the card and then retrieve it later.

That's one of the aims of the project for the "open implementation of
the openpgp smart card standard", see
http://www.py-soft.co.uk/wiki/index.php/Openpgp

Ben

From groups at sowa.cc Sat Feb 3 15:14:50 2007
From: groups at sowa.cc (Thomas Sowa)
Date: Sat, 3 Feb 2007 15:14:50 +0100
Subject: gpg.conf missing
Message-ID: <1170512090.45c498da17ea1@webmail.in-berlin.de>

Hi,

i just created my .gnupg file --> gpg --gen-key

All is good, but the gpg.conf is missing. It's already the 2run, the first
created the file but it was empty.

Why, and how do I get this file to modify it?

Thanks,
Tom

From wk at gnupg.org Tue Feb 6 10:24:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Feb 2007 10:24:02 +0100
Subject: New command line language parameter
In-Reply-To: <200702051357.l15DvWds001544@edison.ccupm.upm.es> (Juan Marugán's message of "Mon\, 05 Feb 2007 14\:57\:32 +0100")
References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> <87ps8tu1v7.fsf@wheatstone.g10code.de> <200702012226.l11MQ0RF008768@edison.ccupm.upm.es> <87abzxt0jb.fsf@wheatstone.g10code.de> <200702051357.l15DvWds001544@edison.ccupm.upm.es>
Message-ID: <878xfboczx.fsf@wheatstone.g10code.de>

On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said:

> I tried the SET LANG=xx and as far as i read in the GPG documentation
> and mailing list's posts, this is only for POSIX systems, not for
> windows, at least in windows doesn't work in all the ways i tried.

You are right. It works for GPA but not for GPG because with gpg we
use a simplified version of gettext. This is easy to fix.

> I'm afraid the only way to use a language file in windows is the
> registry or a new command line parameter.

No. A command line option won't work because how would you then print
a localized message like "invalid option" or diagnostics printed even
before any option has been parsed.

Shalom-Salam,

   Werner

From m-iizuka at cp.jp.nec.com Tue Feb 6 10:14:41 2007
From: m-iizuka at cp.jp.nec.com (Mitsuho Iizuka)
Date: Tue, 06 Feb 2007 18:14:41 +0900 (JST)
Subject: No Public Key Problem
Message-ID: <20070206.181441.74753944.m-iizuka@cp.jp.nec.com>

Getting errors as follows, I can't sign by myself with gpgsm of
gnupg2.0.1 on Fedora Core 5 Linux. Could you give some hint ?

gpgsm: can't sign using `': No public key
[GNUPG:] INV_RECP 1

command line are as follows.

% ./gpgsm --detach-sign --include-certs 3 --status-fd 2 --local-user '' --output smime.p7s mew5430s-F

I tried 2 other user specifying way, such as, m-iizuka at ... and ''.
Those results gave almost same error.
Only m-iizuka.cp.jp.nec.com gave me valid sign.

My certification is as follows(~/.gnupg/keyring.kbx).

% gpgsm -kv
    :
Serial number: XXXXXXX
       Issuer: /CN=NEC Group Certification Authority SMIME/OU=Class 2 CA - OnSite Individual Subscriber/OU=Terms of use at https:\x2f\x2fwww.verisign.co.jp\x2fRPA (c)99/OU=VeriSign Trust Network/O=NEC Corporation
      Subject: /CN=Mitsuho Iizuka (061221 m-iizuka.cp.jp.nec.com)/OU=www.verisign.com\x2frepository\x2fCPS Incorp. by Ref.,LIAB.LTD(c)96/OU=NEC Group Certification Authority SMIME/O=NEC Corporation/EMail=m-iizuka at cp.jp.nec.com
    :

According to keydb.c at around 1035 line, I don't think there is a
method to specify myself with my e-mail address on the above my
certification.

How can I specify myself with gpgsm2.0.1 ?

Thanks in advance

Regards,
// Mitsuho Iizuka

From info at webinfo.de Tue Feb 6 13:35:00 2007
From: info at webinfo.de (Björn Mayer)
Date: Tue, 06 Feb 2007 13:35:00 +0100
Subject: JADE-S, secure communication with DF?
Message-ID:

Hi folks,

supposed all features of JADE-S are activated - is it possible to
encrypt and sign messages addressed to the DF like DFService.register
requests?

Best regards,
Bjorn

From JPClizbe at tx.rr.com Tue Feb 6 21:13:30 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 06 Feb 2007 14:13:30 -0600
Subject: gpg.conf missing
In-Reply-To: <1170512090.45c498da17ea1@webmail.in-berlin.de>
References: <1170512090.45c498da17ea1@webmail.in-berlin.de>
Message-ID: <45C8E16A.1020407@tx.rr.com>

Thomas Sowa wrote:
> Hi,
>
> i just created my .gnupg file --> gpg --gen-key
>
> All is good, but the gpg.conf is missing. It's already the 2run, the first
> created the file but it was empty.
>
> Why, and how do I get this file to modify it?

gpg.conf is just a text file. You may create it with any editor of your
choice. It is for you to use to specify common options to gpg.

For example:

default-recipient-self
default-cert-check-level 3
keyserver pool.sks-keyservers.net
keyserver-options auto-key-retrieve include-revoked include-subkeys

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From hawke at hawkesnest.net Wed Feb 7 23:47:11 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 07 Feb 2007 16:47:11 -0600
Subject: smartcard and ssh
In-Reply-To: <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID:

Remco Post wrote:
>
> hmmm, more problems. I've decided that the ubuntu packages are broken.
> I'll try again in a new release or when I gain some more patience ;-)

Have you looked for and/or reported the bugs you found?

It works for me pretty much "out of the box" with ubuntu/feisty, less so
with earlier releases.

Here are the problems I found and what I had to do to fix them:

* gnupg was trying to use pcsc-wrapper at the wrong location (see bug
#68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
scd is looking for it. This can be solved either by copying the file,
or with a symlink. This seems to have been fixed in feisty.

* Another was that the ssh-agent support is not enabled out of the box.
This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
adding "--enable-ssh-support" in the appropriate place (around line 17).

*The final thing I needed to do was to install the package
libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
that symlink yourself. This also appears to have been fixed in feisty,
though you do still need libpcsclite1 (and pcscd).

-Alex Mauer "hawke"

From hawke at hawkesnest.net Wed Feb 7 23:47:26 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 07 Feb 2007 16:47:26 -0600
Subject: OpenPGP card and secret keys
Message-ID:

I seem to be having some trouble with my openpgp card:

gnupg knows I have secret keys on an openpgp card:

$ gpg --list-secret-keys
/home/amauer/.gnupg/secring.gpg
-------------------------------
sec#  1024D/51192FF2 2002-03-22
ssb>  1024R/4A1C1224 2005-06-27

(output has been modified showing only what I think are relevant lines)

but then when I try to sign a file, gpg ignores these keys:

$ gpg --clearsign test.txt
gpg: secret key parts are not available
gpg: no default secret key: general error
gpg: test.txt: clearsign failed: general error

Even if I specify the signing subkey from the card, it doesn't work:

$ gpg --clearsign -u '0x4a1c1224' test.txt
gpg: secret key parts are not available
gpg: skipped "0x4a1c1224": general error
gpg: test.txt: clearsign failed: general error

If I force that subkey, it works:

$ gpg --clearsign -u '0x4a1c1224!' test.txt
$
(gpg agent popped up a pinentry dialog, and I was able to enter the PIN
on the pinpad)

What am I doing wrong?

-Alex Mauer "hawke"

From wk at gnupg.org Thu Feb 8 06:43:50 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 06:43:50 +0100
Subject: OpenPGP card and secret keys
In-Reply-To: (Alex Mauer's message of "Wed\, 07 Feb 2007 16\:47\:26 -0600")
References:
Message-ID: <87odo5td9l.fsf@wheatstone.g10code.de>

On Wed, 7 Feb 2007 23:47, hawke at hawkesnest.net said:

> If I force that subkey, it works:
> $ gpg --clearsign -u '0x4a1c1224!' test.txt

Okay, so it is not a communication problem with the card. Please run

  gpg --debug 64 --clearsign test.txt

To see why gpg tries to use the primary key.

Salam-Shalom,

   Werner

From r.post at sara.nl Thu Feb 8 09:21:41 2007
From: r.post at sara.nl (Remco Post)
Date: Thu, 08 Feb 2007 09:21:41 +0100
Subject: smartcard and ssh
In-Reply-To:
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID: <45CADD95.3030007@sara.nl>

Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found?
>
> It works for me pretty much "out of the box" with ubuntu/feisty, less so
> with earlier releases.
>
> Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
> #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
> It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
> scd is looking for it. This can be solved either by copying the file,
> or with a symlink. This seems to have been fixed in feisty.
>

ok, that's a nice one....

> * Another was that the ssh-agent support is not enabled out of the box.
> This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
> adding "--enable-ssh-support" in the appropriate place (around line 17).
>

I've made a gpg-agent.conf file to the same effect.

> *The final thing I needed to do was to install the package
> libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
> linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
> that symlink yourself. This also appears to have been fixed in feisty,
> though you do still need libpcsclite1 (and pcscd).
>

since normal gpg operations (signing) do work, this doesn't seem to be a
problem for me.

> -Alex Mauer "hawke"
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
With kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                       http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

From r.post at sara.nl Thu Feb 8 10:47:13 2007
From: r.post at sara.nl (Remco Post)
Date: Thu, 08 Feb 2007 10:47:13 +0100
Subject: smartcard and ssh
In-Reply-To:
References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl>
Message-ID: <45CAF1A1.6020203@sara.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found?
>
> It works for me pretty much "out of the box" with ubuntu/feisty, less so
> with earlier releases.
>
> Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
> #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
> It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the
> scd is looking for it. This can be solved either by copying the file,
> or with a symlink. This seems to have been fixed in feisty.
>

ok, installing gnupg2 and symlinking this file as well as the libpcslite
helped, thanks a lot!

> * Another was that the ssh-agent support is not enabled out of the box.
> This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
> adding "--enable-ssh-support" in the appropriate place (around line 17).
>
> *The final thing I needed to do was to install the package
> libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
> linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create
> that symlink yourself. This also appears to have been fixed in feisty,
> though you do still need libpcsclite1 (and pcscd).
>
> -Alex Mauer "hawke"
>

- --
With kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                       http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end."
-- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRcrxnCrZkcVehrp5AQKo2wP9GNeFlAKXH1J6xCml/tCoap16xxqn8lEp
JZ99bwap7GpChuX0qEfHZT6KDK5GuVlJgJ8HzkOmERy/lXIw423bR/M1sWJH/DI2
NTeYiGZ0etS9yDGn6fGfHnLZLpN9djbEYTHCehNz7futl+oYFZxygzP6i8jPFsq3
PxqQf3E3rU4=
=GUgP
-----END PGP SIGNATURE-----

From ber at webschuur.com Thu Feb 8 13:03:05 2007
From: ber at webschuur.com (Bèr Kessels)
Date: Thu, 8 Feb 2007 13:03:05 +0100
Subject: Keyrings for websites
Message-ID: <200702081303.09540.ber@webschuur.com>

Hello,

With the current growth of online services that talk to each other (the
web2.0) I thought it a good idea to think about a way to determine
"trust" between the sites.

If my site shares its spam tokens, comments, search results, tags and
pictures (etc) with a cloud of sites, it could be a good idea to
establish a trust-ring.

I therefore thought it an interesting idea to make keys not just for
people, but for a website. That way I can sign public keys from other
sites and give them a trust weight. That way one can establish a web of
trust between sites. A good way to make sure spammers don't get in
between your comments, for example. By allowing so called trackbacks
from trusted sites only, one can reduce the amount of spam greatly. By
sending my tags to trusted sites only, I can make sure that not some
mala fide "content thief" runs off with my valuable content, yet still
share it.

It is still an idea. And no code is made yet. But I am heavy into Drupal
(been full time developer for it for over 4 years), and I can introduce
this concept there, then hope it takes off into wordpress, plone and
other Open Source, or Closed source CMSes.

All I need is some general idea whether or not this will a) work at all
and b) is possible with gnupg, and c) if it would not 'threaten' gnupg
too much.

thanks for reading,

Bèr
--
Drupal, Ruby on Rails and Joomla!
development: webschuur.com | Drupal hosting: www.sympal.nl

From jbruni at mac.com Thu Feb 8 15:36:37 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Thu, 8 Feb 2007 07:36:37 -0700
Subject: Keyrings for websites
In-Reply-To: <200702081303.09540.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com>
Message-ID:

You might want to check out "Domain Keys" which is used to authenticate
email sessions between MTA's.

Also, peer-to-peer authentication can be accomplished via X.509
certificates and SSL.

Joe

On Feb 8, 2007, at 5:03 AM, Bèr Kessels wrote:

> Hello,
>
> With the current growth of online services that talk to eachother
> (the web2.0)
> I thought it a good idea to think about a way to determine "trust"
> between
> the sites.
> ...
> Bèr
> --

From markybob at gmail.com Thu Feb 8 10:59:26 2007
From: markybob at gmail.com (Mark Pinto)
Date: Thu, 8 Feb 2007 04:59:26 -0500
Subject: gen-key non-interactively
Message-ID: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>

I'm wanting to pass all of the information that gpg needs to create a
key (key size, type, expiration, userid, etc) initially and not have
gpg keep pausing to ask the user. I've read the man page, read gpg
--help, googled, and I still can't figure out how to pass those things
to gpg while using --gen-key. Any help would be *greatly* appreciated.

Thank you,
Mark Pinto

From schneecrash+gnupg-users at gmail.com Thu Feb 8 16:44:02 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 8 Feb 2007 07:44:02 -0800
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>

here's an "expect"-based function i use in a bash script for just such purpose,

# function: "DO_GENKEY_SESSION"
#  auto-execute a GPG --gen-key session
#  usage:
#    DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT
#  gen-key dialog options (SELECTION):
#    Please select what kind of key you want:
#      (1) DSA and Elgamal (default)
#      (2) DSA (sign only)
#      (3) DSA (set your own capabilities)
#      (5) RSA (sign only)
#      (7) RSA (set your own capabilities)
DO_GENKEY_SESSION () {
 echo "START: $COMMENT"
 VAR=$($EXPECT -c "
  spawn $GPG $GPG_RING_OPTS --expert --cert-notation $NOTATION --gen-key
  set timeout -1
  stty -echo
  expect \"Your selection? \"
  exp_send \"$1\n\"
  expect -re \"(What keysize do you want\?).*\\\\(\[0-9\]*\\\\) \"
  exp_send \"$BITS\n\"
  expect \"Key is valid for? (0) \"
  exp_send \"0\n\"
  expect \"Is this correct? (y/N) \"
  exp_send \"y\n\"
  expect \"Real name: \"
  exp_send \"$NAME_REAL\n\"
  expect \"Email address: \"
  exp_send \"$EMAIL\n\"
  expect \"Comment: \"
  exp_send \"$SIG_COMMENT\n\"
  expect \"(O)kay/(Q)uit? \"
  exp_send \"O\n\"
  expect \"Enter passphrase: \"
  exp_send \"$PASS\n\"
  expect \"Repeat passphrase: \"
  exp_send \"$PASS\n\"
  expect exp_continue -continue_timer
 ")
 echo " DONE"
}

of course, you define/pass/replace the various vars as you need/like ...

hth!
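
The prompts that the expect script above answers one by one correspond to keywords in the parameter file that gpg reads with --batch --gen-key, the format the next replies in this thread describe. The following Python code is an added example (not part of any post here and not GnuPG's own parser) that reads such a file by the rules quoted from DETAILS and reports the key blocks it would commit. The names KeyBlock and parse_parameter_file are made up for the illustration, case-insensitive keyword matching is an assumption, and the second sample input is constructed.

```python
"""Parse a `gpg --batch --gen-key` parameter file by the rules quoted from
GnuPG's DETAILS file in this thread. Added example, not GnuPG's own parser."""
from dataclasses import dataclass, field
from typing import Optional

MAX_LINE = 1000  # DETAILS: "line length is limited to about 1000 chars"


@dataclass
class KeyBlock:
    """One key to be generated, with the settings in force at its commit."""
    params: dict = field(default_factory=dict)
    pubring: Optional[str] = None
    secring: Optional[str] = None
    dry_run: bool = False

    @property
    def has_passphrase(self) -> bool:
        # True when the file itself carries the passphrase in cleartext.
        return "passphrase" in self.params


def parse_parameter_file(text):
    """Return (blocks, errors): committed key blocks and rule violations."""
    blocks, errors = [], []
    state = {"pubring": None, "secring": None, "dry_run": False}
    current = None

    def commit():
        nonlocal current
        if current is not None:
            current.pubring = state["pubring"]
            current.secring = state["secring"]
            current.dry_run = state["dry_run"]
            blocks.append(current)
            current = None

    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            errors.append(f"line {lineno}: longer than {MAX_LINE} characters")
            continue
        line = raw.strip()                     # leading/trailing spaces ignored
        if not line or line.startswith("#"):   # empty lines and comment lines
            continue
        if line.startswith("%"):               # control statement
            parts = line.split(None, 1)
            word = parts[0].lower()            # assumption: case-insensitive
            arg = parts[1] if len(parts) > 1 else ""
            if word == "%commit":
                commit()
            elif word == "%dry-run":
                state["dry_run"] = True
            elif word in ("%pubring", "%secring"):
                if arg:
                    state[word[1:]] = arg      # last name before a commit wins
                else:
                    errors.append(f"line {lineno}: {word} needs a filename")
            elif word != "%echo":
                errors.append(f"line {lineno}: unknown control statement {word}")
            continue
        keyword, sep, value = line.partition(":")
        keyword, value = keyword.strip().lower(), value.strip()
        if not sep or not keyword:
            errors.append(f"line {lineno}: not a 'Keyword: value' parameter")
        elif keyword == "key-type":
            commit()                           # implicit commit at next Key-Type
            current = KeyBlock(params={"key-type": value})
        elif current is None:
            errors.append(f"line {lineno}: {keyword} appears before Key-Type")
        else:
            current.params[keyword] = value
    commit()                                   # end of file also commits
    return blocks, errors


# The parameter file posted in the reply that follows in this thread.
THREAD_SAMPLE = """\
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Email: joe at foo.bar
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
"""

# Constructed input: a parameter ahead of Key-Type, an unknown control
# statement, and two keys separated only by the implicit commit.
BROKEN_SAMPLE = """\
Name-Real: Too Early
%dry-run
Key-Type: RSA
Key-Length: 2048
Key-Type: DSA
%frobnicate now
Name-Real: Second Key
"""

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("broken", BROKEN_SAMPLE)):
        blocks, errors = parse_parameter_file(sample)
        for i, b in enumerate(blocks, 1):
            print(f"{name} key {i}: {b.params['key-type']} dry_run={b.dry_run} "
                  f"pubring={b.pubring} cleartext_passphrase={b.has_passphrase}")
        for e in errors:
            print(f"{name}: {e}")
```

The has_passphrase flag marks parameter files that need the same file permissions as a secret key, since the Passphrase line is stored unencrypted.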
From dshaw at jabberwocky.com Thu Feb 8 17:08:36 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 8 Feb 2007 11:08:36 -0500
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <20070208160836.GA22488@jabberwocky.com>

On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still can't figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*
> appreciated.

Make a file that looks like this:

%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Email: joe@foo.bar
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done

Then do:

  gpg --batch --gen-key /path/to/the/file/above

End result will be a public key in foo.pub and secret key in foo.sec. See the DETAILS file (in the doc directory) for the various things you can do.

David

From wk at gnupg.org Thu Feb 8 17:13:13 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 17:13:13 +0100
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> (Mark Pinto's message of "Thu\, 8 Feb 2007 04\:59\:26 -0500")
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <871wl0pqzq.fsf@wheatstone.g10code.de>

On Thu, 8 Feb 2007 10:59, markybob at gmail.com said:

> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user.
> I've read the man page, read gpg
> --help, googled, and I still can't figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*

Check out the file DETAILS. It should explain everything. I have copied the section below.

Shalom-Salam,

   Werner


Unattended key generation
=========================
This feature allows unattended generation of keys controlled by a parameter file. To use this feature, you use --gen-key together with --batch and feed the parameters either from stdin or from a file given on the commandline.

The format of this file is as follows:
  o Text only, line length is limited to about 1000 chars.
  o You must use UTF-8 encoding to specify non-ascii characters.
  o Empty lines are ignored.
  o Leading and trailing spaces are ignored.
  o A hash sign as the first non white space character indicates a
    comment line.
  o Control statements are indicated by a leading percent sign, the
    arguments are separated by white space from the keyword.
  o Parameters are specified by a keyword, followed by a colon. Arguments
    are separated by white space.
  o The first parameter must be "Key-Type", control statements
    may be placed anywhere.
  o Key generation takes place when either the end of the parameter file
    is reached, the next "Key-Type" parameter is encountered or at the
    control statement "%commit"
  o Control statements:
    %echo
        Print .
    %dry-run
        Suppress actual key generation (useful for syntax checking).
    %commit
        Perform the key generation. An implicit commit is done
        at the next "Key-Type" parameter.
    %pubring
    %secring
        Do not write the key to the default or commandline given
        keyring but to . This must be given before the first
        commit to take place, duplicate specification of the same filename
        is ignored, the last filename before a commit is used.
        The filename is used until a new filename is used (at commit points)
        and all keys are written to that file. If a new filename is given,
        this file is created (and overwrites an existing one).
        Both control statements must be given.
  o The order of the parameters does not matter except for "Key-Type"
    which must be the first parameter. The parameters are only for the
    generated keyblock and parameters from previous key generations are not
    used. Some syntactically checks may be performed.
    The currently defined parameters are:
     Key-Type: |
        Starts a new parameter block by giving the type of the
        primary key. The algorithm must be capable of signing.
        This is a required parameter.
     Key-Length:
        Length of the key in bits. Default is 1024.
     Key-Usage:
        Space or comma delimited list of key usage, allowed values are
        "encrypt", "sign", and "auth". This is used to generate the
        key flags. Please make sure that the algorithm is capable of
        this usage. Note that OpenPGP requires that all primary keys
        are capable of certification, so no matter what usage is given
        here, the "cert" flag will be on. If no Key-Usage is
        specified, all the allowed usages for that particular
        algorithm are used.
     Subkey-Type: |
        This generates a secondary key. Currently only one subkey
        can be handled.
     Subkey-Length:
        Length of the subkey in bits. Default is 1024.
     Subkey-Usage:
        Similar to Key-Usage.
     Passphrase:
        If you want to specify a passphrase for the secret key,
        enter it here. Default is not to use any passphrase.
     Name-Real:
     Name-Comment:
     Name-Email:
        The 3 parts of a key. Remember to use UTF-8 here.
        If you don't give any of them, no user ID is created.
     Expire-Date: |([d|w|m|y])
        Set the expiration date for the key (and the subkey). It
        may either be entered in ISO date format (2000-08-15) or as
        number of days, weeks, month or years. Without a letter days
        are assumed.
     Preferences:
        Set the cipher, hash, and compression preference values for
        this key. This expects the same type of string as "setpref"
        in the --edit menu.
     Revoker: : [sensitive]
        Add a designated revoker to the generated key. Algo is the
        public key algorithm of the designated revoker (i.e. RSA=1,
        DSA=17, etc.)
        Fpr is the fingerprint of the designated revoker. The optional
        "sensitive" flag marks the designated revoker as sensitive
        information. Only v4 keys may be designated revokers.
     Handle:
        This is an optional parameter only used with the status lines
        KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100
        characters and should not contain spaces. It is useful for
        batch key generation to associate a key parameter block with a
        status line.
     Keyserver:
        This is an optional parameter that specifies the preferred
        keyserver URL for the key.

Here is an example:
$ cat >foo < ssb 1024g/8F70E2C0 2000-03-09

From ber at webschuur.com Thu Feb 8 17:32:30 2007
From: ber at webschuur.com (=?utf-8?q?B=C3=A8r_Kessels?=)
Date: Thu, 8 Feb 2007 17:32:30 +0100
Subject: Keyrings for websites
In-Reply-To:
References: <200702081303.09540.ber@webschuur.com>
Message-ID: <200702081732.31135.ber@webschuur.com>

Hello,

On Thursday 8 February 2007 15:36, Joseph Oreste Bruni wrote:
> You might want to check out "Domain Keys" which is used to
> authenticate email sessions between MTA's.
>
> Also, peer-to-peer authentication can be accomplished via X.509
> certificates and SSL.

Ye, I am aware of the X.509 to authenticate servers. Also I know my way around in the SSL "stuff". This, however, is a different thing than what I want to achieve. I am not so much interested in secure connections, nor in authentication, between peers.

What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com ultimately. Since you trust me, you can trust Bar.com too'. That way one can allow sign-ins from other trusted sites, trackbacks etc.

Thanks for the feedback, though.

Bèr
--
Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal hosting: www.sympal.nl
From anon-bounces at deuxpi.ca Thu Feb 8 14:43:46 2007
From: anon-bounces at deuxpi.ca (Anonyma)
Date: Thu, 8 Feb 2007 08:43:46 -0500 (EST)
Subject: making a passphrase by doubling a password and tweaking the end
Message-ID:

(This is as much about ssh as gpg, but I figure there should be some passphrase expertise here.)

Suppose my shell password is "SapNilph4" (I just got that from APG), is it stupid to make a passphrase for an ssh or gpg key by doubling it and changing the end, for example "SapNilph4SapNilph3"? Or am I really wasting potential entropy this way?

thanks

From dshaw at jabberwocky.com Thu Feb 8 17:10:02 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 8 Feb 2007 11:10:02 -0500
Subject: gen-key non-interactively
In-Reply-To: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com>
Message-ID: <20070208161002.GB22488@jabberwocky.com>

On Thu, Feb 08, 2007 at 07:44:02AM -0800, snowcrash+gnupg-users wrote:
> here's an "expect"-based function i use in a bash script for just such purpose,
>
> # function: "DO_GENKEY_SESSION"
> # auto-execute a GPG --gen-key session
> # usage:
> # DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT
> # gen-key dialog options (SELECTION):
> # Please select what kind of key you want:
> # (1) DSA and Elgamal (default)
> # (2) DSA (sign only)
> # (3) DSA (set your own capabilities)
> # (5) RSA (sign only)
> # (7) RSA (set your own capabilities)
> DO_GENKEY_SESSION () {
> echo "START: $COMMENT"
> VAR=$($EXPECT -c "

I strongly advise against using expect to generate keys. Your expect script will break when we change the text that GPG displays. If you want to generate keys unattended, then use the --batch --gen-key interface.

David

From rjh at sixdemonbag.org Thu Feb 8 18:07:58 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Feb 2007 11:07:58 -0600
Subject: making a passphrase by doubling a password and tweaking the end
In-Reply-To:
References:
Message-ID: <3555FBDB-5298-4E4A-B5DD-D57B1FEFEA3D@sixdemonbag.org>

> Suppose my shell password is "SapNilph4" (I just got that from APG),
> is it stupid to make a passphrase for an ssh or gpg key by doubling it
> and changing the end, for example "SapNilph4SapNilph3"? Or am I
> really wasting potential entropy this way?

Stupid? No. May not be especially wise, though.

GnuPG passphrases, like root login passwords, are very high-value secrets. You should plan for them to be compromised at some point. If your root login gets compromised and your GnuPG passphrase is derivable from your root login, then you've got two high-value secrets compromised. Vice-versa is the same way.

So while no, you're not wasting entropy, this may not be wise due to how it complicates your failsafe plans.

From schneecrash+gnupg-users at gmail.com Thu Feb 8 18:14:19 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Thu, 8 Feb 2007 09:14:19 -0800
Subject: gen-key non-interactively
In-Reply-To: <20070208161002.GB22488@jabberwocky.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com> <20070208161002.GB22488@jabberwocky.com>
Message-ID: <70f41ba20702080914s6927c25bq910476c36ef997bd@mail.gmail.com>

> I strongly advise against using expect to generate keys. Your expect
> script will break when we change the text that GPG displays. If you
> want to generate keys unattended, then use the --batch --gen-key
> interface.

i clearly understand that, and will manage my script(s) accordingly. thanks. :-)

fwiw, the snippet i attached is a part of a larger, expect-based script i use to roll-out gpg "key packages" to new employees.
as 'batch' support is only, currently provided (afaict ...) for gen-key, i simply use expect (even though i think it's a major pita!) to be consistent across all my other script functions.

atm, there's no other convenient full-automation option that i'm aware of; and, again, yes, i know it's 'upgrade fragile'.

thanks.

From hawke at hawkesnest.net Thu Feb 8 18:22:02 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 08 Feb 2007 11:22:02 -0600
Subject: OpenPGP card and secret keys
In-Reply-To: <87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de>
References: <87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
> Okay, so it is not a communication problem with the card. Please run
>
> gpg --debug 64 --clearsign test.txt
>
> To see why gpg tries to use the primary key.

aha! it does not. It's trying to use a different subkey instead. Surely missing secret key parts would be cause to reject that subkey as a candidate for use, and just because secret parts are missing for one subkey doesn't mean they're missing for all subkeys, right?

$ gpg --debug 64 --clearsign test.txt
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=0)
gpg: DBG: using key 51192FF2
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=1)
gpg: DBG: checking subkey 4A1C1224
gpg: DBG: subkey looks fine
gpg: DBG: checking subkey F4878DDE
gpg: DBG: usage does not match: want=1 have=2
gpg: DBG: checking subkey 9A37EEFF
gpg: DBG: subkey looks fine
gpg: DBG: using key 9A37EEFF
gpg: DBG: cache_user_id: already in cache
gpg: secret key parts are not available
gpg: no default secret key: general error
gpg: test.txt: clearsign failed: general error
secmem usage: 1408/3488 bytes in 2/15 blocks of pool 3488/32768

From roam at ringlet.net Thu Feb 8 16:51:03 2007
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 8 Feb 2007 17:51:03 +0200
Subject: gen-key non-interactively
In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com>
Message-ID: <20070208155103.GB1621@straylight.m.ringlet.net>

On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:
> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still can't figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*
> appreciated.

If you are trying to do this as part of a bigger program, you might want to check out the gpgme and libgcrypt libraries.

Otherwise, the gnupg manual page mentions an experimental method for using --gen-key non-interactively, which is described in the DETAILS file in the doc/ subdirectory of the gnupg source archive. Thus, you need to download the gnupg source (either 1.4.x or 2.0.x, depending on which version you're using anyway), read the doc/DETAILS file, and see if the method described there works for you.
I just tried it with GnuPG 1.4.6, and it worked just fine here.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.

From roam at ringlet.net Thu Feb 8 16:01:30 2007
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 8 Feb 2007 17:01:30 +0200
Subject: Keyrings for websites
In-Reply-To: <200702081303.09540.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com>
Message-ID: <20070208150130.GA1621@straylight.m.ringlet.net>

On Thu, Feb 08, 2007 at 01:03:05PM +0100, Bèr Kessels wrote:
> Hello,
>
> With the current growth of online services that talk to each other (the
> web2.0) I thought it a good idea to think about a way to determine
> "trust" between the sites.
>
> If my site shares its spam tokens, comments, search results, tags and
> pictures (etc) with a cloud of sites, it could be a good idea to
> establish a trust-ring.
>
> I therefore thought it an interesting idea to make keys not just for
> people, but for a website. That way I can sign public keys from other
> sites and give them a trust weight.
[snip]
>
> It is still an idea. And no code is made yet. But I am heavy into
> Drupal (been full time developer for it for over 4 years), and I can
> introduce this concept there, then hope it takes off into wordpress,
> plone and other Open Source, or Closed source CMses.
>
> All I need is some general idea whether or not this will a) work at all
> and b) is possible with gnupg, and c) if it would not 'threaten' gnug
> too much.

It ought to be both possible and trivial.
ISTR several discussions on this mailing list, where people mentioned using PGP keys (or rather, uid's) with only names, no e-mail addresses. You could either use such keys with the hostname (or the full path to the web application) placed directly in the "name" part of the user ID, or develop some kind of machine-readable encoding to represent a host name, application path, application name, or any level of detail you feel comfortable with, and then place those in the "name" or the "comment" part of the key's user ID. After that, proceed as usual - sign the user-ID with the key itself (GnuPG should do that as part of the key generation anyway), sign it with your own key, and send the public key to the others. They should generate keys for their web apps too, sign them with their own (developers') keys, and send them to you. Then each of you establishes his own trustdb, places trust in (some of) the developers' keys, and off you go.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.

From alex at bofh.net.pl Thu Feb 8 17:49:11 2007
From: alex at bofh.net.pl (Janusz A.
Urbanowicz)
Date: Thu, 8 Feb 2007 17:49:11 +0100
Subject: Keyrings for websites
In-Reply-To: <200702081732.31135.ber@webschuur.com>
References: <200702081303.09540.ber@webschuur.com> <200702081732.31135.ber@webschuur.com>
Message-ID: <20070208164911.GG11476@hell.pl>

On Thu, Feb 08, 2007 at 05:32:30PM +0100, Bèr Kessels wrote:
> Hello,
>
> Op donderdag 8 februari 2007 15:36, schreef Joseph Oreste Bruni:
> > You might want to check out "Domain Keys" which is used to
> > authenticate email sessions between MTA's.
> >
> > Also, peer-to-peer authentication can be accomplished via X.509
> > certificates and SSL.
>
> Ye, I am aware of the X.509 to authenticate servers. Also I know my way around
> in the SSL "stuff". This, however, is a different thing then what I want to
> achieve. I am not so much interested in secure connections, nor in
> authentication, between peers.
>
> What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com
> ultimately. Since you trust me, you can trust Bar.com too'. That way one can
> allow sign-ins from other trusted sites, trackbacs etc.
>
> Thanks for the feedback, though.

Check out OpenID, although it is not cryptography based (AFAIK).

Alex
--
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is a job for doctors, lawyers, programmers and watchmakers -- Czerski

From hawke at hawkesnest.net Thu Feb 8 20:10:00 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 08 Feb 2007 13:10:00 -0600
Subject: Keyrings for websites
In-Reply-To: <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID:

Peter Pentchev wrote:
> using PGP keys (or rather, uid's) with only names, no e-mail addresses.
> You could either use such keys with the hostname (or the full path to
> the web application) placed directly in the "name" part of the user ID,
> or develop some kind of machine-readable encoding to represent a host
> name, application path, application name, or any level of detail you
> feel comfortable with, and then place those in the "name" or the
> "comment" part of the key's user ID. After that, proceed as usual -

This sort of overloading of the name/comment/email fields bothers me. I wish that UIDs were more of a key/value system (one key/value pair per UID), e.g. name=William Surrey, email=bill at home.example.org, email=william.surrey at business.example.com, comment=Billy's key, alias=Bill; or name=Example's awesome wiki!, hostname=www.example.org, application=mediawiki (for the purpose given above).

I'm thinking something equivalent to what vorbis comments are for ogg vorbis audio files. See http://xiph.org/vorbis/doc/v-comment.html

Of course, I doubt that the OpenPGP spec allows for this sort of extensibility in the comments, or if it does that anyone's willing to implement it (or it would have been done by now). But it sure would be great if it were to happen.

From newsgroups at thomas-huehn.de Thu Feb 8 20:24:37 2007
From: newsgroups at thomas-huehn.de (=?iso-8859-1?Q?Thomas_H=FChn?=)
Date: Thu, 08 Feb 2007 20:24:37 +0100
Subject: Keyrings for websites
References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID: <87d54kpi4q.fsf@mid.thomas-huehn.de>

Alex Mauer writes:

> This sort of overloading of the name/comment/email fields bothers me. I
> wish that UIDs were more of a key/value system (one key/value pair per

As far as I understand it there are no such fields. User ID is freeform, just a string. So feel free to put in "Key: Value" or whatever you'd like to.

Thomas

From wk at gnupg.org Thu Feb 8 20:28:55 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 20:28:55 +0100
Subject: gen-key non-interactively
In-Reply-To: <20070208155103.GB1621@straylight.m.ringlet.net> (Peter Pentchev's message of "Thu\, 8 Feb 2007 17\:51\:03 +0200")
References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <20070208155103.GB1621@straylight.m.ringlet.net>
Message-ID: <87veicla88.fsf@wheatstone.g10code.de>

On Thu, 8 Feb 2007 16:51, roam at ringlet.net said:

> Otherwise, the gnupg manual page mentions an experimental method for

BTW, I forgot to remove the "experimental" tag. That is a stable feature and useful for production.

Salam-Shalom,

   Werner

From wk at gnupg.org Thu Feb 8 20:44:00 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Feb 2007 20:44:00 +0100
Subject: Keyrings for websites
In-Reply-To: (Alex Mauer's message of "Thu\, 08 Feb 2007 13\:10\:00 -0600")
References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net>
Message-ID: <87d54kl9j3.fsf@wheatstone.g10code.de>

On Thu, 8 Feb 2007 20:10, hawke at hawkesnest.net said:

> wish that UIDs were more of a key/value system (one key/value pair per

You may use notations for this. They are however stored with the self-signature, so some care needs to be taken.

If you need something similar to the user ID, use the User Attribute Packet (Tag 17). It is currently only used for the photo ID but it may be extended. From the latest OpenPGP I-D:

   The User Attribute packet is a variation of the User ID packet. It is capable of storing more types of data than the User ID packet which is limited to text. Like the User ID packet, a User Attribute packet may be certified by the key owner ("self-signed") or any other key owner who cares to certify it. Except as noted, a User Attribute packet may be used anywhere that a User ID packet may be used.

   While User Attribute packets are not a required part of the OpenPGP standard, implementations SHOULD provide at least enough compatibility to properly handle a certification signature on the User Attribute packet. A simple way to do this is by treating the User Attribute packet as a User ID packet with opaque contents, but an implementation may use any method desired.

   The User Attribute packet is made up of one or more attribute subpackets. Each subpacket consists of a subpacket header and a body. The header consists of:

     - the subpacket length (1, 2, or 5 octets)

     - the subpacket type (1 octet)

   and is followed by the subpacket specific data.

   The only currently defined subpacket type is 1, signifying an image. An implementation SHOULD ignore any subpacket of a type that it does not recognize. Subpacket types 100 through 110 are reserved for private or experimental use.

Salam-Shalom,

   Werner

From j.lysdal at gmail.com Thu Feb 8 21:24:17 2007
From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=)
Date: Thu, 08 Feb 2007 21:24:17 +0100
Subject: GnuPG on MS Vista
Message-ID: <45CB86F1.7000607@gmail.com>

Hi, it appears to be impossible to connect to any keyservers through gpg on my newly installed Vista box. I have disabled UAC and im running as admin, so that should not be the cause of any problems.

Whenever i try to get something from a keyserver i get:

gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de
gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de
gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

All the keyservers i have tried works well when using their web interface. Does anyone know how to solve this problem?

From hhhobbit at securemecca.net Thu Feb 8 21:37:29 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu, 08 Feb 2007 13:37:29 -0700
Subject: New command line language parameter
In-Reply-To:
References:
Message-ID: <45CB8A09.7090004@securemecca.net>

Werner Koch said:
> On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said:
>
>
>>I tried the SET LANG=xx and as far as i read in the GPG documentation
>>and mailing list's posts, this is only for POSIX systems, not for
>>windows, at least in windows doesn't work in all the ways i tried.
>
>
> You are right. It works for GPA but not for GPG because with gpg we
> use a simplified version of gettext. This is easy to fix.
>
>
>>I'm afraid the only way to use a language file in windows is the
>>registry or a new command line parameter.
>
>
> No. A command line option won't work because how would you then print
> a localized message like "invalid option" or diagnostics printed even
> before any option has been parsed.

Now be patient here for a moment. All of the following IS related to running GnuPG on Windows! To lead it all off, if you are running as an Administrator user all the time on Windows you are doing the equivalent of RUNNING AS root ALL THE TIME ON A UNIX SYSTEM! The present Windows GnuPG 1.4.X installs assume people do this. Most of them probably do run their Windows system this way, but that doesn't make it the only way, and I believe it is NOT THE RIGHT WAY! Microsoft isn't helping them do it properly either.

NOW HAVING SAID WHAT I JUST SAID, IF YOU ARE *NOT* A MICROSOFT WINDOWS USER DELETE THIS MESSAGE AND MOVE ON! TRUST ME! You are wasting your time reading unless you use Microsoft Windows either ALL or a substantial amount of the time. You will just get confused until you understand how Microsoft Windows works.
Even a lot of full-time Microsoft Windows users don't know how it works. I should know. I help them all the time and am appalled at how little they know about a system they have used for years. Some of them I have given up on them EVER understanding their systems.

Where is the URL on setting these language settings in the HKCU registry keys? I am getting ready to put a lot of this stuff up on web pages. I already have a ZIP file with SOME of what is needed in it. I will have a web page or a set of web pages that will be devoted strictly to GnuPG (1.4.x) on Windows. I WILL provide REG files for what some people think in this forum are strange situations. I suppose this could be one of them.

I posted an actual REG file in this forum and somebody didn't even see the REG4 at the top of it and said I should provide the actual REG file. I DID provide the actual REG file! All they had to do was to copy and paste, AND THEN ALTER SOME VARIABLES. You cannot use ENVIRONMENT variables in a REG file since they are part of the registry anyway. But this forum is NOT the right place to do it. What I posted was partially wrong anyway. It had the HKLM entries which I will either let the install do, or provide an HKLM.reg file. What is needed for most people are the HKCU keys for each Windows user that is running as a restricted user.

You can fix the code if you want to Werner, but the proper way for a lot of this stuff on Windows is to put it into the registry. Even the ENVIRONMENT variables are stored in, you guessed it - THE REGISTRY! They are in the HKLM hive for the ones in the lower everybody panel and in the HKCU area for the ones in the upper panel if you use the Control Panel method to look at the environment variables. There are several other things going along with this like the fact that without using higher order registry editing tools (not regedit) you can't normally dive into anybody else's HKCU hive.
You normally only see your own (the one belonging to who you logged in as). Reading and adding or modifying somebody else's HKCU entries is possible but I consider that more esoteric than just providing somebody with a REG file and telling them to modify it. I am looking at writing a program that will actually create the REG file for them (yes, overkill, but it saves people from typing mistakes).

What is being provided in the GnuPG install is only suitable for idiots who run as an Administrator, all the time with only one account on the system and that one is an Administrator account (you need at least one). They can keep their account as an Administrator and install the Drop My Rights program (which I give to everybody because that is usually more than they can do even if I provide them *.lnk files to paste onto the desktop and in the Start folders which even then they seem to muck up):

http://tinyurl.com/3u46a

That is unsuitable because likely or not somebody is going to message the default browser which is running in admin space and can thus modify the HKLM keys and all the files in the %WinDir% folder and all sub-folders. Even if the browser is messaged into running with lower privileges via DropMyRights.exe, a RealPlayer or Windows Media Player is messaged into running as the logged in user. Windows does NOT fork off the App like Unix systems do. Nevertheless, that is what I used for years on Administrator accounts for my logon type administrator accounts.

There IS a better Windows way of doing it - the LUA method. I recommend this way of doing it in home situations:

http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

That is a MUCH better way of doing it in home or other situations where you control access to the computer. You are now protecting your HKLM keys and your %WinDir% folder. That is the reason I was arguing for putting the iconv.dll file over in the %WinDir% folder.
Now you CAN do an attrib +s on the file where it is at but I have no guarantees that will keep it safe. You should do an attrib +s on all your files in the %ProgramFiles% area anyway, unless you don't consider GnuPG a security product. I just happen to believe it is a security product. But it is only ONE piece of securing Windows systems.

One of the things that has occurred to me is to ask the question "can I make GnuPG say a signed message is okay whether it is or not?" By that I mean, can I by changing just the message strings of GnuPG make all signed messages show up as okay? If you don't think that if GnuPG takes off like mad on Windows and that you don't have that situation covered that it won't happen, you better think again. I spend a LOT of time finding out how people subvert Windows systems. That is because it is done so much. That is probably more of a flame against Windows users who run their systems in a stupid manner than a slam against Microsoft, although Microsoft doesn't help very much. They need to look very seriously at making it possible for users to login as restricted users and still have anti-virus programs do their updating, firewalls to lock the network connections when they walk away, etc. That is OUTSIDE THE SCOPE OF THIS NEWSGROUP. Doing a proper install of GnuPG on Windows IS a part of this newsgroup.

If any of you have information of running GnuPG in a Windows environment with some other way of doing it other than as always one user with an Administrator account ship it to me. And do NOT ask me to install CygWin. If I want to run a Nix I shift to running Fedora Core Linux which I use over 85% of the time. That does NOT mean I am not a very knowledgeable Windows user. I am VERY good at understanding it.
On the other hand if you want to flame me and say I am stupid, or that I need lessons in writing, or that all I am doing is spamming like a University Computer Science Professor recently said I was doing (I believe he was the department chair), then HIT THE DELETE BUTTON instead. But please stop being arrogant unless you really know more about Windows than I do. If you have information for setting up GnuPG for WINDOWS users that run their systems as safely as possible (GnuPG is only one piece of that puzzle), then send it to me. But do it out of group please. I don't think it is of much general interest. From now on I will just write a simple - check this page out and paste the URL in it, mostly OUT of newsgroup in private email messages. Thanks HHH From dshaw at jabberwocky.com Thu Feb 8 21:45:32 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 8 Feb 2007 15:45:32 -0500 Subject: GnuPG on MS Vista In-Reply-To: <45CB86F1.7000607@gmail.com> References: <45CB86F1.7000607@gmail.com> Message-ID: <20070208204532.GA23127@jabberwocky.com> On Thu, Feb 08, 2007 at 09:24:17PM +0100, Jørgen Lysdal wrote: > Hi, it appears to be impossible to connect to any keyservers > through gpg on my newly installed Vista box. I have disabled > UAC and I'm running as admin, so that should not be the cause > of any problems. > > Whenever I try to get something from a keyserver I get: > > gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de > gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de > gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/ > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > > All the keyservers I have tried work well when using their > web interface. Does anyone know how to solve this problem? Can you do the request, but add --debug 1024 --keyserver-options "use-temp-files keep-temp-files" There will be a line that says something like "DBG: Using temp file such-and-such". Send me the tempin.txt and tempout.txt file. 
David From rjh at sixdemonbag.org Thu Feb 8 21:58:16 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 14:58:16 -0600 Subject: GnuPG on MS Vista In-Reply-To: <20070208204532.GA23127@jabberwocky.com> References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There will be a line that says something like "DBG: Using temp file > such-and-such". Send me the tempin.txt and tempout.txt file. David-- Vista has radically changed the process of compiling code for the platform. Neither MinGW nor Cygwin GCC work under Vista without substantial kludges and workarounds; Microsoft recommends against VS.NET and VS2003; VS2005 is only supported with the latest service pack and some known issues. GnuPG will not build with VS2005 without some major overhauls to the build environment. While I know that generally the Windows build system involves Linux and a cross-compiler for Win32, it's very possible behind-the-scenes changes in Vista will lead to breakage. It may be worth considering telling people that Vista is an unsupported OS for GnuPG 1.4.x. 
(goes back to hacking CMake and VS2005's command-line compiler) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) -----END PGP SIGNATURE----- From j.lysdal at gmail.com Thu Feb 8 22:09:41 2007 From: j.lysdal at gmail.com (Jørgen Lysdal) Date: Thu, 08 Feb 2007 22:09:41 +0100 Subject: GnuPG on MS Vista In-Reply-To: References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> Message-ID: <45CB9195.40304@gmail.com> Robert J. Hansen wrote: > It may be worth considering > telling people that Vista is an unsupported OS for GnuPG 1.4.x. But will it be supported in any near future? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 368 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070208/afa35aa0/attachment.pgp From rjh at sixdemonbag.org Thu Feb 8 23:02:10 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:02:10 -0600 Subject: GnuPG on MS Vista In-Reply-To: <45CB9195.40304@gmail.com> References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> <45CB9195.40304@gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > But will it be supported in any near future? That's up to the GnuPG developers, and whether they have any Vista boxes available to do regression testing on. They may have already tested it against Vista; I don't know. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Feb 8 23:37:05 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:37:05 -0600 Subject: New command line language parameter In-Reply-To: <45CB8A09.7090004@securemecca.net> References: <45CB8A09.7090004@securemecca.net> Message-ID: <55C09D1F-B0D1-49DF-89E8-922BE1CEC491@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > The present Windows GnuPG 1.4.X installs assume people [run > as Administrator]. The installer requires Administrator rights to install to the program files directory, just like every other Win32 program that wants to install there. Once installed, GnuPG does not require Administrator rights to run. > All they had to do was to copy and paste, AND THEN ALTER > SOME VARIABLES. This is unwise from a security perspective. Messing up a registry file can have terrible consequences. If you're advocating that people make edits to a registry file without understanding the registry, what they're looking at, what they're changing, etcetera, then disaster is waiting in the wings. Regular users should not edit the Windows registry. Ever. > There are several other things going along with this like the fact > that > without using higher order registry editing tools (not regedit) you > can't normally dive into anybody else's HKCU hive. This is by design; it's an important security mechanism. Alice shouldn't be allowed to inspect or modify Bob's registry entries. 
Only the Administrator should have access to everyone's registry entries. Please consider the implications of advocating that people bypass a security mechanism so they can install a piece of security software. It doesn't make much sense. > What is being provided in the GnuPG install is only suitable for > idiots who run as an Administrator, all the time with only one > account on the system and that one is an Administrator account... Please do not insult regular users by calling them idiots. The GnuPG installer is suitable for many kinds of Windows users. Speaking for myself, I administer a small XP network with several users, all of whom have GnuPG available to them. Their user accounts don't have Administrator privileges. The installer worked just fine for us. > One of the things that has occurred to me is to ask the question > "can I make GnuPG say a signed message is okay whether it is or > not?" By that I mean, can I by changing just the message strings > of GnuPG make all signed messages show up as okay? Sure. But if you install it as Administrator, then you need Administrator privileges to modify the file. If a malicious attacker has Administrator access to your Windows box, then it's a game-over condition anyway and there's nothing GnuPG can do to fix this. > If you don't think that if GnuPG takes off like mad on Windows According to the Enigmail folks, their number of Windows downloads are routinely an order of magnitude larger than their number of UNIX downloads. This strongly suggests more people run GnuPG on Windows than run GnuPG on UNIX. > That is probably more of a flame against Windows users who run their > systems in a stupid manner than a slam against Microsoft, although > Microsoft doesn't help very much. Again, we don't need to insult either users or corporations as being "stupid". 
> If any of you have information of running GnuPG in a Windows > environment with some other way of doing it other than as always > one user with an Administrator account ship it to me. Get the zip archive, uncompress it to some directory you own, add that directory to your own personal PATH. > On the other hand if you want to flame me and say I am stupid, > or that I need lessons in writing, or that all I am doing is > spamming like a University Computer Science Professor recently > said I was doing (I believe he was the department chair), I'm not a professor. I'm a pre-comps Ph.D. candidate in computer science. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) -----END PGP SIGNATURE----- From sjlopezb at hackindex.com Thu Feb 8 22:21:00 2007 From: sjlopezb at hackindex.com (Santiago José López Borrazás) Date: Thu, 08 Feb 2007 22:21:00 +0100 Subject: A question... Message-ID: <45CB943C.5010109@foo.hackindex.es> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi: I ask a question: How the two lines are removed that appears above all of the signed of messages? There is some human way to tell him al GnuPG to that show not those two lines of BEGIN PGP MESSAGE? TIA. - -- Regards from Santiago José López Borrazás. Admin of hackindex.com/.es Advanced knowledge of computer security. Advanced knowledge of networking. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Feb 8 23:56:35 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:56:35 -0600 Subject: A question... In-Reply-To: <45CB943C.5010109@foo.hackindex.es> References: <45CB943C.5010109@foo.hackindex.es> Message-ID: <7AF6DCD9-005C-457A-A1D2-DE2D304F46E9@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There is some human way to tell him al GnuPG to that show not those > two > lines of BEGIN PGP MESSAGE? Those two lines are required by OpenPGP and must be present in any clearsigned message. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) -----END PGP SIGNATURE----- From laurent.jumet at skynet.be Fri Feb 9 01:03:56 2007 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Fri, 09 Feb 2007 01:03:56 +0100 Subject: A question... In-Reply-To: <45CB943C.5010109@foo.hackindex.es> Message-ID: Hello Santiago ! Santiago José López Borrazás wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > How the two lines are removed that appears above all of the signed of > messages? > There is some human way to tell him al GnuPG to that show not those two > lines of BEGIN PGP MESSAGE? No, there is no human, and inclusive no God, that could remove the two first lines of a PGP message. -- Laurent Jumet KeyID: 0xCFAF704C From rjh at sixdemonbag.org Fri Feb 9 07:18:19 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 9 Feb 2007 00:18:19 -0600 Subject: Random numbers Message-ID: <4B919F51-BAC3-476B-B890-26A1578EF5F0@sixdemonbag.org> While this may be off-topic, sometimes the community needs a good laugh, and today's XKCD provides a good laugh about random numbers. :) http://www.xkcd.net From wk at gnupg.org Fri Feb 9 10:25:36 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 10:25:36 +0100 Subject: GnuPG on MS Vista In-Reply-To: (Robert J. 
Hansen's message of "Thu\, 8 Feb 2007 16\:02\:10 -0600") References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> <45CB9195.40304@gmail.com> Message-ID: <87veibisxb.fsf@wheatstone.g10code.de> On Thu, 8 Feb 2007 23:02, rjh at sixdemonbag.org said: > That's up to the GnuPG developers, and whether they have any Vista > boxes available to do regression testing on. They may have already No, I don't have decent hardware to install Vista on it. I plan to do so but it may take some time. A point which needs some investigation is the entropy gatherer - this is very system specific code and we need to check whether it will still deliver enough entropy. Shalom-Salam, Werner From antonio.bleile at seac02.it Fri Feb 9 11:11:41 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 11:11:41 +0100 Subject: Newbie question Message-ID: <45CBFFE900039C45@> (added by postmaster@aa001msb.fastweb.it) Hi all, I have a question concerning an "unusual" way of using gnuPG... I don't want to encrypt emails, I just want to encrypt binary data and deliver that over the internet. Consider the following scenario: I have a program that gets delivered to various clients. The program is a viewer for 3d models. The viewer can load and display various types of input formats (e.g. CAD models). It can also load models directly from a URL. Now we'd like to put some cool models on our web page but we don't want people to disassemble the file and thus getting to the mathematic definition of a CAD model (people giving you a CAD model of e.g. a brand new car are very concerned about their data!!!). So I thought to protect the data with public/private key encryption. We encrypt the data with a private key and put the result on our server. Our viewer contains the public key for decryption. You might say that it's easy to get to the data anyway, you just have to dump the memory of the program after the data has been decrypted.... 
But that requires some higher "criminal energy", and I think I can live with the risk... - So actually, my question is: Does this approach make any sense for you crypto-gurus out there? (Please forgive me my ignorance, I have just a vague memory of my cryptography lessons...). - Does libcrypt do the job? - The CAD data may contain a fixed header, so an attacker knowing the header might use this info to easily get the private key? Thank you and kind regards, Toni From antonio.bleile at seac02.it Fri Feb 9 11:36:35 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 11:36:35 +0100 Subject: Newbie question In-Reply-To: <45CC4D3E.907@radde.name> Message-ID: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it) Hi Sven, > Hi! > > Private/Public key does not buy you much in this case if all > you want is to obfuscate the file contents. > Just use some AES implementation with the same symmetric key > on the server and the client. > > Despite you seem to be aware of it, let me stress again: > It cannot possibly be secure if the decryption key is stored > alongside with the encrypted data (which is why I chose the > word "obfuscate" above). Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. Else, how should he read your mail? Am I totally wrong? Bye, Toni From wk at gnupg.org Fri Feb 9 11:54:27 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 11:54:27 +0100 Subject: Newbie question In-Reply-To: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it) (Antonio Bleile's message of "Fri\, 9 Feb 2007 11\:36\:35 +0100") References: <45CBFFE900041DDE@> Message-ID: <87veibfvoc.fsf@wheatstone.g10code.de> On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said: > Mh... That means I've missed something really fundamental... 
> When you send an encrypted mail you send the encrypted > data and the receiver at some point has both, the public > key and your encrypted mail. Else, how should he read your > mail? Am I totally wrong? It is the way around. You use the *public* key to *en*crypt to the recipient. The recipient uses his *private* key to *de*crypt. Of course you could include a private key in a viewer software so that anyone can encrypt files for use by this viewer. I think that is what you had in mind. Salam-Shalom, Werner From antonio.bleile at seac02.it Fri Feb 9 12:01:45 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 12:01:45 +0100 Subject: Newbie question In-Reply-To: <87veibfvoc.fsf@wheatstone.g10code.de> Message-ID: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it) Hi, > On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said: > > > Mh... That means I've missed something really fundamental... > > When you send an encrypted mail you send the encrypted data and the > > receiver at some point has both, the public key and your encrypted > > mail. Else, how should he read your mail? Am I totally wrong? > > It is the way around. You use the *public* key to *en*crypt > to the recipient. The recipient uses his *private* key to *de*crypt. > > Of course you could include a private key in a viewer > software so that anyone can encrypt files for use by this > viewer. I think that is what you had in mind. Exactly. I interchanged the terms. Weird. Shouldn't public be "public"??? Thank you for clearing this up. There are the other two questions still open ;) : - Does libcrypt do the job? I guess so... - The CAD data may contain a fixed header, so an attacker knowing the header might use this info to easily get the private key? 
Thanks and Salam, Toni From hans.ekbrand at gmail.com Fri Feb 9 11:53:22 2007 From: hans.ekbrand at gmail.com (Hans Ekbrand) Date: Fri, 9 Feb 2007 11:53:22 +0100 Subject: Newbie question In-Reply-To: <45CBFFE900041DDE@> References: <45CC4D3E.907@radde.name> <45CBFFE900041DDE@> Message-ID: <20070209105322.GG28831@localhost.localdomain> On Fri, Feb 09, 2007 at 11:36:35AM +0100, Antonio Bleile wrote: > Hi Sven, > > > Hi! > > > > Private/Public key does not buy you much in this case if all > > you want is to obfuscate the file contents. > > Just use some AES implementation with the same symmetric key > > on the server and the client. > > > > Despite you seem to be aware of it, let me stress again: > > It cannot possibly be secure if the decryption key is stored > > alongside with the encrypted data (which is why I chose the > > word "obfuscate" above). > > Mh... That means I've missed something really fundamental... > When you send an encrypted mail you send the encrypted > data and the receiver at some point has both, the public > key and your encrypted mail. The receiver has the *private* key. The sender encrypts with the *public* key. -- Hans Ekbrand (http://sociologi.cjb.net) Q. What is that strange attachment in this mail? A. My digital signature, see www.gnupg.org for info on how you could use it to ensure that this mail is from me and has not been altered on the way to you. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 191 bytes Desc: Digital signature Url : /pipermail/attachments/20070209/e5418791/attachment.pgp From wk at gnupg.org Fri Feb 9 14:56:58 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 14:56:58 +0100 Subject: Newbie question In-Reply-To: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it) (Antonio Bleile's message of "Fri\, 9 Feb 2007 12\:01\:45 +0100") References: <45CC027200049718@> Message-ID: <87ps8je8np.fsf@wheatstone.g10code.de> On Fri, 9 Feb 2007 12:01, antonio.bleile at seac02.it said: > - Does libcrypt do the job? I guess so... No. Libgcrypt provides basic building blocks but has no support for any specific protocol. > - The CAD data may contain a fixed header, so an atacker knowing > the header might use this info to easily get the private key? It all depends on the protocol used. Getting the protocol right is not easy and thus the best advice I can give is to use an established protocol like OpenPGP or CMS (pkcs#7). For your application I would simply use a different file suffix or a special MIME type and pipe the data through gpg while reading. 
Salam-Shalom, Werner From jharris at widomaker.com Sat Feb 10 00:41:51 2007 From: jharris at widomaker.com (Jason Harris) Date: Fri, 9 Feb 2007 18:41:51 -0500 Subject: new (2007-02-04) keyanalyze results (+sigcheck) Message-ID: <20070209234151.GA33946@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2007-02-04/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20070209/65be30bf/attachment.pgp From greg at reaume.name Sat Feb 10 01:09:02 2007 From: greg at reaume.name (Greg Reaume) Date: Fri, 09 Feb 2007 19:09:02 -0500 Subject: sig-keyserver-url Message-ID: <45CD0D1E.6020502@reaume.name> I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on Windows XP. I have it specified in my gpg.conf: sig-keyserver-url hkp://subkeys.pgp.net ...but it doesn't seem to have any effect. I also try to specify it on the cmd line: gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ######## ...and it proceeds with signing but leaves off the keyserver URL. I have found only one way to make it work on my own key. If I first self-sign my key, quit, then return to edit and use the 'keyserver' command it will work. If I try to do both things in the same edit session it will quietly take the command but do nothing. Unfortunately edit mode won't allow me to do this on someone else's key because I don't have the private key. I'm using the openpgp option (no-force-v3-sigs) and I have successfully set the cert-policy-url in my gpg.conf and it works every time. I have set list-options and verify-options show-keyserver-urls. verbose and debug 1024 options yield no useful output for this issue. I'm able to reproduce the behaviour on another Windows XP computer with a different key. Is this a bug? Is there anything I can do to provide more info to better troubleshoot the issue? 
TIA, Greg Reaume From dshaw at jabberwocky.com Sat Feb 10 04:12:45 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 9 Feb 2007 22:12:45 -0500 Subject: sig-keyserver-url In-Reply-To: <45CD0D1E.6020502@reaume.name> References: <45CD0D1E.6020502@reaume.name> Message-ID: <20070210031245.GA30327@jabberwocky.com> On Fri, Feb 09, 2007 at 07:09:02PM -0500, Greg Reaume wrote: > I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on > Windows XP. > > I have it specified in my gpg.conf: > sig-keyserver-url hkp://subkeys.pgp.net > ...but it doesn't seem to have any effect. > > I also try to specify it on the cmd line: > gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ######## > ...and it proceeds with signing but leaves off the keyserver URL. > > I have found only one way to make it work on my own key. If I first > self-sign my key, quit, then return to edit and use the 'keyserver' > command it will work. If I try to do both things in the same edit > session it will quietly take the command but do nothing. Unfortunately > edit mode won't allow me to do this on someone else's key because I > don't have the private key. > > I'm using the openpgp option (no-force-v3-sigs) and I have successfully > set the cert-policy-url in my gpg.conf and it works every time. I have > set list-options and verify-options show-keyserver-urls. verbose and > debug 1024 options yield no useful output for this issue. I think there is some confusion here. sig-keyserver-url applies to signatures. That is, signatures on data (--sign-file or the other signature making commands). It has no effect on signing keys (--sign-key). What are you trying to accomplish? David From rocket at heddway.com Sat Feb 10 22:13:42 2007 From: rocket at heddway.com (jason heddings) Date: Sat, 10 Feb 2007 14:13:42 -0700 Subject: Sending Public Key Message-ID: <001101c74d58$57e1b8e0$6700a8c0@enterprise> I'm making use of libgcrypt for a specific encryption application. 
I'm assuming that the following is secure: - Use libgcrypt to create a keypair - Save the S-exp to an internal, protected keystore - Base64 encode the public-key portion of the S-exp - Broadcast the base64-encoded key to associated clients - Use the broadcasted public-key to encrypt data - Send encrypted data back to a server containing the keystore - Only server can decrypt encrypted data using private keys Can someone please correct me if I am wrong? Is there a problem with this approach, or perhaps a better one? --jah From MichaelParker at gmx.de Sun Feb 11 15:44:37 2007 From: MichaelParker at gmx.de (Michael Parker) Date: Sun, 11 Feb 2007 15:44:37 +0100 Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader Message-ID: <200702111544.37742.MichaelParker@gmx.de> Hi, I tried to setup an external smartcard reader with a pinpad and on gentoo I don't get it to work. On an ubuntu-installation the pin isn't entered by the external pinpad but by the regular keyboard and that works fine. On gentoo I'm asked to enter the pin on the pinpad of the reader. After entering it doesn't find the secret key. Some details of my system: It's a Code: Bus 002 Device 002: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader gpg-agent.conf Code: pinentry-program /usr/bin/pinentry-qt no-grab default-cache-ttl 1800 gpg.conf Code: grep -v ^# gpg.conf | grep -v ^$ require-cross-certification keyserver hkp://subkeys.pgp.net hidden-encrypt-to 0219F045 hidden-encrypt-to 18BA2C46 default-recipient 0219F045 default-recipient 18BA2C46 use-agent reader access works gpg --card-status Code: Application ID ...: D276000124010101000100000AA60000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems ... I tried those variations of useflags settings Code: emerge -tpv gnupg Calculating dependencies... done! 
[ebuild R ] app-crypt/gnupg-2.0.2 USE="X nls smartcard -bzip2 -doc -ldap -openct -pcsc-lite (-selinux)" 0 kB emerge -tpv gnupg These are the packages that would be merged, in reverse order: Calculating dependencies... done! [ebuild R ] app-crypt/gnupg-2.0.2 USE="X nls pcsc-lite smartcard -bzip2 -doc -ldap -openct (-selinux)" 0 kB gpg-agent is running Code: ps ax | grep agent 23837 ? Ss 0:00 gpg-agent --daemon installed software Code: app-crypt/gnupg Latest version available: 2.0.2 Latest version installed: 2.0.2 Size of files: 3,876 kB Homepage: http://www.gnupg.org/ Description: The GNU Privacy Guard, a GPL pgp replacement License: GPL-2 app-crypt/pinentry Latest version available: 0.7.2-r2 Latest version installed: 0.7.2-r2 Size of files: 389 kB Homepage: http://www.gnupg.org/aegypten/ Description: Collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol License: GPL-2 sys-apps/pcsc-lite Latest version available: 1.3.1-r1 Latest version installed: 1.3.1-r1 Size of files: 822 kB Homepage: http://www.linuxnet.com/middle.html Description: PC/SC Architecture smartcard middleware library License: as-is sys-libs/libchipcard Latest version available: 2.1.8 Latest version installed: 2.1.8 Size of files: 974 kB Homepage: http://www.libchipcard.de Description: Libchipcard is a library for easy access to chip cards via chip card readers (terminals). License: GPL-2 * dev-libs/opensc Latest version available: 0.10.1 Latest version installed: 0.10.1 Size of files: 1,275 kB Homepage: http://www.opensc.org/ Description: SmartCard library and applications License: LGPL-2 * dev-libs/openct Latest version available: 0.6.6 Latest version installed: 0.6.6 Size of files: 550 kB Homepage: http://opensc.org/ Description: library for accessing smart card terminals License: BSD Does the external pinpad in between work at all under linux ? 
If ubuntu is configured that way, so pins are still entered by the regular keyboard, how do I configure it the same with gentoo ? Do I have to change my software/configuration ? Any hints will be appreciated From alon.barlev at gmail.com Sun Feb 11 17:42:53 2007 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 11 Feb 2007 18:42:53 +0200 Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader In-Reply-To: <200702111544.37742.MichaelParker@gmx.de> References: <200702111544.37742.MichaelParker@gmx.de> Message-ID: <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com> On 2/11/07, Michael Parker wrote: > Hi, > > I tried to setup an external smartcard reader with a pinpad and on gentoo I > don't get it to work. > On an ubuntu-installation the pin isn't entered by the external pinpad but by > the regular keyboard and that works fine. > On gentoo I'm asked to enter the pin on the pinpad of the reader. After > entering it doesn't find the secret key. If you use an opensc enabled card, does the PKCS#11 provider work with the external PIN pad? You can test it using firefox or pkcs11-tool. If yes, you can use the gnupg-pkcs11-scd. Best Regards, Alon Bar-Lev. From MichaelParker at gmx.de Sun Feb 11 18:18:03 2007 From: MichaelParker at gmx.de (Michael Parker) Date: Sun, 11 Feb 2007 18:18:03 +0100 Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader In-Reply-To: <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com> References: <200702111544.37742.MichaelParker@gmx.de> <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com> Message-ID: <200702111818.03917.MichaelParker@gmx.de> On Sunday 11 February 2007 17:42, Alon Bar-Lev wrote: > > If you use opensc enabled card, is the PKCS#11 provider works with the > external PIN pad? > You can test it using firefox or pkcs11-tool. > > If yes, you can use the gnupg-pkcs11-scd. > Hi Alon, thanks for the hint ! I don't know if I get it. 
For example:
when I try
pkcs11-tool -L

I get:

winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
Available slots:
Slot 0 (empty)
Slot 1 (empty)
Slot 2 (empty)
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)

which doesn't mean a thing to me.

I don't think that this is the reason for my problem. A year ago it already worked with the exception that there was no popup asking me to enter the pin by the cardreader.

As I mentioned the ubuntu-distribution behaves differently.

Kind regards,
Michael

From benjamin at py-soft.co.uk Sun Feb 11 18:44:59 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 11 Feb 2007 17:44:59 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45C0D588.70106@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk>
Message-ID: <45CF561B.90305@py-soft.co.uk>

Benjamin Donnachie wrote:
> Actually, I wonder whether creating bundle information for gpg-agent
> would be the solution... I'll give it a go soon and will let you know
> the outcome.

Ah no, that didn't work. But invoking gpg-agent with the option --pinentry-program "/bin/sh -c /Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac" did.

I'll modify my start gpg-agent script and release a new version soon. It's not a particularly great solution, but makes gnupg 2.0.2 usable under MacOS.

I haven't had chance to look into the MacOS function NSTask yet but if it does what we want correctly, I'll then look into a MacOS specific version of the assuan library.

Take care,

Ben

From alex at bofh.net.pl Sun Feb 11 18:58:40 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Sun, 11 Feb 2007 18:58:40 +0100
Subject: Sending Public Key
In-Reply-To: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise>
Message-ID: <20070211175840.GL11476@hell.pl>

On Sat, Feb 10, 2007 at 02:13:42PM -0700, jason heddings wrote:
> I'm making use of libgcrypt for a specific encryption application. I'm
> assuming that the following is secure:
>
> - Use libgcrypt to create a keypair
> - Save the S-exp to an internal, protected keystore
> - Base64 encode the public-key portion of the S-exp
> - Broadcast the base64-encoded key to associated clients
> - Use the broadcasted public-key to encrypt data
> - Send encrypted data back to a server containing the keystore
> - Only server can decrypt encrypted data using private keys
>
> Can someone please correct me if I am wrong? Is there a problem with this
> approach, or perhaps a better one?

Without a detailed specification of the protocol it is almost impossible, but for starters, do not encrypt actual non-random data with a pubkey. It is always a bad idea to roll your own crypto protocol, use SSL/TLS or OpenPGP or CMS, or XML cryptography if possible.

Alex

--
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is what doctors, lawyers, programmers and watchmakers are for -- Czerski

From alon.barlev at gmail.com Sun Feb 11 19:34:20 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 11 Feb 2007 20:34:20 +0200
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111818.03917.MichaelParker@gmx.de>
References: <200702111544.37742.MichaelParker@gmx.de> <9e0cf0bf0702110842s398be2d1y7bb660331e32639b@mail.gmail.com> <200702111818.03917.MichaelParker@gmx.de>
Message-ID: <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>

On 2/11/07, Michael Parker wrote:
> For example:
> when I try
> pkcs11-tool -L
>
> I get:
>
> winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared
> file: /var/run/pcscd.pub
> Available slots:
> Slot 0 (empty)
> Slot 1 (empty)
> Slot 2 (empty)
> Slot 3 (empty)
> Slot 4 (empty)
> Slot 5 (empty)
> Slot 6 (empty)
> Slot 7 (empty)

Strange... It seems like the pcscd is not up...
Can you check it out?

> I don't think that this is the reason for my problem. A year ago it already
> worked with the exception that there was no popup asking me to enter the pin
> by the cardreader.

So you will be able to reach at least the same state... :)

> As I mentioned the ubuntu-distribution behaves differently.

But you said ubuntu does not use the external PIN PAD...

Regards,
Alon Bar-Lev.

From MichaelParker at gmx.de Sun Feb 11 20:08:24 2007
From: MichaelParker at gmx.de (Michael Parker)
Date: Sun, 11 Feb 2007 20:08:24 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
References: <200702111544.37742.MichaelParker@gmx.de> <200702111818.03917.MichaelParker@gmx.de> <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com>
Message-ID: <200702112008.25358.MichaelParker@gmx.de>

On Sunday 11 February 2007 19:34, Alon Bar-Lev wrote:
> Strange... It seems like the pcscd is not up...
> Can you check it out?
ok, I did a
/etc/init.d/pcscd start
 * Starting pcscd ...

I get in /var/log/messages

Feb 11 20:03:36 zaphod su(pam_unix)[3950]: session opened for user root by (uid=500)
Feb 11 20:06:18 zaphod pcscd: configfile.l:106:evaluatetoken() Error with device GEN_SMART_RDR: No such file or directory
Feb 11 20:06:18 zaphod pcscd: configfile.l:107:evaluatetoken() You should use 'DEVICENAME /dev/null' if your driver does not use this field
Feb 11 20:06:18 zaphod pcscd: configfile.l:127:evaluatetoken() Error with library /usr/lib/readers/usb/libgen_ifd.so: No such file or directory
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:489:at_exit() cleaning /var/run
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:508:clean_temp_files() Cannot unlink /var/run/pcscd.comm: No such file or directory

> But you said ubuntu does not use the external PIN PAD...
That would be fine with me, because the pinpad wasn't supported in the past at all.

Kind regards,
Michael

From alon.barlev at gmail.com Sun Feb 11 20:13:31 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 11 Feb 2007 21:13:31 +0200
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702112008.25358.MichaelParker@gmx.de>
References: <200702111544.37742.MichaelParker@gmx.de> <200702111818.03917.MichaelParker@gmx.de> <9e0cf0bf0702111034w6003ea0en1e6ef9660b4d7b04@mail.gmail.com> <200702112008.25358.MichaelParker@gmx.de>
Message-ID: <9e0cf0bf0702111113m7d3ddf9bs4ca4108f4c00f3d1@mail.gmail.com>

On 2/11/07, Michael Parker wrote:
> > But you said ubuntu does not use the external PIN PAD...
> That would be fine with me, because the pinpad wasn't supported in the past at
> all.

Oh... I thought you wish to use the external PIN PAD...
You can work with MUSCLE mailing list in order to make pcscd work...
Sorry I cannot help you further...

Regards,
Alon Bar-Lev.

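Added example, not part of any message in this thread: a small triage script that reads the pkcs11-tool and pcscd lines quoted in the exchange above and reports what each one says is missing. The finding labels, function names and the reading of each message are this example's own assumptions, not pcsc-lite documentation.

```python
import re

# The pkcs11-tool and /var/log/messages lines quoted in the thread above.
SAMPLE = """\
winscard_clnt.c:320:SCardEstablishContextTH() Cannot open public shared file: /var/run/pcscd.pub
Feb 11 20:03:36 zaphod su(pam_unix)[3950]: session opened for user root by (uid=500)
Feb 11 20:06:18 zaphod pcscd: configfile.l:106:evaluatetoken() Error with device GEN_SMART_RDR: No such file or directory
Feb 11 20:06:18 zaphod pcscd: configfile.l:107:evaluatetoken() You should use 'DEVICENAME /dev/null' if your driver does not use this field
Feb 11 20:06:18 zaphod pcscd: configfile.l:127:evaluatetoken() Error with library /usr/lib/readers/usb/libgen_ifd.so: No such file or directory
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:489:at_exit() cleaning /var/run
Feb 11 20:06:18 zaphod pcscd: pcscdaemon.c:508:clean_temp_files() Cannot unlink /var/run/pcscd.comm: No such file or directory
"""

# Line shape seen above: <source file>:<line>:<function>() <message>,
# optionally preceded by a syslog "<date> <host> pcscd: " prefix.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+pcscd:\s+)?"
    r"(?P<src>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\)\s+(?P<msg>.*)$"
)

# Message patterns taken from the quoted lines; labels are this example's own.
RULES = [
    # Client side: the library could not find the daemon's shared file.
    ("client-cannot-reach-daemon",
     re.compile(r"Cannot open public shared file: (\S+)")),
    # Reader configuration names a device node that does not exist.
    ("reader-device-missing",
     re.compile(r"Error with device (\S+): No such file or directory")),
    # Reader configuration names a driver library that does not exist.
    ("reader-driver-missing",
     re.compile(r"Error with library (\S+): No such file or directory")),
    # Cleanup could not remove a runtime file because it was never there.
    ("daemon-runtime-file-missing",
     re.compile(r"Cannot unlink (\S+): No such file or directory")),
]


def parse(text):
    """Return (src, lineno, func, msg) for every line in the debug format."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # unrelated syslog lines (su, cron, ...) do not match
            records.append((m["src"], int(m["lineno"]), m["func"], m["msg"]))
    return records


def diagnose(text):
    """Return ordered (finding, subject) pairs for the recognised messages."""
    findings = []
    for _src, _lineno, func, msg in parse(text):
        if func == "at_exit":
            # Assumption: a message from at_exit() means the exit handler ran.
            findings.append(("daemon-exited", msg))
            continue
        for kind, rx in RULES:
            m = rx.search(msg)
            if m:
                findings.append((kind, m.group(1)))
                break
    return findings


def daemon_down(findings):
    """True when the lines show the daemon exiting or a client failing to reach it."""
    return any(kind in ("daemon-exited", "client-cannot-reach-daemon")
               for kind, _ in findings)


if __name__ == "__main__":
    results = diagnose(SAMPLE)
    for kind, subject in results:
        print(f"{kind:30} {subject}")
    print("pcscd down:", daemon_down(results))
```
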
From benjamin at py-soft.co.uk Sun Feb 11 20:31:19 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 11 Feb 2007 19:31:19 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45CF561B.90305@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk>
Message-ID: <45CF6F07.9040809@py-soft.co.uk>

Benjamin Donnachie wrote:
> Ah no, that didn't work. But invoking gpg-agent with the option
> --pinentry-program "/bin/sh -c
> /Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac" did.

How embarrassing... my mistake - I was still using the old patched version! Ooops... :-/

Ben

From hawke at hawkesnest.net Sun Feb 11 21:14:55 2007
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Sun, 11 Feb 2007 14:14:55 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
Message-ID:

Michael Parker wrote:
> Hi,
>
> I tried to setup an external smartcard reader with a pinpad and on gentoo I
> don't get it to work.
> On an ubuntu-installation the pin isn't entered by the external pinpad but by
> the regular keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.
>

For what it's worth, the external pinpad did start to work for me on Ubuntu for awhile. But then I changed something and it stopped (it may have been enabling ssh support in the scdaemon -- I changed a few things and didn't keep track of exactly what it was). So the external pinpad is very very close to working in Ubuntu.
-Alex Mauer "hawke"

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.

OpenPGP key id: 51192FF2 @ subkeys.pgp.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070211/2e942ad9/attachment.pgp

From johanw at vulcan.xs4all.nl Mon Feb 12 01:12:59 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 12 Feb 2007 01:12:59 +0100 (MET)
Subject: New command line language parameter
In-Reply-To: <45CB8A09.7090004@securemecca.net>
Message-ID: <200702120012.l1C0Cxl5005366@vulcan.xs4all.nl>

Henry Hertz Hobbit wrote:

>running GnuPG on Windows! To lead it all off, if you are running as
>an Administrator user all the time on Windows you are doing the
>equivalent of RUNNING AS root ALL THE TIME ON A UNIX SYSTEM! The
>present Windows GnuPG 1.4.X installs assume people do this.

On Unix systems, you also often have to be root to install software. Especially for GnuPG on Linux to set the s-bit to allow it to claim secure memory. To run it as user is no problem though, both on Linux or Windows.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From greg at reaume.name Mon Feb 12 04:14:51 2007
From: greg at reaume.name (Greg Reaume)
Date: Sun, 11 Feb 2007 22:14:51 -0500
Subject: sig-keyserver-url
Message-ID: <45CFDBAB.6000201@reaume.name>

On Fri, 9 Feb 2007 at 22:12:45 -0500, David Shaw wrote:
>
> I think there is some confusion here. sig-keyserver-url applies to
> signatures. That is, signatures on data (--sign-file or the other
> signature making commands). It has no effect on signing keys
> (--sign-key).
>
> What are you trying to accomplish?
>
> David

You're right, I'm using the wrong option then.

I want to attach the preferred keyserver URL to a key certification. I've been able to do it on my self-cert using the edit command 'keyserver', but how do I do it on someone else's key?

Is there another option I can put in my .conf file?

TIA,

Greg Reaume

From dshaw at jabberwocky.com Mon Feb 12 06:56:42 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 12 Feb 2007 00:56:42 -0500
Subject: sig-keyserver-url
In-Reply-To: <45CFDBAB.6000201@reaume.name>
References: <45CFDBAB.6000201@reaume.name>
Message-ID: <20070212055642.GB3208@jabberwocky.com>

On Sun, Feb 11, 2007 at 10:14:51PM -0500, Greg Reaume wrote:
> On Fri, 9 Feb 2007 at 22:12:45 -0500, David Shaw wrote:
> >
> > I think there is some confusion here. sig-keyserver-url applies to
> > signatures. That is, signatures on data (--sign-file or the other
> > signature making commands). It has no effect on signing keys
> > (--sign-key).
> >
> > What are you trying to accomplish?
> >
> > David
>
> You're right, I'm using the wrong option then.
>
> I want to attach the preferred keyserver URL to a key certification.
> I've been able to do it on my self-cert using the edit command
> 'keyserver', but how do I do it on someone else's key?

Given the current GPG, you can't. There is no ability to do that. You can only put a preferred keyserver URL on your own key (in a self-signature), or in a data signature.
David

From wk at gnupg.org Mon Feb 12 12:23:10 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 12:23:10 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <200702111544.37742.MichaelParker@gmx.de> (Michael Parker's message of "Sun\, 11 Feb 2007 15\:44\:37 +0100")
References: <200702111544.37742.MichaelParker@gmx.de>
Message-ID: <87d54faach.fsf@wheatstone.g10code.de>

On Sun, 11 Feb 2007 15:44, MichaelParker at gmx.de said:

> I tried to setup an external smartcard reader with a pinpad and on gentoo I
> don't get it to work.
> On an ubuntu-installation the pin isn't entered by the external pinpad but by
> the regular keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.

You need to make sure to use the internal CCID driver and not pcscd. This requires proper setting of the permissions as explained in the smart card how to and that you don't run pcscd!

To test this you should enter

  debug-ccid-driver
  debug 2048
  log-file /somewhere/scdaemon.log

into scdaemon.conf and kill a running scdaemon process. Instead of the log file you may also use watchgnupg as explained in the manual.

There is no support for PIN pads when using pcscd.

Shalom-Salam,

Werner

From wk at gnupg.org Mon Feb 12 12:27:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 12:27:02 +0100
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: (Alex L. Mauer's message of "Sun\, 11 Feb 2007 14\:14\:55 -0600")
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de>
Message-ID: <878xf3aa61.fsf@wheatstone.g10code.de>

On Sun, 11 Feb 2007 21:14, hawke at hawkesnest.net said:

> For what it's worth, the external pinpad did start to work for me on
> Ubuntu for awhile. But then I changed something and it stopped (it may
> have been enabling ssh support in the scdaemon -- I changed a few things
> and didn't keep track of exactly what it was). So the external pinpad
> is very very close to working in Ubuntu.

I am pretty sure that this is a problem of the distribution. The most common problem is that pcscd has been started and thus gained exclusive access to the reader.

BTW, I am using a Kobil Advanced reader all the day for ssh access as well as for signing files. The SPR532 does also work but the keyboard of the KAAN has better keys.

Salam-Shalom,

Werner

From rocket at heddway.com Mon Feb 12 15:15:44 2007
From: rocket at heddway.com (jason heddings)
Date: Mon, 12 Feb 2007 07:15:44 -0700
Subject: Sending Public Key
In-Reply-To: <20070211175840.GL11476@hell.pl>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise> <20070211175840.GL11476@hell.pl>
Message-ID: <000401c74eb0$497e19c0$6700a8c0@enterprise>

Thanks for the reply...

I think I'm missing something, then... Does that mean the operations provided by libgcrypt are not secure to use by themselves?

--jah

-----Original Message-----
From: Janusz A. Urbanowicz [mailto:alex at hell.pl] On Behalf Of Janusz A. Urbanowicz
Sent: Sunday, 11 February, 2007 10:59
To: jason heddings
Cc: gnupg-users at gnupg.org
Subject: Re: Sending Public Key

On Sat, Feb 10, 2007 at 02:13:42PM -0700, jason heddings wrote:
> I'm making use of libgcrypt for a specific encryption application. I'm
> assuming that the following is secure:
>
> - Use libgcrypt to create a keypair
> - Save the S-exp to an internal, protected keystore
> - Base64 encode the public-key portion of the S-exp
> - Broadcast the base64-encoded key to associated clients
> - Use the broadcasted public-key to encrypt data
> - Send encrypted data back to a server containing the keystore
> - Only server can decrypt encrypted data using private keys
>
> Can someone please correct me if I am wrong? Is there a problem with this
> approach, or perhaps a better one?

Without a detailed specification of the protocol it is almost impossible, but for starters, do not encrypt actual non-random data with a pubkey. It is always a bad idea to roll your own crypto protocol, use SSL/TLS or OpenPGP or CMS, or XML cryptography if possible.

Alex

--
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is what doctors, lawyers, programmers and watchmakers are for -- Czerski

From hawke at hawkesnest.net Mon Feb 12 16:13:32 2007
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Mon, 12 Feb 2007 09:13:32 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <878xf3aa61.fsf__1767.28663868762$1171284374$gmane$org@wheatstone.g10code.de>
References: <200702111544.37742.MichaelParker__1389.95028469271$1171211737$gmane$org@gmx.de> <878xf3aa61.fsf__1767.28663868762$1171284374$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:

> I am pretty sure that this is a problem of the distribution. The most
> common problem is that pcscd has been started and thus gained
> exclusive access to the reader.

I'd agree, except that mine is now prompting, and accepting input from the keyboard, for the PIN. That's a symptom of the problem you describe above, correct?

The previous pinpad problem I had was that it would prompt to use the pinpad but then would fail after entering the PIN. That's a separate problem, correct?

-Alex Mauer "hawke"

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.

OpenPGP key id: 51192FF2 @ subkeys.pgp.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070212/aa33dd25/attachment.pgp

From wk at gnupg.org Mon Feb 12 16:22:20 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Feb 2007 16:22:20 +0100
Subject: Sending Public Key
In-Reply-To: <000401c74eb0$497e19c0$6700a8c0@enterprise> (jason heddings's message of "Mon\, 12 Feb 2007 07\:15\:44 -0700")
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise> <20070211175840.GL11476@hell.pl> <000401c74eb0$497e19c0$6700a8c0@enterprise>
Message-ID: <873b5b5rkj.fsf@wheatstone.g10code.de>

On Mon, 12 Feb 2007 15:15, rocket at heddway.com said:

> I think I'm missing something, then... Does that mean the operations
> provided by libgcrypt are not secure to use by themselves?

It is with all tools. It needs to be used properly. A chainsaw is a very powerful tool but not used properly you will do worse than without.

Salam-Shalom,

Werner

From hawke at hawkesnest.net Mon Feb 12 18:18:31 2007
From: hawke at hawkesnest.net (Alex Mauer)
Date: Mon, 12 Feb 2007 11:18:31 -0600
Subject: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
In-Reply-To: <87d54faach.fsf__14086.0900086865$1171287201$gmane$org@wheatstone.g10code.de>
References: <200702111544.37742.MichaelParker@gmx.de> <87d54faach.fsf__14086.0900086865$1171287201$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
>
> There is no support for PIN pads when using pcscd.

Is this a limitation of pcscd or of GnuPG? It sounds like pcscd supports the pinpad as of 1.2.9. [1]

If it's a limitation of GnuPG, are there any plans to support it in future?
[1] http://lists.apple.com/archives/Apple-cdsa/2006/Jan/msg00107.html

-Alex Mauer "hawke"

From rocket at heddway.com Mon Feb 12 20:53:38 2007
From: rocket at heddway.com (jason heddings)
Date: Mon, 12 Feb 2007 12:53:38 -0700
Subject: Sending Public Key
In-Reply-To: <873b5b5rkj.fsf@wheatstone.g10code.de>
References: <001101c74d58$57e1b8e0$6700a8c0@enterprise><20070211175840.GL11476@hell.pl><000401c74eb0$497e19c0$6700a8c0@enterprise> <873b5b5rkj.fsf@wheatstone.g10code.de>
Message-ID: <001c01c74edf$7dd98770$6700a8c0@enterprise>

Thanks for the reply (and keeping me from making a big mistake)...

So, for doing basic data encryption / transmission, what's the right way to go? We just need to do public key encryption, send the data (via email or postal), decrypt on a backend.

Thanks for all the help here... Obviously I'm trying to forge new ground for our company.

--jah

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Monday, 12 February, 2007 08:22
To: jason heddings
Cc: 'Janusz A. Urbanowicz'; gnupg-users at gnupg.org
Subject: Re: Sending Public Key

On Mon, 12 Feb 2007 15:15, rocket at heddway.com said:

> I think I'm missing something, then... Does that mean the operations
> provided by libgcrypt are not secure to use by themselves?

It is with all tools. It needs to be used properly. A chainsaw is a very powerful tool but not used properly you will do worse than without.

Salam-Shalom,

Werner

From bdc at topenergy.co.nz Mon Feb 12 20:06:11 2007
From: bdc at topenergy.co.nz (Bruce Cowin)
Date: Tue, 13 Feb 2007 08:06:11 +1300
Subject: public keys newbie question
Message-ID:

As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?

Thanks.
Regards,

Bruce

From johanw at vulcan.xs4all.nl Mon Feb 12 02:25:31 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 12 Feb 2007 02:25:31 +0100 (MET)
Subject: GnuPG on MS Vista
In-Reply-To: <87veibisxb.fsf@wheatstone.g10code.de>
Message-ID: <200702120125.l1C1PVpn006334@vulcan.xs4all.nl>

Werner Koch wrote:

>No, I don't have decent hardware to install Vista on it.

Switching off the baby-face interface reduces hardware requirements a lot. That also helps with XP.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From linux at thorstenhau.de Mon Feb 12 23:01:13 2007
From: linux at thorstenhau.de (Thorsten Haude)
Date: Mon, 12 Feb 2007 23:01:13 +0100
Subject: public keys newbie question
In-Reply-To:
References:
Message-ID: <20070212220113.GH1886@eumel.yoo.local>

Hi,

* Bruce Cowin wrote (2007-02-13 08:06):
>As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?

Yup. They will also need your public key to verify stuff you signed.

Thorsten
--
Every person shall have the right freely to inform himself without hindrance from generally accessible sources.
- German Grundgesetz, Article 5, Sec. 1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070212/e01c73c6/attachment.pgp

From johanw at vulcan.xs4all.nl Tue Feb 13 00:05:35 2007
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue, 13 Feb 2007 00:05:35 +0100 (MET)
Subject: GnuPG on MS Vista
In-Reply-To: <45D0E788.30370.AC62479@gnupg.myrealbox.com>
Message-ID: <200702122305.l1CN5Zmi005003@vulcan.xs4all.nl>

Dennis wrote:

>> Switching off the baby-face interface reduces hardware requirements a lot.
>> That also helps with XP.

>What is the baby-face interface?

Also called "Aero" with Vista. Switch back to "classic" and the system requirements drop significantly without reducing the functionality.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From jajom at hawaiiantel.net Mon Feb 12 23:41:29 2007
From: jajom at hawaiiantel.net (Jim McQueeney)
Date: Mon, 12 Feb 2007 12:41:29 -1000
Subject: public keys newbie question
In-Reply-To:
References:
Message-ID: <45D0ED19.1050107@hawaiiantel.net>

Bruce Cowin wrote:
> As I understand it, people only need my public key if they are going to encrypt a file for me. If I will only be sending them encrypted files, then I need their public key but they don't need mine. Is this correct?
>
> Thanks.
>
>
>
> Regards,
>
> Bruce
>
>

Not quite; If you sign your messages, the recipient will need your public key to verify the signature...

--
* Jim McQueeney ** ***** Jim McQueeney ***** ******* OpenPGP ** DH: 0x22768E06 ******** ********* Keys *** DH: 0x41B6F689 ********

From alex at bofh.net.pl Tue Feb 13 14:14:53 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Tue, 13 Feb 2007 14:14:53 +0100
Subject: Sending Public Key
In-Reply-To: <001c01c74edf$7dd98770$6700a8c0@enterprise>
References: <873b5b5rkj.fsf@wheatstone.g10code.de> <001c01c74edf$7dd98770$6700a8c0@enterprise>
Message-ID: <20070213131453.GQ11476@hell.pl>

On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote:
> Thanks for the reply (and keeping me from making a big mistake)...
>
> So, for doing basic data encryption / transmission, what's the right way to
> go? We just need to do public key encryption, send the data (via email or
> postal), decrypt on a backend.
>
> Thanks for all the help here... Obviously I'm trying to forge new ground
> for our company.

It sounds like OpenPGP is exactly what you need. All senders get your key, encrypt the data, send it to you, you decrypt it. It can be easily automated with scripts around GPG or (in compiled languages) using GPGME. Since you don't mention need of any kinky stuff in the area of key management, it seems trivial.

And if you need moral support, I can attest that I've seen GPG used to do similar stuff in the banking industry.

Alex

--
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is what doctors, lawyers, programmers and watchmakers are for -- Czerski

From nobody at dizum.com Thu Feb 8 15:30:04 2007
From: nobody at dizum.com (Nomen Nescio)
Date: Thu, 8 Feb 2007 15:30:04 +0100 (CET)
Subject: storing password lists in mails to myself on IMAP?
Message-ID: <00387739ad35be0cc009f910b3bf73ab@dizum.com>

I use thunderbird on my laptop and desktop with an IMAP server, and I've been mailing myself encrypted mails with website passwords so I have access to them on both computers.

This is just as secure as encrypting a file and copying it onto both computers without using e-mail as a medium, right?

Or am I doing something stupid?

thanks

From dshaw at jabberwocky.com Tue Feb 13 17:43:11 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 13 Feb 2007 11:43:11 -0500
Subject: Sending Public Key
In-Reply-To: <001c01c74edf$7dd98770$6700a8c0@enterprise>
References: <873b5b5rkj.fsf@wheatstone.g10code.de> <001c01c74edf$7dd98770$6700a8c0@enterprise>
Message-ID: <20070213164310.GB2051@jabberwocky.com>

On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote:
> Thanks for the reply (and keeping me from making a big mistake)...
>
> So, for doing basic data encryption / transmission, what's the right way to
> go? We just need to do public key encryption, send the data (via email or
> postal), decrypt on a backend.

It sounds like straight OpenPGP will do the job for you. It is a well-understood and widely supported protocol for public key encryption. GnuPG can do what you need right out of the box, and can handle both email and postal easily.

David

From benjamin at py-soft.co.uk Tue Feb 13 20:03:24 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 13 Feb 2007 19:03:24 +0000
Subject: Compiling GnuPG 2.0.1 on MacOS X
In-Reply-To: <45CF6F07.9040809@py-soft.co.uk>
References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk>
Message-ID: <45D20B7C.8030909@py-soft.co.uk>

Benjamin Donnachie wrote:
> How embarrassing... my mistake - I was still using the old patched version!

Ah-ha! That's better! As a quick test I threw together the following helper application:

/*
** Mac OS fails to process bundle information correctly
** for pinentry-mac.
**
** This quick hack attempts to address that.
**
*/

#include <stdlib.h>   /* declares system() */

int main()
{
  return system ("/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac");
}

Compile this using "gcc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc pinentry-helper.c -o pinentry-helper" (Or download from http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-helper) and copy it to "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper".

Then add the following to ~/.gnupg/gpg-agent.conf:

pinentry-program "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper"

Unpatched gpg-agent (admittedly v1.9.21) correctly invokes pinentry-mac, reading the GUI bundle information correctly.

It needs more work to achieve a tidy solution - especially since the location of pinentry-mac is fixed and it fails to pass any command line arguments. Plus I might still use NSTask instead.

Ben

From dshaw at jabberwocky.com Tue Feb 13 19:45:55 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 13 Feb 2007 13:45:55 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
References: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <20070213184555.GD2051@jabberwocky.com>

On Thu, Feb 08, 2007 at 03:30:04PM +0100, Nomen Nescio wrote:
> I use thunderbird on my laptop and desktop with an IMAP server, and
> I've been mailing myself encrypted mails with website passwords so I
> have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it onto both
> computers without using e-mail as a medium, right?

Yes. If the data is securely encrypted, mail is just as good as any other over-the-network method for moving the file from machine to machine.

David

From jrhendri at maine.rr.com Tue Feb 13 19:20:25 2007
From: jrhendri at maine.rr.com (Jim Hendrick)
Date: Tue, 13 Feb 2007 13:20:25 -0500
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01>

What you are doing works. But take a look at password safe (Bruce Schneier & Counterpane labs). Also Password Gorilla (compatible w/ password safe)

If you are truly paranoid, you could encrypt and email the safe back and forth w/ gpg, or carry it on a USB stick.

> -----Original Message-----
> From: gnupg-users-bounces at gnupg.org
> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nomen Nescio
> Sent: Thursday, February 08, 2007 9:30 AM
> To: gnupg-users at gnupg.org
> Subject: storing password lists in mails to myself on IMAP?
>
>
> I use thunderbird on my laptop and desktop with an IMAP
> server, and I've been mailing myself encrypted mails with
> website passwords so I have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it
> onto both computers without using e-mail as a medium, right?
>
> Or am I doing something stupid?
>
> thanks
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From randy at randyburns.us Tue Feb 13 20:53:26 2007
From: randy at randyburns.us (Randy Burns)
Date: Tue, 13 Feb 2007 11:53:26 -0800 (PST)
Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <00387739ad35be0cc009f910b3bf73ab@dizum.com>
Message-ID: <163077.18506.qm@web50915.mail.yahoo.com>

--- Nomen Nescio wrote:

> I use thunderbird on my laptop and desktop with an IMAP server, and
> I've been mailing myself encrypted mails with website passwords so I
> have access to them on both computers.
>
> This is just as secure as encrypting a file and copying it onto both
> computers without using e-mail as a medium, right?
>
> Or am I doing something stupid?
>
> thanks
>

As far as I know, once it's encrypted, you can publish it on a webpage, or put it on a billboard by the highway if you want.
Without the secret key, and the passphrase, the message might as well be buried two miles under a pyramid by the Nile. It may not always be that way, but it is now. Randy From jbruni at mac.com Tue Feb 13 22:33:57 2007 From: jbruni at mac.com (Joseph Oreste Bruni) Date: Tue, 13 Feb 2007 14:33:57 -0700 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01> References: <000001c74f9b$a67e03b0$0b00a8c0@D7LMKZ01> Message-ID: <63C35C58-035B-484C-A9F8-91088AC66689@mac.com> If you happen to be using Mac OS X, you can store encrypted bits of information in the Keychain. And if you have a .mac account, your keychain data can be automatically synchronized across systems. -Joe On Feb 13, 2007, at 11:20 AM, Jim Hendrick wrote: > What you are doing works. But take a look at password safe (Bruce > Schneier & > Counterpane labs). Also Password Gorilla (compatible w/ password safe) > > If you are truly paranoid, you could encrypt and email the safe > back and > forth w/ gpg, or carry it on a USB stick. > > > >> -----Original Message----- >> From: gnupg-users-bounces at gnupg.org >> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nomen Nescio >> Sent: Thursday, February 08, 2007 9:30 AM >> To: gnupg-users at gnupg.org >> Subject: storing password lists in mails to myself on IMAP? >> >> >> I use thunderbird on my laptop and desktop with an IMAP >> server, and I've been mailing myself encrypted mails with >> website passwords so I have access to them on both computers. >> >> This is just as secure as encrypting a file and copying it >> onto both computers without using e-mail as a medium, right? >> >> Or am I doing something stupid? 
>> >> thanks >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From rocket at heddway.com Wed Feb 14 03:45:09 2007 From: rocket at heddway.com (jason heddings) Date: Tue, 13 Feb 2007 19:45:09 -0700 Subject: Sending Public Key In-Reply-To: <20070213164310.GB2051@jabberwocky.com> References: <873b5b5rkj.fsf@wheatstone.g10code.de><001c01c74edf$7dd98770$6700a8c0@enterprise> <20070213164310.GB2051@jabberwocky.com> Message-ID: <000001c74fe2$2558faa0$6700a8c0@enterprise> Thanks for all the help! We are going to look into OpenPGP and OpenSSL (since we may need it for our web server anyway). --jah -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw Sent: Tuesday, 13 February, 2007 09:43 To: gnupg-users at gnupg.org Subject: Re: Sending Public Key On Mon, Feb 12, 2007 at 12:53:38PM -0700, jason heddings wrote: > Thanks for the reply (and keeping me from making a big mistake)... > > So, for doing basic data encryption / transmission, what's the right way to > go? We just need to do public key encryption, send the data (via email or > postal), decrypt on a backend. It sounds like straight OpenPGP will do the job for you. It is a well-understood and widely supported protocol for public key encryption. GnuPG can do what you need right out of the box, and can handle both email and postal easily.
David _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From roam at ringlet.net Wed Feb 14 09:22:19 2007 From: roam at ringlet.net (Peter Pentchev) Date: Wed, 14 Feb 2007 10:22:19 +0200 Subject: Compiling GnuPG 2.0.1 on MacOS X In-Reply-To: <45D20B7C.8030909@py-soft.co.uk> References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk> <45D20B7C.8030909@py-soft.co.uk> Message-ID: <20070214082219.GA1956@straylight.m.ringlet.net> On Tue, Feb 13, 2007 at 07:03:24PM +0000, Benjamin Donnachie wrote: > Benjamin Donnachie wrote: > > How embarrassing... my mistake - I was still using the old patched version! > > Ah-ha! That's better! As a quick test I threw together the following > helper application:
>
> /*
> ** Mac OS fails to process bundle information correctly
> ** for pinentry-mac.
> **
> ** This quick hack attempts to address that.
> **
> */
>
> #include <stdlib.h>
>
> int main()
> {
>   return system
> ("/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac");
> }
Is there any reason for not using execv(3)? (disclaimer: not tested on PPC or MacOS X or, really, anything besides FreeBSD/i386 and Debian/i386...)
#include <stdio.h>	/* perror() */
#include <unistd.h>	/* execv() */

#ifndef __unused
#if defined(__GNUC__) && !defined(__INTEL_COMPILER)
#define __unused __attribute__((unused))
#else /* __GNUC__ */
#if defined(__INTEL_COMPILER)
#define __unused __attribute__((__unused__))
#else /* __INTEL_COMPILER */
#define __unused
#endif /* __INTEL_COMPILER */
#endif /* __GNUC__ */
#endif /* __unused */

#define APP "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"

int main(int argc __unused, char * const argv[])
{
	/* Replace this process with pinentry-mac, passing argv through. */
	execv(APP, argv);
	/* execv() only returns if it failed. */
	perror("execv");
	return (1);
}
Of course, you may skip the whole __unused dance if you know that you are only ever going to compile it on a single OS/arch/compiler - or if you don't care about compiler warnings :) > Compile this using "gcc -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch > i386 -arch ppc pinentry-helper.c -o pinentry-helper" (Or download from > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-helper) and > copy it to "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper". > > Then add the following to ~/.gnupg/gpg-agent.conf: > > pinentry-program > "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper" > > Unpatched gpg-agent (admittedly v1.9.21) correctly invokes pinentry-mac, > reading the GUI bundle information correctly. > > It needs more work to achieve a tidy solution - especially since the > location of pinentry-mac is fixed and it fails to pass any command line > arguments. The above will take care of passing command-line arguments; the executable location might be handled by a symlink or something. > Plus I might still use NSTask instead. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Nostalgia ain't what it used to be. -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20070214/4b6be4f0/attachment-0001.pgp From benjamin at py-soft.co.uk Wed Feb 14 19:58:28 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed, 14 Feb 2007 18:58:28 +0000 Subject: Compiling GnuPG 2.0.1 on MacOS X In-Reply-To: <20070214082219.GA1956@straylight.m.ringlet.net> References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk> <45D20B7C.8030909@py-soft.co.uk> <20070214082219.GA1956@straylight.m.ringlet.net> Message-ID: <45D35BD4.1000703@py-soft.co.uk> Peter Pentchev wrote: > Is there any reason for not using execv(3)? 'cos I was searching through my MacOS programming book for a solution to MacOS X not reading the GUI bundle information and it suggested using system. > G'luck, Christian's suggestion of trying a shell script was perfect and makes my life soooooo much easier! :) Ben From bdc at topenergy.co.nz Wed Feb 14 21:46:10 2007 From: bdc at topenergy.co.nz (Bruce Cowin) Date: Thu, 15 Feb 2007 09:46:10 +1300 Subject: GPG4Win keys not appearing Message-ID: I'm using GPG4win 1.0.8. I have imported a key and have used it for encrypting a few times. I notice that sometimes when I right click on a file, this key doesn't appear in the key lists and sometimes it does. Has anyone else experienced this? Do we know why it does this? Thanks. Regards, Bruce From twoaday at gmx.net Thu Feb 15 11:04:45 2007 From: twoaday at gmx.net (Timo Schulz) Date: Thu, 15 Feb 2007 11:04:45 +0100 Subject: GPG4Win keys not appearing In-Reply-To: References: Message-ID: <45D4303D.10108@gmx.net> Bruce Cowin wrote: > I notice that sometimes when I right click on a file, this key doesn't appear in the key > lists and sometimes it does. 
Has anyone else experienced this? Do we know why it does this? Do you use GPGee or the WinPT File Manager? GPGee has a website with a forum for such questions: http://gpgee.excelcia.org/ I'm not familiar with most parts of the code so I guess it's the best idea to use the forum and, maybe later, ask the author directly if this is a known problem. (I'm not aware of any bug tracker for this program) Timo From kfitzner at excelcia.org Thu Feb 15 12:14:02 2007 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Thu, 15 Feb 2007 04:14:02 -0700 Subject: GPG4Win keys not appearing Message-ID: <45D4407A.50703@excelcia.org> Hi Bruce, I'm the author of GPGee (GPG Explorer Extensions), which from what you have described, seems to be the component you're having problems with. I've had several reports of keys disappearing at odd times. I've never been able to duplicate the problem myself, so I haven't been able to track it down completely. My GPGee program ran into problems because it has to deal with an issue with GnuPG where specifying the same key ring more than once causes keys to duplicate in its output. It's quite easy to mis-configure the gpg.conf file to cause GPG to do this, so I had to write in code in the explorer extension that filtered this out. I am fairly certain it is this code that is, in certain cases, misbehaving, but I've not been able to work out exactly how. Several times I've requested a change to GPG to cause it to not duplicate keyring output, but this has not been done. If you can produce a sample keyring that exhibits the disappearing key behavior, I'll try again to track the problem down. Failing that, I suppose enough people will just have to step up and ask for GPG to change. Regards, Kurt Fitzner -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070215/aa5ffa3a/attachment.pgp From nobody at dizum.com Tue Feb 13 22:30:03 2007 From: nobody at dizum.com (Nomen Nescio) Date: Tue, 13 Feb 2007 22:30:03 +0100 (CET) Subject: storing password lists in mails to myself on IMAP? References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> Message-ID: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> Nomen Nescio wrote: > I use thunderbird on my laptop and desktop with an IMAP server, and > I've been mailing myself encrypted mails with website passwords so I > have access to them on both computers. > > This is just as secure as encrypting a file and copying it onto both > computers without using e-mail as a medium, right? > > Or am I doing something stupid? > You're doing something "strange" anyway. The encryption is just as strong either way, but any email client is liable to create temp files and stuff which could hold unencrypted copies of your password lists. Given that this is an IMAP account it's possible those temp files exist on the IMAP server. :-( From jbruni at mac.com Thu Feb 15 18:34:36 2007 From: jbruni at mac.com (Joseph Oreste Bruni) Date: Thu, 15 Feb 2007 09:34:36 -0800 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> Message-ID: On Thursday, February 15, 2007, at 10:01AM, "Nomen Nescio" wrote: >Nomen Nescio wrote: > >> I use thunderbird on my laptop and desktop with an IMAP server, and >> I've been mailing myself encrypted mails with website passwords so I >> have access to them on both computers. >> >> This is just as secure as encrypting a file and copying it onto both >> computers without using e-mail as a medium, right? >> >> Or am I doing something stupid? >> > >You're doing something "strange" anyway. 
The encryption is just as >strong either way, but any email client is liable to create temp >files and stuff which could hold unencrypted copies of your password >lists. Given that this is an IMAP account it's possible those temp >files exist on the IMAP server. :-( Not true. Since encryption and decryption can only take place on the local computer, there won't be any "temp" files stored on the IMAP server. From rjh at sixdemonbag.org Thu Feb 15 18:56:58 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 Feb 2007 12:56:58 -0500 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> Message-ID: <45D49EEA.8010009@sixdemonbag.org> Nomen Nescio wrote: > Given that this is an IMAP account it's possible those temp > files exist on the IMAP server. :-( Can you point me to an IMAP client which does this? Or to part of the IMAP RFC which lists "storing arbitrary data for the client's use on the server" as a feature? Or an IMAP server which supports this? Otherwise, this seems to be paranoid fantasy.
From bdc at topenergy.co.nz Thu Feb 15 21:07:20 2007 From: bdc at topenergy.co.nz (Bruce Cowin) Date: Fri, 16 Feb 2007 09:07:20 +1300 Subject: GPG4Win keys not appearing Message-ID: Hi Kurt, Yes it is GPGee I'm using. Thanks for the explanation. I'll see if I can produce the keyrings. Failing that, I guess we'll just keep trying until the key reappears or use GPG commands. Thanks again. Regards, Bruce >>> Kurt Fitzner 16/02/2007 12:14:02 a.m. >>> Hi Bruce, I'm the author of GPGee (GPG Explorer Extensions), which from what you have described, seems to be the component you're having problems with. I've had several reports of keys disappearing at odd times. I've never been able to duplicate the problem myself, so I haven't been able to track it down completely. My GPGee program ran into problems because it has to deal with an issue with GnuPG where specifying the same key ring more than once causes keys to duplicate in its output. It's quite easy to mis-configure the gpg.conf file to cause GPG to do this, so I had to write in code in the explorer extension that filtered this out. I am fairly certain it is this code that is, in certain cases, misbehaving, but I've not been able to work out exactly how. Several times I've requested a change to GPG to cause it to not duplicate keyring output, but this has not been done.
If you can produce a sample keyring that exhibits the disappearing key behavior, I'll try again to track the problem down. Failing that, I suppose enough people will just have to step up and ask for GPG to change. Regards, Kurt Fitzner From r.post at sara.nl Thu Feb 15 21:29:02 2007 From: r.post at sara.nl (Remco Post) Date: Thu, 15 Feb 2007 21:29:02 +0100 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <45D49EEA.8010009@sixdemonbag.org> References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> <45D49EEA.8010009@sixdemonbag.org> Message-ID: <45D4C28E.4040300@sara.nl> Robert J. Hansen wrote: > Nomen Nescio wrote: >> Given that this is an IMAP account it's possible those temp >> files exist on the IMAP server. :-( > > Can you point me to an IMAP client which does this? Or to part of the > IMAP RFC which lists "storing arbitrary data for the client's use on the > server" as a feature? Or an IMAP server which supports this? > most mail-clients store draft e-mails on the imap server, thunderbird does this with user-interaction, others might do the same without you knowing. Anything can be stored on the mailserver as a mail-message. > Otherwise, this seems to be paranoid fantasy. > > Not really. I can very well imagine it happening without you knowing. Of course, local temp diskspace is usually faster than an imap server, so very few applications will save unfinished mail on imap without you noticing. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Kind regards, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry.
Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From r.post at sara.nl Fri Feb 16 00:06:45 2007 From: r.post at sara.nl (Remco Post) Date: Fri, 16 Feb 2007 00:06:45 +0100 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org> References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> <45D49EEA.8010009@sixdemonbag.org> <45D4C28E.4040300@sara.nl> <47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org> Message-ID: <45D4E785.9050209@sara.nl> Robert J. Hansen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > >> most mail-clients store draft e-mails on the imap server, thunderbird >> does this with user-interaction, others might do the same without you >> knowing. Anything can be stored on the mailserver as a mail-message. > > That's true. That doesn't mean that MUAs should be thought of as > caching your passphrases on the server. If there were MUAs in common > use that did this, don't you think someone would have noticed by now? > You should if you mail yourself your passwords or passphrases. Highly unlikely nobody would have noticed by now, but be careful with what you do. -- Kind regards, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From rjh at sixdemonbag.org Thu Feb 15 23:59:23 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 Feb 2007 17:59:23 -0500 Subject: storing password lists in mails to myself on IMAP?
In-Reply-To: <45D4C28E.4040300@sara.nl> References: <00387739ad35be0cc009f910b3bf73ab@dizum.com> <8ddfbdf6a1be205168880b59e62dfa8d@dizum.com> <45D49EEA.8010009@sixdemonbag.org> <45D4C28E.4040300@sara.nl> Message-ID: <47EE23A4-5778-45DE-8A4A-31AF2A32E457@sixdemonbag.org> > most mail-clients store draft e-mails on the imap server, thunderbird > does this with user-interaction, others might do the same without you > knowing. Anything can be stored on the mailserver as a mail-message. That's true. That doesn't mean that MUAs should be thought of as caching your passphrases on the server. If there were MUAs in common use that did this, don't you think someone would have noticed by now? If this issue is the most pressing one in your security policy, then either check it out for yourself or get a definitive answer from someone you trust. Otherwise, start at the most pressing issues and start working your way down to the low-risk items like this.
From greg at reaume.name Fri Feb 16 02:28:35 2007 From: greg at reaume.name (Greg Reaume) Date: Thu, 15 Feb 2007 20:28:35 -0500 Subject: OpenPGP Card Digest Algorithms Message-ID: <45D508C3.4020909@reaume.name> Which digest algorithms does the OpenPGP card support? I'm getting the following error when I try to use my card: gpg: card does not support digest algorithm SHA256 gpg: signing failed: invalid argument TIA, Greg Reaume From dshaw at jabberwocky.com Fri Feb 16 06:03:26 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 16 Feb 2007 00:03:26 -0500 Subject: OpenPGP Card Digest Algorithms In-Reply-To: <45D508C3.4020909@reaume.name> References: <45D508C3.4020909@reaume.name> Message-ID: <20070216050326.GA27943@jabberwocky.com> On Thu, Feb 15, 2007 at 08:28:35PM -0500, Greg Reaume wrote: > Which digest algorithms does the OpenPGP card support?
> > I'm getting the following error when I try to use my card: > > gpg: card does not support digest algorithm SHA256 > gpg: signing failed: invalid argument The card supports SHA-1 and RIPEMD160. David From nobody at dizum.com Thu Feb 15 22:10:08 2007 From: nobody at dizum.com (Nomen Nescio) Date: Thu, 15 Feb 2007 22:10:08 +0100 (CET) Subject: storing password lists in mails to myself on IMAP? References: <45D49EEA.8010009@sixdemonbag.org> Message-ID: <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com> Robert J. Hansen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Nomen Nescio wrote: > > Given that this is an IMAP account it's possible those temp > > files exist on the IMAP server. :-( > > Can you point me to an IMAP client which does this? Or to part of the Amusing as it is to me anyway, Firefox will do this. Part of its crash recovery is saving a copy of messages you're composing every few keystrokes. I'm not even sure you can turn the feature off, and if you have an "everything but the kitchen sink on the server" setup those temporary copies are stored in a draft folder *on the IMAP server*, unencrypted. I know for a fact it can happen because I've seen it first hand on my own Courier/Postfix server in bold, living color. > IMAP RFC which lists "storing arbitrary data for the client's use on > the server" as a feature? Or an IMAP server which supports this? > > Otherwise, this seems to be paranoid fantasy. Yeah. Sure it does. Maybe you should think things through, or God forbid even run a few tests or something before puffing your chest there Robert. Especially when you're in the unenviable position of potentially being your own proof of concept.
From pcannon at riseup.net Thu Feb 15 22:28:05 2007 From: pcannon at riseup.net (pete) Date: Thu, 15 Feb 2007 16:28:05 -0500 Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5 Message-ID: <45D4D065.3040504@riseup.net> I have to communicate via PGP a lot via Windows, and I've been having a problem for a while that I'm trying to avoid having to go through a lengthy workaround. I'm running XP, Thunderbird 1.5.0.9 with GnuPG for Windows 0.7.4 (I know, I know -- I'm downloading an update right now, but I'm not sure that's the problem). When most people PGP me, they use GnuPG, and it's straightforward: I enter my passphrase, and it decrypts. However, people emailing me using PGP Desktop 9.5.2 give me a big headache.
I'll enter my passphrase, and get this error: gpg command line and output:,C:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --batch --no-tty --status-fd 2 -d --passphrase-fd 0 --no-use-agent ,gpg: invalid armor header: www.pgp.com\r\n,gpg: invalid radix64 character 2E skipped,gpg: invalid radix64 character 2E skipped,gpg: CRC error; 661020 - 8E84F7,gpg: packet(3) with unknown version 41 I played around for a while, and found a fix for this. The top of the message looks like this: > -----BEGIN PGP MESSAGE----- > Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use: > www.pgp.com PGP Desktop adds a second line for "www.pgp.com". If I paste the message into notepad and delete that line, then decrypt the text file I save, everything is fine. It's a huge hassle to do every time I have a message, though (and a potential security issue), so I'm looking for a way to have this decrypt regularly in Thunderbird? Sorry if this should be in the enigmail list, I'm not quite sure where to send it. From rjh at sixdemonbag.org Fri Feb 16 18:16:39 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 16 Feb 2007 12:16:39 -0500 Subject: storing password lists in mails to myself on IMAP? In-Reply-To: <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com> References: <45D49EEA.8010009@sixdemonbag.org> <09ef3c2b5bd7c6a2d6d89c152f771ec3@dizum.com> Message-ID: <371A3ACE-9966-4B7C-8278-039616635A94@sixdemonbag.org> > Maybe you should think things through, or God forbid even run a > few tests or something before puffing your chest there Robert. > Especially when you're in the unenviable position of potentialy > being your own proof of concept. I don't know why you have such an allergy to being shown wrong. Or why you think I do. It works like this: if you can find me a commonly-used IMAP client that's this stupid, then I will welcome being shown wrong. And really, why shouldn't I? Being wrong isn't the end of the world. 
But until you can show me an IMAP client in common use which is dumb enough to store sensitive and arbitrary data server-side, then I'm going to continue to say this is a nonissue and you shouldn't worry about it. You can also assume the existence of MUAs which, when you encrypt data, will also send an unencrypted copy to a recipient. This could be done while still being perfectly in accordance with the OpenPGP spec. And yet, we're not worried about MUAs doing it. Why? Because it's so incredibly dumb that we're going to assume people are smarter than that. The same logic applies here. Once you show me a commonly-used IMAP client that's this stupid, I'll happily admit that yes, I was wrong, and some IMAP client authors are this stupid. But until then, what's the use in fearmongering? From shavital at mac.com Fri Feb 16 22:20:14 2007 From: shavital at mac.com (Charly Avital) Date: Fri, 16 Feb 2007 23:20:14 +0200 Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5 In-Reply-To: <45D4D065.3040504@riseup.net> References: <45D4D065.3040504@riseup.net> Message-ID: <45D6200E.8040103@mac.com> pete wrote the following on 2/15/07 11:28 PM: [...] > I played around for a while, and found a fix for this. The top of the > message looks like this: > >> -----BEGIN PGP MESSAGE----- >> Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use: >> www.pgp.com > > PGP Desktop adds a second line for "www.pgp.com". I am a Mac registered user of PGP 9.5.2, and I have just made some googling on the issue you raise. I have seen examples of similar PGP headers, originated only by freeware versions of PGP Desktop (as far back as versions 7.*), where the header e.g.: Version: PGPfreeware 7.0.3 for non-commercial use Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com comes in one single line. I am aware that in your example, that header is longer because of the '(Build.....) mention. 
I correspond with a friend who uses a licensed PGP 9.5.2, where that header is also shorter than the one you mention. > If I paste the > message into notepad and delete that line, then decrypt the text file I > save, everything is fine. It's a huge hassle to do every time I have a > message, though (and a potential security issue),so I'm looking for a > way to have this decrypt regularly in Thunderbird? > > Sorry if this should be in the enigmail list, I'm not quite sure where > to send it. As far as I can remember there's an excellent list that addresses PGP issues named PGP-Basics: where subscribers and moderators are always ready to help. You can also try PGP's CTO Jon Callas , who's usually ready to help with PGP issues. Good luck Charly From dshaw at jabberwocky.com Fri Feb 16 23:51:52 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 16 Feb 2007 17:51:52 -0500 Subject: GnuPG, Thunderbird, and Armor Headers From PGP 9.5 In-Reply-To: <45D4D065.3040504@riseup.net> References: <45D4D065.3040504@riseup.net> Message-ID: <20070216225152.GE32368@jabberwocky.com> On Thu, Feb 15, 2007 at 04:28:05PM -0500, pete wrote: > > -----BEGIN PGP MESSAGE----- > > Version: PGP Desktop 9.5.2 (Build 4075) - not licensed for commercial use: > > www.pgp.com > > PGP Desktop adds a second line for "www.pgp.com". If I paste the > message into notepad and delete that line, then decrypt the text file I > save, everything is fine. It's a huge hassle to do every time I have a > message, though (and a potential security issue), so I'm looking for a > way to have this decrypt regularly in Thunderbird? This is a problem that pops up now and then. PGP Desktop isn't adding a second line (the "www.pgp.com"). Rather, it is adding one big Version line, and then something in the mail chain (generally it's their mail program) is "helping" by word wrapping the mail. Since that Version line is really long, the www.pgp.com bit ends up on a new line. 
You might want to ask the folks mailing you to check their word wrapping settings. David From benjamin at py-soft.co.uk Sat Feb 17 01:35:57 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 00:35:57 +0000 Subject: GnuPG v2.0.2 MAC OS install - TESTING NEEDED! Message-ID: <45D64DED.1070800@py-soft.co.uk> I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz (Sig available at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz.sig) This is a Universal Binary and /should/ work on both PPC and Intel. Save archive to disk, and then type "sudo tar xzvC / -f /path/to/mac-gnupg-2.0.2-TEST1.tgz" If you have not used mac-gpg2 before, you will then need to complete the following steps: i/ Add the new program "start gpg-agent" in Applications to the list of programs to start on login. ii/ Download http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist and save in ~/.MacOSX/ iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create ~/.profile if it doesn't already exist) iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line: pinentry-program "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper" v/ Log out. Then when you log in gpg-agent should be started automatically and be available to all applications. This has been tested on a PPC but not Intel yet. There's a small chance that it may not work at all on your system, but I need feedback so that I can improve it! Once I know that it's working I will write an installer that automates the above steps. Remember, you can install this alongside regular gpg and if this version doesn't work, regular gpg will be unaffected. No patches were needed to any of the code and only libgcrypt's config.h needed a minor edit for endian issues with the fat build. Thanks as always to Charly for this patience. 
Thanks to Werner and his team for such a great product, and thanks to the macgpg team for getting me started! :-) **** REMEMBER POSITIVE AND NEGATIVE FEEDBACK NEEDED!!! **** Ben From contactium at gmail.com Sat Feb 17 05:04:16 2007 From: contactium at gmail.com (Marc) Date: Fri, 16 Feb 2007 23:04:16 -0500 Subject: Problem with Evolution Message-ID: <1171685056.6052.15.camel@earth> Hello, I use GnuPG 1.4.3 with Ubuntu 6.10, Seahorse 0.9.5 and Evolution 2.8.1 and I have this error message : Because "can't connect to `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': Aucun fichier ou répertoire de ce type gpg: impossible de se connecter à `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': connect failed gpg: écriture de `-' gpg: DSA/SHA1 signature de: « 0F70F90E Marc » ", you may need to select different mail options. I don't have the file S.gpg-agent. How to include it in seahorse-akXvEN ? Thanks Marc. From shavital at mac.com Sat Feb 17 08:02:44 2007 From: shavital at mac.com (Charly Avital) Date: Sat, 17 Feb 2007 09:02:44 +0200 Subject: GnuPG v2.0.2 running on Intel Mac (was: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!) In-Reply-To: <45D64DED.1070800@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> Message-ID: <45D6A894.9060505@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Benjamin Donnachie wrote the following on 2/17/07 2:35 AM: [...] > Thanks as always to Charly for this patience. Thanks to Werner and his > team for such a great product, and thanks to the macgpg team for getting > me started! :-) > > > **** REMEMBER POSITIVE AND NEGATIVE FEEDBACK NEEDED!!! **** > > Ben > 1. Machine: Machine Name: Mac Machine Model: MacBook2,1 Processor Name: Intel Core 2 Duo Processor Speed: 2 GHz Number Of Processors: 1 Total Number Of Cores: 2 L2 Cache (per processor): 4 MB Memory: 2 GB Bus Speed: 667 MHz Boot ROM Version: MB21.00A5.B00 SMC Version: 1.13f3 2.
Running perfectly: [...]$ gpg-agent gpg-agent: gpg-agent running and available [...]$ gpg-agent --version gpg-agent (GnuPG) 2.0.2 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Tested for signing and decrypting. 3. My thanks go to Ben for his patience and dedication to have gpg2 configured for Intel Macs. Charly MacOS X 10.4.8 - GnuPG 1.4.6 - GnuPG2.0.2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Sat Feb 17 11:39:23 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 10:39:23 +0000 Subject: GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D64DED.1070800@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> Message-ID: <45D6DB5B.4000804@py-soft.co.uk> Benjamin Donnachie wrote: > I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available > at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.tgz There have been a couple of issues with the tar archive - I guess I'm too used to the command line! I'll throw together a friendlier GUI fronted install package this afternoon and will make an announcement when it's ready.
Ben From shavital at mac.com Sat Feb 17 12:24:22 2007 From: shavital at mac.com (Charly Avital) Date: Sat, 17 Feb 2007 13:24:22 +0200 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D6E09F.605@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk> <45D6E09F.605@py-soft.co.uk> Message-ID: <45D6E5E6.40303@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Benjamin Donnachie wrote the following on 2/17/07 1:01 PM: > Benjamin Donnachie wrote: >> I'll throw together a friendlier GUI fronted install >> package this afternoon and will make an announcement >> when it's ready. > > It was quicker than I thought... GUI install can be downloaded from > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.zip > > Double click to extract the installer from the archive and then double > click on the newly created mac-gnupg-2.0.2-TEST1 install package. > > Follow the prompts, entering your password when asked, and then all > files for gpg2 will be installed in the right places. > > You will still need to complete the following steps: > > ii/ Download > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist > and save in ~/.MacOSX/ > > iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create > ~/.profile if it doesn't already exist) > > iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line: > pinentry-program > "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper" > > > v/ Log out. > > > Remember that "~" is a shortcut recognised by the command line that > represents your home directory. So ~/.guupg/ actually means > /Users/benjamin/.gnupg/ on *my* system! > > Apologies for any confusion caused by the .tgz archive. Again, the > remaining install steps will be automated. 
> > Ben Hi, Although I had already managed with the command line used in the previous release, and reported that all was working fine, I downloaded the GUI package to test it. Unzipped, ran, logged out/logged back in (for good measure). Everything is working fine just as reported in my previous e-mail: gpg-agent is running fine for signing and decrypting in Thunderbird and Mail Thanks, Ben. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Sat Feb 17 12:01:51 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 11:01:51 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D6DB5B.4000804@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk> Message-ID: <45D6E09F.605@py-soft.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Benjamin Donnachie wrote: > I'll throw together a friendlier GUI fronted install > package this afternoon and will make an announcement > when it's ready. It was quicker than I thought... GUI install can be downloaded from http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST1.zip Double click to extract the installer from the archive and then double click on the newly created mac-gnupg-2.0.2-TEST1 install package. Follow the prompts, entering your password when asked, and then all files for gpg2 will be installed in the right places.
You will still need to complete the following steps: ii/ Download http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist and save in ~/.MacOSX/ iii/ Add "source ~/.gnupg/.gpg-agent" to the file ~/.profile (Create ~/.profile if it doesn't already exist) iv/ Create the file ~/.gnupg/gpg-agent.conf containing the single line: pinentry-program "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-helper" v/ Log out. Remember that "~" is a shortcut recognised by the command line that represents your home directory. So ~/.guupg/ actually means /Users/benjamin/.gnupg/ on *my* system! Apologies for any confusion caused by the .tgz archive. Again, the remaining install steps will be automated. Ben -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Sat Feb 17 12:29:51 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 11:29:51 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D6E5E6.40303@mac.com> References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk> <45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com> Message-ID: <45D6E72F.90602@py-soft.co.uk> Charly Avital wrote: > Everything is working fine just as reported in my previous e-mail: > gpg-agent is running fine for signing and decrypting in Thunderbird and Mail Excellent news! :-) > Version: GnuPG v1.4.6 (Darwin) What happens if you use gpg2 for signing etc? Take care, Ben From shavital at mac.com Sat Feb 17 13:01:58 2007 From: shavital at mac.com (Charly Avital) Date: Sat, 17 Feb 2007 14:01:58 +0200 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D6E72F.90602@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk> <45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com> <45D6E72F.90602@py-soft.co.uk> Message-ID: <45D6EEB6.90306@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Benjamin Donnachie wrote the following on 2/17/07 1:29 PM: [...] > > What happens if you use gpg2 for signing etc? 1. In Thunderbird, changed the executable path (typed in /usr/local/bin/gpg2), quit TB, launch TB, everything works fine. 2. I still have to find out how to change the executable path, system-wide, in GPGPreferences (attention Stéphane Corthésy). Ben, have a fine week end.
Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.2 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Sat Feb 17 13:18:42 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 12:18:42 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D6EEB6.90306@mac.com> References: <45D64DED.1070800@py-soft.co.uk> <45D6DB5B.4000804@py-soft.co.uk> <45D6E09F.605@py-soft.co.uk> <45D6E5E6.40303@mac.com> <45D6E72F.90602@py-soft.co.uk> <45D6EEB6.90306@mac.com> Message-ID: <45D6F2A2.1030506@py-soft.co.uk> Charly Avital wrote: >> What happens if you use gpg2 for signing etc? > 1. In Thunderbird, changed the executable path (typed in > /usr/local/bin/gpg2), quit TB, launch TB, everything works fine. > Version: GnuPG v2.0.2 (Darwin) Fantastic news! :-)))) Libgcrypt took a while to convince to build as a Universal Binary and I was concerned that it may not work on Intels. I've been over the executables with a fine tooth comb (okay, just otool -L) and there are not dependencies outside the Apple provided libraries, so the install should work on all Tiger Macs whether Intel or PPC! :-) (At least that's the theory!) Be From benjamin at py-soft.co.uk Sat Feb 17 14:36:42 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 13:36:42 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED!
In-Reply-To: <45D64DED.1070800@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> Message-ID: <45D704EA.4030301@py-soft.co.uk> Benjamin Donnachie wrote: > No patches were needed to any of the code and only libgcrypt's config.h > needed a minor edit for endian issues with the fat build. Unfortunately, gpg v2.0.2 does not appear to recognise the option pcsc-driver anymore: $ gpg2 --pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC --card-status gpg: Invalid option "--pcsc-driver" Despite the following in the man page: --pcsc-driver file Use file to access the smartcard reader. The current default is `libpcsclite.so.1' for GLIBC based systems, `/Sys- tem/Library/Frameworks/PCSC.framework/PCSC' for MAC OS X, `win- scard.dll' for Windows and `libpcsclite.so' for other systems. Neither scdaemon: /* The card dirver we use by default for PC/SC. */ #if defined(HAVE_W32_SYSTEM) || defined(__CYGWIN__) #define DEFAULT_PCSC_DRIVER "winscard.dll" #elif defined(__GLIBC__) #define DEFAULT_PCSC_DRIVER "libpcsclite.so.1" #else #define DEFAULT_PCSC_DRIVER "libpcsclite.so" #endif ... or pcsc-wrapper correctly default correctly on the Mac: #define DEFAULT_PCSC_DRIVER "libpcsclite.so" This shouldn't matter if you are using a CCID compliant smartcard reader as TEST1 was compiled with libusb support (Though this still needs testing). However, if you are using a PCSC smartcard reader please download the newly patched TEST2 at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2.zip Werner et al - any chance the source could please be patched for MacOS, or support for the pcsc-driver option returned? 
Ben From sadam at clemson.edu Sat Feb 17 13:35:25 2007 From: sadam at clemson.edu (Adam Schreiber) Date: Sat, 17 Feb 2007 07:35:25 -0500 Subject: Problem with Evolution In-Reply-To: <1171685056.6052.15.camel@earth> References: <1171685056.6052.15.camel@earth> Message-ID: <8298be230702170435x7fb94578j1eec0c5b17bd9433@mail.gmail.com> On 2/16/07, Marc wrote: > I use GnuPG 1.4.3 with Ubuntu 6.10, Seahorse 0.9.5 and > Evolution 2.8.1 and I have this error message : > > Because "can't connect to > `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': Aucun fichier ou > répertoire de ce type > gpg: impossible de se connecter à > `/home/marc/.gnome2/seahorse-akXvEN/S.gpg-agent': connect failed > gpg: écriture de `-' > gpg: DSA/SHA1 signature de: « 0F70F90E Marc » > ", you may need to select different mail options. > > I don't have the file S.gpg-agent. > How to include it in seahorse-akXvEN ? This message is really more appropriate for the seahorse-users list so I'm cc'ing it. I can only imagine that you have changed how you started up seahorse-agent and now have a stale entry at the end of ~/.gnupg/gpg.conf. Make sure that seahorse-agent is properly chained into your session with the information found on one of our wiki pages[1]. Cheers, Adam [1] http://live.gnome.org/Seahorse/SessionIntegration From benjamin at py-soft.co.uk Sat Feb 17 21:48:42 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 17 Feb 2007 20:48:42 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D64DED.1070800@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> Message-ID: <45D76A2A.2090908@py-soft.co.uk> Benjamin Donnachie wrote: > ii/ Download > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/environment.plist > and save in ~/.MacOSX/ I forgot to mention that this file will need editing - replace all instances of ~ with the full path to your user area. Unfortunately, it won't accept the ~ short cut.
Ben From wk at gnupg.org Sun Feb 18 14:07:52 2007 From: wk at gnupg.org (Werner Koch) Date: Sun, 18 Feb 2007 14:07:52 +0100 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45D704EA.4030301@py-soft.co.uk> (Benjamin Donnachie's message of "Sat\, 17 Feb 2007 13\:36\:42 +0000") References: <45D64DED.1070800@py-soft.co.uk> <45D704EA.4030301@py-soft.co.uk> Message-ID: <87ps87havr.fsf@wheatstone.g10code.de> On Sat, 17 Feb 2007 14:36, benjamin at py-soft.co.uk said: > $ gpg2 --pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC > --card-status > gpg: Invalid option "--pcsc-driver" There has never been such an option. You need to specify this option with scdaemon. gpg2 has no internal fallback support for smart cards. It requires gpg-agent/scdaemon. > Despite the following in the man page: > > --pcsc-driver file I'll fix the doc. > Neither scdaemon: I just tested scdaemon and it definitely has this option. > #define DEFAULT_PCSC_DRIVER "libpcsclite.so" I added a default value for OS X. Salam-Shalom, Werner From benjamin at py-soft.co.uk Sun Feb 18 18:44:48 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sun, 18 Feb 2007 17:44:48 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <87ps87havr.fsf@wheatstone.g10code.de> References: <45D64DED.1070800@py-soft.co.uk> <45D704EA.4030301@py-soft.co.uk> <87ps87havr.fsf@wheatstone.g10code.de> Message-ID: <45D89090.50401@py-soft.co.uk> Werner Koch wrote: > There has never been such an option. You need to specify this option > with scdaemon. gpg2 has no internal fallback support for smart > cards. It requires gpg-agent/scdaemon. [...] >> Despite the following in the man page: > I'll fix the doc. That'd be good - many thanks. >> Neither scdaemon: > I just tested scdaemon and it definitely has this option. But it wasn't defaulting correctly for Mac OS X though. >> #define DEFAULT_PCSC_DRIVER "libpcsclite.so" > I added a default value for OS X. 
That's great - many thanks! :-) Ben From pubmb01 at skynet.be Sun Feb 18 23:11:37 2007 From: pubmb01 at skynet.be (Bruno Costacurta) Date: Sun, 18 Feb 2007 23:11:37 +0100 Subject: Keyserver refresh period after gpg --send-keys Message-ID: <200702182311.37828.pubmb01@skynet.be> Hello, I updated the expiration (via gpg --edit-key using expire option) of my key and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to keyserver subkeys.pgp.net. However key is still not updated after few hours. What are normal delays ? Bye, Bruno -- http://counter.li.org/ #353844 -- From JPClizbe at tx.rr.com Mon Feb 19 02:34:16 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Sun, 18 Feb 2007 19:34:16 -0600 Subject: Keyserver refresh period after gpg --send-keys In-Reply-To: <200702182311.37828.pubmb01@skynet.be> References: <200702182311.37828.pubmb01@skynet.be> Message-ID: <45D8FE98.4080408@tx.rr.com> Bruno Costacurta wrote: > Hello, > > I updated the expiration (via gpg --edit-key using expire option) of my key > and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to > keyserver subkeys.pgp.net. > However key is still not updated after few hours. > What are normal delays ? Depends on the actual server that subkeys.pgp.net resolved to. Try sending to the SKS keyserver net, hkp://pool.sks-keyservers.net -- John P. Clizbe Inet: JPClizbe(a)tx DAWT rr DAHT com "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
From niknot at gmail.com Mon Feb 19 01:27:24 2007 From: niknot at gmail.com (NikNot) Date: Sun, 18 Feb 2007 16:27:24 -0800 Subject: Newbie question In-Reply-To: <87ps8je8np.fsf@wheatstone.g10code.de> References: <45CC027200049718@> <87ps8je8np.fsf@wheatstone.g10code.de> Message-ID: <328a5cf40702181627w3cbfd1bcq1a78269277006740@mail.gmail.com> I used libTomCrypt (cf.: http://libtom.org/) to implement something similar. The data viewer executable contains (somewhat concealed) private key, and data sets are encrypted using the public key of the pair. (LibTomCrypt is much more flexible and easier to program against than Libgcrypt when you are building your own applications that have nothing to do with PGP). Piping data through GPG is not a solution that our users would appreciate. NikNot On 2/9/07, Werner Koch wrote: > On Fri, 9 Feb 2007 12:01, antonio.bleile at seac02.it said: > > > - Does libcrypt do the job? I guess so... > > No. Libgcrypt provides basic building blocks but has no support for > any specific protocol. > > > - The CAD data may contain a fixed header, so an attacker knowing > > the header might use this info to easily get the private key? > > It all depends on the protocol used. Getting the protocol right is > not easy and thus the best advice I can give is to use an established > protocol like OpenPGP or CMS (pkcs#7) > > For your application I would simply use a different file suffix or a > special MIME type and pipe the data through gpg while reading.
> > > Salam-Shalom, > > Werner > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Mon Feb 19 05:31:55 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 18 Feb 2007 23:31:55 -0500 Subject: Keyserver refresh period after gpg --send-keys In-Reply-To: <200702182311.37828.pubmb01@skynet.be> References: <200702182311.37828.pubmb01@skynet.be> Message-ID: <20070219043155.GA6216@jabberwocky.com> On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote: > Hello, > > I updated the expiration (via gpg --edit-key using expire option) of my key > and (re)sended it to a keyserver (via gpg --send-keys [my key id]) to > keyserver subkeys.pgp.net. > However key is still not updated after few hours. > What are normal delays ? There is not an easy answer to that question. subkeys.pgp.net is not actually a keyserver, but rather a collection of (at the moment) 5 different keyservers. When you use it, you get one server from the pool in a round-robin fashion. Generally speaking, any given keyserver in the pool that you update reflects the update immediately, but frequently people update one keyserver in the pool, but then check for the update from another server in the pool which hasn't gotten it yet. That said, if you don't see an update by tomorrow, I'd send it again. David From eemaestro at gmail.com Mon Feb 19 15:21:56 2007 From: eemaestro at gmail.com (eemaestro at gmail.com) Date: Mon, 19 Feb 2007 09:21:56 -0500 Subject: Local file encryption Message-ID: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> I have been using gpg to encrypt/decrypt files on my computer "for my eyes only". I have been using my public/private keypair on my keyring to do so. 
I just discovered that I can use encrypt/decrypt local files using a symmetric cipher--i.e., you enter one secret passphrase to encrypt and then enter the same secret passphrase to decrypt. Since my encryption is only for files for myself, do you think using a symmetric cipher would be a better idea, or doesn't it matter? Or is choice of a passphrase a bigger issue than the type of cipher -- symmetric vs. public/private keypair ? From ml at mareichelt.de Mon Feb 19 16:41:37 2007 From: ml at mareichelt.de (markus reichelt) Date: Mon, 19 Feb 2007 16:41:37 +0100 Subject: Key signing at FOSDEM Message-ID: <20070219154137.GC7353@tatooine.rebelbase.local> Hi, this is just a reminder that there's a key signing party at FOSDEM this year again. I am a bit late to post this note (due to carneval season), submissions are already closed by now, but it's possible to exchange key fingerprints according to the usual scheme (with me ;-) FOSDEM takes place in Brussels, 24/25th this month. http://fosdem.org/2007/keysigning#gpg for more info PS: There's a CAcert event as well, in case you are interested. -- left blank, right bald From JPClizbe at tx.rr.com Mon Feb 19 17:05:53 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 19 Feb 2007 10:05:53 -0600 Subject: Local file encryption In-Reply-To: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> Message-ID: <45D9CAE1.7040904@tx.rr.com> eemaestro at gmail.com wrote: > I have been using gpg to encrypt/decrypt files on my computer "for my > eyes only". I have been using my public/private keypair on my keyring > to do so.
I just discovered that I can use encrypt/decrypt local > files using a symmetric cipher--i.e., you enter one secret passphrase > to encrypt and then enter the same secret passphrase to decrypt. > Since my encryption is only for files for myself, do you think using a > symmetric cipher would be a better idea, or doesn't it matter? Or > is choice of a passphrase a bigger issue than the type of cipher -- > symmetric vs. public/private keypair ? If your GnuPG keyring files reside on the computer, then either approach is equivalent -- your protection is ultimately determined by the strength of the chosen passphrase protecting the secret key or the encrypted file. Either method will encrypt the file using a symmetric cipher. The difference is that in OpenPGP, a random session key is generated and that is used to symmetrically encrypt the file. Then, the session key is encrypted using the chosen public key(s). The passphrase is only one protection on your keypair and it's pretty much the protection of last resort - given an easily guessable/brute-forced passphrase, it's "Game-Over." if an attacker gets access to the keyring files. Another protection is to physically secure your keyring files (or at the minimum, the secret ring) by storing it on removable media of some sort: floppy, PCMCIA flash card, USB dongle,... and removing that media when you leave the computer. Now, an attacker must have both the media with the secret keyring as well as the secret key's passphrase. If removable media is not an option, or for additional security on removable media, you may use a disk encryption product such as TrueCrypt to create an encrypted volume to store your keyring files. (Hint: Use a new key and passphrase.) -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." 
"how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070219/92a15420/attachment.pgp From nobody at dizum.com Fri Feb 16 20:10:02 2007 From: nobody at dizum.com (Nomen Nescio) Date: Fri, 16 Feb 2007 20:10:02 +0100 (CET) Subject: storing password lists in mails to myself on IMAP? References: <371A3ACE-9966-4B7C-8278-039616635A94@sixdemonbag.org> Message-ID: <93d1c364422a311e2ebf9f3ccc9aaf7c@dizum.com> Robert J. Hansen wrote: > > Maybe you should think things through, or God forbid even run a > > few tests or something before puffing your chest there Robert. > > Especially when you're in the unenviable position of potentialy > > being your own proof of concept. > > I don't know why you have such an allergy to being shown wrong. Or > why you think I do. > > It works like this: if you can find me a commonly-used IMAP client > that's this stupid, then I will welcome being shown wrong. And > really, why shouldn't I? Being wrong isn't the end of the world. Well Robert, unless you care to further debase yourself by trying to argue the Thunderbird isn't a "commonly-used IMAP client" you've been handed the very example you're harping about. By two different people no less. It was in the part you snipped and ignored, in case you were wondering. The bottom line is this: There's probably a lot of IMAP clients out there that will by default or design write portions or whole copies of unencrypted text to a server. It really doesn't take a boat load of IQ points to realize this is the nature of IMAP. Storing pass phrases in email at all is bad idea for a number of reasons. You don't have many clues what a client does with it when it's open for one. 
The odds you'll inadvertently click where you shouldn't and send an unencrypted copy some place you don't want it to go increase dramatically too. Likewise the chances of corruption or compromise at the hands of some script kiddie. If we invested a little thought in the project though we could probably come up with a few dozen reasons why mailing passwords about is a bad idea even if you have absolute control over the hardware at the end points of the encryption, let ALONE any scenario where you can't guarantee they won't be written to hardware you don't own. In the clear. :-( From alex at bofh.net.pl Mon Feb 19 17:11:14 2007 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Mon, 19 Feb 2007 17:11:14 +0100 Subject: Local file encryption In-Reply-To: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> Message-ID: <20070219161114.GK7549@hell.pl> On Mon, Feb 19, 2007 at 09:21:56AM -0500, eemaestro at gmail.com wrote: > I have been using gpg to encrypt/decrypt files on my computer "for my > eyes only". I have been using my public/private keypair on my keyring > to do so. I just discovered that I can use encrypt/decrypt local > files using a symmetric cipher--i.e., you enter one secret passphrase > to encrypt and then enter the same secret passphrase to decrypt. > Since my encryption is only for files for myself, do you think using a > symmetric cipher would be a better idea, or doesn't it matter? Or > is choice of a passphrase a bigger issue than the type of cipher -- > symmetric vs. public/private keypair ? It doesn't matter, in both cases the files are symmetrically encrypted, only keying method changes. I prefer to use pubkey encryption anyway, one passphrase less to remember. -- JID: alex at hell.pl PGP: 0x46399138 paying attention to details is the job of doctors, lawyers, programmers and watchmakers -- Czerski
From jharris at widomaker.com Mon Feb 19 17:51:02 2007 From: jharris at widomaker.com (Jason Harris) Date: Mon, 19 Feb 2007 11:51:02 -0500 Subject: Keyserver refresh period after gpg --send-keys In-Reply-To: <20070219043155.GA6216@jabberwocky.com> References: <200702182311.37828.pubmb01@skynet.be> <20070219043155.GA6216@jabberwocky.com> Message-ID: <20070219165102.GA82395@wilma.widomaker.com> On Sun, Feb 18, 2007 at 11:31:55PM -0500, David Shaw wrote: > On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote: > > I updated the expiration (via gpg --edit-key using expire option) of my key > > and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to > > keyserver subkeys.pgp.net. > > However key is still not updated after few hours. > > What are normal delays ? Keys do get temporarily "trapped" on the SKS keyserver network until keyserver.kjsl.com copies them over to the rest of the planet. BTW, your subkey isn't currently usable: sub 2048g/0CC897B5 2006-06-11 [subkey] Key fingerprint = CCE0 5315 0022 9460 0337 6C6F 4253 1C9A 0CC8 97B5 sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f] sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f] > There is not an easy answer to that question. subkeys.pgp.net is not > actually a keyserver, but rather a collection of (at the moment) 5 > different keyservers. When you use it, you get one server from the > pool in a round-robin fashion. Generally speaking, any given > keyserver in the pool that you update reflects the update immediately, > but frequently people update one keyserver in the pool, but then check > for the update from another server in the pool which hasn't gotten it > yet. NB: I think if GPG printed the IP address of the keyserver it used, it could end some of this confusion. Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/ etc.
(all times are TZ=UTC): 2007-02-06 23:02:08.290952260 display_new_sig: new sig 28 by 2E604D51 added to 2E604D51 Bruno Costacurta and these were in another batch update: 2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51 added to 2E604D51 Bruno Costacurta -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 From a24061 at yahoo.com Mon Feb 19 17:42:42 2007 From: a24061 at yahoo.com (Adam Funk) Date: Mon, 19 Feb 2007 16:42:42 +0000 Subject: Local file encryption References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> <45D9CAE1.7040904@tx.rr.com> Message-ID: <2l0pa4-8rp.ln1@news.ducksburg.com> On 2007-02-19, John Clizbe wrote: > The passphrase is only one protection on your keypair and it's > pretty much the protection of last resort - given an easily > guessable/brute-forced passphrase, it's "Game-Over." if an attacker > gets access to the keyring files. Another protection is to > physically secure your keyring files (or at the minimum, the secret > ring) by storing it on removable media of some sort: Is there any reason to physically secure your *public* keyring in normal use? (Well, I suppose you might want to hide your secret identity!)
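Added example (not part of any message in this archive and not GnuPG code): Janusz A. Urbanowicz's reply in this thread says that both modes produce symmetrically encrypted files and only the keying method changes. The Python code below lists the cleartext RFC 4880 packet framing of two constructed messages to show exactly that, and goes one step further by reporting what the public-key form leaves readable without any key (recipient key ID, algorithm, MPI size). All message bytes, the key ID 0123456789ABCDEF and the helper names are made up for the demonstration.

```python
"""List the cleartext framing of OpenPGP messages (RFC 4880 packet layout).

Every message byte below is constructed for illustration; nothing is decrypted.
"""
import struct

TAGS = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SEIPD"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 16: "Elgamal"}
CIPHERS = {2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128", 9: "AES256"}

def read_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if hdr & 0x40:                       # new format: tag in bits 5-0
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:
                length = struct.unpack(">I", data[pos + 1:pos + 5])[0]
                pos += 5
            else:
                raise ValueError("partial body lengths are out of scope here")
        else:                                # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                   # indeterminate: runs to the end
                length = len(data) - pos
            else:
                size = 1 << ltype            # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body

def describe(tag, body):
    """Return the fields an observer can read without holding any key."""
    info = {"packet": TAGS.get(tag, "tag %d" % tag), "length": len(body)}
    if tag == 1 and body[0] == 3:            # public-key encrypted session key
        key_id = body[1:9]
        info["key_id"] = key_id.hex().upper()
        info["key_id_zeroed"] = key_id == bytes(8)   # RFC 4880 wildcard key ID
        info["pubkey_algo"] = PUBKEY_ALGOS.get(body[9], str(body[9]))
        bits, pos = [], 10
        while pos + 2 <= len(body):          # each MPI: 16-bit bit count + value
            n = int.from_bytes(body[pos:pos + 2], "big")
            bits.append(n)
            pos += 2 + (n + 7) // 8
        info["mpi_bits"] = bits              # tracks the recipient's key size
    elif tag == 3 and body[0] == 4:          # passphrase-keyed session key
        info["cipher"] = CIPHERS.get(body[1], str(body[1]))
        info["s2k_type"] = body[2]           # 3 = iterated and salted
    return info

def summarize(message):
    """Describe every packet of a binary (unarmored) OpenPGP message."""
    return [describe(tag, body) for tag, body in read_packets(message)]

def new_packet(tag, body):
    """New-format header; the constructed samples stay below 8384 octets."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def old_packet(tag, body):
    """Old-format header with a two-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def mpi(nbits):
    """Constructed MPI: 16-bit bit count, then a filler value of that size."""
    top = 1 << ((nbits - 1) % 8)
    return struct.pack(">H", nbits) + bytes([top]) + b"\x5a" * ((nbits + 7) // 8 - 1)

# Constructed stand-in for the encrypted body (SEIPD, version octet 1).
CIPHERTEXT = new_packet(18, b"\x01" + bytes(range(64)))

def sample_pubkey(key_id):
    """Message encrypted to an RSA key: v3 PKESK, key ID, algo 1, m^e mod n."""
    return old_packet(1, bytes([3]) + key_id + bytes([1]) + mpi(2048)) + CIPHERTEXT

def sample_symmetric():
    """Passphrase message: v4 SKESK, CAST5, salted+iterated S2K using SHA-1."""
    return new_packet(3, bytes([4, 3, 3, 2]) + b"saltsalt" + bytes([0x60])) + CIPHERTEXT

if __name__ == "__main__":
    for name, msg in (("public key", sample_pubkey(bytes.fromhex("0123456789ABCDEF"))),
                      ("zeroed key ID", sample_pubkey(bytes(8))),
                      ("passphrase", sample_symmetric())):
        print(name, summarize(msg))
```

Both sample messages end in the same SEIPD packet; only the first packet, which carries or derives the session key, differs.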
From dshaw at jabberwocky.com Mon Feb 19 18:19:32 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 19 Feb 2007 12:19:32 -0500 Subject: Keyserver refresh period after gpg --send-keys In-Reply-To: <20070219165102.GA82395@wilma.widomaker.com> References: <200702182311.37828.pubmb01@skynet.be> <20070219043155.GA6216@jabberwocky.com> <20070219165102.GA82395@wilma.widomaker.com> Message-ID: <20070219171932.GA9543@jabberwocky.com> On Mon, Feb 19, 2007 at 11:51:02AM -0500, Jason Harris wrote: > > There is not an easy answer to that question. subkeys.pgp.net is not > > actually a keyserver, but rather a collection of (at the moment) 5 > > different keyservers. When you use it, you get one server from the > > pool in a round-robin fashion. Generally speaking, any given > > keyserver in the pool that you update reflects the update immediately, > > but frequently people update one keyserver in the pool, but then check > > for the update from another server in the pool which hasn't gotten it > > yet. > > NB: I think if GPG printed the IP address of the keyserver it used, it > could end some of this confusion. I think you're right (to print as a "verbose" thing for those who care to know or to help with debugging), but unfortunately there is not an easy way to get the IP address when using libcurl. I'm not particularly eager to start playing socket games with CURLINFO_LASTSOCKET just to get a string to print. David From niknot at gmail.com Mon Feb 19 19:54:17 2007 From: niknot at gmail.com (NikNot) Date: Mon, 19 Feb 2007 10:54:17 -0800 Subject: Secret key holder identity (was: Local file encryption) Message-ID: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> On 2/19/07, Adam Funk wrote: > Is there any reason to physically secure your *public* keyring in > ... (Well, I suppose you might want to hide your secret identity!) 
Unfortunately, the whole GPG, with WebOfTrust construct, makes the assumption that there is no need whatsoever to protect the identity of the secret key holder (and, by extension, that traffic analysis - as opposed to the secret content analysis - is not something to be concerned with). NikNot From jbruni at mac.com Mon Feb 19 21:27:38 2007 From: jbruni at mac.com (Joseph Oreste Bruni) Date: Mon, 19 Feb 2007 13:27:38 -0700 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> Message-ID: <352D579D-A797-4216-AEE4-72BDE1413C98@mac.com> On Feb 19, 2007, at 11:54 AM, NikNot wrote: > On 2/19/07, Adam Funk wrote: >> Is there any reason to physically secure your *public* keyring in >> ... (Well, I suppose you might want to hide your secret identity!) > > Unfortunately, the whole GPG, with WebOfTrust construct, makes the > assumption that there is no need whatsoever to protect the identity of > the secret key holder (and, by extension, that traffic analysis - as > opposed to the secret content analysis - is not something to be > concerned with). > > NikNot > > ___ It's funny you mention this: I got into an argument with a "consultant" about how X.509 certificates are a privacy violation because your identity is encoded into the "subject" field. I kept asking him, "How would you know whose cert. it is without it?" At any rate, there are a lot of bozos in the world posing as "security experts" who shouldn't be taken seriously. Joe
From JPClizbe at tx.rr.com Mon Feb 19 21:27:07 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 19 Feb 2007 14:27:07 -0600 Subject: Local file encryption In-Reply-To: <2l0pa4-8rp.ln1@news.ducksburg.com> References: <356ca3c00702190621t5f18532dje039b76267d9223d@mail.gmail.com> <45D9CAE1.7040904@tx.rr.com> <2l0pa4-8rp.ln1@news.ducksburg.com> Message-ID: <45DA081B.2040507@tx.rr.com> Adam Funk wrote: > On 2007-02-19, John Clizbe wrote: > >> The passphrase is only one protection on your keypair and it's >> pretty much the protection of last resort - given an easily >> guessable/brute-forced passphrase, it's "Game-Over." if an attacker >> gets access to the keyring files. Another protection is to >> physically secure your keyring files (or at the minimum, the secret >> ring) by storing it on removable media of some sort: > > Is there any reason to physically secure your *public* keyring in > normal use? Convenience of having all the files together in one place and mitigating the need to sync keys between public keyrings are the only reasons that come to mind. Outside of convenience factors, there is no real need to secure public keyrings; that's why the keys are public. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?"
From niknot at gmail.com Tue Feb 20 00:16:44 2007 From: niknot at gmail.com (NikNot) Date: Mon, 19 Feb 2007 15:16:44 -0800 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <352D579D-A797-4216-AEE4-72BDE1413C98@mac.com> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> <352D579D-A797-4216-AEE4-72BDE1413C98@mac.com> Message-ID: <328a5cf40702191516k6d981224pf472bc9fdac19746@mail.gmail.com> On 2/19/07, Joseph Oreste Bruni wrote: > It's funny you mention this: I got into an argument with a > "consultant" about how X.509 certificates are a privacy violation > because your identity is encoded into the "subject" field. I kept > asking him, "How would you know whose cert. it is without it?" At any > rate, there are a lot of bozos in the world posing as "security > experts" who shouldn't be taken seriously. (It's not clear (to me) from the above what was "the bozo" saying: that the certificates _are_ or _are not_ a privacy violation?) I find it very interesting that Phil Zimmermann, who invented WOT, apparently realizes that times are changing, and that WOT has outlived its usefulness; specifically because - unlike perhaps at the time of birth of PGP - traffic analysis is a threat that may be naively ignored only in geek kindergartens, but not in the real life.
NikNot From wk at gnupg.org Tue Feb 20 11:23:50 2007 From: wk at gnupg.org (Werner Koch) Date: Tue, 20 Feb 2007 11:23:50 +0100 Subject: Compiling GnuPG 2.0.1 on MacOS X In-Reply-To: <45D35BD4.1000703@py-soft.co.uk> (Benjamin Donnachie's message of "Wed\, 14 Feb 2007 18\:58\:28 +0000") References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk> <45D20B7C.8030909@py-soft.co.uk> <20070214082219.GA1956@straylight.m.ringlet.net> <45D35BD4.1000703@py-soft.co.uk> Message-ID: <87y7mt9lft.fsf@wheatstone.g10code.de> On Wed, 14 Feb 2007 19:58, benjamin at py-soft.co.uk said: > 'cos I was searching through my MacOS programming book for a solution to > MacOS X not reading the GUI bundle information and it suggested using > system. I might have a solution. In agent/call-pinentry you find this code:

  if ( !(pgmname = strrchr (opt.pinentry_program, '/')))
    pgmname = opt.pinentry_program;
  else
    pgmname++;
  argv[0] = pgmname;

What it does is to set up argv[0] so that there is no directory part. Now my guess is that OS X uses argv[0] to locate the bundle and won't find it if there is no directory part in argv[0]. To test it, you just need to change the last line to:

  argv[0] = opt.pinentry_program;

Let me know if it works and I change the code. Using system helps because it creates a new argv[0].
Shalom-Salam, Werner From benjamin at py-soft.co.uk Tue Feb 20 14:48:03 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue, 20 Feb 2007 13:48:03 +0000 Subject: Compiling GnuPG 2.0.1 on MacOS X In-Reply-To: <87y7mt9lft.fsf@wheatstone.g10code.de> References: <20070104.141847.12788317.kazu@iij.ad.jp> <20070105194302.GH1278@curie-int.orbis-terrarum.net> <87wt33l1t7.fsf@wheatstone.g10code.de> <45C0A96B.6090301@py-soft.co.uk> <45C0D588.70106@py-soft.co.uk> <45CF561B.90305@py-soft.co.uk> <45CF6F07.9040809@py-soft.co.uk> <45D20B7C.8030909@py-soft.co.uk> <20070214082219.GA1956@straylight.m.ringlet.net> <45D35BD4.1000703@py-soft.co.uk> <87y7mt9lft.fsf@wheatstone.g10code.de> Message-ID: <45DAFC13.40103@py-soft.co.uk> Werner Koch wrote: > Let me know if it works and I change the code. It works perfectly - many thanks! :-))) > Using system helps because it creates a new argv[0]. Unfortunately, I was barking up the wrong tree after reading that MacOSX relies upon modified copies of the shell interpreters to interpret the bundle information. I must remember to be more critical of what I read on the web! :-/ In theory, this should also mean that the QT version of pinentry when properly bundled up should also work correctly. Rather than produce a whole new install to test v2.0.2, I'll knock together an archive with just the files that have changed. Thanks again for all your help, Ben From benjamin at py-soft.co.uk Tue Feb 20 15:22:45 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue, 20 Feb 2007 14:22:45 +0000 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! 
In-Reply-To: <45D64DED.1070800@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> Message-ID: <45DB0435.1010302@py-soft.co.uk> Benjamin Donnachie wrote: > I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available Patch for TEST2 available at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip and sig at http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip.sig This implements the more secure method of involving pinentry directly. Just download the archive, extract and then follow the instructions in readme.txt. Feedback still needed; particularly from OpenPGP smartcard users. Ben From alex at bofh.net.pl Tue Feb 20 15:24:40 2007 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Tue, 20 Feb 2007 15:24:40 +0100 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> Message-ID: <20070220142440.GL7549@hell.pl> On Mon, Feb 19, 2007 at 10:54:17AM -0800, NikNot wrote: > On 2/19/07, Adam Funk wrote: > >Is there any reason to physically secure your *public* keyring in > >... (Well, I suppose you might want to hide your secret identity!) > > Unfortunately, the whole GPG, with WebOfTrust construct, makes the > assumption that there is no need whatsoever to protect the identity of > the secret key holder (and, by extension, that traffic analysis - as > opposed to the secret content analysis - is not something to be > concerned with). That statement is definitely not true. 
* PGP was the first cryptosystem to hide sender's ID (when signing+encrypting), compare PEM to see the difference;
* one can issue himself a key pair with pseudonym User ID the same way as with RL identity and use it normally;
* without having recipient pubkey it is impossible to determine the recipient of the message (assuming the subkey ID is not widely known)
* it is possible to hide recipient's ID completely by using --throw-keyid
Alex -- JID: alex at hell.pl PGP: 0x46399138 doctors, lawyers, programmers and watchmakers are the ones for paying attention to details -- Czerski From mail at raphael.poss.name Mon Feb 19 23:45:56 2007 From: mail at raphael.poss.name (Raphaël Poss) Date: Mon, 19 Feb 2007 23:45:56 +0100 Subject: Use same key for S/MIME and OpenPGP Message-ID: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name> Hi all, I'm just curious: since a RSA public key is made mainly of just two numbers, is it not possible (theoretically) to create both a valid PGP key and X509 certificate using the same key information, and use it with both protocols? Also, is it not (theoretically) possible to convert X509 key certificates to PGP key signatures or vice-versa, based on the numerical values of the signing certificates/keys ? If not, I would be interested to know what are the technical limitations. Thanks in advance for any insight, -- Raphael
From sven at radde.name Tue Feb 20 09:24:50 2007 From: sven at radde.name (Sven Radde) Date: Tue, 20 Feb 2007 09:24:50 +0100 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> Message-ID: <45DAB052.80505@radde.name> NikNot wrote: > Unfortunately, the whole GPG, with WebOfTrust construct, makes the > assumption that there is no need whatsoever to protect the identity of > the secret key holder You have, however, the possibility of using pseudonyms as UID. Only the signers of your key would have to know about your true identity. Another option against traffic analysis is to drop the Key-IDs of the recipients of encrypted mail (-throw-key-ids IIRC?!). cu, Sven From paul.house at connect-spot.com Tue Feb 20 12:41:25 2007 From: paul.house at connect-spot.com (PaulH) Date: Tue, 20 Feb 2007 03:41:25 -0800 (PST) Subject: walkthrough Message-ID: <9060231.post@talk.nabble.com> Hi, I have just installed gpg4win-1.0.8. I'm new to this and not sure what I'm doing exactly and haven't the time to teach myself. I have looked for tutorials etc but can only find using gpg from the command line. All I simply need to do is set up a private key and be able to send encrypted emails to a particular client. I have tried but any email sent is not encrypted. My mail client is Outlook 2003. At some point the emails will automatically be sent from a server, the emails themselves will be generated by php script. Are there any issues with using gpg in this way? Sorry for the brevity of this post but I have my boss breathing down my neck expecting answers.
Regards Paul From niknot at gmail.com Tue Feb 20 18:02:27 2007 From: niknot at gmail.com (NikNot) Date: Tue, 20 Feb 2007 09:02:27 -0800 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <20070220142440.GL7549@hell.pl> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> <20070220142440.GL7549@hell.pl> Message-ID: <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com> On 2/20/07, Janusz A. Urbanowicz wrote: > * without having recipient pubkey it is impossible to determine the recipient > of the message (assuming the subkey ID is not widely known) ... If the system was designed for the real world, the encrypted message would, by default, consist of a binary data set, indistinguishable from a random stream, until and unless decrypted using the recipient's private key. NikNot From vedaal at hush.com Tue Feb 20 18:16:52 2007 From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 20 Feb 2007 12:16:52 -0500 Subject: Secret key holder identity (was: Local file encryption) Message-ID: <20070220171653.783712284A@mailserver9.hushmail.com> Janusz A. Urbanowicz alex at bofh.net.pl wrote on Tue Feb 20 15:24:40 CET 2007 : >* it is possible to hide recipient's ID completely by using --throw-keyid well, not 'completely' running gpg-list-packets or pgpdump on the encrypted message, lists the key-type (dh or rsa), key size, and symmetric algorithm used so, for people who prefer 8092 rsa keys and use blowfish [ you know who you are ;-)) ] using throw keyid won't help much ...
vedaal From vedaal at hush.com Tue Feb 20 19:00:38 2007 From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 20 Feb 2007 13:00:38 -0500 Subject: Secret key holder identity (was: Local file encryption) Message-ID: <20070220180039.8C7812284F@mailserver9.hushmail.com> vedaal at hush.com vedaal at hush.com Tue Feb 20 18:16:52 CET 2007 wrote: > running gpg-list-packets or pgpdump on the encrypted message, lists the key-type (dh or rsa), key size, and symmetric algorithm used sorry, my mistake ;-(( pgpdump doesn't list which symmetric algo, only lists that an mdc was or wasn't used the actual symmetric algo type used is encrypted with the session key to the public key is there a way to tell though, (without decrypting) which symmetric algo was used? tia, vedaal From shavital at mac.com Tue Feb 20 20:00:19 2007 From: shavital at mac.com (Charly Avital) Date: Tue, 20 Feb 2007 21:00:19 +0200 Subject: [Macgpg-users] GnuPG v2.0.2 MAC OS install - TESTING NEEDED! In-Reply-To: <45DB0435.1010302@py-soft.co.uk> References: <45D64DED.1070800@py-soft.co.uk> <45DB0435.1010302@py-soft.co.uk> Message-ID: <45DB4543.8060008@mac.com> Hi, Tested successfully on PPC (Powerbook 15" G4 1.33GHz), and Intel Core 2 Duo (MacBook 2 13" 2GHz), both running MacOS X 10.4.8. Thank you Ben.
Charly Benjamin Donnachie wrote the following on 2/20/07 4:22 PM: > Benjamin Donnachie wrote: >> I have a test version of a GnuPG v2.0.2 Mac OS Tiger install available > > Patch for TEST2 available at > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip > and sig at > http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.2-TEST2-PATCH1.zip.sig > > This implements the more secure method of involving pinentry directly. > > Just download the archive, extract and then follow the instructions in > readme.txt. > > Feedback still needed; particularly from OpenPGP smartcard users. > > Ben From niknot at gmail.com Thu Feb 22 02:19:52 2007 From: niknot at gmail.com (NikNot) Date: Wed, 21 Feb 2007 17:19:52 -0800 Subject: Secret key holder identity (was: Local file encryption) In-Reply-To: <20070220180039.8C7812284F@mailserver9.hushmail.com> References: <20070220180039.8C7812284F@mailserver9.hushmail.com> Message-ID: <328a5cf40702211719k54e99b3cu2c9030535d998afe@mail.gmail.com> On 2/20/07, vedaal at hush.com wrote: > pgpdump doesn't list which symmetric algo, > only lists that an mdc was or wasn't used The attacker performing large-scale traffic uses his own software that is - so it must be presumed - capable of distilling all (to him) usefull information from the flow of messages.
Consequently, the question should not be what pgpdump will or will not produce, the question should be what information is or is not contained in the message previous to its decryption. NikNot From jharris at widomaker.com Thu Feb 22 04:06:40 2007 From: jharris at widomaker.com (Jason Harris) Date: Wed, 21 Feb 2007 22:06:40 -0500 Subject: new (2007-02-18) keyanalyze results (+sigcheck) Message-ID: <20070222030640.GA11959@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2007-02-18/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004
From JPClizbe at tx.rr.com Thu Feb 22 03:57:43 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 21 Feb 2007 20:57:43 -0600 Subject: walkthrough In-Reply-To: <9060231.post@talk.nabble.com> References: <9060231.post@talk.nabble.com> Message-ID: <45DD06A7.1030103@tx.rr.com> PaulH wrote: > Hi, > > I have just installed gpg4win-1.0.8. I'm new to this and not sure what I'm > doing exactly and haven't the time to teach myself. I have looked for > tutorials etc but can only find using gpg from the command line. All I > simply need to do is set up a private key and be able to send encrypted > emails to a particular client. I have tried but any email sent > is not encrypted. My mail client is Outlook 2003. > > At some point the emails will automatically be sent from a server, the > emails themselves will be generated by php script. Are there any issues > with using gpg in this way? > > Sorry for the brevity of this post but I have my boss breathing down my neck > expecting answers. Have you installed the GnuPG Outlook plug-in? http://www.g10code.de/p-gpgol.html Since you're encrypting all mails from a server, you may also wish to take a look at GPGrelay: http://sites.inka.de/tesla/gpgrelay.html -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?"
From wk at gnupg.org Thu Feb 22 09:15:53 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 22 Feb 2007 09:15:53 +0100 Subject: walkthrough In-Reply-To: <45DD06A7.1030103@tx.rr.com> (John Clizbe's message of "Wed\, 21 Feb 2007 20\:57\:43 -0600") References: <9060231.post@talk.nabble.com> <45DD06A7.1030103@tx.rr.com> Message-ID: <87mz36y5dy.fsf@wheatstone.g10code.de> On Thu, 22 Feb 2007 03:57, JPClizbe at tx.rr.com said: > Have you installed the GnuPG Outlook plug-in? http://www.g10code.de/p-gpgol.html He does as it is part of gpg4win and installed by default. Shalom-Salam, Werner From wk at gnupg.org Thu Feb 22 09:23:00 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 22 Feb 2007 09:23:00 +0100 Subject: Secret key holder identity In-Reply-To: <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com> (niknot@gmail.com's message of "Tue\, 20 Feb 2007 09\:02\:27 -0800") References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> <20070220142440.GL7549@hell.pl> <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com> Message-ID: <87irduy523.fsf@wheatstone.g10code.de> On Tue, 20 Feb 2007 18:02, niknot at gmail.com said: > If the system was designed for the real world, the encrypted message > would, by default, consist of a binary data set, indistingushable from a > random stream, until and unless decrypted using the recipient's private key. A real world system needs to know the key for decryption and not fall back to a time consuming mode of trial decryption with all available secret keys. Some people are using dozens or even hundreds of secret keys; in particular if you are using several pseudonyms or key rotating. OpenPGP is not designed to thwart traffic analysis.
It has merely some provisions to help such a system Salam-Shalom, Werner From wk at gnupg.org Thu Feb 22 09:24:53 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 22 Feb 2007 09:24:53 +0100 Subject: Use same key for S/MIME and OpenPGP In-Reply-To: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name> (=?utf-8?Q?Rapha=C3=ABl?= Poss's message of "Mon\, 19 Feb 2007 23\:45\:56 +0100") References: <4C78E9B9-147D-4040-8BFC-F863CF5C66F3@raphael.poss.name> Message-ID: <87ejoiy4yy.fsf@wheatstone.g10code.de> On Mon, 19 Feb 2007 23:45, mail at raphael.poss.name said: > I'm just curious: since a RSA public key is made mainly of just two > numbers, is it not possible (theoretically) to create both a valid > PGP key and X509 certificate using the same key information, and use > it with both protocols? Yes, you can do that. In fact we are doing this already with the OpenPGP smart card and Scute. > Also, is it not (theoretically) possible to convert X509 key > certificates to PGP key signatures or vice-versa, based on the > numerical values of the signing certificates/keys ? It does not buy you anything unless you have not enough space to store both keys (the case of a smart card). 
Shalom-Salam, Werner From niknot at gmail.com Thu Feb 22 16:53:44 2007 From: niknot at gmail.com (NikNot) Date: Thu, 22 Feb 2007 07:53:44 -0800 Subject: Secret key holder identity In-Reply-To: <87irduy523.fsf@wheatstone.g10code.de> References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> <20070220142440.GL7549@hell.pl> <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com> <87irduy523.fsf@wheatstone.g10code.de> Message-ID: <328a5cf40702220753j730ca179y525c618be8354fc@mail.gmail.com> On 2/22/07, Werner Koch wrote: > On Tue, 20 Feb 2007 18:02, niknot at gmail.com said: > > > If the system was designed for the real world, the encrypted message > > would, by default, consist of a binary data set, indistingushable from a > > random stream, until and unless decrypted using the recipient's private key. > > A real world system needs to know the key for decryption and not fall > back to a time consuming mode of trial decryption with all available > secret keys... > > OpenPGP is not designed to thwart traffic analysis. It has merely > some provisions to help such a system > Thanks Werner - we agree on the OpenPGP design. I'm only trying to point out that this is a serious limitation, more so now than at the time PGP was born (or OpenPGP was designed). Tempora mutantur (et nos in illis?) 
NikNot From pubmb01 at skynet.be Thu Feb 22 18:33:38 2007 From: pubmb01 at skynet.be (Bruno Costacurta) Date: Thu, 22 Feb 2007 18:33:38 +0100 Subject: Keyserver refresh period after gpg --send-keys In-Reply-To: <20070219165102.GA82395@wilma.widomaker.com> References: <200702182311.37828.pubmb01@skynet.be> <20070219043155.GA6216@jabberwocky.com> <20070219165102.GA82395@wilma.widomaker.com> Message-ID: <200702221833.38067.pubmb01@skynet.be> On Monday 19 February 2007 17:51:02 Jason Harris wrote: > On Sun, Feb 18, 2007 at 11:31:55PM -0500, David Shaw wrote: > > On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote: > > > I updated the expiration (via gpg --edit-key using expire option) of my > > > key and (re)sended it to a keyserver (via gpg --send-keys [my key id]) > > > to keyserver subkeys.pgp.net. > > > However key is still not updated after few hours. > > > What are normal delays ? > > Keys do get temporarily "trapped" on the SKS keyserver network until > keyserver.kjsl.com copies them over to the rest of the planet. > > BTW, your subkey isn't currently usable: > > sub 2048g/0CC897B5 2006-06-11 [subkey] > Key fingerprint = CCE0 5315 0022 9460 0337 6C6F 4253 1C9A 0CC8 97B5 > sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: > type 2, e0 0f] sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] > [keybind, hash: type 2, e0 0f] > > > There is not an easy answer to that question. subkeys.pgp.net is not > > actually a keyserver, but rather a collection of (at the moment) 5 > > different keyservers. When you use it, you get one server from the > > pool in a round-robin fashion. Generally speaking, any given > > keyserver in the pool that you update reflects the update immediately, > > but frequently people update one keyserver in the pool, but then check > > for the update from another server in the pool which hasn't gotten it > > yet. 
>
> NB: I think if GPG printed the IP address of the keyserver it used, it
> could end some of this confusion.
>
> Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/
> etc. (all times are TZ=UTC):
>
> 2007-02-06 23:02:08.290952260 display_new_sig: new sig 28 by 2E604D51
> added to 2E604D51 Bruno Costacurta 23:02:08.291023778 display_new_sig: new subkey sig by 2E604D51 added to
> 2E604D51
>
> these were first seen from pgp.nic.ad.jp:
>
> 2007-02-16 13:41:00.597122207 display_new_sig: new sig 1 by 2E604D51
> added to 2E604D51 Bruno Costacurta 13:41:00.597182829 display_new_sig: new sig 2 by 2E604D51 added to 2E604D51
> pubmb02
>
> and these were in another batch update:
>
> 2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51
> added to 2E604D51 Bruno Costacurta 23:02:27.870319946 display_new_sig: new sig 72 by 2E604D51 added to
> 2E604D51 pubmb02

Well, I still cannot see any refresh of my keys...sent 4 days ago.
Should I try again ?

Thanks.
Bruno

From jharris at widomaker.com Thu Feb 22 20:41:32 2007
From: jharris at widomaker.com (Jason Harris)
Date: Thu, 22 Feb 2007 14:41:32 -0500
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702221833.38067.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be> <20070219043155.GA6216@jabberwocky.com> <20070219165102.GA82395@wilma.widomaker.com> <200702221833.38067.pubmb01@skynet.be>
Message-ID: <20070222194132.GA17370@wilma.widomaker.com>

On Thu, Feb 22, 2007 at 06:33:38PM +0100, Bruno Costacurta wrote:
> On Monday 19 February 2007 17:51:02 Jason Harris wrote:
> > Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/
> > etc. (all times are TZ=UTC):
> > 2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51
> > added to 2E604D51 Bruno Costacurta > 23:02:27.870319946 display_new_sig: new sig 72 by 2E604D51 added to
> > 2E604D51 pubmb02

(NB: Nothing new has been seen by keyserver.kjsl.com since this entry.)

> Well, I still cannot see any refresh of my keys...sent 4 days ago.
> Should I try again ?

Yes, you need to. None of the 45 keyservers I just checked had anything
to add to your key. keyserver.ganneff.de, currently part of
subkeys.pgp.net, isn't SKS-synchronizing right now, but it does email
kjsl.com and didn't have anything new either.

Right now, your full key in binary form hashes (SHA-1) to:

144278d5c7c4b138b76800333fe372bff355ee2c 2127 ./keyserver.kjsl.com/pks/lookup?op=get&search=0x2E604D51.gpg
e17306f3a61d468ad4a436b727c64461a7d4b604 2127 ./gpg-keyserver.de/pks/lookup?op=get&search=0x2E604D51.gpg

the latter matching on all the SKS servers I checked, except:

c751fdc463fae7f9525b5ab62a29439f9107683c 1735 ./keyserver.ganneff.de/pks/lookup?op=get&search=0x2E604D51.gpg

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From bchill at bch.net Fri Feb 23 01:17:56 2007
From: bchill at bch.net (Brian C. Hill)
Date: Thu, 22 Feb 2007 16:17:56 -0800
Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8
Message-ID: <20070223001756.GC16116@romulus.mondobox.com>

I built all of the requirements, but it wants libassuan built with
funopen / fopencookie support, which aren't available on SunOS 5.8
(Solaris 8).

I have scoured the docs, the FAQ and the web in general looking for this
issue, but found only one report (unresolved). I have a feeling I am
missing something.

How have others managed to build gnupg on SunOS 5.8?

Brian

From pubmb01 at skynet.be Fri Feb 23 09:57:40 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Fri, 23 Feb 2007 09:57:40 +0100
Subject: Attribute 'comment'
Message-ID: <200702230957.40762.pubmb01@skynet.be>

Hello,

is it possible to change 'comment' attribute, ie. via gpg options
like --comment [string] or --no-comments ?

Bye,
Bruno

From wk at gnupg.org Fri Feb 23 10:48:16 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 23 Feb 2007 10:48:16 +0100
Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8
In-Reply-To: <20070223001756.GC16116@romulus.mondobox.com> (Brian C. Hill's message of "Thu\, 22 Feb 2007 16\:17\:56 -0800")
References: <20070223001756.GC16116@romulus.mondobox.com>
Message-ID: <878xeptdb3.fsf@wheatstone.g10code.de>

On Fri, 23 Feb 2007 01:17, bchill at bch.net said:

> How have other managed to build gnupg on SunOS 5.8?

You can't build GnuPG 2 on a system without funopen. We will
eventually solve this by replacing most stdio operations by our own
and enhanced stdio implementation. Unfortunately there is no other way
to do that.

Shalom-Salam,

   Werner

From dshaw at jabberwocky.com Fri Feb 23 14:09:20 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 23 Feb 2007 08:09:20 -0500
Subject: Attribute 'comment'
In-Reply-To: <200702230957.40762.pubmb01@skynet.be>
References: <200702230957.40762.pubmb01@skynet.be>
Message-ID: <20070223130920.GA30939@jabberwocky.com>

On Fri, Feb 23, 2007 at 09:57:40AM +0100, Bruno Costacurta wrote:
> Hello,
>
> is it possible to change 'comment' attribute, ie. via gpg options
> like --comment [string] or --no-comments ?

If you're referring to the "Comment: xxxxxx" string that appears in
the header of armored messages, then yes. Just use "--comment xxxxx"

David

From alex at bofh.net.pl Fri Feb 23 14:35:22 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Fri, 23 Feb 2007 14:35:22 +0100
Subject: Secret key holder identity
In-Reply-To: <87irduy523.fsf@wheatstone.g10code.de>
References: <328a5cf40702191054u3898fae4t5b6059070107878c@mail.gmail.com> <20070220142440.GL7549@hell.pl> <328a5cf40702200902k5c3c7d15l8a6c8900cf90e5ba@mail.gmail.com> <87irduy523.fsf@wheatstone.g10code.de>
Message-ID: <20070223133521.GN7549@hell.pl>

On Thu, Feb 22, 2007 at 09:23:00AM +0100, Werner Koch wrote:
> On Tue, 20 Feb 2007 18:02, niknot at gmail.com said:
>
> > If the system was designed for the real world, the encrypted message
> > would, by default, consist of a binary data set, indistinguishable from a
> > random stream, until and unless decrypted using the recipient's private key.
>
> A real world system needs to know the key for decryption and not fall
> back to a time consuming mode of trial decryption with all available
> secret keys. Some people are using dozens or even hundreds of secret
> keys; in particular if you are using several pseudonyms or key
> rotating.
>
> OpenPGP is not designed to thwart traffic analysis. It has merely
> some provisions to help such a system

And the modern anti-terrorist research and operational practice shows,
that you don't need to know actual message to do
law-enforcement-level-meaningful traffic analysis.

Alex
--
JID: alex at hell.pl
PGP: 0x46399138
Paying attention to details is the job of doctors, lawyers, programmers and watchmakers -- Czerski

From pubmb01 at skynet.be Fri Feb 23 21:22:48 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Fri, 23 Feb 2007 21:22:48 +0100
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702182311.37828.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be>
Message-ID: <200702232122.48986.pubmb01@skynet.be>

On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
> Hello,
>
> I updated the expiration (via gpg --edit-key using expire option) of my key
> and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to
> keyserver subkeys.pgp.net.
> However key is still not updated after few hours.
> What are normal delays ?
>
> Bye,
> Bruno

Hello,
it seems to work better now but all changes are not reflected.

Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid and
delete unneeded signatures. Save and list reflect my changes.
However, after export, only new expiration and uid are present, other removed
items are still present.
How to export all the changes ?

Thanks for attention.

Bye,
Bruno

--
Bruno Costacurta
PGP key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED 1951 7E07 569B 2E60 4D51
--

From JPClizbe at tx.rr.com Sat Feb 24 00:22:34 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 23 Feb 2007 17:22:34 -0600
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <200702232122.48986.pubmb01@skynet.be>
References: <200702182311.37828.pubmb01@skynet.be> <200702232122.48986.pubmb01@skynet.be>
Message-ID: <45DF773A.8060909@tx.rr.com>

Bruno Costacurta wrote:
> On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
>> Hello,
>>
>> I updated the expiration (via gpg --edit-key using expire option) of my key
>> and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to
>> keyserver subkeys.pgp.net.
>> However key is still not updated after few hours.
>> What are normal delays ?
>>
>> Bye,
>> Bruno
>
> Hello,
> it seems to work better now but all changes are not reflected.
>
> Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid and
> delete unneeded signatures. Save and list reflect my changes.
> However, after export, only new expiration and uid are present, other removed
> items are still present.
> How to export all the changes ?

You can't delete information from a keyserver that synchronizes with others.
That's why new information and changes show up, but your deletions do not.

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From m_d_berger_1900 at yahoo.com Sat Feb 24 18:49:17 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Sat, 24 Feb 2007 12:49:17 -0500
Subject: Why a subkey?
Message-ID:

On FC4 with gpg 1.4.1:

I created a new user account and used gpg --gen-key .
I selected RSA (sign only) since it was the only RSA option.
It says the key cannot be used for encryption, and a
subkey must be generated. Why? Is it related to
(sign only)? If so, why was (sign and encrypt) not offered
as an option?

I did this a year or two ago, and I do not remember
needing a subkey. I still have that keyring in
under another user.

Thanks for your help.
Mike.

From rjh at sixdemonbag.org Sat Feb 24 19:42:09 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 24 Feb 2007 12:42:09 -0600
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID:

> On FC4 with gpg 1.4.1:

Please upgrade. There have been a couple of security updates since
1.4.1.

> It says the key cannot be used for encryption, and a
> subkey must be generated. Why?

Why must an encryption subkey be generated? Because you don't have
one. If you mean "why doesn't GnuPG create an encryption subkey at
the same time it creates a signing subkey, the way it does for
DSS/ElGamal keypairs", for that one you'd have to ask the developers.
It's never made a lick of sense to me, myself.

> If so, why was (sign and encrypt) not offered as an option?

Having one key that can be used for both signing and encryption
operations is thought by some to be bad crypto policy. The problems
with it appear to be mostly theoretical, though.

> I did this a year or two ago, and I do not remember
> needing a subkey. I still have that keyring in
> under another user.

If your other key was DSS/ElGamal, that's because GnuPG created the
additional subkey for you at the same time as your signing subkey. :)

From m_d_berger_1900 at yahoo.com Sat Feb 24 20:18:18 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Sat, 24 Feb 2007 14:18:18 -0500
Subject: Why a subkey?
References:
Message-ID:

On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
>
>> It says the key cannot be used for encryption, and a
>> subkey must be generated. Why?
>
> Why must an encryption subkey be generated? Because you don't have
> one. If you mean "why doesn't GnuPG create an encryption subkey at
> the same time it creates a signing subkey, the way it does for DSS/
> ElGamal keypairs", for that one you'd have to ask the developers.
> It's never made a lick of sense to me, myself.
>
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.
>
>> I did this a year or two ago, and I do not remember
>> needing a subkey. I still have that keyring in
>> under another user.
>
> If your other key was DSS/ElGamal, that's because GnuPG created the
> additional subkey for you at the same time as your signing subkey. :)
>
> [...]

Now I created a key using "DSA and Elgamal (default)".
As you suggest, it created a subkey for me, as can
be seen in gpg --list-keys. If I run gpg --list-keys
on my old keyring, I see no subkeys in the old keys
(Apr 2006), but there is a subkey in the public key
imported from the new user account. Has there been
a change? Are my old keys obsolete? I don't remember
if I upgraded gpg in the interim (present version 1.4.1),
but I will upgrade, as you suggest.

Thanks,
Mike.

From bok at pinoymac.org Sat Feb 24 06:36:28 2007
From: bok at pinoymac.org (boksbox)
Date: Fri, 23 Feb 2007 21:36:28 -0800 (PST)
Subject: Update 1.4.6 Mac OS configure error
Message-ID: <9131273.post@talk.nabble.com>

I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I followed the
compile instruction I encounter an error. When I do ./configure an error
comes up at the end of the display and according to the logs:

...
configure:3397: checking for cl.exe
configure:3427: result: no
configure:3456: error: no acceptable C compiler found in $PATH
See `config.log' for more details.

I'm stuck. Any help would be appreciated. I'm using PPC Mac running 10.4.8

--
View this message in context: http://www.nabble.com/Update-1.4.6-Mac-OS-configure-error-tf3282741.html#a9131273
Sent from the GnuPG - User mailing list archive at Nabble.com.

From sven at radde.name Sat Feb 24 19:55:58 2007
From: sven at radde.name (Sven Radde)
Date: Sat, 24 Feb 2007 19:55:58 +0100
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID: <45E08A3E.5090000@radde.name>

Robert J. Hansen wrote:
>> If so, why was (sign and encrypt) not offered as an option?
>
> Having one key that can be used for both signing and encryption
> operations is thought by some to be bad crypto policy. The problems
> with it appear to be mostly theoretical, though.

If you use "gpg --expert --gen-key", it will offer the selection:
(7) RSA (set your own capabilities)
This lets you choose a key which can be used for signing and encrypting.

Anyway, if there's a question "Why a subkey?", its partner-question
would be: "Why not?"

cu, Sven

From dan_yt555 at yahoo.com Sat Feb 24 23:15:10 2007
From: dan_yt555 at yahoo.com (Dan Tipton)
Date: Sat, 24 Feb 2007 14:15:10 -0800 (PST)
Subject: Available and default options
Message-ID: <229949.35374.qm@web63110.mail.re1.yahoo.com>

Hello,

I have a question about how GPG assigns default
preferences to a key. When I check the version I get a
list of supported ciphers, digests, etc:

Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

But then when I create a key with the default settings
& do a showpref, the key doesn't include all supported
options:

Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA1, RIPEMD160
Compression: ZLIB, ZIP, Uncompressed

It seems to me that the key should include all the
options it is capable of using. I know I can add all
of these options but why aren't they there by default?

Thanks,
Dan

From jbruni at mac.com Mon Feb 26 17:42:43 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 09:42:43 -0700
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <72D8AD29-9E79-4573-8B57-0D619F80A471@mac.com>

Do you have the developer tools installed?

Joe

On Feb 23, 2007, at 10:36 PM, boksbox wrote:

>
> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
> followed the
> compile instruction I encounter an error. When I do ./configure
> an error
> comes up at the end of the display and according to the logs:
> ...
> configure:3397: checking for cl.exe
> configure:3427: result: no
> configure:3456: error: no acceptable C compiler found in $PATH
> See `config.log' for more details.
>
> I'm stuck. Any help would be appreciated. I'm using PPC Mac
> running 10.4.8
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From rjh at sixdemonbag.org Mon Feb 26 17:52:03 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 10:52:03 -0600
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <02742BE0-8302-4AC3-8C0B-169D13690506@sixdemonbag.org>

> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
> followed the
> compile instruction I encounter an error. When I do ./configure
> an error
> comes up at the end of the display and according to the logs:

The configure script can't find a C compiler. Make sure you have the
XCode development tools installed. Once you install them, visit
http://developer.apple.com and sign up for an Apple Developer
membership (it's free). Then download the latest and greatest XCode
tools. Once those are installed, then do the ./configure dance over
again.

Alternately, try looking at Fink (http://fink.sf.net), which has a
GnuPG package available.

From benjamin at py-soft.co.uk Mon Feb 26 18:57:17 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 26 Feb 2007 17:57:17 +0000
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <9131273.post@talk.nabble.com>
References: <9131273.post@talk.nabble.com>
Message-ID: <45E31F7D.9060400@py-soft.co.uk>

boksbox wrote:
> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I followed the
> compile instruction I encounter an error.

Try my gnupg 1.4.6 binary install at
http://www.py-soft.co.uk/~benjamin/download/mac-gpg/GnuPG1.4.6.dmg

Ben

From pubmb01 at skynet.be Mon Feb 26 21:33:34 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Mon, 26 Feb 2007 21:33:34 +0100
Subject: Keyserver refresh period after gpg --send-keys
In-Reply-To: <45DF773A.8060909@tx.rr.com>
References: <200702182311.37828.pubmb01@skynet.be> <200702232122.48986.pubmb01@skynet.be> <45DF773A.8060909@tx.rr.com>
Message-ID: <200702262133.34950.pubmb01@skynet.be>

On Saturday 24 February 2007 00:22:34 John Clizbe wrote:
> Bruno Costacurta wrote:
> > On Sunday 18 February 2007 23:11:37 Bruno Costacurta wrote:
> >> Hello,
> >>
> >> I updated the expiration (via gpg --edit-key using expire option) of my
> >> key and (re)sent it to a keyserver (via gpg --send-keys [my key id])
> >> to keyserver subkeys.pgp.net.
> >> However key is still not updated after few hours.
> >> What are normal delays ?
> >>
> >> Bye,
> >> Bruno
> >
> > Hello,
> > it seems to work better now but all changes are not reflected.
> >
> > Via 'gpg --list-key' I'm able to modify keys expiration, add / remove uid
> > and delete unneeded signatures. Save and list reflect my changes.
> > However, after export, only new expiration and uid are present, other
> > removed items are still present.
> > How to export all the changes ?
>
> You can't delete information from a keyserver that synchronizes with
> others. That's why new information and changes show up, but your deletions
> do not.

Well...it makes sense.
Thanks for your attention and answer.

Bye,
Bruno

From dshaw at jabberwocky.com Mon Feb 26 21:52:31 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 26 Feb 2007 15:52:31 -0500
Subject: Available and default options
In-Reply-To: <229949.35374.qm@web63110.mail.re1.yahoo.com>
References: <229949.35374.qm@web63110.mail.re1.yahoo.com>
Message-ID: <20070226205231.GC5853@jabberwocky.com>

On Sat, Feb 24, 2007 at 02:15:10PM -0800, Dan Tipton wrote:
> Hello,
>
> I have a question about how GPG assigns default
> preferences to a key. When I check the version I get a
> list of supported ciphers, digests, etc:
>
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
> TWOFISH
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> But then when I create a key with the default settings
> & do a showpref, the key doesn't include all supported
> options:
>
> Cipher: AES256, AES192, AES, CAST5, 3DES
> Digest: SHA1, RIPEMD160
> Compression: ZLIB, ZIP, Uncompressed
>
>
> It seems to me that the key should include all the
> options it is capable of using.

This is an example of "be liberal in what you accept, conservative in
what you generate". In theory, it shouldn't matter what algorithms
were listed in the preference list as the OpenPGP protocol would never
allow using an algorithm that couldn't be handled by all users. In
practice, however, it turned out that not all programs properly
handled preferences, and there were issues with people generating a
key with one program and using it on another without resetting the
preferences to what the new program could handle, and things like
that.

Even though most of the old systems are no longer used, the end result
is the preference list as you see it now, and there is high confidence
that it will interoperate with anything. Nothing stops you from
putting whatever algorithm you want in there, of course.

David

From m_d_berger_1900 at yahoo.com Mon Feb 26 23:23:31 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Mon, 26 Feb 2007 17:23:31 -0500
Subject: Why a subkey?
References: <45E08A3E.5090000__16914.5108121031$1172507410$gmane$org@radde.name>
Message-ID:

On Sat, 24 Feb 2007 19:55:58 +0100, Sven Radde wrote:

> Robert J. Hansen wrote:
>>> If so, why was (sign and encrypt) not offered as an option?
>>
>> Having one key that can be used for both signing and encryption
>> operations is thought by some to be bad crypto policy. The problems
>> with it appear to be mostly theoretical, though.
>
> If you use "gpg --expert --gen-key", it will offer the selection:
> (7) RSA (set your own capabilities)
> This lets you choose a key which can be used for signing and encrypting.
>
> Anyway, if there's a question "Why a subkey?", its partner-question
> would be: "Why not?"
>
> cu, Sven

Thanks for your "-expert" suggestion. While I would consider
myself a "-novice" with regard to gpg, it is, perhaps, something
I should try.

Your "Why not?" question is another matter. If you are employed,
I suggest you try it on your manager next time you are required
to justify a costly idea.

Mike.

From jsd at cluttered.com Tue Feb 27 01:36:37 2007
From: jsd at cluttered.com (Jon Drukman)
Date: Mon, 26 Feb 2007 16:36:37 -0800
Subject: Newbie Q: decryption
Message-ID:

A company I'm getting a data feed from sent me a public key and an
encrypted file. I want to decrypt it, but I don't know what I'm doing. My
naive approach is not working:

$ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: mpi too large for this implementation (40856 bits)

the public key is in the file "nf_key". i thought i imported it but i
don't how to tell if i did it right, or if it's even the right key for
the file.

help!
-jsd-

From jbruni at mac.com Tue Feb 27 02:54:36 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 18:54:36 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <87A56D2F-7479-40EE-8C51-DEE4EAFFF82B@mac.com>

Two things:

1) You can't decrypt a file with a public key. Obviously the company
who sent you the file doesn't understand public-key encryption either
because they would need YOUR public key in order to encrypt files to
you. The first step for them would have been to request a key from
you. On the other hand, they might have merely signed the file and
the public key would be used by you to "verify" the signature and it
might not be encrypted at all. See next.

2) The "mpi too large" message would indicate to me that the file is
most likely corrupted by the file transfer process. Check to make sure
that if the file is binary that the transfer method does not perform
conversion on end-of-line characters.

Another thing you can try to examine the file is to use the
"--list-packets" command.

$ gpg --list-packets

This will tell you (usually) whether the file is valid OpenPGP data,
as well as the algorithm and key ID used to encrypt the file (if it
is encrypted and not just corrupted).

Regards,
Joe

On Feb 26, 2007, at 5:36 PM, Jon Drukman wrote:

> A company I'm getting a data feed from sent me a public key and an
> encrypted file. I want to decrypt it, but I don't know what I'm doing. My
> naive approach is not working:
>
> $ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: mpi too large for this implementation (40856 bits)
>
> the public key is in the file "nf_key". i thought i imported it but i
> don't how to tell if i did it right, or if it's even the right key for
> the file.
>
> help!
> -jsd-

From jbruni at mac.com Tue Feb 27 02:56:39 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 26 Feb 2007 18:56:39 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>

Oh yeah, third thing:

The "insecure memory" warning just means that the executable probably
needs to be setuid-root in order to allocate wired memory. You can
ignore this and still use the product. It just means that gpg tried
to allocate memory that cannot be swapped to disk and failed due to
permissions. Some OS's allow non-root users to allocate a limited
amount of wired memory (BSD, OS X) whereas HP-UX does not.

Joe

On Feb 26, 2007, at 5:36 PM, Jon Drukman wrote:

> A company I'm getting a data feed from sent me a public key and an
> encrypted file. I want to decrypt it, but I don't know what I'm doing. My
> naive approach is not working:
>
> $ gpg --homedir=/var/httpd/keyring --decrypt upc.xml.pgp
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: mpi too large for this implementation (40856 bits)
>
> the public key is in the file "nf_key". i thought i imported it but i
> don't how to tell if i did it right, or if it's even the right key for
> the file.
>
> help!
> -jsd-
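
The two checks suggested in Joseph Oreste Bruni's first reply above (is the file valid OpenPGP data, and did the transfer convert end-of-line characters) are sketched below as an added example; it is not part of the thread and not GnuPG code. It parses the first packet header as laid out in RFC 4880 and verifies that a session-key packet's MPI lengths fit inside the packet; the sample packet, its key ID, the simulated LF-to-CRLF damage and all function names are constructed for illustration.

```python
"""First-packet sanity check for a binary OpenPGP file (RFC 4880 framing)."""

TAGS = {1: "public-key encrypted session key", 3: "symmetric-key encrypted session key",
        8: "compressed data", 9: "symmetrically encrypted data",
        11: "literal data", 18: "encrypted, integrity-protected data"}
PKESK_MPIS = {1: 1, 2: 1, 16: 2}  # MPIs in a tag-1 packet: RSA, RSA-E, Elgamal


def read_header(data):
    """Return (tag, body_offset, body_length); length is None if not fixed."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("bit 7 of the first octet is clear: not an OpenPGP packet")
    if first & 0x40:                                # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        return tag, 2, None                         # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        return tag, 1, None                         # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")


def check_pkesk(body):
    """Check that the MPIs of a version-3 tag-1 body fit inside the packet."""
    problems, mpi_bits = [], []
    if len(body) < 10:
        return {"mpi_bits": mpi_bits}, ["tag-1 body shorter than its fixed fields"]
    fields = {"version": body[0], "key_id": body[1:9].hex().upper(),
              "algorithm": body[9], "mpi_bits": mpi_bits}
    if body[0] != 3:
        problems.append(f"unexpected session-key packet version {body[0]}")
    count = PKESK_MPIS.get(body[9])
    if count is None:
        problems.append(f"unknown public-key algorithm {body[9]}")
        return fields, problems
    pos = 10
    for _ in range(count):
        bits = int.from_bytes(body[pos:pos + 2], "big")   # 2-octet bit count
        need, have = (bits + 7) // 8, len(body) - pos - 2
        mpi_bits.append(bits)
        if need > have:
            problems.append(f"MPI claims {bits} bits but only "
                            f"{max(have, 0)} bytes remain in the packet")
            return fields, problems
        pos += 2 + need
    if pos != len(body):
        problems.append(f"{len(body) - pos} unexplained bytes after the last MPI")
    return fields, problems


def looks_text_converted(data):
    """Heuristic: in untouched binary data some LF has no CR in front of it."""
    lf = data.count(b"\n")
    return lf > 0 and data.count(b"\r\n") == lf


def inspect(data):
    """Summarise the first packet and list anything inconsistent about it."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return {"format": "armored", "problems": []}
    report = {"format": "binary", "problems": []}
    if looks_text_converted(data):
        report["problems"].append("every LF follows a CR: possible text-mode transfer")
    try:
        tag, start, length = read_header(data)
    except (ValueError, IndexError) as exc:
        report["problems"].append(str(exc))
        return report
    report.update(tag=tag, tag_name=TAGS.get(tag, "other"), length=length)
    if tag == 1 and length is not None:
        fields, problems = check_pkesk(data[start:start + length])
        report.update(fields)
        report["problems"].extend(problems)
    return report


def build_sample():
    """Constructed tag-1 packet: RSA, one 1024-bit MPI, key ID with two LF octets."""
    key_id = bytes.fromhex("110A220A3344019F")        # constructed, not a real key
    mpi = (1024).to_bytes(2, "big") + b"\x80" + b"\x55" * 127
    body = b"\x03" + key_id + b"\x01" + mpi           # version 3, algorithm 1 (RSA)
    return bytes([0x80 | (1 << 2), len(body)]) + body  # old format, 1-octet length


if __name__ == "__main__":
    sample = build_sample()
    damaged = sample.replace(b"\n", b"\r\n")          # what a text-mode transfer does
    for name, blob in (("intact", sample), ("damaged", damaged)):
        print(name, inspect(blob))
```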

From m_d_berger_1900 at yahoo.com Tue Feb 27 03:48:18 2007
From: m_d_berger_1900 at yahoo.com (Mike - EMAIL IGNORED)
Date: Mon, 26 Feb 2007 21:48:18 -0500
Subject: Why a subkey?
References:
Message-ID:

On Sat, 24 Feb 2007 12:42:09 -0600, Robert J. Hansen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> On FC4 with gpg 1.4.1:
>
> Please upgrade. There have been a couple of security updates since
> 1.4.1.
> [...]

Following your advice, I ran:
yum update gnupg
a few days ago, and now I have v1.4.5 . But I
see that you have v1.4.6 . I ran yum again,
and it got nothing new. So what's happening?

Thanks,
Mike.

From rjh at sixdemonbag.org Tue Feb 27 03:58:25 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 20:58:25 -0600
Subject: Why a subkey?
In-Reply-To:
References:
Message-ID: <9F903BDD-568A-4F3B-A5FE-766E2AEF6594@sixdemonbag.org>

> Following your advice, I ran:
> yum update gnupg
> a few days ago, and now I have v1.4.5 . But I
> see that you have v1.4.6 . I ran yum again,
> and it got nothing new. So what's happening?

I'm guessing that FC4 isn't getting updates very frequently anymore.
This doesn't surprise me, given that it's either been EOLed or is due
for EOLing. The current version of Fedora is FC6.

From tobias.weisserth at gmail.com Tue Feb 27 03:25:29 2007
From: tobias.weisserth at gmail.com (Tobias Weisserth)
Date: Tue, 27 Feb 2007 03:25:29 +0100
Subject: Newbie Q: decryption
In-Reply-To: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
References: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com>
Message-ID: <200702270325.29827.tobias.weisserth@gmail.com>

Hi there,

On Tuesday, 27. February 2007 02:56, Joseph Oreste Bruni wrote:
> Oh yeah, third thing:
>
> The "insecure memory" warning just means that the executable probably
> needs to be setuid-root in order to allocate wired memory. You can
> ignore this and still use the product. It just means that gpg tried
> to allocate memory that cannot be swapped to disk and failed due to
> permissions. Some OS's allow non-root users to allocate a limited
> amount of wired memory (BSD, OS X) whereas HP-UX does not.

Having GnuPG use swap partitions/files is a risky business. There's another
way around this mess without having to make the GnuPG binary setuid. If you
don't use Windows simply encrypt swap space. OpenBSD does this by default,
Mac OS X can be set up to do it and swap partition encryption in GNU/Linux is
trivial to set up too.

Maybe there should be an option in GnuPG to disable this warning when
compiling it on a platform that does swap encryption anyway.
Take a look here too:

https://www.weisserth.eu/index.php/2007/01/13/encrypting-your-swap-partition-with-opensuse-102/

Hope this helps,

Tobias

From bok at pinoymac.org Tue Feb 27 03:40:33 2007
From: bok at pinoymac.org (Bok NgSinco)
Date: Tue, 27 Feb 2007 10:40:33 +0800
Subject: Update 1.4.6 Mac OS configure error
In-Reply-To: <45E31F7D.9060400@py-soft.co.uk>
References: <9131273.post@talk.nabble.com> <45E31F7D.9060400@py-soft.co.uk>
Message-ID:

On 2/27/07, at 1:57 AM, Benjamin Donnachie wrote:

> boksbox wrote:
>> I tried to install the 1.4.6 update to my 1.4.5 GnuPG. As I
>> followed the
>> compile instruction I encounter an error.
>
> Try my gnupg 1.4.6 binary install at
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/GnuPG1.4.6.dmg
>
> Ben

Thanks Ben! Your binary install works good. And thanks to Joseph and
Robert for letting me know I have to have developer's kit to compile.
But I may have to put that off for a while now thanks to Ben.

-bok

From rjh at sixdemonbag.org Tue Feb 27 06:13:18 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 Feb 2007 23:13:18 -0600
Subject: Newbie Q: decryption
In-Reply-To: <200702270325.29827.tobias.weisserth@gmail.com>
References: <857DD0A6-AA14-42F0-BCB0-510E57E8F336@mac.com> <200702270325.29827.tobias.weisserth@gmail.com>
Message-ID: <304117DF-959C-4D9A-94BD-63AE63A07C0B@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Having GnuPG use swap partitions/files is a risky business.

As a general principle, I'm unconvinced of the truth of this as a
general statement. It's risky within certain security models. Let's
not go about saying it's universally risky.

Let's also not recommend encrypting swap space _a priori_ without also
warning people of the (massive) performance penalty that can result
from encrypted swap. I recall seeing some numbers from OpenBSD that
indicated encrypted swap resulted in a 33% slowdown for swap access
compared to unencrypted swap.
This could be related to OpenBSD internals or it could be indicative
of a deeper problem with encrypted swap. Either way, the potential
downsides of encrypted swap should be considered before anyone decides
to undertake this.

From mike.keighley at adare.com Tue Feb 27 16:21:36 2007
From: mike.keighley at adare.com (mike.keighley at adare.com)
Date: Tue, 27 Feb 2007 15:21:36 +0000
Subject: Why a subkey?
Message-ID:

"Robert J. Hansen" writes:

> I'm guessing that FC4 isn't getting updates very frequently anymore.
> This doesn't surprise me, given that it's either been EOLed or is due
> for EOLing.

FC4 was EOLed in Aug06. It was expected that security updates would be
taken up by Fedora Legacy, but that project has since wound down.
There didn't seem to be the same level of demand or contributions as
for RH7, RH9, FC1, FC2.

--
Mike

From mike.keighley at adare.com Tue Feb 27 20:13:26 2007
From: mike.keighley at adare.com (mike.keighley at adare.com)
Date: Tue, 27 Feb 2007 19:13:26 +0000
Subject: Newbie Q: decryption
Message-ID:

Joseph Oreste Bruni writes:

> Some OS's allow non-root users to allocate a limited
> amount of wired memory (BSD, OS X) whereas HP-UX does not.

HP-UX can! It just doesn't, by default.
root can use setprivgrp(1M) to allow specified groups of
ordinary users the "mlock" privilege.
--
Mike

From jbruni at mac.com Tue Feb 27 21:12:25 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Tue, 27 Feb 2007 13:12:25 -0700
Subject: Newbie Q: decryption
In-Reply-To:
References:
Message-ID: <13C5EE09-7F35-4250-B990-D216414FB0F1@mac.com>

On Feb 27, 2007, at 12:13 PM, mike.keighley at adare.com wrote:

> Joseph Oreste Bruni writes:
>
>> Some OS's allow non-root users to allocate a limited
>> amount of wired memory (BSD, OS X) whereas HP-UX does not.
>
> HP-UX can! It just doesn't, by default.
> root can use setprivgrp(1M) to allow specified groups of
> ordinary users the "mlock" privilege.
>

Well there it is; interesting. That might be something to include in
the FAQ regarding insecure memory. On my HP box, there doesn't seem to
be a man page for that command, just the syscall for it.

Joe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070227/890221d2/attachment.bin

From lists_de at zemisch.de Wed Feb 28 05:56:44 2007
From: lists_de at zemisch.de (Dirk Zemisch)
Date: Wed, 28 Feb 2007 11:56:44 +0700
Subject: Fwd: Interplay of GnuPG - GPG-Relay - sTunnel
In-Reply-To: <1779200883.20070223103503@zemisch.de>
References: <1779200883.20070223103503@zemisch.de>
Message-ID: <1668330864.20070228115644@zemisch.de>

Morning,

I'm forwarding my mail from gnupg-de, because I got no answer there.
Maybe anyone *here* can help me out with some tips. You can find the
German original at the end. Sorry for my bad English - if your German
is better, please read the German version. :-)

Last week I reinstalled GnuPG and GPGRelay, using GnuPG-Pack Basics and
the GPGRelay installer. Before doing so I uninstalled the old
installation (GnuPT and GPGRelay).

Now I have some mysterious errors, which I cannot attribute directly to
one program or another.
At first, the DLLs for OpenSSL (from GnuPG-Pack, sTunnel) and GPGRelay
are not compatible (libeay32 and libssl32). GPGRelay does not accept
the DLLs from the OpenSSL package (dated October 1st, 2006), while the
DLLs from the GPGRelay site (dated July 10th, 2004) are not working
with stunnel (compression:Zlib parameter in the .conf). As I'm not
using sTunnel so far, I'm now using the old DLLs, but for me it is not
the best solution.

On the other hand GPGRelay does not find the right recipient of mails,
and tests all keys from the keyring. Why? The mail has only one
receiver (To:), and this one is present in only one key.

Windows XP (NT 5.1 Build 2600 - Service Pack 2 - all updates)
CPU: Intel Pentium M (586 - @1728 GHz) with RAM: 504MB (virtual: 1921MB; used 62%)
IP: 192.168.0.11

If additional information is needed - please ask for it.

Thanks in advance.
Dirk

-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Date: Friday, 23 February 2007 10:35:03
To: GnuPG (DE)
Subject: Interplay of GnuPG - GPG-Relay - sTunnel
-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Hello list members,

I have a problem I would like some help with:

Yesterday I replaced my old GnuPT installation (GnuPG 1.4.3, GPG-Relay
0.959, GPGee and WinPT) with the new GnuPG-Pack Basics (that is, GnuPG
1.4.6 and sTunnel) and GPG-Relay (again 0.959). To do so, I first
removed the old installation (IMHO completely, including a reboot) and
then installed the new packages following the instructions on the
GnuPG-Pack website.

Now I have the following problems, but unfortunately I cannot attribute
them to one particular program, so I am asking here in general first.
Concrete pointers are welcome too, though. ;-)

I fetch most of the mail accounts that run through GPG-Relay via SSL
(or TLS). That worked wonderfully before; since the reinstallation
GPG-Relay complains that the two SSL DLLs (libeay32 and libssl32) are
missing.
They are there, however (in the GPG-Relay directory), but they
evidently come from the OpenSSL package and are not recognized by
GPG-Relay. It works immediately, though, as soon as I replace the two
files with the ones of the same name from the SSL package on the
GPG-Relay project site. Then, however, 'Compression: zlib' does not
work for sTunnel. (OpenSSL DLLs dated 1.10.2006, GPG-Relay DLLs from
10.07.2004)

For the moment I have switched off compression in stunnel.conf and am
using the old files, but I do not like that as a permanent solution.

Question: Is this problem known? Is there perhaps even a solution?

The second problem also seems to stem somehow from the interplay of the
new package with GPG-Relay. Namely, I get (silent mode in GPG-Relay)
the following headers (addresses redacted):

> X-GPGrelay-GoodSig: 9D9A3B133BC72B51 Dirk Zemisch
> X-GPGrelay-SigID: bSmhCqei3PQ0GqKuOqxpmw6ckoQ 2007-02-23 1172198022
> X-GPGrelay-EncTo: 0000000000000000 16 0
> X-GPGrelay-Status: This mail was encrypted (PGP-MIME).
> ,-----GnuPG output follows (current time: Fri, Feb 23 2007 - 09:42:50)--
> |
> | anonymous recipient; trying secret key DF5D2ACB ...
> | anonymous recipient; trying secret key F1F5C6D4 ...
> | anonymous recipient; trying secret key 4D6196B5 ...
> | anonymous recipient; trying secret key E2E6A997 ...
> | anonymous recipient; trying secret key 37732829 ...
> | anonymous recipient; trying secret key 9D273BF0 ...
> | anonymous recipient; trying secret key 51211DD6 ...
> | anonymous recipient; trying secret key 212B1BDF ...
> | anonymous recipient; trying secret key BF53A544 ...
> | anonymous recipient; trying secret key C1C51B93 ...
> | anonymous recipient; trying secret key A4555DC0 ...
> | anonymous recipient; trying secret key FAC31E23 ...
> | anonymous recipient; trying secret key 9D91C0BE ...
> | anonymous recipient; trying secret key 577445AF ...
> | anonymous recipient; trying secret key AFB66E83 ...
> | anonymous recipient; trying secret key 2F3559D7 ...
> | Alles klar, wir sind der ungenannte Empfänger.
> | Signature made 02/23/07 09:33:42 using DSA key ID 3BC72B51
> | Good signature from "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "Dirk Zemisch "
> | aka "[jpeg image of size 4106]"
> |
> `-----------------------------------------------------------------------

For every 'trying ...' the corresponding passphrase prompt dialog of
course pops up. It is nice that one of the keys worked in the end, but
who is claiming 'anonymous recipient' there? The 'To:' contains only
one address, namely exactly the one belonging to 2F3559D7, which does
not appear in any of the other keys (most of which serve temporary
tests).

Yes, I can of course skip all the other key prompts every time or
delete the temporary keys in question, but it is a nuisance, and
entering and storing all the passphrases in the relay can hardly count
as a solution either. Besides: why did this still work yesterday in the
old configuration and no longer does now? I would almost rule out
GPG-Relay, because it is the same version.

I have already dug through all sorts of .conf files and the registry,
but unfortunately without success.

Windows XP (NT 5.1 Build 2600 - Service Pack 2 - all current updates)
CPU: Intel Pentium M (586 - @1728 GHz) with RAM: 504MB (virtual: 1921MB; used 62%)
IP: 192.168.0.11

--
Regards,
Dirk

On the road with The Bat! 3.95.8 with the help of Windows XP Service Pack 2

_______________________________________________
Gnupg-de mailing list
Gnupg-de at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-de
-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

--
Adios,
Dirk
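Added example, not part of the original post and not code from GnuPG or GPGrelay: the `X-GPGrelay-EncTo: 0000000000000000` header and the "anonymous recipient" lines in the message above correspond to an OpenPGP public-key encrypted session key packet whose key ID field is all zeros (RFC 4880, section 5.1); the recipient is named in that packet, not in the mail's `To:` header. This Python code lists the key IDs carried by a binary (dearmored) message and flags the all-zero ones. The function names and the sample bytes are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)

def read_packets(data):
    """Yield (tag, body) for each leading OpenPGP packet of definite length."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % pos)
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                return                         # partial body length: data packet, stop
        else:                                  # old-format header
            tag = (first >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
            if size is None:
                return                         # indeterminate length: stop
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def recipients(data):
    """Return [(key_id_hex, pubkey_algo, hidden)] for every version 3 PKESK packet."""
    found = []
    for tag, body in read_packets(data):
        if tag == PKESK_TAG and len(body) >= 10 and body[0] == 3:
            key_id = body[1:9]
            # An all-zero key ID names no key, so the receiver must try each secret key.
            found.append((key_id.hex().upper(), body[9], key_id == bytes(8)))
    return found

def pkesk(key_id, algo=16):
    """Build a constructed PKESK packet with dummy MPI bytes (sample input only)."""
    body = bytes([3]) + key_id + bytes([algo]) + b"\x00\x08\xAA\x00\x08\xBB"
    return bytes([0x84, len(body)]) + body     # old-format tag 1, one-octet length

# Constructed sample: one hidden recipient, one named recipient (algorithm 16 = Elgamal).
SAMPLE = pkesk(bytes(8)) + pkesk(bytes.fromhex("1122334455667788"))

if __name__ == "__main__":
    for key_id, algo, hidden in recipients(SAMPLE):
        print(key_id, algo, "hidden recipient" if hidden else "named recipient")
```

On the sending side, GnuPG writes an all-zero key ID when encrypting with `--throw-keyids` or `--hidden-recipient`; `gpg --list-packets` shows the same field as `keyid 0000000000000000`.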