From eocsor at gmail.com Tue Jan 1 00:12:31 2008
From: eocsor at gmail.com (Roscoe)
Date: Tue, 1 Jan 2008 08:42:31 +0930
Subject: Social networking
In-Reply-To:
References:
Message-ID:

Is this a major problem? I'm sure it happens, but does it happen with
any significant frequency?

I can't imagine such a system, which has a higher barrier to entry
than the normal social networking sites, being well received.

But sure, such a system could be constructed, perhaps you could allow
two modes of registration, one requiring a trusted key and the other
requiring ID of some sort. (Now you've made yourself effectively a
certificate authority, though)

-- Roscoe

On Jan 1, 2008 2:10 AM, Hardeep Singh wrote:
> Hi All
>
> Current social networking sites have a major problem: anybody can
> download your photograph and related details, edit them to his wish,
> and repost on the same site.
>
> I would suggest the following: building of, or using an existing WOT
> and each person wishing to join the social networking site be asked to
> get his profile (photo, name, DOB and some basic details) signed by
> three people already in the WOT. Once this is done, a centralised
> identity, sign the profile having verified the signatures by the other
> three people. Uploads of the photo and profile to any social
> networking site would then require a profile signed by the centralised
> authority. An exchange of any secret can be done to ensure that the
> person uploading the profile is the owner, and the basic details
> entered by the uploader verified against those in the profile.
>
> Does this make sense? Is there a way to make this work without the
> centralised identity?
>
> Regards
> Hardeep
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From wk at gnupg.org Wed Jan 2 09:46:00 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 09:46:00 +0100
Subject: pipes cgi and gnupg
In-Reply-To: <3ac86fa70712281903o4e41f56ex8bb366d7a893610a@mail.gmail.com> (Brad Tilley's message of "Fri, 28 Dec 2007 22:03:15 -0500")
References: <3ac86fa70712281903o4e41f56ex8bb366d7a893610a@mail.gmail.com>
Message-ID: <873atgmx87.fsf@wheatstone.g10code.de>

On Sat, 29 Dec 2007 04:03, byte8bits at gmail.com said:

> os.system("echo %s | gpg --batch --password-fd 0 -d %s > d.out"

  os.system("echo %s | gpg --batch --password-fd 0 --output - -d %s > d.out"

Note that all users on the machine will see the passphrase in the output
of ps(1). You are better off not using a passphrase at all or by using
--passphrase-file.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From fweimer at bfk.de Wed Jan 2 09:55:48 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 02 Jan 2008 09:55:48 +0100
Subject: Ignoring expiration dates
Message-ID: <82ir2cwqqz.fsf@mid.bfk.de>

Is it possible to ignore the key expiration date during encryption?

Unfortunately, people tend to set expiration dates without thinking
about the consequences. It's not always possible to get a new
self-signature in a reasonable time frame.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From joao.grilo at gmail.com Wed Jan 2 12:13:26 2008
From: joao.grilo at gmail.com (João Grilo)
Date: Wed, 2 Jan 2008 11:13:26 +0000
Subject: fatal: zlib inflate problem: invalid distance code
Message-ID: <2a221bd70801020313w4f5e3fcbk41b890a70090f0ba@mail.gmail.com>

Hello,

Recently, I was asked to backup and archive a ton of sensitive data, so
I used gpg to keep it away from evil eyes.

Now, trying to recover it on a different machine, it fails with the
following error:

debian:~# gpg mybigbackupfile.tar.gz.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
-- correct password is typed --
gpg: fatal: zlib inflate problem: invalid distance code
secmem usage: 2048/2240 bytes in 4/5 blocks of pool 2240/32768

I have no clue, since I have tried pretty much everything (including
installing the same operating system on the machine where I need to
decipher the data, using the "$ gpg < bigfile.gpg > bigfile" syntax and
so on). The error keeps showing up, and always stalls after processing
the same amount of data (approximately 27 gigabytes).

The weirdest part is that decrypting the data on the same machine it was
encrypted works perfectly. I have tried to replicate the environment
exactly (apart from a few packages which will probably be different, but
this is debian stable branch anyways). The only "big" difference, is the
hardware, but even the architecture is the same, the cpu is exactly alike.

On the machine where the compression+encryption were done:
Debian Etch Beta 4
Zlib Version: 1:1.2.3-13
Gnupg Version: 1.4.6-2

On the machine where the decompression+decryption is being done (and
failing):
Debian Etch RC1
Zlib Version: 1:1.2.3-13
Gnupg Version: 1.4.6-2

Note that these are all amd64 binaries. The size of "mybigbackupfile" is
approximately 105 gigabytes.

If I can provide any additional information that can be useful to trace
the problem down, don't hesitate to ask.

Apart from the request "how to recover this file", I'd also like to ask
if there are any measures I could take in the future to ensure this does
not happen again.

Thank you in advance,
Joao Marques

From wk at gnupg.org Wed Jan 2 13:40:59 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 13:40:59 +0100
Subject: Ignoring expiration dates
In-Reply-To: <82ir2cwqqz.fsf@mid.bfk.de> (Florian Weimer's message of "Wed, 02 Jan 2008 09:55:48 +0100")
References: <82ir2cwqqz.fsf@mid.bfk.de>
Message-ID: <87y7b8jt7o.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 09:55, fweimer at bfk.de said:

> Is it possible to ignore the key expiration date during encryption?

Not with gpg. With gpgsm you may try --debug-ignore-expiration.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From fweimer at bfk.de Wed Jan 2 13:53:24 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 02 Jan 2008 13:53:24 +0100
Subject: Ignoring expiration dates
In-Reply-To: <87y7b8jt7o.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 02 Jan 2008 13:40:59 +0100")
References: <82ir2cwqqz.fsf@mid.bfk.de> <87y7b8jt7o.fsf@wheatstone.g10code.de>
Message-ID: <82tzlwtmm3.fsf@mid.bfk.de>

* Werner Koch:

> On Wed, 2 Jan 2008 09:55, fweimer at bfk.de said:
>
>> Is it possible to ignore the key expiration date during encryption?
>
> Not with gpg. With gpgsm you may try --debug-ignore-expiration.

Oh well, this is a bit counterintuitive because the expiration time is
a hard fact in X.509, and rather fuzzy in OpenPGP.

Would you accept a patch, even if it's a kludge? (Expiration doesn't
seem to be signalled separately, so we'd have to change the code that
generates the expiration flag, and not the code that uses it.)

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From JPClizbe at tx.rr.com Wed Jan 2 14:41:11 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 02 Jan 2008 07:41:11 -0600
Subject: fatal: zlib inflate problem: invalid distance code
In-Reply-To: <2a221bd70801020313w4f5e3fcbk41b890a70090f0ba@mail.gmail.com>
References: <2a221bd70801020313w4f5e3fcbk41b890a70090f0ba@mail.gmail.com>
Message-ID: <477B9477.8010200@tx.rr.com>

João Grilo wrote:
> Recently, I was asked to backup and archive a ton of sensitive data, so
> I used gpg to keep it away from evil eyes.
>
> Now, trying to recover it on a different machine, it fails with the
> following error:
> debian:~# gpg mybigbackupfile.tar.gz.gpg
> gpg: CAST5 encrypted data
> gpg: encrypted with 1 passphrase
> -- correct password is typed --
> gpg: fatal: zlib inflate problem: invalid distance code
> secmem usage: 2048/2240 bytes in 4/5 blocks of pool 2240/32768
>
> I have no clue, since I have tried pretty much everything (including
> installing the same operating system on the machine where I need to
> decipher the data, using the "$ gpg < bigfile.gpg > bigfile" syntax and
> so on). The error keeps showing up, and always stalls after processing
> the same amount of data (approximately 27 gigabytes).
>
> The weirdest part is that decrypting the data on the same machine it was
> encrypted works perfectly. I have tried to replicate the environment
> exactly (apart from a few packages which will probably be different, but
> this is debian stable branch anyways). The only "big" difference, is the
> hardware, but even the architecture is the same, the cpu is exactly alike.
>
> Note that these are all amd64 binaries. The size of "mybigbackupfile" is
> approximately 105 gigabytes.
>
> If I can provide any additional information that can be useful to trace
> the problem down, don't hesitate to ask.

Since the original decrypts fine, I'd check and compare the hashes of the
two encrypted archives.

Small errors can creep in during transfer that will invalidate later
decryption. Comparing the outputs from md5sum or sha1sum will alert you
to the error.

GnuPG may also be used to generate the file hashes:

    gpg --print-md algo [files]

algo may be taken from the listing produced by 'gpg --version'.

    gpg --print-mds [files]

will generate hashes for all available algorithms.

Good luck.

--
John P. Clizbe                      Inet: JPClizbe(a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From wk at gnupg.org Wed Jan 2 15:25:38 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 15:25:38 +0100
Subject: Ignoring expiration dates
In-Reply-To: <82tzlwtmm3.fsf@mid.bfk.de> (Florian Weimer's message of "Wed, 02 Jan 2008 13:53:24 +0100")
References: <82ir2cwqqz.fsf@mid.bfk.de> <87y7b8jt7o.fsf@wheatstone.g10code.de> <82tzlwtmm3.fsf@mid.bfk.de>
Message-ID: <87r6h0i9st.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 13:53, fweimer at bfk.de said:

> Oh well, this is a bit counterintuitive because the expiration time is
> a hard fact in X.509, and rather fuzzy in OpenPGP.

I don't agree that it is fuzzy in OpenPGP; it is well defined. The fact
that you may change the expiration time does not make it fuzzy.

> Would you accept a patch, even if it's a kludge? (Expiration doesn't

Sure. Make it also --debug-ignore-expiration and for gpg2 (backporting
it then is easy).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From fweimer at bfk.de Wed Jan 2 15:39:56 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 02 Jan 2008 15:39:56 +0100
Subject: Ignoring expiration dates
In-Reply-To: <87r6h0i9st.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 02 Jan 2008 15:25:38 +0100")
References: <82ir2cwqqz.fsf@mid.bfk.de> <87y7b8jt7o.fsf@wheatstone.g10code.de> <82tzlwtmm3.fsf@mid.bfk.de> <87r6h0i9st.fsf@wheatstone.g10code.de>
Message-ID: <82fxxgthoj.fsf@mid.bfk.de>

* Werner Koch:

> On Wed, 2 Jan 2008 13:53, fweimer at bfk.de said:
>
>> Oh well, this is a bit counterintuitive because the expiration time is
>> a hard fact in X.509, and rather fuzzy in OpenPGP.
>
> I don't agree that it is fuzzy in OpenPGP; it is well defined.

For v3 keys, it is, but not for v4 keys. Implementations are free to
take the minimum or maximum of the expiration date over all available
self-signatures. After all, OpenPGP is just a format spec, and doesn't
say much about semantics.

Actually, this is a very old discussion. I've come to accept that
it's okay to choose the maximum, but I still don't buy that's the only
choice. 8-)

>> Would you accept a patch, even if it's a kludge? (Expiration doesn't
>
> Sure. Make it also --debug-ignore-expiration and for gpg2 (backporting
> it then is easy).

Okay. I guess I need some form for my employer. Would you send it to
me, please?

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From joao.grilo at gmail.com Wed Jan 2 16:05:00 2008
From: joao.grilo at gmail.com (João Grilo)
Date: Wed, 2 Jan 2008 15:05:00 +0000
Subject: fatal: zlib inflate problem: invalid distance code
In-Reply-To: <477B9477.8010200@tx.rr.com>
References: <2a221bd70801020313w4f5e3fcbk41b890a70090f0ba@mail.gmail.com> <477B9477.8010200@tx.rr.com>
Message-ID: <2a221bd70801020705y3e17e827pf8fe24021300d1fc@mail.gmail.com>

Hello again,

First of all, thanks for the quick reply.

The checksum did reveal that there are differences.

I know this isn't directly related to GnuPG, but since the file in
question is so big (100gigs), and I don't have physical access to the
original file any more, is it possible to simply transfer the difference
between both binaries through a network connection? If so, what would
you consider the best option in this situation? Rsync?

Thank you for your time, and I'll understand if you redirect me to the
rsync mailing list instead of providing an answer.

Best regards,
Joao Marques

On Jan 2, 2008 1:41 PM, John Clizbe wrote:

> João Grilo wrote:
> > Recently, I was asked to backup and archive a ton of sensitive data, so
> > I used gpg to keep it away from evil eyes.
> >
> > Now, trying to recover it on a different machine, it fails with the
> > following error:
> > debian:~# gpg mybigbackupfile.tar.gz.gpg
> > gpg: CAST5 encrypted data
> > gpg: encrypted with 1 passphrase
> > -- correct password is typed --
> > gpg: fatal: zlib inflate problem: invalid distance code
> > secmem usage: 2048/2240 bytes in 4/5 blocks of pool 2240/32768
> >
> > I have no clue, since I have tried pretty much everything (including
> > installing the same operating system on the machine where I need to
> > decipher the data, using the "$ gpg < bigfile.gpg > bigfile" syntax and
> > so on). The error keeps showing up, and always stalls after processing
> > the same amount of data (approximately 27 gigabytes).
> >
> > The weirdest part is that decrypting the data on the same machine it was
> > encrypted works perfectly. I have tried to replicate the environment
> > exactly (apart from a few packages which will probably be different, but
> > this is debian stable branch anyways). The only "big" difference, is the
> > hardware, but even the architecture is the same, the cpu is exactly
> > alike.
> >
> > Note that these are all amd64 binaries. The size of "mybigbackupfile" is
> > approximately 105 gigabytes.
> >
> > If I can provide any additional information that can be useful to trace
> > the problem down, don't hesitate to ask.
>
> Since the original decrypts fine, I'd check and compare the hashes of the
> two encrypted archives.
>
> Small errors can creep in during transfer that will invalidate later
> decryption.
> Comparing the outputs from md5sum or sha1sum will alert you to the error.
>
> GnuPG may also be used to generate the file hashes:
>
>     gpg --print-md algo [files]
>
> algo may be taken from the listing produced by 'gpg --version'.
>
>     gpg --print-mds [files]
>
> will generate hashes for all available algorithms.
>
> Good luck.
>
> --
> John P. Clizbe                      Inet: JPClizbe(a) tx DAWT rr DAHT con
> Ginger Bear Networks                hkp://keyserver.gingerbear.net
> "Be who you are and say what you feel because those who mind don't matter
> and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
>

From stevecliu at gmail.com Wed Jan 2 17:07:55 2008
From: stevecliu at gmail.com (Steve Liu)
Date: Wed, 2 Jan 2008 11:07:55 -0500
Subject: GPG Decryption of a PGP encrypted zip file resulting in garbled zip file
Message-ID: <9b1b11990801020807u136721b8g1efbc2a678a1b348@mail.gmail.com>

Hello,

I'm a newbie here, but I have a problem decrypting a zip file encrypted
with pgp.
I was trying to subscribe to the gpg group, but it didn't reply, so I
couldn't post there.
So I thought I'd ask the folks here.

The problem is this, I generate a standard 2048-bit ELG-E key and sent
off the public part to the client.
Similarly they sent me a 1024D (1024bit?) key which I was able to import
successfully.
They then uploaded a file reportedly encrypted with their key.
I take the file, decrypt it, and it seems to decrypt successfully (just a
warning that it was not integrity protected).
This results in a zip file.
However, when I try to uncompress the zip file, it would not decrypt.
Winzip would complain that it is an invalid archive.

I'm using GPG 1.4.7
I don't know what the client is using, but they required a DH/DSS key
from me (though this should have nothing to do with the file that they
send me, right?)

The symptom seem to match a little with what was described in:
http://marc.info/?l=gnupg-users&m=104982312123419&w=2
But, as that was supposed to be resolved 4 years ago, I hope that this is
just some user error on my part.

Cheers,
Steve

From wk at gnupg.org Wed Jan 2 18:33:41 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 18:33:41 +0100
Subject: Ignoring expiration dates
In-Reply-To: <82fxxgthoj.fsf@mid.bfk.de> (Florian Weimer's message of "Wed, 02 Jan 2008 15:39:56 +0100")
References: <82ir2cwqqz.fsf@mid.bfk.de> <87y7b8jt7o.fsf@wheatstone.g10code.de> <82tzlwtmm3.fsf@mid.bfk.de> <87r6h0i9st.fsf@wheatstone.g10code.de> <82fxxgthoj.fsf@mid.bfk.de>
Message-ID: <87bq84dte2.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 15:39, fweimer at bfk.de said:

> Actually, this is a very old discussion. I've come to accept that
> it's okay to choose the maximum, but I still don't buy that's the only
> choice. 8-)

Okay. We have hard expiration dates on the todo list but nothing you
will see any time soon.

> Okay. I guess I need some form for my employer. Would you send it to
> me, please?

Please take this to assign at gnu org and tell them that you need a new
form for your current employer.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lowbassman at gmail.com Wed Jan 2 21:14:58 2008
From: lowbassman at gmail.com (Matt Alexander)
Date: Wed, 2 Jan 2008 13:14:58 -0700
Subject: Where can I buy OpenPGP smartcards?
Message-ID: <9e0a35780801021214o16ff1ff7l1f90cd5ecaa9041f@mail.gmail.com>

Does anyone know if any of the following cards are OpenPGP compatible and
will work with GnuPG?

http://smartcardfocus.com/shop/ilp/se~5/p/index.shtml

Or is the card at...

http://www.kernelconcepts.de/en/shop/products/security.shtml?hardware

The only option? Are there any other companies that also make OpenPGP
compatible cards?

I'm looking at a possible deployment of OpenPGP smartcards at my company
and want to ensure that I have multiple vendors.

Thanks!
~Matt

From alexander.janssen at gmail.com Wed Jan 2 19:35:02 2008
From: alexander.janssen at gmail.com (Alexander W. Janssen)
Date: Wed, 02 Jan 2008 19:35:02 +0100
Subject: Generic question: Correct content-type?
Message-ID: <477BD956.9090908@gmail.com>

Hi,

this is a more generic question. I use Thunderbird + Enigmail on several
machines. I never touched any of the advanced features and never got
problems with someone until now.

I've sent an encrypted email - as inline PGP - and my buddy's Mutt
couldn't deal with the encrypted message. My friend claims this is
because I'm sending inline-PGP messages with Content-type text/plain.

He says that I need to configure my MUA so that it sends something like:

Content-Type: multipart/encrypted;
 protocol="application/pgp-encrypted";
 boundary="------------enig

From what I know (I'm just a user when it comes to email and I bribe
students with beer to set up my sendmails) this is just used if you're
sending multipart-messages, like a plaintext and a HTML-version of the
same email.

1) Am I correct setting Content-Type text/plain?
2) If I'm wrong and need to set application/pgp-encrypted, do I need to
tell that my MUA/Enigmail or do I need to give gpg some parameters? (I
bet it's the MUA)

Thanks for considering this pretty off-topic and crappy question.. :-)

Cheers, Alex.

P.S.: I already searched the Enigmail FAQ and haven't made it yet to
other FAQs... So if it's in the GPG-FAQ, just drop me a RTFM :)

From byte8bits at gmail.com Wed Jan 2 17:10:42 2008
From: byte8bits at gmail.com (Brad Tilley)
Date: Wed, 2 Jan 2008 11:10:42 -0500
Subject: pipes cgi and gnupg
In-Reply-To: <873atgmx87.fsf@wheatstone.g10code.de>
References: <3ac86fa70712281903o4e41f56ex8bb366d7a893610a@mail.gmail.com> <873atgmx87.fsf@wheatstone.g10code.de>
Message-ID: <3ac86fa70801020810o310ee2fj9f831b2a37e48b61@mail.gmail.com>

On Linux, would it be possible to use the Linux Key retention service
to overcome this:

http://www.ibm.com/developerworks/linux/library/l-key-retention.html

On Jan 2, 2008 3:46 AM, Werner Koch wrote:

> Note that all users on the machine will see the passphrase in the output
> of ps(1). You are better off not using a passphrase at all or by using
> --passphrase-file.

From alon.barlev at gmail.com Thu Jan 3 07:24:37 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 3 Jan 2008 08:24:37 +0200
Subject: Where can I buy OpenPGP smartcards?
In-Reply-To: <9e0a35780801021214o16ff1ff7l1f90cd5ecaa9041f@mail.gmail.com>
References: <9e0a35780801021214o16ff1ff7l1f90cd5ecaa9041f@mail.gmail.com>
Message-ID: <9e0cf0bf0801022224n50579bd4s58d09a5f1f643093@mail.gmail.com>

On 1/2/08, Matt Alexander wrote:
> I'm looking at a possible deployment of OpenPGP smartcards at my company and
> want to ensure that I have multiple vendors.
> Thanks!
> ~Matt

Hello,

You can use almost any PKCS#11 enabled smartcard if you use:
http://gnupg-pkcs11.sourceforge.net/

Using PKCS#11 will enable you to use the same card for other
applications as well.

Best Regards,
Alon Bar-Lev.

From fweimer at bfk.de Thu Jan 3 09:40:05 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Thu, 03 Jan 2008 09:40:05 +0100
Subject: Generic question: Correct content-type?
In-Reply-To: <477BD956.9090908@gmail.com> (Alexander W. Janssen's message of "Wed, 02 Jan 2008 19:35:02 +0100")
References: <477BD956.9090908@gmail.com>
Message-ID: <82wsqrnvyy.fsf@mid.bfk.de>

* Alexander W. Janssen:

> I've sent an encrypted email - as inline PGP - and my buddy's Mutt
> couldn't deal with the encrypted message. My friend claims this is
> because I've sending inline-PGP messages with Content-type text/plain.

Tell your friend about Esc-P.

He probably wants you to send your message in OpenPGP/MIME format.
This is the better choice for various reasons, but it's still less
supported in the field.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From sk at intertivity.com Thu Jan 3 10:47:22 2008
From: sk at intertivity.com (Sascha Kiefer)
Date: Thu, 3 Jan 2008 13:47:22 +0400
Subject: Where can I buy OpenPGP smartcards?
In-Reply-To: <9e0cf0bf0801022224n50579bd4s58d09a5f1f643093@mail.gmail.com>
Message-ID: <001f01c84ded$a49a1b50$8a02a8c0@saschaxp1>

http://www.smartcardfocus.com/ is a good place.

Regards,
Sascha Kiefer

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Alon Bar-Lev
Sent: Thursday, 3 January 2008 10:25
To: Matt Alexander
Cc: gnupg-users at gnupg.org
Subject: Re: Where can I buy OpenPGP smartcards?

On 1/2/08, Matt Alexander wrote:
> I'm looking at a possible deployment of OpenPGP smartcards at my
> company and want to ensure that I have multiple vendors. Thanks!
> ~Matt

Hello,

You can use almost any PKCS#11 enabled smartcard if you use:
http://gnupg-pkcs11.sourceforge.net/

Using PKCS#11 will enable you to use the same card for other
applications as well.

Best Regards,
Alon Bar-Lev.

From y-ooshima at hitachi-system.co.jp Fri Jan 4 03:23:05 2008
From: y-ooshima at hitachi-system.co.jp (y-ooshima at hitachi-system.co.jp)
Date: Fri, 4 Jan 2008 11:23:05 +0900
Subject: Has Vista been already included in support OS?
References: <476B7AE1.3090603@tx.rr.com> <87fxxw44bq.fsf@wheatstone.g10code.de>
Message-ID:

Hi,

wk at gnupg.org wrote:
>On Fri, 21 Dec 2007 09:35, JPClizbe at tx.rr.com said:
>>> It seems that installing GnuPG on Vista is OK.
>> Oversight in the README. The problem that Vista had with launching the keyserver
>Right. I have not touched that README for a long time. Will change it
>for the next release.

I see, thank you.
Would you please update a webpage
http://www.gnupg.org/download/supported_systems.en.html, too?

BTW, the following message appeared when running gpg.exe at the only
first time on Vista.

| gpg: DBG: rndw32: get performance data problem

In detail, it will be output before creating the random_seed file.
and this message disappears when turn-off UAC from Vista's control panel.

From source code in cipher/rndw32.c:

    static void
    slow_gatherer_windowsNT(void (*add)(const void*, size_t, int), int requester )
    {
        (snip)
        status = RegQueryValueEx (HKEY_PERFORMANCE_DATA, "Global", NULL,
                                  NULL, (LPBYTE) pPerfData, &dwSize);
        if (status == ERROR_SUCCESS) {
            (snip)
        }
        else {
            g10_log_debug ( "rndw32: get performance data problem\n");
            break;
        }

Under the environment with UAC on Vista, it will be refused to access
HKEY_PERFORMANCE_DATA even if user has administrator privilege.

I think this is not serious problem, because a random_seed is made from
another part. Is this right?

Thanks.

From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 4 15:50:43 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri, 04 Jan 2008 15:50:43 +0100
Subject: [Announce] GPGME 1.1.6 released
Message-ID: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.1.6 of GnuPG Made Easy,
a library designed to make access to GnuPG easier for applications.
It may be found in the file (about 939 KB/730 KB compressed)

ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2

The following files are also available:

ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.5-1.1.6.diff.gz

It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:
gnupg-devel at gnupg.org

The sha1sum checksums for this distribution are

ed2c9699367d1be32f84bf154673becd16deba0a  gpgme-1.1.5-1.1.6.diff.gz
05218df939d72c2fd6d74f22c2b5d5ade0718b7a  gpgme-1.1.6.tar.bz2
2c2994d98ab545d1bced14c0554f4a50fd8e0878  gpgme-1.1.6.tar.bz2.sig
8dee551f362fc428c25c9bd542ce944ac916347d  gpgme-1.1.6.tar.gz
996e0b48a4f5e0ce3029e95c310ae64af92a6131  gpgme-1.1.6.tar.gz.sig

Noteworthy changes in version 1.1.6 (2008-01-04)
------------------------------------------------

 * Bug fixes for W32.

 * A new, experimental (and thus undocumented and potentially
   unstable) interface for accessing gpg-conf through GPGME has been
   added.

 * Interface changes relative to the 1.1.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_signature_t               EXTENDED: New field chain_model.
gpgme_op_getauditlog_start      NEW.
gpgme_op_getauditlog            NEW.
GPGME_AUDITLOG_HTML             NEW.
GPGME_AUDITLOG_WITH_HELP        NEW.

Marcus Brinkmann
mb at g10code.de

--
g10 Code GmbH         http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                                 Geschäftsführung Werner Koch
D-40699 Erkrath   -=- The GnuPG Experts -=-   USt-Id DE215605608

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From dshaw at jabberwocky.com Sat Jan 5 03:14:08 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2008 21:14:08 -0500
Subject: pipes cgi and gnupg
In-Reply-To: <3ac86fa70801020810o310ee2fj9f831b2a37e48b61@mail.gmail.com>
References: <3ac86fa70712281903o4e41f56ex8bb366d7a893610a@mail.gmail.com> <873atgmx87.fsf@wheatstone.g10code.de> <3ac86fa70801020810o310ee2fj9f831b2a37e48b61@mail.gmail.com>
Message-ID:

On Jan 2, 2008, at 11:10 AM, Brad Tilley wrote:

> On Linux, would it be possible to use the Linux Key retention service
> to overcome this:
>
> http://www.ibm.com/developerworks/linux/library/l-key-retention.html

Not well. The Linux key retention service (while very neat) doesn't
really solve the problem - GPG needs to be as platform-independent as
possible, which precludes solutions that are only available on Linux.

David

From hidekis at gmail.com Sat Jan 5 06:04:18 2008
From: hidekis at gmail.com (Hideki Saito)
Date: Fri, 4 Jan 2008 21:04:18 -0800
Subject: GnuPG wikia
Message-ID:

I've started up GnuPG wiki on Wikia.
http://gnupg.wikia.com/wiki/Main_Page

I will be posting contents from my Japanese GnuPG page shortly...

--
Hideki Saito

From 210525p42015 at denstarfarm.us Sat Jan 5 11:43:37 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Sat, 05 Jan 2008 05:43:37 -0500
Subject: Trimming Per Recipient Rules list
Message-ID: <477F5F59.9010702@denstarfarm.us>

I noticed today that my Per Recipient Rules list is in sad disarray.
Furthermore, the list is huge, by my standards and patience level.

I would like to push all those entries that have a "Key" associated, up
into the top of the list, but rapidly, not "Move-Up ,, Move-Up"

I would like to delete all the rest, if that makes sense to do ...I am
using Thunderbird and am not sure if and how the remainder of the list
is used .... those entries where there is no key and the rule states to
move on to next recipient .... because I am getting a wee bit impatient
with Thunderbird locking herself up for long periods and was working on
trimming things down ... compacting, expunging rules, and so forth ...
and came across the Rules List.

Thanks for any help.

--
Apple OS/X

From shavital at mac.com Sat Jan 5 13:33:27 2008
From: shavital at mac.com (Charly Avital)
Date: Sat, 05 Jan 2008 07:33:27 -0500
Subject: Trimming Per Recipient Rules list
In-Reply-To: <477F5F59.9010702@denstarfarm.us>
References: <477F5F59.9010702@denstarfarm.us>
Message-ID: <477F7917.4000907@mac.com>

Robert D. <210525p42015 at denstarfarm.us> wrote the following on 1/5/08
5:43 AM:

> I noticed today that my Per Recipient Rules list is in sad disarray.
> Furthermore, the list is huge, by my standards and patience level.
>
> I would like to push all those entries that have a "Key" associated, up
> into the top of the list, but rapidly, not "Move-Up ,, Move-Up"

I couldn't find any work around the gradual moving (up or down) of each
entry by entry. Trying to select several entries together is not
possible.

Maybe you could find some information in user specific files. From
Enigmail help pages:

 * The settings are stored in an XML file in your profile folder
   called pgprules.xml. If you delete your profile for any reason, you
   should be sure to back this file up along with your mail, user.js,
   etc.

> I would like to delete all the rest, if that makes sense to do

I believe you can do it, there's a button for that. I suppose that the
next time you want to send an e-mail to any of the recipients, whose
rule has been deleted, Enigmail will prompt you to set a rule, unless
you disable the automatic creation of per recipient rules, in OpenPGP
Preferences > Key Selection (see further)

> ...I am
> using Thunderbird and am not sure if and how the remainder of the list
> is used .... those entries where there is no key and the rule states to
> move on to next recipient .... because I am getting a wee bit impatient
> with Thunderbird locking herself up for long periods and was working on
> trimming things down ... compacting, expunging rules, and so forth ...
> and came across the Rules List.

Good move, but I believe that trimming Thunderbird's Inbox to zero
entries might improve Thunderbird's performance, by saving indexing
time.

If it was possible to disable the function 'automatically download keys
for signature verification' that would be a good thing. I haven't found
the ways to do it, maybe in pgprules.xml.

Alternatively, it is possible to disable OpenPGP>Automatically
Decrypt/Verify Messages. I suggested, some time ago, to condition this
rule to be "Automatically Decrypt/Verify Messages, *unless already
read*".

Maybe you could also use the following (from Enigmail Help)

Tips and Tricks

If you wish to send a mail to somebody for whom you don't have a rule,
and you wish to manually turn on signing, encryption, or PGP/MIME, it
will be overridden by the settings in the Enigmail > Preferences >
OpenPGP Security tab and the Per-Recipient Rules, and the message will
be sent in plain text. To get around this, add a new rule.

 * In the Set OpenPGP Rules for field enter @
 * Set Apply rule if recipient to Contains
 * Set Continue with the next rule for the matching address
 * Do not add any keys
 * Set Signing, Encryption, and PGP/MIME to Yes, if selected in message
 * Save the rule and ensure that it is at the bottom of the list of
   rules.

> Thanks for any help.

I am not sure I helped.

Charly

From yalla at fsfe.org Mon Jan 7 09:27:31 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Mon, 07 Jan 2008 09:27:31 +0100
Subject: Setting proxy through command-line parameters?
Message-ID: <4781E273.7030204@fsfe.org>

Hi,

I know how to set my Proxy in the appropriate config-files, but is there also a possibility to set the proxy on the command-line?

Background: I'm using Thunderbird/Enigmail in different network-environments and it'd be neat if Enigmail could take the current proxy-configuration from the Thunderbird settings, and applying it to the command-line parameters of GPG.

Oh, and it's a socks-proxy as well which complicates the situation...

Alex.

From lowbassman at gmail.com Mon Jan 7 19:36:41 2008
From: lowbassman at gmail.com (Matt Alexander)
Date: Mon, 7 Jan 2008 11:36:41 -0700
Subject: Where can I buy OpenPGP smartcards?
In-Reply-To: <9e0cf0bf0801022224n50579bd4s58d09a5f1f643093@mail.gmail.com>
References: <9e0a35780801021214o16ff1ff7l1f90cd5ecaa9041f@mail.gmail.com> <9e0cf0bf0801022224n50579bd4s58d09a5f1f643093@mail.gmail.com>
Message-ID: <9e0a35780801071036q4b01da53j956913d3070655ed@mail.gmail.com>

Wow, that's cool. That definitely would simplify things for me. Are there plans in the future to incorporate PKCS#11 support into the main GnuPG source?

On Jan 2, 2008 11:24 PM, Alon Bar-Lev wrote:
> On 1/2/08, Matt Alexander wrote:
> > I'm looking at a possible deployment of OpenPGP smartcards at my company and
> > want to ensure that I have multiple vendors.
> > Thanks!
> > ~Matt
>
> Hello,
>
> You can use almost any PKCS#11 enabled smartcard if you use:
> http://gnupg-pkcs11.sourceforge.net/
>
> Using PKCS#11 will enable you to use the same card for other
> applications as well.
>
> Best Regards,
> Alon Bar-Lev.

From alon.barlev at gmail.com Mon Jan 7 19:38:49 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Mon, 7 Jan 2008 20:38:49 +0200
Subject: Where can I buy OpenPGP smartcards?
In-Reply-To: <9e0a35780801071036q4b01da53j956913d3070655ed@mail.gmail.com>
References: <9e0a35780801021214o16ff1ff7l1f90cd5ecaa9041f@mail.gmail.com> <9e0cf0bf0801022224n50579bd4s58d09a5f1f643093@mail.gmail.com> <9e0a35780801071036q4b01da53j956913d3070655ed@mail.gmail.com>
Message-ID: <9e0cf0bf0801071038u48039531k1a7ee23d7fc21480@mail.gmail.com>

The chances are slim...
Because of this we forked the scdaemon...

On Jan 7, 2008 8:36 PM, Matt Alexander wrote:
> Wow, that's cool. That definitely would simplify things for me. Are there
> plans in the future to incorporate PKCS#11 support into the main GnuPG
> source?
>
> On Jan 2, 2008 11:24 PM, Alon Bar-Lev < alon.barlev at gmail.com> wrote:
> >
> > On 1/2/08, Matt Alexander wrote:
> > > I'm looking at a possible deployment of OpenPGP smartcards at my company and
> > > want to ensure that I have multiple vendors.
> > > Thanks!
> > > ~Matt
> >
> > Hello,
> >
> > You can use almost any PKCS#11 enabled smartcard if you use:
> > http://gnupg-pkcs11.sourceforge.net/
> >
> > Using PKCS#11 will enable you to use the same card for other
> > applications as well.
> >
> > Best Regards,
> > Alon Bar-Lev.

From abdalma1 at yahoo.de Tue Jan 8 17:19:53 2008
From: abdalma1 at yahoo.de (Abd-Al-Latif Mahmud)
Date: Tue, 8 Jan 2008 17:19:53 +0100 (CET)
Subject: GPG 2.0.8 compilation: ok, execution: error
Message-ID: <381351.38965.qm@web23402.mail.ird.yahoo.com>

Hi,

I am trying to compile GPG 2.0.8 on my Mac. The compilation itself seemed to work flawlessly, but e.g. upon decrypting a text, I get the following error:

MacBook:bin foo$ ./gpg2 --homedir=/Users/foo/.gnupg/ -d /Users/foo/some-encrypted-file.gpg

You need a passphrase to unlock the secret key for
user: "foo bar "
1024-bit ELG key, ID 01234567, created 1970-01-01 (main key ID 76543210)

can't connect to `/Users/foo/.gnupg//S.gpg-agent': No such file or directory
gpg-agent[65520]: directory `/Users/foo/.gnupg/private-keys-v1.d' created
gpg-agent[65520]: can't connect server: `ERR 67109133 can't exec `/Users/foo/Downloads/built': Permission denied'
gpg-agent[65520]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[65520]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: encrypted with 1024-bit ELG key, ID 01234567, created 2001-01-01
"foo bar "
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key

In the compilation process, pinentry has of course been compiled (with ncurses only). I have installed (i.e. "--prefix=...") everything in a subdirectory of my home - don't know if that matters.

Any idea on how to fix the error?

Thanks

Kind regards
Abd-Al-Latif Mahmud

From pneukom at gmail.com Wed Jan 9 03:10:03 2008
From: pneukom at gmail.com (Philip Neukom)
Date: Tue, 08 Jan 2008 21:10:03 -0500
Subject: gpg: waiting for lock (held by 1529 - probably dead)?
Message-ID: <47842CFB.3060403@gmail.com>

Hi!

I'm back and updating my key for new email accounts after a long absence.

But am running a problem and getting the following error. I did a Google search but didn't find anything yet.

Could someone please explain what the error means? And, if there is obvious place to look for such info that I don't know about, please let me know where I can look.

Error
---cut---
gpg: waiting for lock (held by 1529 - probably dead) ...
---cut---

MacOSx 10.4.11
macgpg 1.4.8
keyserver: mit

Thank you in advance
Philip

From shavital at mac.com Wed Jan 9 13:08:41 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 09 Jan 2008 07:08:41 -0500
Subject: gpg: waiting for lock (held by 1529 - probably dead)?
In-Reply-To: <47842CFB.3060403@gmail.com>
References: <47842CFB.3060403@gmail.com>
Message-ID: <4784B949.80701@mac.com>

Philip Neukom wrote the following on 1/8/08 9:10 PM:
> Hi!
>
> I'm back and updating my key for new email accounts after a long absence.

Welcome back.

>
> But am running a problem and getting the following error. I did a
> Google search but didn't find anything yet.
>
> Could someone please explain what the error means? And, if there is
> obvious place to look for such info that I don't know about, please let
> me know where I can look.
>
> Error
> ---cut---
> gpg: waiting for lock (held by 1529 - probably dead) ...
> ---cut---

I remember having had that kind of problem.

Please point your browser to: .

All I can understand is that gpg started a process that it couldn't complete, and/or crashed. I very vaguely remember that the crash was due to a missing hash SHA224 (H11); but don't take me to my word, launch Terminal and type gpg -v --version, and see what you get.

The crash, or whatever it was resulted in the creation in ~/.gnupg of a file named secring.gpg.lock or trustdb.gpg.lock, any file with the extension .....gpg.lock. Remove that file, it should solve the problem.

By the way, an unrelated question: how did you install 1.4.8? Compiled src, or used the binary installer available at ?

Charly
MacOSX 10.5.1
gpg 1.4.8, gpg2 2.0.7 with gpg-agent.

>
> MacOSx 10.4.11
> macgpg 1.4.8
> keyserver: mit
>
> Thank you in advance
> Philip

From pneukom at gmail.com Wed Jan 9 14:10:19 2008
From: pneukom at gmail.com (Philip Neukom)
Date: Wed, 09 Jan 2008 08:10:19 -0500
Subject: gpg: waiting for lock (held by 1529 - probably dead)?
In-Reply-To: <4784B949.80701@mac.com>
References: <47842CFB.3060403@gmail.com> <4784B949.80701@mac.com>
Message-ID: <4784C7BB.1050008@gmail.com>

Charly, thank you for your reply. And especially for the direct response. I forgot to mention that I am on digest mode. (oops).

Thank you for the link. I didn't think to look for a "lock" file in ~.gnupg. I just deleted those files and will try to get the uid updated again.

Is there a "search" page for all the archives? I have just found a page that lists all the discussions by month. I think you would need to select and search each month. That would be tedious. Doesn't Google index these forums?

I was running the binary MacGPG version 1.4.8 but since my original keys were created using IDEA, I couldn't run it properly. I tried to compile a plug-in but that was beyond my limited ability. Luckily for me, Robert Hansen was able to give me some help and I compiled the complete 1.4.8 with IDEA by myself!! So right now, I am running v 1.4.8 compiled from source.

Thanks again.
Philip

Charly Avital wrote:
| Philip Neukom wrote the following on 1/8/08 9:10 PM:
|> Hi!
|>
|> I'm back and updating my key for new email accounts after a long absence.
|
| Welcome back.
|>
|> But am running a problem and getting the following error. I did a
|> Google search but didn't find anything yet.
|>
|> Could someone please explain what the error means? And, if there is
|> obvious place to look for such info that I don't know about, please let
|> me know where I can look.
|>
|> Error
|> ---cut---
|> gpg: waiting for lock (held by 1529 - probably dead) ...
|> ---cut---
|
| I remember having had that kind of problem.
|
| Please point your browser to:
| .
|
| All I can understand is that gpg started a process that it couldn't complete, and/or crashed. I very vaguely remember that the crash was due to a missing hash SHA224 (H11); but don't take me to my word, launch Terminal and type gpg -v --version, and see what you get.
|
| The crash, or whatever it was resulted in the creation in ~/.gnupg of a file named secring.gpg.lock or trustdb.gpg.lock, any file with the extension .....gpg.lock. Remove that file, it should solve the problem.
|
| By the way, an unrelated question: how did you install 1.4.8? Compiled src, or used the binary installer available at ?
|
| Charly
| MacOSX 10.5.1
| gpg 1.4.8, gpg2 2.0.7 with gpg-agent.
|
|>
|> MacOSx 10.4.11
|> macgpg 1.4.8
|> keyserver: mit
|>
|> Thank you in advance
|> Philip

From paul.crittenden at simpson.edu Wed Jan 9 23:28:46 2008
From: paul.crittenden at simpson.edu (Paul Crittenden)
Date: Wed, 9 Jan 2008 16:28:46 -0600
Subject: Decryption error
Message-ID: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc>

I am using gpg for encryption with Amanda, a disk backup utility. It backups up just fine but when I try to restore I get the error:

ld.so.1: gpg: fatal: libgcc_s.so.1: open failed: No such file or directory

I have set environment variables both when I compiled gpg and when I run the restore utility but I can't seem to get past this error.

I have worked with the Amanda folks but still haven't figured this one out.

Any ideas would be appreciated.

Paul Crittenden
Computer Systems Manager
Simpson College
Phone: 515-961-1680
Email: paul.crittenden at simpson.edu

From dshaw at jabberwocky.com Thu Jan 10 04:26:14 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 9 Jan 2008 22:26:14 -0500
Subject: Decryption error
In-Reply-To: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc>
References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc>
Message-ID: <20080110032614.GA18701@jabberwocky.com>

On Wed, Jan 09, 2008 at 04:28:46PM -0600, Paul Crittenden wrote:
> I am using gpg for encryption with Amanda, a disk backup utility. It
> backups up just fine but when I try to restore I get the error:
>
> ld.so.1: gpg: fatal: libgcc_s.so.1: open failed: No such file or
> directory
>
> I have set environment variables both when I compiled gpg and when I run
> the restore utility but I can't seem to get past this error.
>
> I have worked with the Amanda folks but still haven't figured this one
> out.

This isn't an Amanda issue or a GPG issue. Rather, it's a regular old Unix-ish shared library issue. The error means that the gpg binary was compiled on a system that could find libgcc_s.so.1, but is now being run on a system that cannot.

Does the libgcc_s.so.1 file exist at all on your machine?

David

From dshaw at jabberwocky.com Thu Jan 10 04:38:18 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 9 Jan 2008 22:38:18 -0500
Subject: Setting proxy through command-line parameters?
In-Reply-To: <4781E273.7030204@fsfe.org>
References: <4781E273.7030204@fsfe.org>
Message-ID: <20080110033818.GB18701@jabberwocky.com>

On Mon, Jan 07, 2008 at 09:27:31AM +0100, Alexander W. Janssen wrote:
> Hi,
>
> I know how to set my Proxy in the appropriate config-files, but is there
> also a possibility to set the proxy on the command-line?

I assume you mean the HTTP proxy for keyserver access? If so, then yes. Add something like this to your command line:

--keyserver-options "http-proxy=http://my.proxy.example.com"

David

From paul.crittenden at simpson.edu Thu Jan 10 15:32:31 2008
From: paul.crittenden at simpson.edu (Paul Crittenden)
Date: Thu, 10 Jan 2008 08:32:31 -0600
Subject: Decryption error
In-Reply-To: <20080110032614.GA18701@jabberwocky.com>
References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> <20080110032614.GA18701@jabberwocky.com>
Message-ID: <319C97430831164E90F66B72B419713D39D0DA@MAIL.sc.loc>

I ran ldd against the binary gpg and it found the file.

# ldd /usr/bin/gpg
libiconv.so.2 => /usr/local/lib/libiconv.so.2
libresolv.so.2 => /usr/lib/libresolv.so.2
libz.so.1 => /usr/lib/libz.so.1
libreadline.so.5 => /usr/local/lib/libreadline.so.5
libcurses.so.1 => /usr/lib/libcurses.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V890/lib/libc_psr.so.1

Paul Crittenden
Computer Systems Manager
Simpson College
Phone: 515-961-1680
Email: paul.crittenden at simpson.edu

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw
Sent: Wednesday, January 09, 2008 9:26 PM
To: gnupg-users at gnupg.org
Subject: Re: Decryption error

On Wed, Jan 09, 2008 at 04:28:46PM -0600, Paul Crittenden wrote:
> I am using gpg for encryption with Amanda, a disk backup utility. It
> backups up just fine but when I try to restore I get the error:
>
> ld.so.1: gpg: fatal: libgcc_s.so.1: open failed: No such file or
> directory
>
> I have set environment variables both when I compiled gpg and when I run
> the restore utility but I can't seem to get past this error.
>
> I have worked with the Amanda folks but still haven't figured this one
> out.

This isn't an Amanda issue or a GPG issue. Rather, it's a regular old Unix-ish shared library issue. The error means that the gpg binary was compiled on a system that could find libgcc_s.so.1, but is now being run on a system that cannot.

Does the libgcc_s.so.1 file exist at all on your machine?

David

From paul.crittenden at simpson.edu Thu Jan 10 16:22:54 2008
From: paul.crittenden at simpson.edu (Paul Crittenden)
Date: Thu, 10 Jan 2008 09:22:54 -0600
Subject: Decryption error
In-Reply-To: <20080110032614.GA18701@jabberwocky.com>
References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> <20080110032614.GA18701@jabberwocky.com>
Message-ID: <319C97430831164E90F66B72B419713D39D0E0@MAIL.sc.loc>

I fixed it, perhaps not the proper fix but it now works. I made a link from /usr/local/lib/libgcc... to /usr/lib/libgcc...

Paul Crittenden
Computer Systems Manager
Simpson College
Phone: 515-961-1680
Email: paul.crittenden at simpson.edu

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw
Sent: Wednesday, January 09, 2008 9:26 PM
To: gnupg-users at gnupg.org
Subject: Re: Decryption error

On Wed, Jan 09, 2008 at 04:28:46PM -0600, Paul Crittenden wrote:
> I am using gpg for encryption with Amanda, a disk backup utility. It
> backups up just fine but when I try to restore I get the error:
>
> ld.so.1: gpg: fatal: libgcc_s.so.1: open failed: No such file or
> directory
>
> I have set environment variables both when I compiled gpg and when I run
> the restore utility but I can't seem to get past this error.
>
> I have worked with the Amanda folks but still haven't figured this one
> out.

This isn't an Amanda issue or a GPG issue. Rather, it's a regular old Unix-ish shared library issue. The error means that the gpg binary was compiled on a system that could find libgcc_s.so.1, but is now being run on a system that cannot.

Does the libgcc_s.so.1 file exist at all on your machine?

David

From shavital at mac.com Thu Jan 10 16:56:31 2008
From: shavital at mac.com (Charly Avital)
Date: Thu, 10 Jan 2008 10:56:31 -0500
Subject: gpg2 2.0.8
Message-ID: <4786402F.4030604@mac.com>

After checking which libraries were already in my system (from previous installations) I downloaded gnupg-2.0.8 from gnupg.org's site, verified the signature, and compiled the source code, using the usual commands.

At the end of ./configure:

GnuPG v2.0.8 has been configured as follows:
~ Platform: Darwin (i386-apple-darwin9.1.0)
~ OpenPGP: yes
~ S/MIME: yes
~ Agent: yes
~ Smartcard: yes (without internal CCID driver)
~ Protect tool: (default)
~ Default agent: (default)
~ Default pinentry: (default)
~ Default scdaemon: (default)
~ Default dirmngr: (default)
~ PKITS based tests: no

I have now:

$ gpg2 --version
gpg (GnuPG) 2.0.8
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Used libraries: gcrypt(1.4.0)

Question: why 'Used libraries: gcrypt(1.4.0)?

Charly
~ Model Name: MacBook
~ Model Identifier: MacBook2,1
~ Processor Name: Intel Core 2 Duo
~ Processor Speed: 2 GHz
~ Number Of Processors: 1
~ Total Number Of Cores: 2
~ L2 Cache: 4 MB
~ Memory: 2 GB
~ Bus Speed: 667 MHz
~ Boot ROM Version: MB21.00A5.B07
~ SMC Version: 1.13f3

From yalla at fsfe.org Thu Jan 10 16:34:10 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Thu, 10 Jan 2008 16:34:10 +0100
Subject: Decryption error
In-Reply-To: <319C97430831164E90F66B72B419713D39D0E0@MAIL.sc.loc>
References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> <20080110032614.GA18701@jabberwocky.com> <319C97430831164E90F66B72B419713D39D0E0@MAIL.sc.loc>
Message-ID: <47863AF2.2070202@fsfe.org>

Paul Crittenden wrote:
| I fixed it, perhaps not the proper fix but it now works. I made a link
| from /usr/local/lib/libgcc... to /usr/lib/libgcc...

If it's a Linux-system add /usr/local/lib to the file /etc/ld.so.conf and run the command ldconfig once.

In Solaris you need to use the crle-tool, I've found instructions here so I don't have to type it:
http://bwachter.lart.info/solaris/solfaq.html - Section "Configure the dynamic linker"

Both commands have the same result, to tell your system where to look for libraries. If your system doesn't look into /usr/local/lib because it isn't configured to do so, you run into the problem you have.

HTH, Alex.

From paul.crittenden at simpson.edu Thu Jan 10 20:28:01 2008
From: paul.crittenden at simpson.edu (Paul Crittenden)
Date: Thu, 10 Jan 2008 13:28:01 -0600
Subject: Decryption error
In-Reply-To: <47863AF2.2070202@fsfe.org>
References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> <20080110032614.GA18701@jabberwocky.com> <319C97430831164E90F66B72B419713D39D0E0@MAIL.sc.loc> <47863AF2.2070202@fsfe.org>
Message-ID: <319C97430831164E90F66B72B419713D39D0E6@MAIL.sc.loc>

Thanks, this fixed the problem, the correct way.

Paul Crittenden
Computer Systems Manager
Simpson College
Phone: 515-961-1680
Email: paul.crittenden at simpson.edu

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Alexander W. Janssen
Sent: Thursday, January 10, 2008 9:34 AM
To: gnupg-users
Subject: Re: Decryption error

Paul Crittenden wrote:
| I fixed it, perhaps not the proper fix but it now works. I made a link
| from /usr/local/lib/libgcc... to /usr/lib/libgcc...

If it's a Linux-system add /usr/local/lib to the file /etc/ld.so.conf and run the command ldconfig once.

In Solaris you need to use the crle-tool, I've found instructions here so I don't have to type it:
http://bwachter.lart.info/solaris/solfaq.html - Section "Configure the dynamic linker"

Both commands have the same result, to tell your system where to look for libraries. If your system doesn't look into /usr/local/lib because it isn't configured to do so, you run into the problem you have.

HTH, Alex.

From s_protsman at yahoo.com Fri Jan 11 01:55:09 2008
From: s_protsman at yahoo.com (Shawn Protsman)
Date: Thu, 10 Jan 2008 16:55:09 -0800 (PST)
Subject: export keys and import to pgp 7
Message-ID: <792710.5744.qm@web30814.mail.mud.yahoo.com>

I'm running some tests and exported some keys from my gpg 1.4.7 instance using the instructions here:

http://gnupg.org/documentation/faqs.en.html#q5.7

I then attempted to import into an older PGP 7.01 (command line) installation:

Now, when I receive a file and attempt to decrypt that file with PGP 7 it still doesn't accept my passphrase.

Does anyone know of a workaround?

--Shawn

From landes_eric at yahoo.fr Sat Jan 12 13:49:49 2008
From: landes_eric at yahoo.fr (ERIC LANDES)
Date: Sat, 12 Jan 2008 13:49:49 +0100 (CET)
Subject: Checking expiration date automatically
Message-ID: <834779.75600.qm@web27612.mail.ukl.yahoo.com>

Hello,

I use gnupg with a software I write and it needs a gpg key with expiration date. As I do not myself manage this software, I would like to provide a shell script on Linux (e.g. launched every day with cron) which would check for the expiration date and send a warning if key expires within a given time (15 days for example).

Does there exist an option which would give the expiration date of a key, if such date exists ? I saw nothing on man gpg.

It is possible to retrieve the expiration date on Linux with a command line, as shown below, but the command is ugly, not totally safe (because of the grep) and may not work on all versions of gpg.

Having these keys :

# LANG=C gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/E5F2C00E 2008-01-12 [expires: 2009-01-11]
uid test date (test)
sub 2048g/7C17580B 2008-01-12 [expires: 2009-01-11]

pub 1024D/16B870A6 2008-01-12
uid aaaaaa (fdsfsd)
sub 2048g/B2526B84 2008-01-12

Expiration date of key test at date is :

# LANG=C gpg --list-keys test at date | grep "\[expires:" | cut -d ":" -f 2 | cut -d " " -f 2 | cut -d "]" -f 1 | head -n 1
2009-01-11

Thanks,

Eric LANDES

From dshaw at jabberwocky.com Sat Jan 12 15:53:11 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 12 Jan 2008 09:53:11 -0500
Subject: Checking expiration date automatically
In-Reply-To: <834779.75600.qm@web27612.mail.ukl.yahoo.com>
References: <834779.75600.qm@web27612.mail.ukl.yahoo.com>
Message-ID: <20080112145311.GA28425@jabberwocky.com>

On Sat, Jan 12, 2008 at 01:49:49PM +0100, ERIC LANDES wrote:
>
> Hello,
>
> I use gnupg with a software I write and it needs a gpg key with expiration date.
> As I do not myself manage this software, I would like to provide a shell script on
> Linux (e.g. launched every day with cron) which would check for the expiration date and send
> a warning if key expires within a given time (15 days for example).
>
> Does there exist an option which would give the expiration date of a key, if such date exists ?
> I saw nothing on man gpg.
>
> It is possible to retrieve the expiration date on Linux with a
> command line, as shown below, but the command is ugly, not totally safe
> (because of the grep) and may not work on all versions of gpg.
>
> Having these keys :
> # LANG=C gpg --list-keys
> /root/.gnupg/pubring.gpg
> ------------------------
> pub 1024D/E5F2C00E 2008-01-12 [expires: 2009-01-11]
> uid test date (test)
> sub 2048g/7C17580B 2008-01-12 [expires: 2009-01-11]
>
> pub 1024D/16B870A6 2008-01-12
> uid aaaaaa (fdsfsd)
> sub 2048g/B2526B84 2008-01-12
>
> Expiration date of key test at date is :
> # LANG=C gpg --list-keys test at date | grep "\[expires:" | cut -d ":" -f 2 | cut -d " " -f 2 | cut -d "]" -f 1 | head -n 1
> 2009-01-11

See the file DETAILS in the doc/ directory. Something like:

gpg --with-colons --fixed-list-mode --list-keys test at date | cut -d: -f7

should do what you want. The number is the expiration date (if any) expressed as the number of seconds since 1/1/1970.

David

From stefanmalte at gmail.com Sat Jan 12 21:14:00 2008
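Added example, not part of the original thread and not GnuPG's own code: the --with-colons approach from David Shaw's reply above, worked into the cron-style check Eric asked about, covering subkeys and already-expired keys as well. The function names, the sample listing and its key IDs are constructed for illustration; the field positions are the ones documented in doc/DETAILS.

```shell
#!/bin/sh
# Reads `gpg --with-colons --fixed-list-mode --list-keys` output on stdin.
# Fields used (see doc/DETAILS): 1 = record type, 5 = key ID,
# 7 = expiration date in seconds since 1970-01-01 (empty = never expires).
# Colons inside user IDs are escaped by gpg, so splitting on ":" is safe.

# key_expiry_report NOW_EPOCH
# One line per primary key and subkey: "<type> <keyid> <whole days left|never>".
# Days are negative for keys that have already expired.
key_expiry_report() {
    awk -F: -v now="$1" '
        $1 != "pub" && $1 != "sub" { next }      # skip tru/uid/sig records
        $7 == "" { print $1, $5, "never"; next } # no expiration date set
        { printf "%s %s %d\n", $1, $5, int(($7 - now) / 86400) }
    '
}

# keys_expiring_within DAYS NOW_EPOCH
# Prints "<type> <keyid>" for every key that expires within DAYS days
# or has already expired; prints nothing when there is nothing to warn about.
keys_expiring_within() {
    key_expiry_report "$2" |
        awk -v max="$1" '$3 != "never" && $3 + 0 <= max + 0 { print $1, $2 }'
}

# Constructed sample listing (hypothetical key IDs): one key pair expiring
# 2009-01-11, one pair without expiration, one primary key already expired.
sample_listing() {
    cat <<'EOF'
tru::1:1200096000:0:3:1:5
pub:u:1024:17:1111111111111111:1200096000:1231632000::u:::scESC:
uid:u::::1200096000::0000000000000000000000000000000000000000::test date (test):
sub:u:2048:16:2222222222222222:1200096000:1231632000:::::e:
pub:u:1024:17:3333333333333333:1200096000:::u:::scESC:
uid:u::::1200096000::0000000000000000000000000000000000000000::aaaaaa (fdsfsd):
sub:u:2048:16:4444444444444444:1200096000::::::e:
pub:e:1024:17:5555555555555555:1200096000:1230000000::u:::sc:
EOF
}

# Demo on the constructed listing with "now" fixed at 2009-01-01 00:00:00 UTC.
# In a cron job the input would instead come from:
#   gpg --with-colons --fixed-list-mode --list-keys KEYID |
#       keys_expiring_within 15 "$(date +%s)"
sample_listing | keys_expiring_within 15 1230768000
```

A wrapper run from cron only has to test whether keys_expiring_within printed anything and mail that output as the warning.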
From: stefanmalte at gmail.com (Stefan Malte Schumacher)
Date: Sat, 12 Jan 2008 21:14:00 +0100
Subject: Compiling libgcrypt
Message-ID:

Hello

I am currently trying to build GnuPG 2.08 from the source. I have compiled and installed the latest versions of the necessary libraries (libksba-1.0.2, libgpg-error-1.6, libassuan-1.0.4 and pth-2.0.7) except libgcrypt 1.4.0 which unfortunately aborts during the compile process. I have tried to install an older version (1.2.2) but it also aborted with an error in rijndael.lol . I am using GNU Make 3.80 and gcc (GCC) 3.3.3 (SuSE Linux). Below are the outputs of make and the configure-script while trying to build libgcrypt 1.4.0. How can I get this working ?

Yours sincerely
Stefan Malte Schumacher

This is the make output :

/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c -o rijndael.lo rijndael.c
gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c rijndael.c -fPIC -DPIC -o .libs/rijndael.o
gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I/usr/local/include -g -O2 -Wall -Wpointer-arith -MT rijndael.lo -MD -MP -MF .deps/rijndael.Tpo -c rijndael.c -o rijndael.o >/dev/null 2>&1
make[2]: *** [rijndael.lo] Fehler 1
make[2]: Leaving directory `/home/stefan/Software/Packed/libgcrypt-1.4.0/cipher'
make[1]: *** [all-recursive] Fehler 1
make[1]: Leaving directory `/home/stefan/Software/Packed/libgcrypt-1.4.0'
make: *** [all] Fehler 2

And this is the output of configure :

checking for mmap... yes
checking for getpagesize... yes
checking for sysconf... yes
checking for waitpid... yes
checking for wait4... yes
checking for gettimeofday... yes
checking for getrusage... yes
checking for gethrtime... no
checking for clock_gettime... no
checking for fcntl... yes
checking for ftruncate... yes
checking for mlock... yes
checking for sysconf... (cached) yes
checking for getpagesize... (cached) yes
checking whether mlock is broken... no
checking for random device... yes
checking for _ prefix in compiled symbols... no
checking for mpi assembler functions... done
checking if gcc supports -Wpointer-arith... yes
checking whether non excutable stack support is requested... yes
checking whether assembler supports --noexecstack option... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating m4/Makefile
config.status: creating mpi/Makefile
config.status: creating cipher/Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating src/gcrypt.h
config.status: creating src/libgcrypt-config
config.status: creating src/versioninfo.rc
config.status: creating tests/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: linking ./mpi/i386/mpih-add1.S to mpi/mpih-add1-asm.S
config.status: linking ./mpi/i386/mpih-sub1.S to mpi/mpih-sub1-asm.S
config.status: linking ./mpi/i386/mpih-mul1.S to mpi/mpih-mul1-asm.S
config.status: linking ./mpi/i386/mpih-mul2.S to mpi/mpih-mul2-asm.S
config.status: linking ./mpi/i386/mpih-mul3.S to mpi/mpih-mul3-asm.S
config.status: linking ./mpi/i386/mpih-lshift.S to mpi/mpih-lshift-asm.S
config.status: linking ./mpi/i386/mpih-rshift.S to mpi/mpih-rshift-asm.S
config.status: linking ./mpi/generic/mpi-asm-defs.h to mpi/mpi-asm-defs.h
config.status: executing depfiles commands
config.status: executing gcrypt-conf commands
Configured for: GNU/Linux (i686-pc-linux-gnu)

From dirk at dirkeinecke.de Sun Jan 13 17:38:46 2008
From: dirk at dirkeinecke.de (Dirk Einecke)
Date: Sun, 13 Jan 2008 17:38:46 +0100
Subject: Backup my key (private/public)
Message-ID: <381F2DE3-93E6-418C-AC97-D84D80BC6E49@dirkeinecke.de>

Hi,

I want to backup my public and my private key. Is it right that I've only to backup my private key? I do it with this command:

gpg --armor --output _secret.asc --export-secret-key max at mustermann.de

The result for importing (gpg --import) the backup file is my public and my private key. Is the private key automatically re-generated from the private key?

greetings
Dirk Einecke

From dshaw at jabberwocky.com Sun Jan 13 19:56:07 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 13 Jan 2008 13:56:07 -0500
Subject: Backup my key (private/public)
In-Reply-To: <381F2DE3-93E6-418C-AC97-D84D80BC6E49@dirkeinecke.de>
References: <381F2DE3-93E6-418C-AC97-D84D80BC6E49@dirkeinecke.de>
Message-ID: <20080113185607.GA3258@jabberwocky.com>

On Sun, Jan 13, 2008 at 05:38:46PM +0100, Dirk Einecke wrote:
> Hi,
>
> I want to backup my public and my private key. Is it right that I've only
> to backup my private key? I do it with this command:
>
> gpg --armor --output _secret.asc --export-secret-key max at mustermann.de

That is a fine way to back it up. See also http://www.jabberwocky.com/software/paperkey/ for another way to do it.

> The result for importing (gpg --import) the backup file is my public and my
> private key. Is the private key automatically re-generated from the private
> key?

A public key can be automatically regenerated from your private key.

David

From kevhilton at gmail.com Mon Jan 14 00:39:01 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 13 Jan 2008 17:39:01 -0600
Subject: Question about history of hash and cipher collections
Message-ID: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com>

Here is what I was able to find about the current hash and cipher choices with gpg

Pref Code (n)  Algorithm (name)  PGP 2  PGP 5  PGP 6  PGP 7      PGP 6.5.8ckt  GPG 1.0.6
s1 *           IDEA              X      X      X      X          X             X *
s2             3DES              ---    X      X      X          X             X
s3             CAST5             ---    X      X      X          X             X
s4             Blowfish          ---    ---    ---    --         X (03)        X
s7             AES (128)         ---    ---    ---    X (7.0.1)  X (03)        X
s8             AES192            ---    ---    ---    X (7.0.1)  X (03)        X
s9             AES256            ---    ---    ---    X (7.0.1)  X (03)        X
s10            Twofish           ---    ---    ---    X          X (03)        X
s11            Camellia128
s12            Camellia256

* only with IDEA module

Digest (Hash) Algorithms

Pref Code (n)  Algorithm (name)  PGP 2  PGP 5  PGP 6  PGP 7  PGP 6.5.8ckt  GPG 1.0.6
h1             MD5               X      X      X      X      X             X
h2             SHA1              ---    X      X      X      X             X
h3             RIPEMD160         ---    X      X      X      X             X
h6 +           TIGER192          ---    ---    ---    ---    X (08)        X +
h8 *           SHA256            ---    ---    ---    ---    X (07)        X *
h9 *           SHA384            ---    ---    ---    ---    X (07)        X *
h10 *          SHA512            ---    ---    ---    ---    X (07)        X *

Just a few questions,

#1 - How can I generate this list with newer versions of gpg -- is there an internal command that cross-references the s or h numbers with the specific ciphers/hashes that are compiled into the module -- something I can type at the command line?

#2 Historically, what ciphers were eliminated -- For example what ciphers were in the s5, s6 slots? Same with the hashes. I believe the TIGER hash was equal to s5. What happened to that hash choice?

Thanks for your help

--
Kevin Hilton

From dshaw at jabberwocky.com Mon Jan 14 02:33:33 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 13 Jan 2008 20:33:33 -0500
Subject: Question about history of hash and cipher collections
In-Reply-To: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com>
Message-ID: <20080114013332.GA7602@jabberwocky.com>

On Sun, Jan 13, 2008 at 05:39:01PM -0600, Kevin Hilton wrote:
> Here is what I was able to find about the current hash and cipher choices with gpg
>
> Pref Code (n) Algorithm (name) PGP 2 PGP 5 PGP 6 PGP 7
> PGP 6.5.8ckt GPG 1.0.6
> s1 * IDEA X X X X X X *
> s2 3DES --- X X X X X
> s3 CAST5 --- X X X X X
> s4 Blowfish --- --- --- -- X (03) X
> s7 AES (128) --- --- --- X (7.0.1) X (03) X
> s8 AES192 --- --- --- X (7.0.1) X (03) X
> s9 AES256 --- --- --- X (7.0.1) X (03) X
> s10 Twofish --- --- --- X X (03) X
> s11 Camellia128
> s12 Camellia256
>
> * only with IDEA module
>
> Digest (Hash) Algorithms
> Pref Code (n) Algorithm (name) PGP 2 PGP 5 PGP 6 PGP 7 PGP
> 6.5.8ckt GPG 1.0.6
> h1 MD5 X X X X X X
> h2 SHA1 --- X X X X X
> h3 RIPEMD160 --- X X X X X
> h6 + TIGER192 --- --- --- --- X (08) X +
> h8 * SHA256 --- --- --- --- X (07) X *
> h9 * SHA384 --- --- --- --- X (07) X *
> h10 * SHA512 --- --- --- --- X (07) X *
>
> Just a few questions,
>

I'm afraid the chart you made was somewhat eaten by word wrap, but it seems basically sane. Note that Camellia is not a standard algorithm, and while it will probably be one eventually, it isn't today.

> #1 - How can I generate this list with newer versions of gpg -- is
> there an internal command that cross-references the s or h numbers
> with the specific ciphers/hashes that are compiled into the module --
> something I can type at the command line?

Yes. "gpg -v --version" will give you the algorithm numbers along with the algorithm names. However, the algorithm numbers are not really relevant to anything unless you're writing OpenPGP software. For years now, all programs have referred to AES256 as "AES256" and not "cipher 9".

> #2 Historically, what ciphers were eliminated -- For example what
> ciphers were in the s5, s6 slots? Same with the hashes. I believe
> the TIGER hash was equal to s5. What happened to that hash choice?

S5 was SAFER-SK128 and S6 was reserved for DES/SK. SAFER was dropped and nobody ever implemented it. DES/SK was never even allocated.

You can see the history between RFC-2440 and RFC-4880. A good number of algorithms were cleaned up between the two: if it wasn't actually being used, it got dropped.

David

From kevhilton at gmail.com Mon Jan 14 04:15:21 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 13 Jan 2008 21:15:21 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <20080114013332.GA7602@jabberwocky.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com>
Message-ID: <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com>

Sorry about my post

Whatever happened to the tiger hash??

Lastly, do you know the reason that the serpent cipher algorithm never made it into gpg. From the NSA competition, I thought the serpent algorithm came in second --- again I'm not sure of the criteria that was used to judge strength -- but wasn't it from this competition that the US gov adopted AES as the national standard? I've seen

From kevhilton at gmail.com Mon Jan 14 04:15:42 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 13 Jan 2008 21:15:42 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com>
Message-ID: <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com>

Sorry the last post was cut off

Sorry about my post

I can see you seem to know a lot about gpg -- thanks.

Whatever happened to the tiger hash??

Lastly, do you know the reason that the serpent cipher algorithm never made it into gpg. From the NSA competition, I thought the serpent algorithm came in second --- again I'm not sure of the criteria that was used to judge strength -- but wasn't it from this competition that the US gov adopted AES as the national standard? Just a question, b/c from my very elementary understanding of ciphers, it seems like serpent is a very secure standard. I believe looking at the source code (either in pgg or pgp2 -- I can't remember) I even saw a serpent.c file.

Thanks for your input

From dshaw at jabberwocky.com Mon Jan 14 05:24:23 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 13 Jan 2008 23:24:23 -0500
Subject: Question about history of hash and cipher collections
In-Reply-To: <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com>
Message-ID: <20080114042423.GA8227@jabberwocky.com>

On Sun, Jan 13, 2008 at 09:15:42PM -0600, Kevin Hilton wrote:
> Sorry the last post was cut off
>
> Sorry about my post
>
> I can see you seem to know a lot about gpg -- thanks.
>
> Whatever happened to the tiger hash??

Tiger was never really a part of OpenPGP. RFC-2440 reserved an algorithm ID number for it, but Tiger wasn't fully specified at the time, so was not usable (the algorithm was specified, but an OID number was never allocated). It was dropped as part of RFC-4880 as it was never widely implemented, and sort of missed its chance - it was okay back when 2440 was published, but at only 192 bits, it's too small for the modern 4880 era.

> Lastly, do you know the reason that the serpent cipher algorithm never
> made it into gpg. From the NSA competition, I thought the serpent
> algorithm came in second --- again I'm not sure of the criteria that
> was used to judge strength -- but wasn't it from this competition that
> the US gov adopted AES as the national standard? Just a question, b/c
> from my very elementary understanding of ciphers, it seems like
> serpent is a very secure standard. I believe looking at the source
> code (either in pgg or pgp2 -- I can't remember) I even saw a serpent.c
> file.

Serpent was never put in the OpenPGP standard, so GnuPG won't use it.

There isn't a really dramatic reason for it. Adding algorithms to OpenPGP involves a rough consensus among the OpenPGP working group. With Serpent, that consensus never really happened.

David

From rjh at sixdemonbag.org Mon Jan 14 05:40:00 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 13 Jan 2008 22:40:00 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com>
Message-ID: <478AE7A0.7060604@sixdemonbag.org>

Kevin Hilton wrote:
> Whatever happened to the tiger hash??

The OpenPGP Working Group decided that it didn't bring anything new to the table, especially in light of SHA256 and SHA512. Strong arguments (IMO, very strong!) can be made that OpenPGP supports way too many algorithms. Even with as many algorithms as OpenPGP supports, though, the line still has to be drawn somewhere.

> Lastly, do you know the reason that the serpent cipher algorithm never
> made it into gpg.

Yes. It never made it into the OpenPGP RFC (RFC2440 and later RFC4880). If the WG had decided to include Serpent, GnuPG would support Serpent.

> From the NSA competition, I thought the serpent
> algorithm came in second

There was no second place finisher. AES won, and everyone else was an also-ran.

From rjh at sixdemonbag.org Mon Jan 14 05:46:18 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 13 Jan 2008 22:46:18 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com>
Message-ID: <478AE91A.7050608@sixdemonbag.org>

Kevin Hilton wrote:
> I can see you seem to know a lot about gpg -- thanks.

He should; he's one of the GnuPG authors.

> Just a question, b/c from my very elementary understanding of
> ciphers, it seems like serpent is a very secure standard.

Serpent was developed by some very smart people. However, /all/ the AES finalists were considered to be very competent designs. What caused NIST to select Rijndael over Serpent were factors other than security--speed, ability to fit in a smart card, key agility, etc.

(Rijndael, pronounced "rain-doll", was ultimately selected to become AES. When talking about the history of AES, it's helpful to call it by its old name.)

> I believe looking at the source code (either in pgg or pgp2 -- I can't
> remember) I even saw a serpent.c file.

It wasn't in pgp 2.x, since Serpent came out almost a decade after pgp 2.x. There has never been an official GnuPG build that has supported Serpent, to the best of my knowledge.

From aolsen at standard.com Mon Jan 14 18:09:40 2008
From: aolsen at standard.com (Alan Olsen)
Date: Mon, 14 Jan 2008 09:09:40 -0800
Subject: Question about history of hash and cipher collections
In-Reply-To: <20080114013332.GA7602@jabberwocky.com>
Message-ID: <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com>

> From: David Shaw

> Yes. "gpg -v --version" will give you the algorithm numbers along
> with the algorithm names. However, the algorithm numbers are not
> really relevant to anything unless you're writing OpenPGP software.
> For years now, all programs have referred to AES256 as "AES256"
> and not "cipher 9".

Version will not report it that way, but decryption errors will. If you have an older version of GPG that does not know about the newer cypher or hash, it will report "cypher n" or "hash n". I have encountered this on systems that have not been upgraded for a while. (And, yes, there is an upgrade in process.) The information is useful in that case when you are trying to explain to production people what happened when their file decryption failed.

From dshaw at jabberwocky.com Mon Jan 14 18:24:39 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 14 Jan 2008 12:24:39 -0500
Subject: Question about history of hash and cipher collections
In-Reply-To: <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com>
References: <20080114013332.GA7602@jabberwocky.com> <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com>
Message-ID: <20080114172439.GA11213@jabberwocky.com>

On Mon, Jan 14, 2008 at 09:09:40AM -0800, Alan Olsen wrote:
>
> > From: David Shaw
>
> > Yes. "gpg -v --version" will give you the algorithm numbers along
> > with the algorithm names. However, the algorithm numbers are not
> > really relevant to anything unless you're writing OpenPGP software.
> > For years now, all programs have referred to AES256 as "AES256"
> > and not "cipher 9".
>
> Version will not report it that way, but decryption errors will.

Version does report it that way.

$ gpg -v --version
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)

David

From aolsen at standard.com Mon Jan 14 18:49:00 2008
From: aolsen at standard.com (Alan Olsen)
Date: Mon, 14 Jan 2008 09:49:00 -0800
Subject: Question about history of hash and cipher collections
In-Reply-To: <20080114172439.GA11213@jabberwocky.com>
Message-ID: <92A893260738B0408497A64189BC1E62032CE422@MSEXCHANGE305.corp.standard.com>

> From David Shaw
>On Mon, Jan 14, 2008 at 09:09:40AM -0800, Alan Olsen wrote:
>>
>> > From: David Shaw
>>
>> > Yes. "gpg -v --version" will give you the algorithm numbers along
>> > with the algorithm names. However, the algorithm numbers are not
>> > really relevant to anything unless you're writing OpenPGP software.
>> > For years now, all programs have referred to AES256 as "AES256" and
>> > not "cipher 9".
>>
>> Version will not report it that way, but decryption errors will.

>Version does report it that way.

Not quite what I meant. (I should really not post on a Monday until I am fully awake. Which means posting on Tuesday.)

Actually what I meant to say is that the cypher numbers are actually useful if you are trying to figure out what you are missing from older versions.

From wk at gnupg.org Mon Jan 14 19:40:14 2008
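The exchange above comes down to a lookup: the `Supported algorithms:` block that David Shaw posted is the table that turns an "n" in an older install's error into a name, and comparing two such blocks shows what the older install lacks. The following is an added example, not code from the thread or from GnuPG; the function names and the `OLDER_BUILD` sample are constructed for illustration.

```python
import re

# Algorithm block from the "gpg -v --version" output quoted above (GnuPG 1.4.7).
GPG_1_4_7 = """\
gpg (GnuPG) 1.4.7
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
"""

# Constructed sample standing in for an older install that was never upgraded.
# It is not the output of any particular GnuPG release.
OLDER_BUILD = """\
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2)
"""

# One "NAME (S9)" style entry: S = cipher, H = hash, Z = compression.
ENTRY = re.compile(r"([A-Za-z0-9-]+) \(([SHZ])(\d+)\)")

# Spellings a person or a log line might use for a category.
ALIASES = {"cipher": "Cipher", "cypher": "Cipher",
           "hash": "Hash", "digest": "Hash", "compression": "Compression"}


def parse_supported(text):
    """Return {category: {number: name}} from a 'gpg -v --version' listing."""
    tables, current, in_block = {}, None, False
    for line in text.splitlines():
        if line.strip() == "Supported algorithms:":
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        head = re.match(r"^(\w+):\s*(.*)$", line)
        if head:                      # "Cipher: ..." starts a new category
            current = head.group(1)
            tables[current] = {}
            rest = head.group(2)
        elif current is not None:     # wrapped continuation of the same category
            rest = line
        else:
            continue
        for name, _prefix, number in ENTRY.findall(rest):
            tables[current][int(number)] = name
    return tables


def name_for(tables, kind, number):
    """Translate e.g. ("cypher", 9) into "AES256"; None if this build lacks it."""
    return tables.get(ALIASES.get(kind.lower(), kind), {}).get(number)


def missing_from(old_text, new_text):
    """Algorithms the newer listing has and the older one does not."""
    old, new = parse_supported(old_text), parse_supported(new_text)
    return [(kind, number, name)
            for kind, algos in new.items()
            for number, name in sorted(algos.items())
            if number not in old.get(kind, {})]


if __name__ == "__main__":
    current = parse_supported(GPG_1_4_7)
    print("cipher 9 is", name_for(current, "cipher", 9))
    for kind, number, name in missing_from(OLDER_BUILD, GPG_1_4_7):
        print("older install lacks %s %d (%s)" % (kind, number, name))
```

In practice both listings would come from running `gpg -v --version` on the two machines and saving the output.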
From: wk at gnupg.org (Werner Koch)
Date: Mon, 14 Jan 2008 19:40:14 +0100
Subject: Question about history of hash and cipher collections
In-Reply-To: <20080114042423.GA8227@jabberwocky.com> (David Shaw's message of "Sun, 13 Jan 2008 23:24:23 -0500")
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com>
Message-ID: <87r6gkl08h.fsf@wheatstone.g10code.de>

On Mon, 14 Jan 2008 05:24, dshaw at jabberwocky.com said:

> There isn't a really dramatic reason for it. Adding algorithms to
> OpenPGP involves a rough consensus among the OpenPGP working group.
> With Serpent, that consensus never really happened.

FWIW, about 7 years ago we had an informal meeting of OpenPGP implementors and we agreed that we should try to keep the list of supported algorithms short. Meanwhile it had turned out that the preference system works quite well and that for political reasons (e.g. national regulations) we may need to add other algorithms in the future. That is actually not a new thing, RIPEMD-160 has been in OpenPGP since the early days because European telcos and governments like that algorithm.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From pehr at alumni.utexas.net Mon Jan 14 19:58:57 2008
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Mon, 14 Jan 2008 12:58:57 -0600
Subject: Fwd: Question about history of hash and cipher collections
References: <92A893260738B0408497A64189BC1E62032CE422@MSEXCHANGE305.corp.standard.com>
Message-ID:

Please remove me from this mailing list.

Begin forwarded message:

> From: "Alan Olsen"
> Date: January 14, 2008 11:49:00 AM CST
> To: "David Shaw" ,
> Subject: RE: Question about history of hash and cipher collections
>
>> From David Shaw
>> On Mon, Jan 14, 2008 at 09:09:40AM -0800, Alan Olsen wrote:
>>>
>>>> From: David Shaw
>>>
>>>> Yes. "gpg -v --version" will give you the algorithm numbers along
>>>> with the algorithm names. However, the algorithm numbers are not
>>>> really relevant to anything unless you're writing OpenPGP software.
>>>> For years now, all programs have referred to AES256 as "AES256" and
>>>> not "cipher 9".
>>>
>>> Version will not report it that way, but decryption errors will.
>
>> Version does report it that way.
>
> Not quite what I meant. (I should really not post on a Monday
> until I am fully awake. Which means posting on Tuesday.)
>
> Actually what I meant to say is that the cypher numbers are actually
> useful if you are trying to figure out what you are missing from
> older versions.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From pehr at alumni.utexas.net Mon Jan 14 19:59:18 2008
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Mon, 14 Jan 2008 12:59:18 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <20080114172439.GA11213@jabberwocky.com>
References: <20080114013332.GA7602@jabberwocky.com> <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com> <20080114172439.GA11213@jabberwocky.com>
Message-ID: <7774A238-8832-4604-84DF-18C58E9B7508@alumni.utexas.net>

Please remove me from this mailing list.

On Jan 14, 2008, at 11:24 AM, David Shaw wrote:

> On Mon, Jan 14, 2008 at 09:09:40AM -0800, Alan Olsen wrote:
>>
>>> From: David Shaw
>>
>>> Yes. "gpg -v --version" will give you the algorithm numbers along
>>> with the algorithm names. However, the algorithm numbers are not
>>> really relevant to anything unless you're writing OpenPGP software.
>>> For years now, all programs have referred to AES256 as "AES256"
>>> and not "cipher 9".
>>
>> Version will not report it that way, but decryption errors will.
>
> Version does report it that way.
>
> $ gpg -v --version
> gpg (GnuPG) 1.4.7
> Copyright (C) 2006 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
> AES256 (S9), TWOFISH (S10)
> Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
> SHA512 (H10), SHA224 (H11)
> Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From pehr at alumni.utexas.net Mon Jan 14 19:59:33 2008
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Mon, 14 Jan 2008 12:59:33 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com>
References: <92A893260738B0408497A64189BC1E62032CE41F@MSEXCHANGE305.corp.standard.com>
Message-ID: <7400EABE-A152-45B0-AA8B-78864E425601@alumni.utexas.net>

Please remove me from this mailing list.

On Jan 14, 2008, at 11:09 AM, Alan Olsen wrote:

>> From: David Shaw
>
>> Yes. "gpg -v --version" will give you the algorithm numbers along
>> with the algorithm names. However, the algorithm numbers are not
>> really relevant to anything unless you're writing OpenPGP software.
>> For years now, all programs have referred to AES256 as "AES256"
>> and not "cipher 9".
>
> Version will not report it that way, but decryption errors will.
> If you have an older version of GPG that does not know about the
> newer cypher or hash, it will report "cypher n" or "hash n". I
> have encountered this on systems that have not been upgraded for a
> while. (And, yes, there is an upgrade in process.) The
> information is useful in that case when you are trying to explain
> to production people what happened when their file decryption failed.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From landes_eric at yahoo.fr Mon Jan 14 19:59:40 2008
From: landes_eric at yahoo.fr (ERIC LANDES)
Date: Mon, 14 Jan 2008 19:59:40 +0100 (CET)
Subject: Checking expiration date automatically
In-Reply-To:
Message-ID: <587859.15083.qm@web27604.mail.ukl.yahoo.com>

> > Does there exist an option which would give the expiration date of a
> key, if such date exists ?
>
> See the file DETAILS in the doc/ directory. Something like:
>
> gpg --with-colons --fixed-list-mode --list-keys test at date | cut -d:
> -f7
>
> should do what you want.
>
> The number is the expiration date (if any) expressed as the number of
> seconds since 1/1/1970.
>

Thanks, it is a command I can rely on ! And it gives an epoch time which can be easily processed.

For those interested, I just added a -- grep -E "^pub:" -- to get only one date.

Eric LANDES

From pehr at alumni.utexas.net Mon Jan 14 19:59:58 2008
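The pipeline above (field 7 of the `pub:` record, in seconds since 1970) is enough to build an unattended expiry check. The following is an added example, not code from the thread or from GnuPG; the function names, the sample listing, its key IDs and the `NOW` value are all constructed, and only the gpg options already quoted above are used.

```python
import subprocess
import time

DAY = 86400

# Constructed sample of "gpg --with-colons --fixed-list-mode --list-keys" output.
# Key IDs, user IDs and dates are made up for the example.
SAMPLE_LISTING = """\
tru::1:1199145600:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAAA:1167609600:1204329600::u:::scESC:
uid:u::::1167609600::0000000000000000000000000000000000000001::Constructed One <one@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1167609600:1204329600:::::e:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1167609600:::-:::scESC:
pub:e:1024:17:DDDDDDDDDDDDDDDD:1136073600:1167609600::-:::sc:
"""

NOW = 1200268800  # constructed "current time": 2008-01-14 00:00:00 UTC


def list_keys(user_id):
    """Run the listing command from the thread for one user ID.

    The arguments are passed as a list, so the user ID never goes through
    a shell.
    """
    result = subprocess.run(
        ["gpg", "--with-colons", "--fixed-list-mode", "--list-keys", user_id],
        check=True, capture_output=True, text=True)
    return result.stdout


def pub_expiries(listing):
    """Return [(key_id, expiry_epoch_or_None)] for every 'pub' record.

    Only primary keys are read, mirroring the grep for "^pub:" in the thread.
    Field 5 is the key ID and field 7 the expiration date; an empty field 7
    means the key has no expiration date.
    """
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue
        key_id, expires = fields[4], fields[6]
        if expires == "":
            found.append((key_id, None))
        elif expires.isdigit():
            found.append((key_id, int(expires)))
        else:
            # Anything else (for example a calendar date) is rejected
            # rather than guessed at.
            raise ValueError("key %s: expiry %r is not epoch seconds; "
                             "was --fixed-list-mode used?" % (key_id, expires))
    return found


def classify(listing, now, warn_days=30):
    """Map key ID -> (status, whole days left), status being one of
    'no-expiry', 'expired', 'expiring' (inside the warning window) or 'ok'."""
    report = {}
    for key_id, expires in pub_expiries(listing):
        if expires is None:
            report[key_id] = ("no-expiry", None)
            continue
        days_left = (expires - now) // DAY
        if expires <= now:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        report[key_id] = (status, days_left)
    return report


if __name__ == "__main__":
    # Offline demonstration; replace SAMPLE_LISTING with list_keys("<user id>")
    # and NOW with int(time.time()) to check a real keyring.
    for key_id, (status, days) in classify(SAMPLE_LISTING, NOW, 60).items():
        print(key_id, status, days)
```

A cron job can alert on any key whose status is not `ok` or `no-expiry`.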
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Mon, 14 Jan 2008 12:59:58 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <87r6gkl08h.fsf@wheatstone.g10code.de>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com> <87r6gkl08h.fsf@wheatstone.g10code.de>
Message-ID: <394FD844-8A88-405D-B6C3-FF2D965AFEDD@alumni.utexas.net>

Please remove me from this mailing list.

On Jan 14, 2008, at 12:40 PM, Werner Koch wrote:

> On Mon, 14 Jan 2008 05:24, dshaw at jabberwocky.com said:
>
>> There isn't a really dramatic reason for it. Adding algorithms to
>> OpenPGP involves a rough consensus among the OpenPGP working group.
>> With Serpent, that consensus never really happened.
>
> FWIW, about 7 years ago we had an informal meeting of OpenPGP
> implementors and we agreed that we should try to keep the list of
> supported algorithms short. Meanwhile it had turned out that the
> preference system works quite well and that for political reasons
> (e.g. national regulations) we may need to add other algorithms in the
> future. That is actually not a new thing, RIPEMD-160 has been in
> OpenPGP
> since the early days because European telcos and governments like that
> algorithm.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From zvrba at globalnet.hr Mon Jan 14 21:04:27 2008
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Mon, 14 Jan 2008 21:04:27 +0100
Subject: Question about history of hash and cipher collections
In-Reply-To: <394FD844-8A88-405D-B6C3-FF2D965AFEDD@alumni.utexas.net>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com> <87r6gkl08h.fsf@wheatstone.g10code.de> <394FD844-8A88-405D-B6C3-FF2D965AFEDD@alumni.utexas.net>
Message-ID: <478BC04B.3000509@globalnet.hr>

Pehr Jansson wrote:
> Please remove me from this mailing list.
>

Visit the URL that is written at the bottom of each message sent to the list and remove yourself.

From j.lysdal at gmail.com Mon Jan 14 22:17:24 2008
From: j.lysdal at gmail.com (Jorgen Christiansen Lysdal)
Date: Mon, 14 Jan 2008 22:17:24 +0100
Subject: Question about history of hash and cipher collections
In-Reply-To: <87r6gkl08h.fsf@wheatstone.g10code.de>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com> <87r6gkl08h.fsf@wheatstone.g10code.de>
Message-ID: <478BD164.70508@gmail.com>

Werner Koch wrote:
> Meanwhile it had turned out that the
> preference system works quite well ...)
>

Which leads me to a question. Since I don't like that gpg falls back to 3DES, if a cipher cannot be agreed upon. Would it be possible to change it to AES256 or something, in a relatively easy way? Maybe a small change to source, and building myself? (BTW, thanks for gpg4win making it easy)

From rjh at sixdemonbag.org Mon Jan 14 23:40:49 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 14 Jan 2008 16:40:49 -0600
Subject: Question about history of hash and cipher collections
In-Reply-To: <478BD164.70508@gmail.com>
References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com> <87r6gkl08h.fsf@wheatstone.g10code.de> <478BD164.70508@gmail.com>
Message-ID: <478BE4F1.60208@sixdemonbag.org>

Jorgen Christiansen Lysdal wrote:
> Which leads me to a question. Since I don't like that gpg falls back to
> 3DES, if a cipher cannot be agreed upon. Would it be possible to change
> it to AES256 or something, in a relatively easy way? Maybe a small change
> to source, and building myself? (BTW, thanks for gpg4win making it easy)

What's wrong with 3DES? It's ridiculously slow, of course, but even after all these years it's still sturdy as a Soviet workers' housing bloc.

Anyway, to answer your question... not in a way which will interoperate well. According to 2440, 3DES is the only MUST symmetric algorithm, which means it will be supported by all clients.

If you're willing to take the interoperability hit, I would suggest looking into g10/pkclist.c line 1263, "select_algo_from_prefs". That appears to be the best place to hack in what you have in mind.

From dshaw at jabberwocky.com Mon Jan 14 23:56:35 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 14 Jan 2008 17:56:35 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <478BD164.70508@gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <20080114042423.GA8227@jabberwocky.com> <87r6gkl08h.fsf@wheatstone.g10code.de> <478BD164.70508@gmail.com> Message-ID: <20080114225635.GA13260@jabberwocky.com> On Mon, Jan 14, 2008 at 10:17:24PM +0100, Jorgen Christiansen Lysdal wrote: > Werner Koch wrote: >> Meanwhile it had turned out the the >> preference system works quite well ...) > > Which leads me to a question. Since I don't like that gpg falls back to > 3DES, if a cipher cannot be agreed opon. Would it be possible to change it > to AES256 or something, in a relative easy way? Maybe a small change to > source, and building myself? (BTW, thanks for gpg4win making it easy) You could, but the end result would not interoperate with the rest of the world. For example, if you tried to send an encrypted message to someone who hadn't hacked their GPG and had preferences of (for example) "TWOFISH, CAST5, IDEA", your copy would pick AES256... and your message would not be readable. It doesn't matter all that much what the "cipher of last resort" actually *is*, but it's absolutely vital that everyone has the *same* one. RFC-2440 and 4880 require 3DES for this reason. Besides, 3DES has been around for longer than any other cipher in OpenPGP, been studied and attacked far more, and still hasn't fallen. The only thing wrong with it is that it's slow. And I doubt you'd notice the speed issue unless you're running on a very slow machine, or sending very large messages. David From kevhilton at gmail.com Tue Jan 15 05:05:54 2008 
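The fallback rule discussed in the two replies above (Robert J. Hansen's pointer to select_algo_from_prefs and David Shaw's "TWOFISH, CAST5, IDEA" case), as an added example that is not part of the thread and is not GnuPG's code: a simplified C model of picking a cipher that every recipient accepts, with 3DES tacitly accepted by all. The sender rankings, key data and function names are constructed for illustration, and a key's preference list is assumed to stand in for what its owner can decrypt; the algorithm IDs are the ones assigned in RFC 4880.

```c
#include <stddef.h>
#include <stdio.h>

/* Symmetric-key algorithm IDs as assigned in RFC 4880, section 9.2. */
enum { IDEA = 1, TRIPLE_DES = 2, CAST5 = 3, BLOWFISH = 4,
       AES128 = 7, AES192 = 8, AES256 = 9, TWOFISH = 10 };

/* Cipher preferences carried by one recipient key, most preferred first. */
struct prefs {
    const char *owner;
    const int *algos;
    size_t count;
};

/* A key accepts a cipher if it lists it, or if the cipher is 3DES:
 * 3DES is the MUST-implement algorithm, so it counts as present even
 * when the key does not list it. */
static int key_accepts(const struct prefs *key, int algo)
{
    size_t i;
    if (algo == TRIPLE_DES)
        return 1;
    for (i = 0; i < key->count; i++)
        if (key->algos[i] == algo)
            return 1;
    return 0;
}

/* 1 if every recipient can be expected to decrypt a message using algo. */
int readable_by_all(const struct prefs *keys, size_t nkeys, int algo)
{
    size_t k;
    for (k = 0; k < nkeys; k++)
        if (!key_accepts(&keys[k], algo))
            return 0;
    return 1;
}

/* Walk the sender's ranking (assumption: a simple ordered list) and take
 * the first cipher all recipients accept. If none is common, return
 * last_resort. A conforming build passes TRIPLE_DES here; the modified
 * build asked about in the thread would pass AES256. */
int select_cipher(const struct prefs *keys, size_t nkeys,
                  const int *ranking, size_t nranking, int last_resort)
{
    size_t r;
    for (r = 0; r < nranking; r++)
        if (readable_by_all(keys, nkeys, ranking[r]))
            return ranking[r];
    return last_resort;
}

/* Constructed sample data. */
static const int aes_only_ranking[] = { AES256, AES192, AES128 };
static const int mixed_ranking[]    = { AES256, TWOFISH, CAST5 };

/* The recipient from David Shaw's message: TWOFISH, CAST5, IDEA. */
static const int shaw_prefs[] = { TWOFISH, CAST5, IDEA };
static const struct prefs shaw_keys[] = { { "recipient", shaw_prefs, 3 } };

/* Two recipients whose only shared cipher is CAST5. */
static const int alice_prefs[] = { AES256, CAST5 };
static const int bob_prefs[]   = { TWOFISH, CAST5 };
static const struct prefs pair_keys[] = {
    { "alice", alice_prefs, 2 },
    { "bob",   bob_prefs,   2 },
};

static const char *cipher_name(int algo)
{
    switch (algo) {
    case IDEA:       return "IDEA";
    case TRIPLE_DES: return "3DES";
    case CAST5:      return "CAST5";
    case BLOWFISH:   return "BLOWFISH";
    case AES128:     return "AES128";
    case AES192:     return "AES192";
    case AES256:     return "AES256";
    case TWOFISH:    return "TWOFISH";
    default:         return "unknown";
    }
}

int main(void)
{
    int std  = select_cipher(shaw_keys, 1, aes_only_ranking, 3, TRIPLE_DES);
    int hack = select_cipher(shaw_keys, 1, aes_only_ranking, 3, AES256);
    int pair = select_cipher(pair_keys, 2, mixed_ranking, 3, TRIPLE_DES);

    printf("conforming fallback: %s, readable=%d\n",
           cipher_name(std), readable_by_all(shaw_keys, 1, std));
    printf("modified fallback:   %s, readable=%d\n",
           cipher_name(hack), readable_by_all(shaw_keys, 1, hack));
    printf("two recipients:      %s, readable=%d\n",
           cipher_name(pair), readable_by_all(pair_keys, 2, pair));
    return 0;
}
```
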
From: kevhilton at gmail.com (Kevin Hilton) Date: Mon, 14 Jan 2008 22:05:54 -0600 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> Message-ID: <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> I can see NIST is calling for entries for a competition to discover a new hash function: http://csrc.nist.gov/groups/ST/hash/sha-3/index.html I was hoping they would name the winner of this contest the ASS (American Signing Standard), but see the winner will be referred to as the SHA-3 (Secure Hash Algorithm version 3). No doubt the winner of this consult will eventually be added to the gpg standard. From rjh at sixdemonbag.org Tue Jan 15 05:32:36 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 14 Jan 2008 22:32:36 -0600 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> Message-ID: <478C3764.90000@sixdemonbag.org> Kevin Hilton wrote: > I can see NIST is calling for entries for a competition to discover a > new hash function: Yeah, it's been underway for a while now. It's been known for years that the SHA-3 competition was going to happen; now it's actually started. > No doubt the winner of this consult will eventually be added to the > gpg standard. My take on the IETF OpenPGP working group is that a lot of people have some serious concerns that RFC2440 and RFC4880 include /way/ too many algorithms. While I imagine there is a broad desire among WG participants to see SHA-3 added, I think some hash algorithms may have to be dropped. The way I read the tea leaves, we should expect to see some tumult in the list of algorithms. Pretty much everyone agrees that we have too many algorithms. Hardly anyone can agree on which algorithms should be dropped. Even TIGER192 (a remarkably useless addition which was mercifully axed from the RFC shortly after introduction) has partisans who think its exclusion is unfair and that it should be reinstated. If you have strong feelings on this issue, the right place to bring them up is on the IETF OpenPGP working group mailing list. From kevhilton at gmail.com Tue Jan 15 16:12:08 2008 
From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 15 Jan 2008 08:12:08 -0700 Subject: Question about history of hash and cipher collections In-Reply-To: <478C3764.90000@sixdemonbag.org> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> Message-ID: <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> I don't have any feelings or objections about any of the ciphers or hashes included or excluded (ok maybe serpent should be included), however I can imagine that deleting old ciphers and hashes would cause a problem with backwards compatibility. Why md5 and cast5 are still included is beyond me, other than for backwards compatibility. Lastly, who is this governing body that decides what algorithms should be included? The IETF OpenPGP group? As a regular user of gpg, but novice when it comes to the history of PGP/GPG this discussion on the history/politics of GPG/PGP has been very interesting for me. From vedaal at hush.com Tue Jan 15 17:08:28 2008 
From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 15 Jan 2008 11:08:28 -0500 Subject: Question about history of hash and cipher collections Message-ID: <20080115160829.2CB8F1A0039@mailserver8.hushmail.com> David Shaw dshaw at jabberwocky.com wrote on Mon Jan 14 23:56:35 CET 2008 : >It doesn't matter all that much what the "cipher of last resort" >actually *is*, but it's absolutely vital that everyone has the *same* >one. RFC-2440 and 4880 require 3DES for this reason. have often wondered about this, if this is so, wouldn't it make more sense to have gnupg use 3DES as the default cipher instead of CAST-5 it might have made sense historically when pgp moved to version 5 +, and used CAST-5 as default, that gnupg used CAST-5 as the default cipher to protect the secret key, and also the default cipher for encryption, (i haven't used pgp for a long time now, [ since 8.x ], so i don't know for sure, but i don't think they still use CAST-5 as a default, but in any event, if 3-DES is the 'open-pgp must implement' it would make more sense to start using it as the secret key default, (or at least, as the symmetrical encryption default, unbundled from being the same as the cipher for the secret key) ) for practical purposes, it can be done easily enough by using gnupg options, and isn't a 'priority' issue, but was curious if there is any reason that gnupg doesn't want to make 3-DES the default vedaal From dshaw at jabberwocky.com Tue Jan 15 17:52:04 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 15 Jan 2008 11:52:04 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> Message-ID: <20080115165203.GA26411@jabberwocky.com> On Tue, Jan 15, 2008 at 08:12:08AM -0700, Kevin Hilton wrote: > I dont have any feelings or objections about any of the ciphers or > hashes included or excluded (ok maybe serpent should be included), > however I can imagine that deleting old ciphers and hashes would cause > a problem with backwards compatibility. Why md5 and cast5 are still > included is beyond me, other than for backwards compatibility. Choosing algorithms in OpenPGP is always a delicate balancing act between technical issues, politics, and market forces. Is the algorithm strong[1]? Is the key length long enough? Has it been used in the past and a zillion keys have it in their preferences? Will inclusion of the algorithm into OpenPGP allow use of OpenPGP in a new industry (some industries in some countries have legally-mandated algorithms), and so on. CAST5 is a fine cipher and meets all the above criteria. Don't assume that just because it's older than AES, it's worth removing. 3DES is the oldest cipher in OpenPGP (dating back to the 1970s) and it still meets all the above criteria. Arguably, it's better in some ways than the newer ciphers as it's been actively studied and attacked since the 1970s and still hasn't fallen. MD5 was effectively removed from OpenPGP. 
RFC-4880 says:

    Implementations MUST NOT generate new signatures using MD5 as a hash function. They MAY continue to consider old signatures that used MD5 as valid.

That's as close to removal as is realistic, given the huge number of existing signatures using MD5 that are out there.

> Lastly, who is this governing body that decides what algorithms should
> be included? The IETF OpenPGP group? As a regular user of gpg, but
> novice when it comes to the history of PGP/GPG this discussion on the
> history/politics of GPG/PGP has been very interesting for me.

http://www.ietf.org/html.charters/openpgp-charter.html

David

[1] I'm defining "strong" here in the loose sense of there are no workable attacks against it. Remember that SHA-1 was broken, but it is still in daily use as the break didn't reduce its strength enough for a workable attack.

From dshaw at jabberwocky.com Tue Jan 15 18:09:49 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 15 Jan 2008 12:09:49 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <20080115160829.2CB8F1A0039@mailserver8.hushmail.com> References: <20080115160829.2CB8F1A0039@mailserver8.hushmail.com> Message-ID: <20080115170949.GB26574@jabberwocky.com> On Tue, Jan 15, 2008 at 11:08:28AM -0500, vedaal at hush.com wrote: > David Shaw dshaw at jabberwocky.com > wrote on Mon Jan 14 23:56:35 CET 2008 : > > >It doesn't matter all that much what the "cipher of last resort" > >actually *is*, but it's absolutely vital that everyone has the > *same* > >one. RFC-2440 and 4880 require 3DES for this reason. > > > have often wondered about this, > > if this is so, > wouldn't it make more sense to have gnupg use 3DES as the default > cipher instead of CAST-5 > > it might have made sense historically when pgp moved to version 5 +, > and used CAST-5 as default, that gnupg used CAST-5 as the default > cipher to protect the secret key, and also the default cipher for > encryption, GPG does use 3DES as the default cipher for encryption. That behavior is required by OpenPGP. There is no OpenPGP requirement for secret key protection (there are few interoperability issues there), so CAST5 is as good as anything else. For what it's worth, if you set --openpgp mode, the secret key protection cipher does switch to 3DES. David From vedaal at hush.com Tue Jan 15 18:57:42 2008 
From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 15 Jan 2008 12:57:42 -0500 Subject: Question about history of hash and cipher collections Message-ID: <20080115175742.E16481A0039@mailserver8.hushmail.com>

David Shaw dshaw at jabberwocky.com wrote on Tue Jan 15 18:09:49 CET 2008 :

>GPG does use 3DES as the default cipher for encryption. That
>behavior
>is required by OpenPGP.

does it?

this is what i get when i try a symmetrical encryption using the defaults:

c:\gnupg>gpg -c -a c:\jat.txt
gpg: using cipher CAST5
gpg: writing to `c:\jat.txt.asc'

here is the output:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
passphrase: jat

jA0EAwMC1u7kYt5GDPpgySjAcWW2AhrskPs0zteJPzScCwtwqsgEYdYQeY7Tq9sQ
4NKAHU4Urql+
=3qDE
-----END PGP MESSAGE-----

here is the gpg.conf i'm using, in case i overlooked something:

##gpg2go drive
comment "Acts of Kindness better the World, and protect the Soul"
keyring v:\z\147\home\pubring.gpg
secret-keyring v:\z\147\home\secring.gpg
no-default-keyring
trustdb-name v:\z\147\home\trustdb.gpg
#cipher-algo TWOFISH
#digest-algo SHA256
#compress-algo ZIP
load-extension v:\z\147\idea.dll
homedir v:\z\147\home
local-user 0x5AA20C866A589A97!
#hidden-encrypt-to 0x5AA20C866A589A97
#s2k-cipher-algo twofish
#s2k-digest-algo SHA256
#
#cert-digest-algo SHA256
#digest-algo sha1
#digest-algo ripemd160
verbose
verbose
ignore-crc-error
ignore-mdc-error
show-session-key
expert
#throw-keyids
#try-all-secrets
#default-key 6A589A97!

it has been my experience that the cipher used for symmetric encryption is the one that is named in s2k-cipher-algo unless otherwise specified, and if unspecified, and no s2k-cipher-algo is specified either, then it reverts to CAST-5

(the above test was done using gnupg 1.4.8, haven't gotten around to changing the folder names yet ;-) )

vedaal

From dshaw at jabberwocky.com Tue Jan 15 19:07:41 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 15 Jan 2008 13:07:41 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <20080115175742.E16481A0039@mailserver8.hushmail.com> References: <20080115175742.E16481A0039@mailserver8.hushmail.com> Message-ID: <20080115180741.GC26574@jabberwocky.com> On Tue, Jan 15, 2008 at 12:57:42PM -0500, vedaal at hush.com wrote: > David Shaw dshaw at jabberwocky.com > wrote on Tue Jan 15 18:09:49 CET 2008 : > > >GPG does use 3DES as the default cipher for encryption. That > >behavior > >is required by OpenPGP. > > > does it? > > this is what i get when i try a symmetrical encryption using the > defaults: > > c:\gnupg>gpg -c -a c:\jat.txt > gpg: using cipher CAST5 > gpg: writing to `c:\jat.txt.asc' It uses 3DES for symmetric encryption to a recipient as required. Straight symmetric encryption you're allowed to use anything. David From kevhilton at gmail.com Tue Jan 15 19:09:16 2008 
From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 15 Jan 2008 11:09:16 -0700 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> Message-ID: <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> From what you are saying about cipher/hashes, it sounds as an end user of gnupg, it would be best to regularly rotate my personal cipher/hash preferences. And lastly, not to be a conspiracy theorist, but how certain can I be that the NSA (who probably employs the single largest collection of cryptographers) hasn't discovered "back-doors" or cracks in the encryption algorithms? I always get asked this by my brother, and I'm not sure how best to respond. From rjh at sixdemonbag.org Tue Jan 15 20:01:53 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 15 Jan 2008 14:01:53 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> Message-ID: <478D0321.6070109@sixdemonbag.org> Kevin Hilton wrote: > From what you are saying about cipher/hashes, it sounds as an end user > of gnupg, it would be best to regularly rotate my personal cipher/hash > preferences. Ack! No. No. No. My advice has been the same for years: unless you know precisely what you're doing and why, stick with the defaults. GnuPG's defaults are excellent. They make good sense. They interoperate well. Don't mess with them unless you know precisely what you're doing and why. > And lastly, not to be a conspiracy theorist, but how certain can I be > that the NSA (who probably employs the single largest collection of > cryptographers) hasn't discovered "back-doors" or cracks in the > encryption algorithms? I always get asked this by my brother, and I'm > not sure how best to respond. I get asked this question a lot. The full answer can be found at: http://sixdemonbag.org/cryptofaq.html#agencies From jmoore3rd at bellsouth.net Tue Jan 15 21:14:26 2008 
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 15 Jan 2008 15:14:26 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <20080115175742.E16481A0039@mailserver8.hushmail.com> References: <20080115175742.E16481A0039@mailserver8.hushmail.com> Message-ID: <478D1422.3030209@bellsouth.net> vedaal at hush.com wrote: > here is the gpg.conf i'm using, in case i overlooked something: openpgp The above line needs to be added to Your gpg.conf & You'll be using 3DES. JOHN ;) Timestamp: Tuesday 15 Jan 2008, 15:14 --500 (Eastern Standard Time) From kevhilton at gmail.com Wed Jan 16 03:48:20 2008 
From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 15 Jan 2008 19:48:20 -0700 Subject: Question about history of hash and cipher collections In-Reply-To: <1200437607.6565.9.camel@carbon> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> <1200437607.6565.9.camel@carbon> Message-ID: <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> Just a few follow-up points Quote: My advice has been the same for years: unless you know precisely what you're doing and why, stick with the defaults. GnuPG's defaults are excellent. They make good sense. They interoperate well. Don't mess with them unless you know precisely what you're doing and why. However in your link: http://sixdemonbag.org/cryptofaq.html#agencies, you recommend other things (as discussed below). From my limited knowledge, the default GnuPG settings are to create a 1024-bit DSA signing key, a 1024-bit ElGamal encryption key, a 3DES symmetric cipher, and SHA-1 hash. In your link however, you recommend the creation of 1024 or 2048 RSA signing and encryption keys (or DSA2 signing key with RSA encryption key??), and to choose something else other than the SHA-1 hash. It would seem from the information in your link, it would not be best to follow the default settings in terms of signing/encryption key creation, and hash algorithm. What hash algorithm should I be using, if SHA-1 is not preferred? SHA512?? Who chooses the defaults in terms of DSA/ElGamal signing/encryption keys? Is this set by the GnuPG programmers or the OpenPGP standard? From rjh at sixdemonbag.org Wed Jan 16 04:23:58 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 15 Jan 2008 22:23:58 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> <1200437607.6565.9.camel@carbon> <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> Message-ID: <478D78CE.1010102@sixdemonbag.org> Kevin Hilton wrote: > In your link however, you recommend the creation of 1024 or 2048 RSA > signing and encryption keys (or DSA2 signing key with RSA encryption > key??), and to choose something else other than the SHA-1 hash. And I also say "unless you know exactly what you're doing and why, use the defaults." It's true that I am not fond of kilobit keys, for reasons I won't go into right now. I am far, far less fond of people who do not know what they are doing, or why they are doing it, tinkering around with deep magics beyond their kenning. A Formula-1 race mechanic may be able to tweak a car engine to get a few more percent out of it than the factory settings allow. Your average driver should not attempt this, because they have better odds of cutting their own brake lines by accident than by realizing any marginal improvement. Prudence demands that drivers be strongly encouraged to just drive the car. > creation, and hash algorithm. What hash algorithm should I be using, > if SHA-1 is not preferred? SHA512?? Unless you know exactly what you're doing and why, use the defaults. That is all the advice you will get from me. 
> Who chooses the defaults in terms of DSA/ElGamal signing/encryption > keys? Is this set by the GnuPG programmers or they OpenGPG standard? The OpenPGP standard specifies what algorithms must be present, and to an extent what the defaults must be. The GnuPG crew is free to exceed those standards. From kevhilton at gmail.com Wed Jan 16 04:29:36 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 15 Jan 2008 20:29:36 -0700 Subject: Question about history of hash and cipher collections In-Reply-To: <478D78CE.1010102@sixdemonbag.org> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> <1200437607.6565.9.camel@carbon> <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> <478D78CE.1010102@sixdemonbag.org> Message-ID: <96c450350801151929m1733787as4d075d1f7f449998@mail.gmail.com> >Unless you know exactly what you're doing and why, use the defaults. >That is all the advice you will get from me. Hmm, not the answer I was quite expecting. Thanks again for all your time. You have greatly enlightened me and reinforced my love for gnupg. From rjh at sixdemonbag.org Wed Jan 16 07:22:27 2008 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 16 Jan 2008 01:22:27 -0500 Subject: Question about history of hash and cipher collections In-Reply-To: <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> References: <96c450350801131539o18438c61g7709b9de86752a0f@mail.gmail.com> <20080114013332.GA7602@jabberwocky.com> <96c450350801131915m5d4a97ado3aa33a9737bff2a7@mail.gmail.com> <96c450350801131915q4a30155dwaf8300a2f1ee7dbe@mail.gmail.com> <96c450350801142005p131e15ffi7f34a58de7e8e6ed@mail.gmail.com> <478C3764.90000@sixdemonbag.org> <96c450350801150712q7d1a659exb1275891f7a12c5f@mail.gmail.com> <96c450350801151009m27f36e6cw690e180d31799a16@mail.gmail.com> <1200437607.6565.9.camel@carbon> <96c450350801151848p50e1e673oe110cf62c279e55d@mail.gmail.com> Message-ID: <478DA2A3.2030004@sixdemonbag.org> Kevin Hilton wrote: > From my limited knowledge, the default GnuPG settings are to create a > 1024-bit DSA signing key, a 1024-bit ElGamal encryption key, a 3DES > symmetric cipher, and SHA-1 hash. Incidentally, with 1.4.8 it defaults to a 2048-bit DSA/Elg keypair and SHA256. There is no contradiction between what you read and my "use the defaults!" creed. That page was written before DSA2 was widespread, and right after some major cracks were showing in SHA-1. I should update the page to reflect the changes since then. From max.allan at nbs.co.uk Thu Jan 10 09:35:27 2008 
From: max.allan at nbs.co.uk (Max Allan) Date: Thu, 10 Jan 2008 08:35:27 +0000 Subject: Decryption error In-Reply-To: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> References: <319C97430831164E90F66B72B419713D39D0D5@MAIL.sc.loc> Message-ID: <008101c85363$c090ec50$5dc810ac@maxpc>

You can try to run ldd on the binary (use the full path to gpg, ldd won't search $PATH for you). That will show all libraries the binary wants and if they aren't found. This might save you some repeated copying libs one by one onto the box!

It will also show that if you know libgcc is somewhere on the box but fails to be found, then you need to set your library search path again (this env var varies depending what OS you're on. Solaris uses LD_LIBRARY_PATH).

I'm being a bit vague about the answer because the exact command you need will depend on the OS and the shell. You said you'd already set some environment variables so I assume you know how to do it. In case you don't, here is a clue : if you're running sh then the assignment command needs to be followed by an 'export' for future shell scripts to find it. If you're running bash/csh/ksh you can do it all in one. Check it's properly set by doing an echo in a new shell (example in sh) :

$ VAR=val
$ echo $VAR
val
$ sh
$ echo $VAR

$ exit
$ export VAR
$ sh
$ echo $VAR
val

Every time you logout, you'll need to reset it. To make it permanent, it'll need to go in one of your dot files (.profile, .login, .cshrc etc)

More unix training is available at my normal hourly rate ;-)

Max

ld.so.1: gpg: fatal: libgcc_s.so.1: open failed: No such file or directory

I have set environment variables both when I compiled gpg and when I run the restore utility but I can't seem to get past this error. I have worked with the Amanda folks but still haven't figured this one out.

From a.cloos at webspeed.dk Sun Jan 13 12:46:32 2008 
From: a.cloos at webspeed.dk (A C) Date: Sun, 13 Jan 2008 12:46:32 +0100 Subject: Problem getting smartcard reader working !!! Message-ID: <200801131246.32667.a.cloos@webspeed.dk> Hi Werner. I am having trouble getting my smartcard reader working. At present I am using SuSE 10.3, and apparently it does identify the hardware ( combined keyboard and reader ( http://www.athena-scs.com/product.asp?pid=2 )). I am sure that the RPM's are installed correctly, and the PCSC dameon is started. The card I am using is a Gemalto GemSafeXpresso 32 Kb. Do you have any idea as to what the problem is? Thanks in advance Allan Cloos The output is as follows: acl at linux-s33r:~> gpg --card-status gpg: OpenPGP card not available: Card error [2008-01-13T12:25:13] Log started [client at fd 4 connected] 4 - 2008-01-13 12:25:50 gpg-agent[5127]: handler 0x808b878 for fd 6 started 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK Pleased to meet you 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- RESET 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- OPTION display=:0.0 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- OPTION ttyname=/dev/pts/1 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- OPTION ttytype=xterm 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- OPTION lc-ctype=en_US.UTF-8 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- OPTION lc-messages=en_US.UTF-8 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: -> OK [client at fd 5 connected] 4 - 2008-01-13 12:25:50 gpg-agent[5127.6] DBG: <- LEARN --send 4 - 2008-01-13 12:25:50 gpg-agent[5127]: no running SCdaemon - starting it 5 - 2008-01-13 12:25:50 scdaemon[5347]: listening on socket `/tmp/gpg-HUYTOJ/S.scdaemon' 5 - 2008-01-13 12:25:50 scdaemon[5347]: handler for fd 
-1 started 5 - 2008-01-13 12:25:51 scdaemon[5347]: reader slot 0: active protocol: 5 - 2008-01-13 12:25:51 scdaemon[5347]: slot 0: ATR=3B 6D 00 00 80 31 80 65 B0 83 01 02 90 83 00 90 00 00 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready 4 - 2008-01-13 12:25:51 gpg-agent[5127]: DBG: first connection to SCdaemon established 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: <- GETINFO socket_name 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> D /tmp/gpg-HUYTOJ/S.scdaemon 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> OK 4 - 2008-01-13 12:25:51 gpg-agent[5127]: DBG: additional connections at `/tmp/gpg-HUYTOJ/S.scdaemon' 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: <- OPTION event-signal=12 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> OK 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: <- SERIALNO 5 - 2008-01-13 12:25:51 scdaemon[5347]: no supported card application found: Card error 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> ERR 100663404 Card error 4 - 2008-01-13 12:25:51 gpg-agent[5127]: command learn failed: Card error 4 - 2008-01-13 12:25:51 gpg-agent[5127.6] DBG: -> ERR 100663404 Card error 4 - 2008-01-13 12:25:51 gpg-agent[5127.6] DBG: <- [EOF] 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: <- RESTART 5 - 2008-01-13 12:25:51 scdaemon[5347.0] DBG: -> OK 4 - 2008-01-13 12:25:51 gpg-agent[5127]: handler 0x808b878 for fd 6 terminated 5 - 2008-01-13 12:25:52 scdaemon[5347]: updating status of slot 0 to 0x0007 5 - 2008-01-13 12:25:52 scdaemon[5347]: client pid is 5127, sending signal 12 4 - 2008-01-13 12:25:52 gpg-agent[5127]: SIGUSR2 received - checking smartcard status ----> And as supervisor: linux-s33r:~ # testpcsc MUSCLE PC/SC Lite unitary test Program THIS PROGRAM IS NOT DESIGNED AS A TESTING TOOL FOR END USERS! Do NOT use it unless you really know what you do. Testing SCardEstablishContext : Command successful. Testing SCardIsValidContext : Command successful. Testing SCardIsValidContext : Invalid handle. 
(don't panic) Testing SCardGetStatusChange Please insert a working reader : Command successful. Testing SCardListReaderGroups : Command successful. Command successful. Group 01: SCard$DefaultReaders Testing SCardListReaders : Command successful. Command successful. Reader 01: AseIIIeUSB KB 00 00 Waiting for card insertion : Command successful. Testing SCardConnect : Command successful. Select file: 00 A4 00 00 02 3F 00 Testing SCardTransmit : Command successful. card response: 67 00 Testing SCardControl : ? ?vfKCS-15 Command successful. Testing SCardGetAttrib : Feature not supported. (don't panic) Testing SCardGetAttrib : Feature not supported. (don't panic) Testing SCardGetAttrib : Feature not supported. (don't panic) Testing SCardGetAttrib : Feature not supported. (don't panic) Testing SCardGetAttrib : Feature not supported. (don't panic) Testing SCardSetAttrib : Command successful. Testing SCardStatus : Command successful. Current Reader Name : AseIIIeUSB KB 00 00 Current Reader State : 0x20034 Current Reader Protocol : T=0 Current Reader ATR Size : 18 bytes Current Reader ATR Value : 3B 7D 94 00 00 80 31 80 65 B0 83 01 02 90 83 0 0 90 00 Press enter: Testing SCardReconnect : Command successful. Testing SCardDisconnect : Command successful. Testing SCardReleaseContext : Command successful. PC/SC Test Completed Successfully ! linux-s33r:~ # gpg --card-status can't connect to `/tmp/gpg-9Hf97V/S.gpg-agent': No such file or directory gpg: can't connect to the agent - trying fall back scdaemon[4976]: no supported card application found: Card error gpg-agent[4975]: command learn failed: Card error gpg: OpenPGP card not available: Card error scdaemon[4976]: updating status of slot 0 to 0x0007 scdaemon[4976]: client pid is 4975, sending signal 12 linux-s33r:~ # scdaemon[4976]: scdaemon (GnuPG) 2.0.4-svn0 stopped From anderskitson at gmail.com Mon Jan 14 21:58:09 2008 
From: anderskitson at gmail.com (Anders Kitson) Date: Mon, 14 Jan 2008 13:58:09 -0700 Subject: GpG warning Message-ID: <70eeb81c0801141258s45fc9526x8263e2ecc2efcafb@mail.gmail.com> I get this error when encrypting a file; everything works fine, the file is encrypted, and I can unencrypt it. You did not specify a user ID. (you may use "-r") > > Current recipients: > > Enter the user ID. End with an empty line: > No such user ID. > Just wondering what this means From joerg at schmitz-linneweber.de Thu Jan 17 11:01:07 2008
From: joerg at schmitz-linneweber.de (Jörg Schmitz-Linneweber) Date: Thu, 17 Jan 2008 11:01:07 +0100 Subject: Problem getting smartcard reader working !!! In-Reply-To: <200801131246.32667.a.cloos@webspeed.dk> References: <200801131246.32667.a.cloos@webspeed.dk> Message-ID: <200801171101.16559.joerg@schmitz-linneweber.de> Hello Allan, On Sunday, 13 January 2008 12:46, A C wrote: > ... > I am having trouble getting my smartcard reader working. At present I am > using SuSE 10.3, and apparently it does identify the hardware ( combined > keyboard and reader ( http://www.athena-scs.com/product.asp?pid=2 )). I > am sure that the RPM's are installed correctly, and the PCSC daemon is > started. The card I am using is a Gemalto GemSafeXpresso 32 Kb. Do you > have any idea as to what the problem is? Your card reader and your config are fine. > 5 - 2008-01-13 12:25:51 scdaemon[5347]: no supported card application > found: Card error This error message says it all! :-) Your Gemalto card is lacking the OpenPGP (card) application. The only known cards which support the OpenPGP card application are the OpenPGP card and the FSEcard... [ http://www.kernelconcepts.de/shop/products/security.shtml?hardware ] [ https://www.fsfe.org/card/ ] You'll need such a card if you intend to use gpg with smartcards. HTH. Salut, Jörg -- gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512 From rac at bnl.gov Fri Jan 18 17:21:46 2008
From: rac at bnl.gov (Richard Casella) Date: Fri, 18 Jan 2008 11:21:46 -0500 Subject: Synchronizing keychains Message-ID: <4790D21A.8050809@bnl.gov> Sorry if this has been posted before, but for some reason I can't get to the list archive and I couldn't find anything about it in the How-tos. I have a need to synchronize gpg keychains on two machines that are decrypting messages behind a VIP load-balancer. Anyone have any ideas on a good way to do this? I have people registering their keys via email and they will get to one or the other machine. I can forward the email to the other machine, but I'm sure they will still get out of sync for one reason or another and would like to maintain two identical keychains on both machines. -- Richard Casella CS Operations, Brookhaven National Laboratory IT Division, Bldg. 515, Upton, NY 11973 Phone: 631 344-7975 mailto: rac at bnl.gov http://www.bnl.gov/itd From sattva at pgpru.com Fri Jan 18 19:47:29 2008 
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 19 Jan 2008 00:47:29 +0600 Subject: Synchronizing keychains In-Reply-To: <4790D21A.8050809@bnl.gov> References: <4790D21A.8050809@bnl.gov> Message-ID: <4790F441.4030603@pgpru.com> Richard Casella wrote on 18.01.2008 22:21: > Sorry if this has been posted before, but for some reason I can't > get to the list archive and I couldn't find anything about it in > the How-tos. > > I have a need to synchronize gpg keychains on two machines that > are decrypting messages behind a VIP load-balancer. Anyone have > any ideas on a good way to do this? Because key import operations are additive, do like this: Copy both public keyring files from both machines to one another; don't overwrite original keyrings, place files in temp locations. Then --import them to original keyrings. That's all, now both keyrings are identical. > I have people registering their keys via email and they will get > to one or the other machine. I can forward the email to the other > machine, but I'm sure they will still get out of sync for one reason > or another and would like to maintain two identical keychains on > both machines. -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From bhagany at gofox.com Fri Jan 18 21:39:39 2008 
From: bhagany at gofox.com (Brent Hagany) Date: Fri, 18 Jan 2008 14:39:39 -0600 Subject: Exit code 2 from PHP script Message-ID: Hello, This issue has been addressed several times on this list, but after several hours of searching, I cannot find a solution that works for me. Here's a simple test case that I cannot get to work: $out = exec("/usr/bin/gpg --list-keys",$output,$return); This, and everything like it, except "gpg --help" returns an exit code of 2, with nothing in the output. Ultimately, I want to encrypt a message and then email it, but I reduced it to this simple case in an attempt to get it to work. Now, some other things: I can successfully do pretty much anything with gpg by running a PHP script from the command line, as the same user that Apache runs under (daemon, on my machine). I have changed the permissions on everything in daemon's .gnupg folder to 777. I have confirmed that the path to gpg is correct. I've also tried every flag that looks like it might remotely be of use. Does anybody have any ideas about something else I could try? I feel like I've pretty much ruled out user-related and permission-related problems - what are the other candidates for the source of this kind of thing? Thanks for taking the time, I appreciate it. Brent From JPClizbe at tx.rr.com Fri Jan 18 22:25:17 2008 
From: JPClizbe at tx.rr.com (John Clizbe) Date: Fri, 18 Jan 2008 15:25:17 -0600 Subject: Synchronizing keychains In-Reply-To: <4790D21A.8050809@bnl.gov> References: <4790D21A.8050809@bnl.gov> Message-ID: <4791193D.30409@tx.rr.com> Richard Casella wrote: > Sorry if this has been posted before, but for some reason I can't > get to the list archive and I couldn't find anything about it in > the How-tos. > > I have a need to synchronize gpg keychains on two machines that > are decrypting messages behind a VIP load-balancer. Anyone have > any ideas on a good way to do this? > > I have people registering their keys via email and they will get > to one or the other machine. I can forward the email to the other > machine, but I'm sure they will still get out of sync for one reason > or another and would like to maintain two identical keychains on > both machines. Machine A imports machine B's keyrings when complete, machine B imports machine A's keyrings -- John P. Clizbe Inet: JPClizbe(at) tx DAWT rr DAHT com Ginger Bear Networks hkp://keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" From genix01 at gmail.com Fri Jan 18 22:29:50 2008
From: genix01 at gmail.com (shane howard) Date: Sat, 19 Jan 2008 08:29:50 +1100 Subject: turning off gpg-agent Message-ID: <2adb28b10801181329p6443ccdcu696fbbf58bf0afdc@mail.gmail.com> I just did a fresh install of gpg and everything went well, except that whenever I try to decrypt something it says can't connect to `/home/hellman/.gnupg/S.gpg-agent': No such file or directory it does however decrypt the message. I assume that what gpg is trying to do is save the password via the agent and it can't find the socket file? I would attempt to get the agent working to remove the error messages but as it is I don't want this functionality, I would prefer to enter my pass phrase every time. The question is, how do I stop gpg from trying to contact the agent? I did have a look in ~/.gnupg/gpg.conf for the line user-agent to take it out of there, but it's not in there so being really new to gpg I am at a loss of what to do. Any information on removing this behavior will be highly appreciated From hs2412 at gmail.com Sat Jan 19 11:09:56 2008 From: hs2412 at gmail.com (Hardeep Singh) Date: Sat, 19 Jan 2008 15:39:56 +0530 Subject: Prime searching Message-ID: Hi Could any one tell me the high-level prime search method employed by GPG? Is it something like this: - generate a random number - is it prime? if yes, use it - if not, continue adding ones to it until a prime number is found Also, which algorithm is used by GPG for testing primality? Regards Hardeep Singh From sattva at pgpru.com Sat Jan 19 11:28:48 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 19 Jan 2008 16:28:48 +0600 Subject: Exit code 2 from PHP script In-Reply-To: References: Message-ID: <4791D0E0.3070203@pgpru.com> Brent Hagany wrote on 19.01.2008 02:39: > Hello, > > This issue has been addressed several times on this list, but after > several hours of searching, I cannot find a solution that works for me. > Here's a simple test case that I cannot get to work: > > $out = exec("/usr/bin/gpg --list-keys",$output,$return); > > This, and everything like it, except "gpg --help" returns an exit code > of 2, with nothing in the output. > > Ultimately, I want to encrypt a message and then email it, but I reduced > it to this simple case in an attempt to get it to work. Now, some other > things: I can successfully do pretty much anything with gpg by running a > PHP script from the command line, as the same user that Apache runs > under (daemon, on my machine). I have changed the permissions on > everything in daemon's .gnupg folder to 777. I have confirmed that the > path to gpg is correct. I've also tried every flag that looks like it > might remotely be of use. Does anybody have any ideas about something > else I could try? I feel like I've pretty much ruled out user-related > and permission-related problems - what are the other candidates for the > source of this kind of thing? You don't have to specify full path to the executable if it's in your system PATH. As to the specific problem, try to use system() instead of exec(), however if playing with process handles doesn't scare you, consider proc_open(). > Thanks for taking the time, I appreciate it. > > Brent -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From sattva at pgpru.com Sat Jan 19 12:01:14 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 19 Jan 2008 17:01:14 +0600 Subject: Keyservers mangle with subkey binding sigs Message-ID: <4791D87A.7060001@pgpru.com> While I understand that this place isn't the best for PKS bug reports, I'm still not sure of what's happening (except it's quite weird). My key 0x8443620A consists of a main certification key and two subkeys: one for encryption and one for signing. Both subkeys have expired in the end of the last year, but I've chosen not to generate new and to simply extend life of existing subkeys for another few years, so I've re-signed them with extended expiration date and updated to keyservers. A few days later one of my correspondents contacted me saying that my key is expired and unusable. I've looked at keyservers, and was very surprised that they're not reflecting the changes made! Here for example (in the bottom) you may see two subkeys with binding signatures expired at 2007-12-31: http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex But if you look at the original copy you'll see that all regenerated sigs are in place: http://www.vladmiller.info/contacts/openpgp.txt sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets [snip] :signature packet: algo 1, keyid FAEB26F78443620A version 4, created 1199529401, md5len 0, sigclass 0x18 digest algo 2, begin of digest 1f 06 hashed subpkt 26 len 45 (policy: http://www.vladmiller.info/services/cert.html) hashed subpkt 27 len 1 (key flags: 0C) >>>> hashed subpkt 2 len 4 (sig created 2008-01-05) <<<< >>>> hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<< subpkt 16 len 8 (issuer key ID FAEB26F78443620A) data: [4095 bits] If I understand this correctly and not missing something terribly here, keyservers just looked at newly uploaded key, thought "huh? 
I already have that subkey in place, and this 0x18 sig too!", and discarded it without going into much trouble of analyzing any binding sigs' timestamps (maybe marking them as duplicates). Could anyone confirm this behavior? -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From simon at josefsson.org Sat Jan 19 12:15:30 2008
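The selection problem described in the message above, as an added example that is not part of the original thread: a Python sketch that reads `gpg --list-packets` text, collects the 0x18 subkey binding signatures, and compares the expiry implied by the newest one with the expiry left when only the first-seen one is kept. The subkey creation time and the older binding signature in the sample are constructed, and the first-seen policy only models the poster's hypothesis, not confirmed keyserver behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `gpg --list-packets` prints. The second
# signature packet carries the values quoted in the message above; the subkey
# creation time and the older binding signature are constructed for the example.
SAMPLE_DUMP = """\
:public sub key packet:
    version 4, algo 1, created 1166700000, expires 0
:signature packet: algo 1, keyid FAEB26F78443620A
    version 4, created 1166700000, md5len 0, sigclass 0x18
    hashed subpkt 2 len 4 (sig created 2006-12-21)
    hashed subpkt 9 len 4 (key expires after 1y10d0h0m)
:signature packet: algo 1, keyid FAEB26F78443620A
    version 4, created 1199529401, md5len 0, sigclass 0x18
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 2 len 4 (sig created 2008-01-05)
    hashed subpkt 9 len 4 (key expires after 3y11d13h6m)
    subpkt 16 len 8 (issuer key ID FAEB26F78443620A)
"""

SUBKEY_RE = re.compile(r"version \d+, algo \d+, created (\d+)")
SIG_RE = re.compile(r"version \d+, created (\d+), md5len \d+, sigclass 0x([0-9a-fA-F]+)")
LIFETIME_RE = re.compile(r"key expires after (\d+)y(\d+)d(\d+)h(\d+)m")


def lifetime_seconds(years, days, hours, minutes):
    """Convert gpg's 'NyNdNhNm' interval; gpg counts a year as 365 days."""
    return ((years * 365 + days) * 24 + hours) * 3600 + minutes * 60


def parse_subkeys(dump):
    """Return one dict per subkey: its creation time and its 0x18 signatures."""
    subkeys, current, sig = [], None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # start of a new packet
            sig = None
            if line.startswith(":public sub key packet:"):
                current = {"created": None, "bindings": []}
                subkeys.append(current)
            elif not line.startswith(":signature packet:"):
                current = None                        # later sigs bind something else
            continue
        if current is None:
            continue
        m = SIG_RE.search(line)
        if m:
            sig = None
            if int(m.group(2), 16) == 0x18:           # subkey binding signature
                sig = {"created": int(m.group(1)), "lifetime": None}
                current["bindings"].append(sig)
            continue
        m = LIFETIME_RE.search(line)
        if m and sig is not None:
            sig["lifetime"] = lifetime_seconds(*map(int, m.groups()))
            continue
        m = SUBKEY_RE.search(line)
        if m and current["created"] is None:
            current["created"] = int(m.group(1))
    return subkeys


def newest(bindings):
    """Honour the most recently created binding signature."""
    return max(bindings, key=lambda s: s["created"])


def first_seen(bindings):
    """Model of the hypothesis above: a store that keeps only the first 0x18 it saw."""
    return bindings[0]


def subkey_expiry(subkey, pick):
    """Expiry implied by the chosen binding signature, or None if it sets none."""
    if not subkey["bindings"]:
        raise ValueError("subkey has no binding signature")
    chosen = pick(subkey["bindings"])
    if chosen["lifetime"] is None:
        return None
    return datetime.fromtimestamp(subkey["created"] + chosen["lifetime"], tz=timezone.utc)


if __name__ == "__main__":
    for n, sk in enumerate(parse_subkeys(SAMPLE_DUMP), 1):
        print(f"subkey {n}: {len(sk['bindings'])} binding signature(s)")
        print("  newest binding sig     ->", subkey_expiry(sk, newest))
        print("  first-seen binding sig ->", subkey_expiry(sk, first_seen))
```

The script reads the text dump only and verifies no signatures; it is a way to see which binding signatures a given copy of a key actually contains.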
From: simon at josefsson.org (Simon Josefsson) Date: Sat, 19 Jan 2008 12:15:30 +0100 Subject: Keyservers mangle with subkey binding sigs In-Reply-To: <4791D87A.7060001__16161.6394100294$1200740670$gmane$org@pgpru.com> (Vlad Miller's message of "Sat, 19 Jan 2008 17:01:14 +0600") References: <4791D87A.7060001__16161.6394100294$1200740670$gmane$org@pgpru.com> Message-ID: <87zlv2vzfx.fsf@mocca.josefsson.org> "Vlad \"SATtva\" Miller" writes: > While I understand that this place isn't the best for PKS bug reports, > I'm still not sure of what's happening (except it's quite weird). My key > 0x8443620A consists of a main certification key and two subkeys: one for > encryption and one for signing. > > Both subkeys have expired in the end of the last year, but I've chosen > not to generate new and to simply extend life of existing subkeys for > another few years, so I've re-signed them with extended expiration date > and updated to keyservers. A few days later one of my correspondents > contacted me saying that my key is expired and unusable. I've looked at > keyservers, and was very surprised that they're not reflecting the > changes made! 
> > Here for example (in the bottom) you may see two subkeys with binding > signatures expired at 2007-12-31: > http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex > > But if you look at the original copy you'll see that all regenerated > sigs are in place: > http://www.vladmiller.info/contacts/openpgp.txt > > sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets > [snip] > :signature packet: algo 1, keyid FAEB26F78443620A > version 4, created 1199529401, md5len 0, sigclass 0x18 > digest algo 2, begin of digest 1f 06 > hashed subpkt 26 len 45 (policy: > http://www.vladmiller.info/services/cert.html) > hashed subpkt 27 len 1 (key flags: 0C) > >>>> hashed subpkt 2 len 4 (sig created 2008-01-05) <<<< > >>>> hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<< > subpkt 16 len 8 (issuer key ID FAEB26F78443620A) > data: [4095 bits] > > If I understand this correctly and not missing something terribly here, > keyservers just looked at newly uploaded key, thought "huh? I already > have that subkey in place, and this 0x18 sig too!", and discarded it > without going into much trouble of analyzing any binding sigs' > timestamps (maybe marking them as duplicates). > > Could anyone confirm this behavior? I had similar problems with many key servers, until I switched to subkeys.pgp.net which is (if I understand correctly) documented to only point to key servers with full subkey support. /Simon From sattva at pgpru.com Sat Jan 19 13:08:30 2008 
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 19 Jan 2008 18:08:30 +0600 Subject: Keyservers mangle with subkey binding sigs In-Reply-To: <87zlv2vzfx.fsf@mocca.josefsson.org> References: <4791D87A.7060001__16161.6394100294$1200740670$gmane$org@pgpru.com> <87zlv2vzfx.fsf@mocca.josefsson.org> Message-ID: <4791E83E.7040703@pgpru.com> Simon Josefsson wrote on 19.01.2008 17:15: > "Vlad \"SATtva\" Miller" writes: [snip] >> If I understand this correctly and not missing something terribly here, >> keyservers just looked at newly uploaded key, thought "huh? I already >> have that subkey in place, and this 0x18 sig too!", and discarded it >> without going into much trouble of analyzing any binding sigs' >> timestamps (maybe marking them as duplicates). >> >> Could anyone confirm this behavior? > > I had similar problems with many key servers, until I switched to > subkeys.pgp.net which is (if I understand correctly) documented to only > point to key servers with full subkey support. subkeys.pgp.net is the first server I send keys to. However, as you can see, it's subkeys support isn't enough: http://subkeys.pgp.net:11371/pks/lookup?search=0x8443620A&op=vindex sub 2048R/070E0B73 2006-12-21 sig sbind 8443620A 2006-12-21 __________ 2007-12-31 [] <<<< Policy URL: http://www.vladmiller.info/services/cert.html sub 2048R/7D57ED51 2006-12-21 sig sbind 8443620A 2006-12-21 __________ 2007-12-31 [] <<<< Policy URL: http://www.vladmiller.info/services/cert.html And it's not just an output bug. If you import that key it'll end up like this: gpg: NOTE: signature key 070E0B73 expired Tue 01 Jan 2008 03:26:21 NOVT pub 4096R/8443620A 2006-12-21 uid Vladislav V. Miller (aka SATtva) uid Vladislav V. Miller (aka SATtva) <@> uid Vladislav V. 
Miller (aka SATtva) <@> uid SATtva (openPGP in Russia project admin) <@> uid Vlad Miller (for private contacts only) <@> uid [jpeg image of size 7403] sub 2048R/070E0B73 2006-12-21 [expired: 2007-12-31] <<<< sub 2048R/7D57ED51 2006-12-21 [expired: 2007-12-31] <<<< > /Simon > > -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From shavital at mac.com Sat Jan 19 13:26:04 2008
From: shavital at mac.com (Charly Avital) Date: Sat, 19 Jan 2008 07:26:04 -0500 Subject: Keyservers mangle with subkey binding sigs In-Reply-To: <4791D87A.7060001@pgpru.com> References: <4791D87A.7060001@pgpru.com> Message-ID: <4791EC5C.1080007@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM: [...] | Here for example (in the bottom) you may see two subkeys with binding | signatures expired at 2007-12-31: | http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex So it is. | But if you look at the original copy you'll see that all regenerated | sigs are in place: | http://www.vladmiller.info/contacts/openpgp.txt After importing that keyblock: gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 13 new signatures gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 11 signatures cleaned gpg: Total number processed: 1 gpg: new signatures: 13 gpg: signatures cleaned: 11 gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 30 signed: 105 trust: 0-, 0q, 0n, 0m, 0f, 30u gpg: depth: 1 valid: 105 signed: 54 trust: 0-, 3q, 0n, 33m, 69f, 0u gpg: depth: 2 valid: 40 signed: 92 trust: 0-, 1q, 2n, 21m, 16f, 0u gpg: depth: 3 valid: 4 signed: 12 trust: 1-, 0q, 0n, 1m, 2f, 0u gpg: depth: 4 valid: 3 signed: 4 trust: 0-, 0q, 0n, 1m, 2f, 0u gpg: next trustdb check due at 2008-02-13 [name]$ gpg --edit-key 8443620A gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub 4096R/8443620A created: 2006-12-21 expires: never usage: SC ~ trust: unknown validity: unknown sub 2048R/070E0B73 created: 2006-12-21 expires: 2010-01-01 usage: S sub 2048R/7D57ED51 created: 2006-12-21 expires: 2010-01-01 usage: E [ unknown] (1). Vladislav V. Miller (aka SATtva) [ unknown] (2) Vladislav V. Miller (aka SATtva) [ unknown] (3) Vladislav V. 
Miller (aka SATtva) [ unknown] (4) SATtva (openPGP in Russia project admin) [ unknown] (5) Vlad Miller (for private contacts only) [ unknown] (6) [jpeg image of size 7403] [ unknown] (7) [jpeg image of size 7403] In my system now: I have not signed your key Your signature verifies (no longer "..with expired key...". Two user photos are invoked and displayed, one of them shows a person, the other one displays an interrogation mark. After signing (locally) your key, there is no change, still two photos displayed, one is a person, the other one displays an interrogation mark. | sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets | [snip] | :signature packet: algo 1, keyid FAEB26F78443620A | version 4, created 1199529401, md5len 0, sigclass 0x18 | digest algo 2, begin of digest 1f 06 | hashed subpkt 26 len 45 (policy: | http://www.vladmiller.info/services/cert.html) | hashed subpkt 27 len 1 (key flags: 0C) | >>>> hashed subpkt 2 len 4 (sig created 2008-01-05) <<<< | >>>> hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<< | subpkt 16 len 8 (issuer key ID FAEB26F78443620A) | data: [4095 bits] | | If I understand this correctly and not missing something terribly here, | keyservers just looked at newly uploaded key, thought "huh? I already | have that subkey in place, and this 0x18 sig too!", and discarded it | without going into much trouble of analyzing any binding sigs' | timestamps (maybe marking them as duplicates). I lack the knowledge and background to comment. 
Charly MacOS X 10.5.1 - GnuPG 1.4.8 - GPG2 2.0.8 with gpg-agent - Thunderbird 2.0.0.9 with Enigmail 0.95.6 - Primary key A57A8EFA - Signing subkey 855B83EF From sattva at pgpru.com Sat Jan 19 14:38:50 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 19 Jan 2008 19:38:50 +0600 Subject: Keyservers mangle with subkey binding sigs In-Reply-To: <4791EC5C.1080007@mac.com> References: <4791D87A.7060001@pgpru.com> <4791EC5C.1080007@mac.com> Message-ID: <4791FD6A.7090808@pgpru.com> Charly Avital wrote on 19.01.2008 18:26: > Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM: > [...] > | Here for example (in the bottom) you may see two subkeys with binding > | signatures expired at 2007-12-31: > | > http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex > > So it is. > > | But if you look at the original copy you'll see that all regenerated > | sigs are in place: > | http://www.vladmiller.info/contacts/openpgp.txt > > After importing that keyblock: [snip] > [name]$ gpg --edit-key 8443620A > gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > > pub 4096R/8443620A created: 2006-12-21 expires: never usage: SC > ~ trust: unknown validity: unknown . vvvvvvvvvvvvvvvvvvv > sub 2048R/070E0B73 created: 2006-12-21 expires: 2010-01-01 usage: S > sub 2048R/7D57ED51 created: 2006-12-21 expires: 2010-01-01 usage: E . ^^^^^^^^^^^^^^^^^^^ So here's an explicit distinction between what we got from a keyserver and from the gpg output. [snip] > In my system now: > > I have not signed your key And you should not. -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From ggreenberg at responsys.com Fri Jan 18 07:09:04 2008
From: ggreenberg at responsys.com (Gary Greenberg) Date: Thu, 17 Jan 2008 22:09:04 -0800 Subject: Why gpg complains? Message-ID: <117D13228FBF5442A8D54364B3FCBFD0029736@tomcat.us.responsys.com> I imported into GPG public keys that were generated by another application. Keys were accepted with no problem but when I am trying to encrypt with these keys GPG gives me the following: C:\Program Files\GNU\GnuPG>gpg -a -r utest3 -o C:\sites\local\dig\test33.csv.gpg -e C:\sites\local\dig\loadSample.csv gpg: 4985F643: There is no assurance this key belongs to the named user pub 1024R/4985F643 2008-01-16 utest3 Primary key fingerprint: 1113 FC70 96BC DA77 E113 9805 F426 E5B2 4985 F643 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y I did type 'Y' and file was successfully encrypted and later similarly successfully decrypted. Can someone tell me why it complains and how can I make GPG happy? Thank you, Gary P.S. Please CC me in your response, as I am not subscribed to that list. From gonzalob at gonz0.com.ar Sat Jan 19 16:21:54 2008
From: gonzalob at gonz0.com.ar (Gonzalo Bermúdez) Date: Sat, 19 Jan 2008 13:21:54 -0200 Subject: Why gpg complains? In-Reply-To: <117D13228FBF5442A8D54364B3FCBFD0029736@tomcat.us.responsys.com> References: <117D13228FBF5442A8D54364B3FCBFD0029736@tomcat.us.responsys.com> Message-ID: <1200756114.4132.14.camel@gonzalo.b.home.local> GnuPG is warning you since you seem to have not signed the key. If you trust the key (i.e. you are sure to a reasonable degree that the key owner is who he claims to be), then you should sign it and the warning will go away. To do so from the command line: gpg --edit-key > sign (1) > save (1) This step's output depends on some local config, so follow the onscreen instructions. This is a mini, nano, really short HOWTO. Before doing any of this you should read and understand the GnuPG Privacy Handbook (http://gnupg.org/documentation/guides.en.html), after which all will be clearer. On Thu, 2008-01-17 at 22:09 -0800, Gary Greenberg wrote: > I imported into GPG public keys that were generated by another > application. > > Keys were accepted with no problem but when I am trying to encrypt > with these keys GPG gives me the following: > > > > C:\Program Files\GNU\GnuPG>gpg -a -r utest3 -o C:\sites\local\dig > \test33.csv.gpg > > -e C:\sites\local\dig\loadSample.csv > > gpg: 4985F643: There is no assurance this key belongs to the named > user > > > > pub 1024R/4985F643 2008-01-16 utest3 > > Primary key fingerprint: 1113 FC70 96BC DA77 E113 9805 F426 E5B2 > 4985 F643 > > > > It is NOT certain that the key belongs to the person named > > in the user ID. If you *really* know what you are doing, > > you may answer the next question with yes. > > > > Use this key anyway? (y/N) y > > > > I did type 'Y' and file was successfully encrypted and later similarly > successfully decrypted. > > Can someone tell me why it complains and how can I make GPG happy? > > Thank you, > > Gary > > > > P.S.
Please CC me in your response, as I am not subscribed to that > list. -- Saludos Gonzalo From shavital at mac.com Sat Jan 19 18:31:44 2008 From: shavital at mac.com (Charly Avital) Date: Sat, 19 Jan 2008 12:31:44 -0500 Subject: Keyservers mangle with subkey binding sigs In-Reply-To: <4791FD6A.7090808@pgpru.com> References: <4791D87A.7060001@pgpru.com> <4791EC5C.1080007@mac.com> <4791FD6A.7090808@pgpru.com> Message-ID: <47923400.9020101@mac.com> Vlad "SATtva" Miller wrote the following on 1/19/08 8:38 AM: [...] > > So here's an explicit distinction between what we got from a keyserver > and from the gpg output. As far as I am concerned, that's what I got from the keyserver I used, yes. I believe posted that: "I'm not too deep into subkeys, but I just downloaded your key 0x8443620A from a keyserver and it had two subkeys 0x070E0B73 and 0x7D57ED51 both valid till 1.1.2010. But the self-signs on all the different Sub-IDs are expired on 5.1.2008. All this didn't change when I imported the key from www.vladmiller.info So my hint is to sign all the IDs too." > [snip] >> In my system now: >> >> I have not signed your key > > And you should not. Thank you for telling me what I should not, I know the protocol. There is such a thing named 'local sign', that makes a local signature non-exportable, not that I intend to upload your key, that just isn't done. As I indicated in my complete post, I signed (local signature) just in order to find out whether it would make the interrogation point on your *second* "photo" go away, which it didn't, not unexpectedly. Best regards, Charly From me at greenest.org Sat Jan 19 18:33:57 2008
From: me at greenest.org (me at greenest.org) Date: Sat, 19 Jan 2008 18:33:57 +0100 Subject: Fwd: is there any remote possibility to recover passphrase? Message-ID: <200801191833.57687.me@greenest.org> Hi all and thank you for GnuPG! I was wondering whether one attacker who'd be in possession of my private and public keys, my entire archive of encrypted data, and a common file which for sure is just plain the same as an encrypted one of my backup, could in some way and time recover my passphrase. Let's suppose I am a developer who shares some pieces of a project and doesn't some others, as such some of the files are plainly available to the attacker, and even if I crypt all the files at once with a strong algo and gpg, but let my keys available to the attacker, would he theoretically be able to crack my passphrase and recover all of my archive? Regards, greenest From david at miradoiro.com Sat Jan 19 19:41:23 2008 From: david at miradoiro.com (David Picón Álvarez) Date: Sat, 19 Jan 2008 19:41:23 +0100 Subject: is there any remote possibility to recover passphrase? References: <200801191833.57687.me@greenest.org> Message-ID: <000b01c85aca$e44c2bf0$c1413cd5@Nautilus> When in doubt, use brute force. So, the answer is, it depends on the strength of your passphrase. --David. From me at greenest.org Sat Jan 19 20:54:26 2008
From: me at greenest.org (me at greenest.org) Date: Sat, 19 Jan 2008 20:54:26 +0100 Subject: is there any remote possibility to recover passphrase? In-Reply-To: <000b01c85aca$e44c2bf0$c1413cd5@Nautilus> References: <200801191833.57687.me@greenest.org> <000b01c85aca$e44c2bf0$c1413cd5@Nautilus> Message-ID: <200801192054.27397.me@greenest.org> 19:41 (Saturday), David Picón Álvarez: > When in doubt, use brute force. So, the answer is, it depends on the > strength of your passphrase. > > --David. So if the strength of passphrase is something like 25 chars (a-Z,0-9,non alphanumeric) I can rest assured nobody today or in a year could possibly decrypt even someone with a distributed super calculus hardware power, is it? Thanks GnuPG is above all!!! From robbat2 at gentoo.org Sun Jan 20 00:40:39 2008
From: robbat2 at gentoo.org (Robin H. Johnson) Date: Sat, 19 Jan 2008 15:40:39 -0800 Subject: is there any remote possibility to recover passphrase? In-Reply-To: <200801192054.27397.me@greenest.org> References: <200801191833.57687.me@greenest.org> <000b01c85aca$e44c2bf0$c1413cd5@Nautilus> <200801192054.27397.me@greenest.org> Message-ID: <20080119234039.GS5504@curie-int.orbis-terrarum.net> On Sat, Jan 19, 2008 at 08:54:26PM +0100, me at greenest.org wrote: > 19:41 (Saturday), David Picón Álvarez: > > When in doubt, use brute force. So, the answer is, it depends on the > > strength of your passphrase. > > > > --David. > So if the strength of passphrase is something like 25 chars (a-Z,0-9,non > alphanumeric) I can rest assured nobody today or in a year could possibly > decrypt even someone with a distributed super calculus hardware power, is it? > Thanks Reduce the input size smartly if you know some parts of your own passphrase. I had to do that a while ago after a bad bit of mistyping (don't set a passphrase on a brand new keyboard with a slightly different layout than you are used to). -- Robin Hugh Johnson Gentoo Linux Developer & Infra Guy E-Mail : robbat2 at gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 From rjh at sixdemonbag.org Sun Jan 20 03:12:09 2008
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 19 Jan 2008 20:12:09 -0600 Subject: Fwd: is there any remote possibility to recover passphrase? In-Reply-To: <200801191833.57687.me@greenest.org> References: <200801191833.57687.me@greenest.org> Message-ID: <4792ADF9.3000102@sixdemonbag.org> me at greenest.org wrote: > gpg, but let my keys available to the attacker, would he theoretically be able > to crack my passphrase and recover all of my archive? Yes. Please note how you qualified that: /theoretically./ In practice, given a good passphrase, this is highly nontrivial. From rjh at sixdemonbag.org Sun Jan 20 03:14:36 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 19 Jan 2008 20:14:36 -0600 Subject: is there any remote possibility to recover passphrase? In-Reply-To: <200801192054.27397.me@greenest.org> References: <200801191833.57687.me@greenest.org> <000b01c85aca$e44c2bf0$c1413cd5@Nautilus> <200801192054.27397.me@greenest.org> Message-ID: <4792AE8C.1020302@sixdemonbag.org> me at greenest.org wrote: > So if the strength of passphrase is something like 25 chars (a-Z,0-9,non > alphanumeric) I can rest assured nobody today or in a year could possibly > decrypt even someone with a distributed super calculus hardware power, is it? Depends. English text has about 1.5 bits of entropy per glyph, so this is about 37 bits of entropy, assuming English text. That can be exhausted via brute force. If the passphrase is totally random, then you're looking at about 150 bits of entropy, which is impractical to exhaust via brute force, ever. As with so many things in crypto, the answer here is "it depends." From sattva at pgpru.com Mon Jan 21 13:32:48 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Mon, 21 Jan 2008 18:32:48 +0600 Subject: [Enigmail] Keyservers mangle with subkey binding sigs - FIXED (was Re: Sub-Key Look-Up) In-Reply-To: <479104F3.5040606@pgpru.com> References: <4790DD0E.2010502@bellsouth.net> <479104F3.5040606@pgpru.com> Message-ID: <479490F0.6060908@pgpru.com> Vlad "SATtva" Miller wrote on 19.01.2008 01:58: [snip] > Both subkeys have expired in the end of the last year, but I've chosen > not to generate new and to simply extend life of existing subkeys for > another few years, so I've re-signed them with extended expiration date > and updated to keyservers. A few days later one of my correspondents > contacted me saying that my key is expired and unusable. I've looked at > keyservers, and was very surprised that they're not reflecting the > changes made! > > Here for example (in the bottom) you may see two subkeys with binding > signatures expired at 2007-12-31: > http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex Many thanks for all input. The problem disappeared in the same way it was encountered. Another attempt to search keyservers showed that everything is fine now, both subkeys have all the most recent 0x18 binding sigs. I can't discount the fact that it was I messing here something badly, however this is quite unlikely... Cheers, -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From bhagany at gofox.com Mon Jan 21 17:02:02 2008
From: bhagany at gofox.com (Brent Hagany) Date: Mon, 21 Jan 2008 10:02:02 -0600 Subject: Exit code 2 from PHP script In-Reply-To: <4791D0E0.3070203@pgpru.com> References: <4791D0E0.3070203@pgpru.com> Message-ID: Apologies for the delay, it was a busy weekend. > You don't have to specify full path to the executable if it's in your > system PATH. I'm aware, I just thought it would head off the "make sure it's in your path" suggestions. Anyway, I tried system(); it gave the same result, so I went about playing with proc_open() like so: $message = "This is a test message"; $process = proc_open("/usr/bin/gpg", array(0 => array("pipe","r"), 1 => array("pipe","w"), 2 => array("file","errors.log","a")), $pipes); if(is_resource($process)) { fwrite($pipes[0], "--list-keys --homedir=/home/daemon"); fclose($pipes[0]); echo stream_get_contents($pipes[1]); fclose($pipes[1]); echo proc_close($process); } This still doesn't work, but at least I get a somewhat helpful error message in the log file: gpg: fatal: can't create directory `//.gnupg': Permission denied secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 Anybody know why it's trying to write to /, and how to stop it? I tried adding the --homedir flag above, but that did not work. Also, this is my first time using proc_open(), so I'm not sure that my usage is 100% correct. Thanks much, Brent -----Original Message----- 
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Vlad "SATtva" Miller Sent: Saturday, January 19, 2008 4:29 AM To: Gnupg-users Subject: Re: Exit code 2 from PHP script Brent Hagany wrote on 19.01.2008 02:39: > Hello, > > This issue has been addressed several times on this list, but after > several hours of searching, I cannot find a solution that works for me. > Here's a simple test case that I cannot get to work: > > $out = exec("/usr/bin/gpg --list-keys",$output,$return); > > This, and everything like it, except "gpg --help" returns an exit code > of 2, with nothing in the output. > > Ultimately, I want to encrypt a message and then email it, but I reduced > it to this simple case in an attempt to get it to work. Now, some other > things: I can successfully do pretty much anything with gpg by running a > PHP script from the command line, as the same user that Apache runs > under (daemon, on my machine). I have changed the permissions on > everything in daemon's .gnupg folder to 777. I have confirmed that the > path to gpg is correct. I've also tried every flag that looks like it > might remotely be of use. Does anybody have any ideas about something > else I could try? I feel like I've pretty much ruled out user-related > and permission-related problems - what are the other candidates for the > source of this kind of thing? You don't have to specify full path to the executable if it's in your system PATH. As to the specific problem, try to use system() instead of exec(), however if playing with process handles doesn't scare you, consider proc_open(). > Thanks for taking the time, I appreciate it. > > Brent -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From bhagany at gofox.com Mon Jan 21 20:10:12 2008
From: bhagany at gofox.com (Brent Hagany) Date: Mon, 21 Jan 2008 13:10:12 -0600 Subject: Exit code 2 from PHP script In-Reply-To: References: <4791D0E0.3070203@pgpru.com> Message-ID: I have found and corrected the problem: it should be "--homedir=/home/daemon/.gnupg". Also, for some reason, setting GNUPGHOME directly does not work. Getting a useful error message was a great help. Thanks again, Vlad. From aolsen at standard.com Tue Jan 22 00:15:22 2008
From: aolsen at standard.com (Alan Olsen) Date: Mon, 21 Jan 2008 15:15:22 -0800 Subject: IDEA licensing issues Message-ID: <92A893260738B0408497A64189BC1E62032CE45D@MSEXCHANGE305.corp.standard.com> I have been trying to find what it takes to get a license for using IDEA with gpg. All attempts to connect to www.mediacrypt.com have been unsuccessful. Anyone know what is going on with this company? Thanks. From rjh at sixdemonbag.org Tue Jan 22 00:23:21 2008
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 21 Jan 2008 17:23:21 -0600 Subject: IDEA licensing issues In-Reply-To: <92A893260738B0408497A64189BC1E62032CE45D@MSEXCHANGE305.corp.standard.com> References: <92A893260738B0408497A64189BC1E62032CE45D@MSEXCHANGE305.corp.standard.com> Message-ID: <47952969.4070407@sixdemonbag.org> Alan Olsen wrote: > I have been trying to find what it takes to get a license for using > IDEA with gpg. The first question is why you need IDEA in the first place. It's a usable cipher, but it's hardly a paragon of modern design. Better than brute force attacks exist against at least 4.5 of its eight rounds, and more may have been discovered since I last read the literature. Assuming you need IDEA, the last I heard the terms of the patent license involved it being free for noncommercial use. The easiest way to get a license for IDEA for commercial use--and probably the cheapest--is to buy a copy of the lowest-end PGP product. Presto, you have a license to use IDEA for commercial purposes. Compile the idea.c code, drop it in GnuPG, and you're off to the races. Warning: I am not an IP lawyer, I am not even the equivalent of a drunk IP lawyer. Consult your own legal counsel. From dshaw at jabberwocky.com Tue Jan 22 15:11:24 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jan 2008 09:11:24 -0500 Subject: IDEA licensing issues In-Reply-To: <47952969.4070407@sixdemonbag.org> References: <92A893260738B0408497A64189BC1E62032CE45D@MSEXCHANGE305.corp.standard.com> <47952969.4070407@sixdemonbag.org> Message-ID: <20080122141124.GB13078@jabberwocky.com> On Mon, Jan 21, 2008 at 05:23:21PM -0600, Robert J. Hansen wrote: > Alan Olsen wrote: >> I have been trying to find what it takes to get a license for using >> IDEA with gpg. > > The first question is why you need IDEA in the first place. It's a usable > cipher, but it's hardly a paragon of modern design. Better than brute > force attacks exist against at least 4.5 of its eight rounds, and more may > have been discovered since I last read the literature. Indeed. Pretty much the only reason to use IDEA in the OpenPGP context in this day and age is because you want some level of compatibility with PGP 2.x or are similarly being forced into it for other (non-crypto) reasons. I try hard to stay out of the newer=better discussions, but I believe it is safe to say that AES is "better" than IDEA for pretty much any crypto criteria you'd normally use, and most of the non-crypto criteria as well. Plus, you don't need a license for it. > Assuming you need IDEA, the last I heard the terms of the patent license > involved it being free for noncommercial use. It looks like the Mediacrypt people are having some problems. www.mediacrypt.com is down and idea (@) mediacrypt.com bounces. David From bjr149 at hotmail.com Mon Jan 21 22:07:10 2008
From: bjr149 at hotmail.com (bjr149) Date: Mon, 21 Jan 2008 13:07:10 -0800 (PST) Subject: GPG Home Directory Message-ID: <15006448.post@talk.nabble.com> I can't seem to get the directory to change where gpg looks for the keyring files. I ran the following C:\GNUPG>gpg --homedir C:\GNUPG\ gpg: keyring `C:/GNUPG/\secring.gpg' created gpg: keyring `C:/GNUPG/\pubring.gpg' created gpg: Go ahead and type your message ... Then when I run --list-keys it still points to the original directory. C:\GNUPG>gpg --list-keys C:/Documents and Settings/webmethods/Application Data/gnupg\pubring.gpg -------------------------------------------------------------------------------- What am I doing wrong? Thanks. From sattva at pgpru.com Tue Jan 22 18:28:34 2008 From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Tue, 22 Jan 2008 23:28:34 +0600 Subject: Exit code 2 from PHP script In-Reply-To: References: <4791D0E0.3070203@pgpru.com> Message-ID: <479627C2.7070009@pgpru.com> Brent Hagany wrote on 22.01.2008 01:10: > I have found and corrected the problem: it should be > "--homedir=/home/daemon/.gnupg". Also, for some reason, setting > GNUPGHOME directly does not work. > > Getting a useful error message was a great help. Thanks again, Vlad. Glad to help you. I'm using similar scheme in a couple of web applications, and was unaware that not specifying a --homedir could lead to such problems. > -----Original Message-----
> From: gnupg-users-bounces+bhagany=gofox.com at gnupg.org > [mailto:gnupg-users-bounces+bhagany=gofox.com at gnupg.org] On Behalf Of > Brent Hagany > Sent: Monday, January 21, 2008 10:02 AM > To: Gnupg-users > Subject: RE: Exit code 2 from PHP script > > Apologies for the delay, it was a busy weekend. > >> You don't have to specify full path to the executable if it's in your >> system PATH. > > I'm aware, I just thought it would head off the "make sure it's in your > path" suggestions. > > Anyway, I tried system(); it gave the same result, so I went about > playing with proc_open() like so: > > $message = "This is a test message"; > $process = proc_open("/usr/bin/gpg", > array(0 => array("pipe","r"), > 1 => array("pipe","w"), > 2 => array("file","errors.log","a")), > $pipes); > > if(is_resource($process)) { > fwrite($pipes[0], "--list-keys --homedir=/home/daemon"); > fclose($pipes[0]); > > echo stream_get_contents($pipes[1]); > fclose($pipes[1]); > > echo proc_close($process); > } > > This still doesn't work, but at least I get a somewhat helpful error > message in the log file: > > gpg: fatal: can't create directory `//.gnupg': Permission denied > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 [snip] -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From John at Mozilla-Enigmail.org Tue Jan 22 21:04:02 2008
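The gpg call discussed in the "Exit code 2 from PHP script" thread above, as an added example that is not code from any of the posters: options, including --homedir, go on gpg's command line, stdin carries data only, stderr is kept for diagnosis, and the home directory's ownership and mode are checked first. The function names gnupg_home_problems and run_gpg are hypothetical; the gpg and home directory paths are the ones quoted in the thread.

```php
<?php
// Added example; not code from the thread. Function names are hypothetical.

/**
 * Report problems with a GnuPG home directory before a web process uses it.
 * GnuPG itself warns when the directory is accessible to other users, so a
 * mode such as 0777 is flagged here.
 */
function gnupg_home_problems(string $homedir): array
{
    if (!is_dir($homedir)) {
        return ["$homedir does not exist or is not a directory"];
    }
    $problems = [];
    $mode = fileperms($homedir) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('%s has mode %04o, expected 0700', $homedir, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($homedir) !== posix_geteuid()) {
        $problems[] = "$homedir is not owned by the user PHP runs as";
    }
    return $problems;
}

/**
 * Run gpg with an explicit home directory and return exit status, stdout
 * and stderr. $input is written to gpg's stdin and should be small (a short
 * message), since stdout is only read after stdin has been closed.
 */
function run_gpg(string $gpg, string $homedir, array $args, string $input = ''): array
{
    // Every option is a separate, escaped command-line argument.
    $argv = array_merge([$gpg, '--batch', '--no-tty', '--homedir', $homedir], $args);
    $cmd  = implode(' ', array_map('escapeshellarg', $argv));

    // stderr goes to a temporary file so that reading stdout cannot block
    // on a full stderr pipe.
    $errFile = tmpfile();
    if ($errFile === false) {
        throw new RuntimeException('could not create a temporary file for stderr');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => $errFile];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        fclose($errFile);
        throw new RuntimeException("could not start $gpg");
    }

    fwrite($pipes[0], $input);
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);

    rewind($errFile);
    $stderr = stream_get_contents($errFile);
    fclose($errFile);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

$home = '/home/daemon/.gnupg';            // path given in the thread
foreach (gnupg_home_problems($home) as $problem) {
    error_log("gpg homedir: $problem");
}

$result = run_gpg('/usr/bin/gpg', $home, ['--list-keys']);
if ($result['status'] !== 0) {
    // Log gpg's own message instead of a bare exit code.
    error_log("gpg exited with {$result['status']}: {$result['stderr']}");
}
echo $result['stdout'];
```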
From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 22 Jan 2008 14:04:02 -0600 Subject: GPG Home Directory In-Reply-To: <15006448.post@talk.nabble.com> References: <15006448.post@talk.nabble.com> Message-ID: <47964C32.1090300@Mozilla-Enigmail.org> bjr149 wrote: > I can't seem to get the directory to change where gpg looks for the keyring > files. > > I ran the following > > C:\GNUPG>gpg --homedir C:\GNUPG\ > gpg: keyring `C:/GNUPG/\secring.gpg' created > gpg: keyring `C:/GNUPG/\pubring.gpg' created > gpg: Go ahead and type your message ... > > Then when I run --list-keys it still points to the original directory. > > C:\GNUPG>gpg --list-keys > C:/Documents and Settings/webmethods/Application Data/gnupg\pubring.gpg > -------------------------------------------------------------------------------- > > > What am I doing wrong? Not telling us your overall goal in changing from the defaults is usually the first part of that answer - it requires responders to divine your intentions (I'm low on tea leaves and n00b entrails aren't as easy to obtain as they used to be). Using --homedir will require that you specify it each and every time you issue a gpg command. Alternatively, you could leave gpg.conf in %APPDATA%\GnuPG and redirect GnuPG to the alternate location for the keyring and trustdb files. (This is the approach I use with removable media and IMHO the most sensible.) Just for reference, here's a relevant chunk of docs\README.W32 (README-W32.txt) which the installer includes with the binaries: Home directory: =============== GnuPG makes use of a per user home directory to store its keys as well as configuration files. The default home directory is a directory named "gnupg" below the application data directory of the user. This directory will be created if it does not exist. Being only a default, it may be changed by setting the name of the home directory into the Registry under the key HKEY_CURRENT_USER\Software\GNU\GnuPG using the name "HomeDir".
If an environment variable "GNUPGHOME" exists, this even overrides the registry setting. The command line option "--homedir" may be used to override all other settings of the home directory. and the file NEWS (docs\NEWS.txt) in the section for 1.4.1 gives the search algorithm: * [W32] The algorithm for the default home directory changed: First we look at the environment variable GNUPGHOME, if this one is not set, we check whether the registry entry {HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this fails we use a GnuPG directory below the standard application data directory (APPDATA) of the current user. Only in the case that this directory cannot be determined, the old default of c:\gnupg will be used. The option --homedir still overrides all of them. So to use C:\GNUPG, you may (select one) a) set a user-level environment variable, GNUPGHOME b) edit the registry value HKCU\Software\GNU\GnuPG:HomeDir c) edit the registry to remove any reference to Software\GNU\GnuPG:HomeDir in both HKCU and HKLM. It looks like you might need to also remove the %APPDATA%\GnuPG directory. Praying the fall through logic never changes would probably also be beneficial. There's not a lot to gain from using C:\GNUPG which is one of the reasons it was changed for the installer. Ditto the executables in \Program Files\Gnu\GnuPG. There is, however, an amount to say against using it, especially on a multiuser machine. If all you are attempting to do is examine a server process' keyring, you want to look at the command line options --no-default-keyring and --keyring -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" 
From SeidlS at schneider.com Tue Jan 22 18:46:59 2008 From: SeidlS at schneider.com (SeidlS at schneider.com) Date: Tue, 22 Jan 2008 11:46:59 -0600 Subject: GPG Home Directory In-Reply-To: <15006448.post@talk.nabble.com> Message-ID: Are you running this as 2 separate commands? It needs to be just one command like: C:\GNUPG>gpg --homedir C:\GNUPG\ --list-keys Thanks From: bjr149 Sent by: gnupg-users-bounces at gnupg.org To: gnupg-users at gnupg.org Date: 01/21/2008 03:07 PM Subject: GPG Home Directory I can't seem to get the directory to change where gpg looks for the keyring files. I ran the following C:\GNUPG>gpg --homedir C:\GNUPG\ gpg: keyring `C:/GNUPG/\secring.gpg' created gpg: keyring `C:/GNUPG/\pubring.gpg' created gpg: Go ahead and type your message ... Then when I run --list-keys it still points to the original directory. C:\GNUPG>gpg --list-keys C:/Documents and Settings/webmethods/Application Data/gnupg\pubring.gpg -------------------------------------------------------------------------------- What am I doing wrong? Thanks. From vedaal at hush.com Wed Jan 23 01:12:46 2008
From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 22 Jan 2008 19:12:46 -0500 Subject: new key Message-ID: <20080123001246.8CBCB2003A@mailserver7.hushmail.com> have finally decided to upgrade my v4 key, as the old one was a vintage v4 key, with a signing and encrypting subkey, which i couldn't get to backsign the primary key, # so have generated a new rsa v4 key using gnupg 1.4.8, signed it with my two other keys, and posted it here: http://www.angelfire.com/pr/pgpf/mykeys.html # it is the third key listed, pub 4096R/D35FB186 1/22/2008 vedaal nistar (no subkeys // same key for both signing and encrypting) Primary key fingerprint: C982 4216 3053 B6F3 62F2 7DC0 506F 4FA1 D35F B186 # am signing this message with all 3 of my keys # vedaal From volker at ixolution.de Wed Jan 23 01:24:18 2008 From: volker at ixolution.de (Volker Dormeyer) Date: Wed, 23 Jan 2008 01:24:18 +0100 Subject: Decryption using Smartcard using CCID and PCSCD driver In-Reply-To: <200712102155.13128.volker@ixolution.de> References: <200711010807.26154.volker@ixolution.de> <8763z6pnec.fsf@wheatstone.g10code.de> <200712102155.13128.volker@ixolution.de> Message-ID: <200801230124.18960.volker@ixolution.de> * On Monday 10 December 2007 21:55:12, * Volker Dormeyer wrote: > I plan to try the version in SVN within the next days. Although I am very late, I was able to test decryption with GnuPG 1.4.8/2.0.8. I can confirm, decryption is working fine, now. > * On Monday 10 December 2007 16:42:03, > * Werner Koch wrote: > > it took quite some time but I fixed it today. The solution is in the > > SVN and will go into 1.4.8 and 2.0.8. Both to be released before > > Christmas. Thanks and regards, Volker From vedaal at hush.com Wed Jan 23 01:26:06 2008
From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 22 Jan 2008 19:26:06 -0500 Subject: new key // sorry, bad sig Message-ID: <20080123002607.6FD5E2003C@mailserver7.hushmail.com> sorry, forgot that this list changes the email address by replacing the @ with the word 'at' so the previous clearsigned post came out bad, ;-(( am trying again: have finally decided to upgrade my v4 key, as the old one was a vintage v4 key, with a signing and encrypting subkey, which i couldn't get to backsign the primary key, # so have generated a new rsa v4 key using gnupg 1.4.8, signed it with my two other keys, and posted it here: http://www.angelfire.com/pr/pgpf/mykeys.html # it is the third key listed, pub 4096R/D35FB186 1/22/2008 vedaal nistar (no subkeys // same key for both signing and encrypting) [vedaal at hush.com] Primary key fingerprint: C982 4216 3053 B6F3 62F2 7DC0 506F 4FA1 D35F B186 # am signing this message with all 3 of my keys # vedaal From Marshall.McDougall at gov.mb.ca Wed Jan 23 18:42:36 2008
From: Marshall.McDougall at gov.mb.ca (McDougall, Marshall (STEM)) Date: Wed, 23 Jan 2008 11:42:36 -0600 Subject: IDEA Message-ID: Hi All. First post....be gentle :-} I have a RHEL server and I am having difficulty decrypting a pgp encrypted file. Near as I can tell, I need the IDEA cipher. [user at myserver]# gpg --decrypt myfile.txt gpg: protection algorithm 1 (IDEA) is not supported gpg: the IDEA cipher plugin is not present gpg: please see http://www.gnupg.org/why-not-idea.html for more information gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13 "one_of_my_keys" gpg: public key decryption failed: unknown cipher algorithm gpg: decryption failed: secret key not available I roamed around the GNUPG site and found the "idea.c.gz" downloads, but the instructions allude to directories that don't exist on my server. Has anyone added IDEA to an existing canned redhat installation? I am open to any suggestion. Thanks. Regards, Marshall From alon.barlev at gmail.com Wed Jan 23 20:08:54 2008
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 23 Jan 2008 21:08:54 +0200 Subject: IDEA In-Reply-To: References: Message-ID: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> You can use Gentoo patches... For libgcrypt: http://gentoo.osuosl.org/distfiles/libgcrypt-1.4.0-idea.diff.bz2 For gnupg-2: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.4-idea.patch?rev=1.1&view=markup Alon. On 1/23/08, McDougall, Marshall (STEM) wrote: > > > > Hi All. > > First post....be gentle :-} > > I have a RHEL server and I am having difficulty decrypting a pgp encrypted > file. Near as I can tell, I need the IDEA cipher. > > [user at myserver]# gpg --decrypt myfile.txt > gpg: protection algorithm 1 (IDEA) is not supported > gpg: the IDEA cipher plugin is not present > gpg: please see > http://www.gnupg.org/why-not-idea.html > for more information > gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13 > "one_of_my_keys" > gpg: public key decryption failed: unknown cipher algorithm > gpg: decryption failed: secret key not available > > I roamed around the GNUPG site and found the "idea.c.gz" downloads, but the > instructions allude to directories that don't exist on my server. Has > anyone added IDEA to an existing canned redhat installation? I am open to > any suggestion. Thanks. > > Regards, Marshall > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From tmz at pobox.com Wed Jan 23 20:47:27 2008 
From: tmz at pobox.com (Todd Zullinger) Date: Wed, 23 Jan 2008 14:47:27 -0500 Subject: IDEA In-Reply-To: References: Message-ID: <20080123194727.GC3136@inocybe.teonanacatl.org> McDougall, Marshall (STEM) wrote: > Hi All. > > First post....be gentle :-} > > I have a RHEL server and I am having difficulty decrypting a pgp > encrypted file. Near as I can tell, I need the IDEA cipher. > > [user at myserver]# gpg --decrypt myfile.txt > gpg: protection algorithm 1 (IDEA) is not supported > gpg: the IDEA cipher plugin is not present > gpg: please see http://www.gnupg.org/why-not-idea.html for more > information > gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13 > "one_of_my_keys" > gpg: public key decryption failed: unknown cipher algorithm > gpg: decryption failed: secret key not available > > I roamed around the GNUPG site and found the "idea.c.gz" downloads, but > the instructions allude to directories that don't exist on my server. > Has anyone added IDEA to an existing canned redhat installation? I am > open to any suggestion. Thanks. You can rebuild the gnupg srpm and add idea. A few small changes to the spec file (like in the attached diff) should do what you want. A better solution would be to have sender encrypt the file to you using a cipher that you can use without any patents or other encumbrances. Does your key have a cipher pref for IDEA? If so, you should fix that so other people don't encrypt things to you that you can't easily decrypt. You can view your prefs with: $ gpg --edit-key C0A298D3 showpref quit -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I never met a morphosis I didn't like. -------------- next part -------------- --- gnupg.spec~ 2007-03-01 07:47:37.000000000 -0500 +++ gnupg.spec 2008-01-23 14:40:16.000000000 -0500 
@@ -1,12 +1,13 @@ Summary: A GNU utility for secure communication and data storage. Name: gnupg Version: 1.4.5 -Release: 13 +Release: 13.1 License: GPL Group: Applications/System Source0: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2 Source1: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig Source2: gnupg-shm-coprocessing.expect +Source3: ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz Patch0: gnupg-1.4.1-gcc.patch Patch1: gnupg-1.4.2-curl.patch Patch2: gnupg-1.4.5-CVE-2006-6169.patch @@ -42,6 +43,7 @@ %patch4 -p0 -b .CVE-2006-6235 popd %patch5 -p2 -b .multiple-message +gunzip -c %{SOURCE3} > cipher/idea.c autoreconf %build @@ -109,6 +111,9 @@ %{_mandir}/man7/* %changelog +* Wed Jan 23 2008 Todd Zullinger - 1.4.5-13.1 +- include the IDEA cipher + * Thu Mar 1 2007 Nalin Dahyabhai - 1.4.5-13 - incorporate patch from Werner to work around clients which can't tell that multiple plain messages have been processed (#230457) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available URL: From telegraph at gmx.net Thu Jan 24 14:35:21 2008 
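Review bot: Source3 in the first hunk is fetched over plain FTP from ftp.gnupg.dk with nothing to check it against, while Source0 has its detached signature listed as Source1. Because the second hunk unpacks this file straight into cipher/idea.c, record a known-good checksum for idea.c.gz and verify it in %prep before the gunzip line, and build from a local copy in SOURCES rather than trusting the mirror at build time.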
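Review bot: the `gunzip -c %{SOURCE3} > cipher/idea.c` line in the %prep hunk has no comment and relies on the working directory being the top of the unpacked tree after the preceding `popd`. Add a one-line comment saying why the file is dropped into cipher/ before `autoreconf`, so the next person editing %prep does not reorder or remove it by accident.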
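Review bot: the %changelog entry "include the IDEA cipher" does not say where the code comes from or why this local 13.1 build exists. Name Source3 and the reason in the entry, and reconsider the unchanged `License: GPL` tag from the first hunk, since the same mail describes IDEA as carrying patents or other encumbrances; someone auditing the package later needs to tell it apart from the vendor's 1.4.5-13.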
From: telegraph at gmx.net (Gregor Zattler)
Date: Thu, 24 Jan 2008 14:35:21 +0100
Subject: turning off gpg-agent
In-Reply-To: <2adb28b10801181329p6443ccdcu696fbbf58bf0afdc@mail.gmail.com>
References: <2adb28b10801181329p6443ccdcu696fbbf58bf0afdc@mail.gmail.com>
Message-ID: <20080124133521.GC6284@pit>

Hi Shane,

* shane howard [19. Jan. 2008]:
> but as it is i don't want this functionality, i would prefer to
> enter my pass phrase every time. The question is, how do i stop
> gpg from trying to contact the agent? I did have a look in
> ~/.gnupg?gpg.conf for the line user-agent to take it out of
> there, but it's not in there

It's "use-agent", not "user-agent". If you want to disable the agent put

no-use-agent

in gpg.conf

This is described in the gpg man page, on the command line do:

man gpg

search for "agent".

Ciao, Gregor
--
 -... --- .-. . -.. ..--.. ...-.-

From bernhard at intevation.de Thu Jan 24 14:43:09 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 24 Jan 2008 14:43:09 +0100
Subject: GnuPG Summer Riddle 2007
Message-ID: <200801241443.13838.bernhard@intevation.de>

Interested in sharpening your intellect with a strange Gnupg effect? Check out the:

http://ftp.intevation.de/users/bernhard/gnupg/gnupg-summer-riddle-2007/

Happy hacking,
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From narkewoody at gmail.com Thu Jan 24 14:38:33 2008
From: narkewoody at gmail.com (Steven Woody)
Date: Thu, 24 Jan 2008 21:38:33 +0800
Subject: Need tips on how to backup my keys
Message-ID:

hi,

When one day my hard disk goes bad and I cannot access my keys, those files I encrypted for myself could never be opened by me. I don't want that, so I believe I need to make a copy of my keys (the whole of the ~/.gnupg directory, right?). But where should I keep the copy? It risks being exposed to the public if I put it on a USB disk. I'd like to hear what method you used.

thanks.

--
woody

then sun rose thinly from the sea and the old man could see the other boats, low on the water and well in toward the shore, spread out across the current.

From rjh at sixdemonbag.org Thu Jan 24 16:05:47 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 24 Jan 2008 09:05:47 -0600
Subject: Need tips on how to backup my keys
In-Reply-To:
References:
Message-ID: <4798A94B.900@sixdemonbag.org>

Steven Woody wrote:
> the whole of ~/.gnupg directory, right?

Yep.

> But where should I keep the copy?

I keep mine in a safe deposit box in a manila envelope addressed to my best friend. Also in the envelope are hardcopies of my private keys, my passphrase, and some instructions. In the event of my untimely death, my lawyer hands off the envelope to my best friend, who gets access to my keys and passphrase and follows the instructions I've left him.

> It risks being exposed to the public if I put it on a USB disk.

I think you are badly misunderstanding the problem. Public exposure is not a big deal as long as you have a strong passphrase on your key. With a strong passphrase you can publish it in an OCR-friendly font in a full-page ad in the _New York Times_ and feel safe in the confidentiality of your messages.

People advocate keeping your private key private and also using a strong passphrase for a simple reason. If we advocate only one, then people will screw it up and not do it at all. If we advocate both, then people can screw one up. No passphrase? No problem, as long as you keep your key secret. Share your key? No problem, as long as you have a strong passphrase.

In any case, a CD-ROM can be stolen, lost and/or misplaced just as easily as a USB drive. No matter what mechanism you use for those backups, those backups can be mislaid or taken away from you. Best to make backups and keep them somewhere it is very unlikely anyone will be able to get them.

Like I said above, I use a safe deposit box at my bank. Other people I know keep copies with their attorneys.

From yalla at fsfe.org Thu Jan 24 16:09:06 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Thu, 24 Jan 2008 16:09:06 +0100
Subject: Need tips on how to backup my keys
In-Reply-To:
References:
Message-ID: <4798AA12.4090705@fsfe.org>

Steven Woody wrote:
> hi,
[...]
> I'd like to hear what method you used.

Burned onto CD and printed out in someone else's safe (someone I trust).

> thanks.

Alex.

From m.mansfeld at mansfeld-elektronik.de Thu Jan 24 16:07:36 2008
From: m.mansfeld at mansfeld-elektronik.de (Matthias Mansfeld)
Date: Thu, 24 Jan 2008 16:07:36 +0100
Subject: Need tips on how to backup my keys
In-Reply-To:
References:
Message-ID: <4798B7C8.208.17E59215@m.mansfeld.mansfeld-elektronik.de>

On 24 Jan 2008 at 21:38, Steven Woody wrote:

> hi,
>
> When one day my hard disk goes bad and I cannot access my keys, those
> files I encrypted for myself could never be opened by me. I don't
> want that, so I believe I need to make a copy of my keys (the whole
> of the ~/.gnupg directory, right?). But where should I keep the copy?
> It risks being exposed to the public if I put it on a USB disk. I'd like
> to hear what method you used.

Not the whole directory is necessary, just export your private keys (public keys not necessary, they are included) and/or if you like, your whole keyring, store it on a floppy disk or USB-stick or CD-ROM or anywhere else or just print it out on a sheet of paper (you would be able to retype it in or OCR it again in an *.asc-File).

And don't forget to store a revocation certificate together with your backup copy together with your keys or better additionally at another location.

Even if somebody else gets your private keys, they aren't worth anything for him as long as he hasn't your passphrases.

Best wishes
Matthias
--
Matthias Mansfeld Elektronik * Leiterplattenlayout
Neithardtstr. 3, 85540 Haar; Tel.: 089/4620 093-7, Fax: -8
Internet: http://www.mansfeld-elektronik.de
GPG http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc

From jmoore3rd at bellsouth.net Thu Jan 24 17:46:42 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 24 Jan 2008 11:46:42 -0500
Subject: Need tips on how to backup my keys
In-Reply-To:
References:
Message-ID: <4798C0F2.2090900@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------- Original Message --------
Subject: Need tips on how to backup my keys
From: Steven Woody
To: gnupg-users at gnupg.org
Date: Thursday, January 24, 2008 8:38:33 AM

> When one day my hard disk goes bad and I cannot access my keys, those
> files I encrypted for myself could never be opened by me. I don't
> want that, so I believe I need to make a copy of my keys (the whole
> of the ~/.gnupg directory, right?). But where should I keep the copy?
> It risks being exposed to the public if I put it on a USB disk. I'd like
> to hear what method you used.

Speaking just for Myself; I have a 64MB SD card that I use for weekly back-ups of My pubring & secring + trust.db and which I keep in a secure, fireproof location "just in case" I ever need to recreate My GPG installation.

I do not need to back-up the entire GnuPG directory because it can be easily recreated from existing Web based Applications. The 3 items listed above are the only things I cannot restore without back-ups.

HTH

JOHN 8-)
Timestamp: Thursday 24 Jan 2008, 11:46 --500 (Eastern Standard Time)

From reynt0 at cs.albany.edu Thu Jan 24 19:56:42 2008
From: reynt0 at cs.albany.edu (reynt0) Date: Thu, 24 Jan 2008 13:56:42 -0500 (EST) Subject: Need tips on how to backup my keys In-Reply-To: References: Message-ID: On Thu, 24 Jan 2008, Steven Woody wrote: . . . > But where should I keep the copy? . . . One distinction is a place you control versus a place you don't control. For the latter, there is likely to be a distinction about how much they are like being under your own control. A bank box to which you are the only person holding a necessary key is supposed to be under your control although in someone else's location; but your box is exactly identifiable in bank records as being your stuff and the bank may have another key or the lock can be drilled. An attorney--in the USA, traditionally--is supposed to be acting as your surrogate and to be legally able to resist attempts to have the attorney act against your intentions; but probably maintains labeling of what stuff belongs to whom. A friend is just that, a personal rather than commercial relation, whom you are trusting to do what you want; for that reason may not have to identify your stuff externally as yours, relying instead on his or her own memory, and probably would be harder to identify as someone who might have stuff of yours than a bank or attorney would be (unless Google's possible attempts to do universal tracing of affinity groups are successful). In any case, a strong passphrase is like you having final control over access; and if you want to backup the passphrase, you don't have to do that with the same combination of control and identification as you use for the key info backup. From kloecker at kde.org Thu Jan 24 21:09:48 2008 
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 24 Jan 2008 21:09:48 +0100
Subject: new key // sorry, bad sig
In-Reply-To: <20080123002607.6FD5E2003C@mailserver7.hushmail.com>
References: <20080123002607.6FD5E2003C@mailserver7.hushmail.com>
Message-ID: <200801242109.51542@erwin.ingo-kloecker.de>

Hi,

on Wednesday 23 January 2008, vedaal at hush.com wrote:
> sorry,
> forgot that this list changes the email address
> by replacing the @ with the word 'at'
> so the previous clearsigned post came out bad,
> ;-((

This list doesn't do such a thing. Your messages arrived with a good signature in my inbox.

Regards,
Ingo

From Marshall.McDougall at gov.mb.ca Thu Jan 24 21:15:53 2008
From: Marshall.McDougall at gov.mb.ca (McDougall, Marshall (STEM))
Date: Thu, 24 Jan 2008 14:15:53 -0600
Subject: IDEA
In-Reply-To: <20080123194727.GC3136@inocybe.teonanacatl.org>
References: <20080123194727.GC3136@inocybe.teonanacatl.org>
Message-ID:

Thanks to all who responded. It looks like we are making the decision to dump IDEA as it's not an officially supported cipher in our environment.

Regards, Marshall

>-----Original Message-----
>From: gnupg-users-bounces at gnupg.org >[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Todd Zullinger >Sent: Wednesday, January 23, 2008 1:47 PM >To: gnupg-users at gnupg.org >Subject: Re: IDEA > >McDougall, Marshall (STEM) wrote: >> Hi All. >> >> First post....be gentle :-} >> >> I have a RHEL server and I am having difficulty decrypting a pgp >> encrypted file. Near as I can tell, I need the IDEA cipher. >> >> [user at myserver]# gpg --decrypt myfile.txt >> gpg: protection algorithm 1 (IDEA) is not supported >> gpg: the IDEA cipher plugin is not present >> gpg: please see http://www.gnupg.org/why-not-idea.html for more >> information >> gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13 >> "one_of_my_keys" >> gpg: public key decryption failed: unknown cipher algorithm >> gpg: decryption failed: secret key not available >> >> I roamed around the GNUPG site and found the "idea.c.gz" >downloads, but >> the instructions allude to directories that don't exist on my server. >> Has anyone added IDEA to an existing canned redhat >installation? I am >> open to any suggestion. Thanks. > >You can rebuild the gnupg srpm and add idea. A few small changes to >the spec file (like in the attached diff) should do what you want. > >A better solution would be to have sender encrypt the file to you >using a cipher that you can use without any patents or other >encumbrances. Does your key have a cipher pref for IDEA? If so, you >should fix that so other people don't encrypt things to you that you >can't easily decrypt. You can view your prefs with: > >$ gpg --edit-key C0A298D3 showpref quit > >-- >Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >I never met a morphosis I didn't like. > > From vedaal at hush.com Thu Jan 24 21:46:00 2008 
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 24 Jan 2008 15:46:00 -0500
Subject: new key // sorry, bad sig
Message-ID: <20080124204600.2F91F11803C@mailserver5.hushmail.com>

Ingo Klöcker kloecker at kde.org wrote on Thu Jan 24 21:09:48 CET 2008

> This list doesn't do such a thing.
>Your messages arrived with a good
>signature in my inbox.

yes, in the e-mailing it is ok

i posted the second one long before the list's digest form of the e-mail went out, and generally read the posts from the web, not by e-mail

viewing the first post on the gnupg website:
http://lists.gnupg.org/pipermail/gnupg-users/2008-January/032439.html

the sig is bad, and it is because of the protection of the e-mail addresses against spammers, changing the address form to

(btw, a considerate measure, but one which requires posters to be aware of it when clearsigning a post that includes an e-mail address)

sorry for the double posting

vedaal

From wilde at sha-bang.de Thu Jan 24 22:03:04 2008
From: wilde at sha-bang.de (Sascha Wilde)
Date: Thu, 24 Jan 2008 22:03:04 +0100
Subject: GnuPG Summer Riddle 2007 [SOLUTION]
In-Reply-To: <200801241443.13838.bernhard@intevation.de> (Bernhard Reiter's message of "Thu, 24 Jan 2008 14:43:09 +0100")
References: <200801241443.13838.bernhard@intevation.de>
Message-ID:

Bernhard Reiter wrote:

SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING

SOLUTION

SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING

> http://ftp.intevation.de/users/bernhard/gnupg/gnupg-summer-riddle-2007/

Disclaimer: as suggested in rule c) I did _not_ look at the app files and therefore did not verify my theory.

Here is my idea:

The signature provided is a text mode signature, therefore CRLF and LF are handled the same and all files only differing by these sorts of line breaks match the same signature. Even worse: the used type of line break doesn't have to be consistent within one file.

Proof of concept:

The attached files (using my favorite language) both match the same textmode signature (attached for reference, too) but yield different output:

wilde at kenny[~/tmp/gsr]% gpg2 --verify proof1.lisp.sig proof1.lisp
gpg: Signature made Thu Jan 24 21:45:40 2008 CET using DSA key ID 69115024
gpg: Good signature from "Sascha Wilde "
gpg:                 aka "Sascha Wilde "
wilde at kenny[~/tmp/gsr]% gpg2 --verify proof1.lisp.sig proof2.lisp
gpg: Signature made Thu Jan 24 21:45:40 2008 CET using DSA key ID 69115024
gpg: Good signature from "Sascha Wilde "
gpg:                 aka "Sascha Wilde "
wilde at kenny[~/tmp/gsr]% sbcl --noinform --noprint

-------------- next part --------------
A non-text attachment was scrubbed...
Name: proof2.lisp
Type: application/octet-stream
Size: 126 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proof1.lisp.sig
Type: application/octet-stream
Size: 65 bytes
-------------- next part --------------
--
Sascha Wilde - no sig today...
sorry! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 188 bytes Desc: not available URL: From kloecker at kde.org Thu Jan 24 23:10:46 2008 
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 24 Jan 2008 23:10:46 +0100
Subject: GnuPG Summer Riddle 2007 [SOLUTION]
In-Reply-To:
References: <200801241443.13838.bernhard@intevation.de>
Message-ID: <200801242310.50193@erwin.ingo-kloecker.de>

On Thursday 24 January 2008, Sascha Wilde wrote:
> Bernhard Reiter wrote:
>
> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING
>
> SOLUTION
>
> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING
>
> > http://ftp.intevation.de/users/bernhard/gnupg/gnupg-summer-riddle-2007/
>
> Disclaimer: as suggested in rule c) I did _not_ look at the app files
> and therefore did not verify my theory.
>
> Here is my idea:
>
> The signature provided is a text mode signature, therefore CRLF and
> LF are handled the same and all files only differing by these sorts
> of line breaks match the same signature. Even worse: the used type
> of line break doesn't have to be consistent within one file.

Having a quick look at RFC 2440 and the signature file ( c) talks about the application files, but not about the signature file) verifies that the signature is of type 0x01:

    0x01: Signature of a canonical text document.
          Typically, this means the signer owns it, created it, or
          certifies that it has not been modified. The signature is
          calculated over the text data with its line endings converted
          to <CR><LF> and trailing blanks removed.

So it's not just line endings but also trailing blanks.
> Proof of concept: > > The attached files (using my favorite language) both match the same > textmode signature (attached for reference, too) but yield different > output: > > wilde at kenny[~/tmp/gsr]% gpg2 --verify proof1.lisp.sig proof1.lisp > gpg: Signature made Thu Jan 24 21:45:40 2008 CET using DSA key ID > 69115024 gpg: Good signature from "Sascha Wilde " > gpg: aka "Sascha Wilde " > wilde at kenny[~/tmp/gsr]% gpg2 --verify proof1.lisp.sig proof2.lisp > gpg: Signature made Thu Jan 24 21:45:40 2008 CET using DSA key ID > 69115024 gpg: Good signature from "Sascha Wilde " > gpg: aka "Sascha Wilde " > wilde at kenny[~/tmp/gsr]% sbcl --noinform --noprint bar > wilde at kenny[~/tmp/gsr]% sbcl --noinform --noprint foo Nice. The attached files are my crude bash-based proof of concept. ingo at thufir:~/temp/gnupg-summer-riddle-2007> gpg2 --verify app4.sh.sig app4.sh gpg: Signature made Thu 24 Jan 2008 10:45:49 PM CET using DSA key ID 30E0B9D8 gpg: Good signature from "Ingo Kl?cker " gpg: aka "Ingo H. Kl?cker " gpg: aka "Ingo H. Kl?cker " ingo at thufir:~/temp/gnupg-summer-riddle-2007> gpg2 --verify app4.sh.sig app5.sh gpg: Signature made Thu 24 Jan 2008 10:45:49 PM CET using DSA key ID 30E0B9D8 gpg: Good signature from "Ingo Kl?cker " gpg: aka "Ingo H. Kl?cker " gpg: aka "Ingo H. Kl?cker " ingo at thufir:~/temp/gnupg-summer-riddle-2007> ./app4.sh Hi, I'm your app tonight. ingo at thufir:~/temp/gnupg-summer-riddle-2007> ./app5.sh Showing resistors is futile, you will be policed! Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: gsr2007-bash.tar Type: application/x-tar Size: 10240 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: This is a digitally signed message part. URL: From vedaal at hush.com Thu Jan 24 23:42:44 2008 
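The canonical-text rule quoted from RFC 2440 above, modeled as an added example (not code from this thread or from GnuPG) that shows why two different files verify under one text-mode signature and how a receiver can flag the bytes the signature does not cover. Assumptions: "blanks" are spaces and tabs, lines end in LF or CRLF, SHA-256 stands in for the signature's hash, and the sample inputs are constructed.

```python
import hashlib
import re

BLANKS = b" \t"  # assumption: "trailing blanks" means spaces and tabs


def canonical_text(data: bytes) -> bytes:
    """Canonical form as worded in the RFC 2440 quote for type 0x01:
    trailing blanks removed, every line ending written as CRLF.
    Assumption: input lines end in LF or CRLF (bare CR is not a line end)."""
    lines = re.split(rb"\r?\n", data)
    return b"\r\n".join(line.rstrip(BLANKS) for line in lines)


def covered_digest(data: bytes) -> str:
    """Digest over the bytes a text-mode signature covers.
    A real OpenPGP signature also hashes signature metadata; it is the same
    for both files being compared, so this model leaves it out."""
    return hashlib.sha256(canonical_text(data)).hexdigest()


def same_signature_different_file(a: bytes, b: bytes) -> bool:
    """True when two byte-wise different files share one canonical form,
    i.e. one text-mode signature would verify against both."""
    return a != b and canonical_text(a) == canonical_text(b)


def audit(data: bytes) -> dict:
    """Report in-file features that a text-mode signature does not protect."""
    crlf = len(re.findall(rb"\r\n", data))
    lf_only = len(re.findall(rb"(?<!\r)\n", data))
    trailing = sum(
        1 for line in re.split(rb"\r?\n", data) if line != line.rstrip(BLANKS)
    )
    return {
        "crlf_lines": crlf,
        "lf_only_lines": lf_only,
        "trailing_blank_lines": trailing,
        # Mixed endings or trailing blanks are where unsigned variation can hide.
        "ambiguous": bool((crlf and lf_only) or trailing),
    }


def require_unambiguous(data: bytes) -> bytes:
    """Receiver-side policy: refuse input carrying unsigned variation.
    The safer choice for programs is a binary (type 0x00) signature."""
    report = audit(data)
    if report["ambiguous"]:
        raise ValueError(f"text-mode signature does not cover this file: {report}")
    return data


# Constructed sample inputs (not the riddle's files).
SAMPLE_A = b"echo one\necho two\n"
SAMPLE_B = b"echo one  \r\necho two\n"   # trailing blanks plus one CRLF
SAMPLE_C = b"echo one\necho 2\n"         # a real content change

if __name__ == "__main__":
    print("A vs B share a signature:", same_signature_different_file(SAMPLE_A, SAMPLE_B))
    print("A vs C share a signature:", same_signature_different_file(SAMPLE_A, SAMPLE_C))
    print("audit(B):", audit(SAMPLE_B))
```

A file that uses only LF and one that uses only CRLF also share a canonical form, and `audit` cannot see that from a single file; comparing a digest of the raw bytes, or signing in binary mode, closes that case.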
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 24 Jan 2008 17:42:44 -0500
Subject: Need tips on how to backup my keys
Message-ID: <20080124224244.9BFEF11803D@mailserver5.hushmail.com>

Steven Woody narkewoody at gmail.com wrote on Thu Jan 24 14:38:33 CET 2008 :

>I believe I need to make a copy of my keys
>( the whole of ~/.gnupg directory, right? ).

no, just:

pubring.gpg
secring.gpg
trustdb.gpg

>But where should I keep the copy?

if you need access on a 24/7 basis, *and* you use a good random passphrase

(http://world.std.com/~reinhold/diceware.html
use at least 10 diceware words if you are planning the following,
20 words if you want the full complexity of a 256 bit symmetrical algorithm)

then you can zip the files together, and symmetrically encrypt them in armored form, and keep it in your gmail mailbox as an unsent draft

(make sure you remember your passphrase ;-))

vedaal

From alex323 at gmail.com Thu Jan 24 23:29:45 2008
From: alex323 at gmail.com (Alex)
Date: Thu, 24 Jan 2008 17:29:45 -0500
Subject: Problem with keys imported via DNS CERT
Message-ID: <20080124172945.39f76af3@mx.google.com>

Hey everyone. I am using gnupg 2.0.8 and libgcrypt 1.4.0. I just added a DNS CERT record to my zone file and tried importing the key into my keyring to test to make sure everything is working properly. When I attempt it though, I get a warning that says there is no assurance that my key belongs to me. See below:

$> gpg2 --auto-key-locate cert --recipient email at address.com --encrypt -a
[...]
gpg: key 09BBC7F2: public key "My Name " imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: automatically retrieved `email at address.com' via DNS CERT
gpg: AF19F7E3: There is no assurance this key belongs to the named user

[...]

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)
gpg: [stdin]: encryption failed: Unusable public key

==========================================================

I've read that this is caused by unsigned public keys. However, both my DSA and RSA keys appear to be signed:
-----------------------------
pub  3072D/XXX 2008-01-23
uid            My Name
sig 3      XXX 2008-01-23 never My Name
sub  4096R/XXX 2008-01-23 [expires: 2008-06-21]
sig        XXX 2008-01-23 never My Name

Is there something I am doing wrong? Thank you.

--
Alex

From david at miradoiro.com Fri Jan 25 01:13:47 2008
From: david at miradoiro.com (David Picón Álvarez)
Date: Fri, 25 Jan 2008 01:13:47 +0100
Subject: Problem with keys imported via DNS CERT
References: <20080124172945.39f76af3@mx.google.com>
Message-ID: <002b01c85ee7$27775f10$0202a8c0@Nautilus>

Do you have the key marked as trusted?

--David.

From dshaw at jabberwocky.com Fri Jan 25 02:06:24 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 24 Jan 2008 20:06:24 -0500 Subject: Problem with keys imported via DNS CERT In-Reply-To: <20080124172945.39f76af3@mx.google.com> References: <20080124172945.39f76af3@mx.google.com> Message-ID: <20080125010624.GA30006@jabberwocky.com> On Thu, Jan 24, 2008 at 05:29:45PM -0500, Alex wrote: > Hey everyone. I am using gnupg 2.0.8 and libgcrypt 1.4.0. I just added > a DNS CERT record to my zone file and tried importing the key into my keyring > to test to make sure everything is working properly. When I attempt it > though, I get a warning that says there is no assurance that my key > belongs to me. See below: > > $> gpg2 --auto-key-locate cert --recipient email at address.com --encrypt -a > [...] > gpg: key 09BBC7F2: public key "My Name " imported > gpg: Total number processed: 1 > gpg: imported: 1 > gpg: automatically retrieved `email at address.com' via DNS CERT > gpg: AF19F7E3: There is no assurance this key belongs to the named user > > [...] > > It is NOT certain that the key belongs to the person named > in the user ID. If you *really* know what you are doing, > you may answer the next question with yes. > > Use this key anyway? (y/N) > gpg: [stdin]: encryption failed: Unusable public key > > ========================================================== > > I've read that this is caused by unsigned public keys. However, both my DSA > and RSA keys appear to be signed: > ----------------------------- > pub 3072D/XXX 2008-01-23 > uid My Name > sig 3 XXX 2008-01-23 never My Name > sub 4096R/XXX 2008-01-23 [expires: 2008-06-21] > sig XXX 2008-01-23 never My Name > > Is there something I am doing wrong? Thank you. I'm afraid you've redacted so much information (no real email address, no real key ID) that it's not really possible to help you. David From lowbassman at gmail.com Fri Jan 25 02:29:17 2008 
From: lowbassman at gmail.com (Matt Alexander)
Date: Thu, 24 Jan 2008 18:29:17 -0700
Subject: generate command fails on OpenPGP cards
Message-ID: <9e0a35780801241729m6e880966gac3fdb6129b2fbe3@mail.gmail.com>

I created a test key pair on an OpenPGP card. When I try to run generate again to replace the test key pair, I get the following error:

gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: pcsc_transmit failed: not transacted (0x80100016)
gpg: apdu_send_simple(0) failed: card I/O error
gpg: generating key failed
gpg: key generation failed: general error
Key generation failed: general error

This is on an Ubuntu Dapper box:

gnupg: 1.4.2.2-1ubuntu2.5
pcscd: 1.2.9-beta9-1
libpcsclite1: 1.2.9-beta9-1

Any ideas what the problem might be?

Thanks,
~Matt

From alex323 at gmail.com Fri Jan 25 03:42:53 2008
From: alex323 at gmail.com (Alex)
Date: Thu, 24 Jan 2008 21:42:53 -0500
Subject: Problem with keys imported via DNS CERT
In-Reply-To: <002b01c85ee7$27775f10$0202a8c0@Nautilus>
References: <20080124172945.39f76af3@mx.google.com> <002b01c85ee7$27775f10$0202a8c0@Nautilus>
Message-ID: <20080124214253.74c3f917@mx.google.com>

On Fri, 25 Jan 2008 01:13:47 +0100 David Picón Álvarez wrote:

> Do you have the key marked as trusted?
>
> --David.
>

No, I am starting out with a clean ~/.gnupg folder.

--
Alex

From rjh at sixdemonbag.org Fri Jan 25 04:47:33 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 24 Jan 2008 21:47:33 -0600
Subject: Problem with keys imported via DNS CERT
In-Reply-To: <20080124214253.74c3f917@mx.google.com>
References: <20080124172945.39f76af3@mx.google.com> <002b01c85ee7$27775f10$0202a8c0@Nautilus> <20080124214253.74c3f917@mx.google.com>
Message-ID: <47995BD5.7000405@sixdemonbag.org>

Alex wrote:
> No, I am starting out with a clean ~/.gnupg folder.

There's your problem. Set the key to implicit trust and see if the problem goes away.

From david at miradoiro.com Fri Jan 25 07:32:44 2008
From: david at miradoiro.com (David Picón Álvarez)
Date: Fri, 25 Jan 2008 07:32:44 +0100
Subject: Problem with keys imported via DNS CERT
References: <20080124172945.39f76af3@mx.google.com><002b01c85ee7$27775f10$0202a8c0@Nautilus> <20080124214253.74c3f917@mx.google.com>
Message-ID: <001d01c85f1c$1b9ee3e0$0202a8c0@Nautilus>

> No, I am starting out with a clean ~/.gnupg folder.

That's it then, if your key is not marked as trusted, or the keys which sign it, how do you expect GnuPG to consider it a valid key?

--David.

From wilde at sha-bang.de Fri Jan 25 08:28:32 2008
From: wilde at sha-bang.de (Sascha Wilde)
Date: Fri, 25 Jan 2008 08:28:32 +0100
Subject: GnuPG Summer Riddle 2007 [SOLUTION]
In-Reply-To: <200801242310.50193@erwin.ingo-kloecker.de> ("Ingo Klöcker"'s message of "Thu, 24 Jan 2008 23:10:46 +0100")
References: <200801241443.13838.bernhard@intevation.de> <200801242310.50193@erwin.ingo-kloecker.de>
Message-ID:

Ingo Klöcker wrote:
> On Thursday 24 January 2008, Sascha Wilde wrote:
>> Bernhard Reiter wrote:
>>
>> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING
>>
>> SOLUTION
>>
>> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING

> 0x01: Signature of a canonical text document.
>       Typically, this means the signer owns it, created it, or
>       certifies that it has not been modified. The signature is
>       calculated over the text data with its line endings converted
>       to <CR><LF> and trailing blanks removed.
>
> So it's not just line endings but also trailing blanks.

True. So it seems that whitespace[0] programs are the ideal target for forged signatures of this kind...

> Nice. The attached files are my crude bash-based proof of concept.

From your POC:

  appname=`basename "$0"`
  if [ "$appname" == "app4.sh" ]; then

:-) Actually this was my very first thought when reading the riddle, too. But Bernhard told me that it is not the solution and that he would consider this a breach of "do not depend on external factors" (part of rule b) ).

Maybe it should have been added to the description, that the two app files differ (have different md5sums).

cheers
sascha

[0] http://compsoc.dur.ac.uk/whitespace/index.php
--
Sascha Wilde
If you think technology can solve your problems you don't understand technology and you don't understand your problems. (Bruce Schneier)

From alex323 at gmail.com Fri Jan 25 13:02:39 2008
From: alex323 at gmail.com (Alex) Date: Fri, 25 Jan 2008 07:02:39 -0500 Subject: Problem with keys imported via DNS CERT In-Reply-To: <001d01c85f1c$1b9ee3e0$0202a8c0@Nautilus> References: <20080124172945.39f76af3@mx.google.com> <002b01c85ee7$27775f10$0202a8c0@Nautilus> <20080124214253.74c3f917@mx.google.com> <001d01c85f1c$1b9ee3e0$0202a8c0@Nautilus> Message-ID: <20080125070239.03d11542@mx.google.com> On Fri, 25 Jan 2008 07:32:44 +0100 David Picón Álvarez wrote: > > No, I am starting out with a clean ~/.gnupg folder. > > That's it then, if your key is not marked as trusted, or the keys > which sign it, how do you expect GnuPG to consider it a valid key? > > --David. > If a key is marked as trusted then it is already in my keyring and never needs to be imported in the first place. I imported a friend's key from a keyserver and it never gave me that warning. The key was not marked as trusted because I never had it in the first place. :/ -- Alex From mkallas at schokokeks.org Fri Jan 25 14:09:33 2008
From: mkallas at schokokeks.org (Michael Kesper) Date: Fri, 25 Jan 2008 14:09:33 +0100 Subject: Problem with keys imported via DNS CERT In-Reply-To: <20080125070239.03d11542@mx.google.com> References: <20080124172945.39f76af3@mx.google.com> <002b01c85ee7$27775f10$0202a8c0@Nautilus> <20080124214253.74c3f917@mx.google.com> <001d01c85f1c$1b9ee3e0$0202a8c0@Nautilus> <20080125070239.03d11542@mx.google.com> Message-ID: <20080125130933.GB3394@kol06wsthv-it22.kaufhof.net> Hi, On Fri, Jan 25, 2008 at 07:02:39AM -0500, Alex wrote: > On Fri, 25 Jan 2008 07:32:44 +0100 > David Picón Álvarez wrote: > > > > No, I am starting out with a clean ~/.gnupg folder. > > > > That's it then, if your key is not marked as trusted, or the keys > > which sign it, how do you expect GnuPG to consider it a valid key? > > > > --David. > > > > If a key is marked as trusted then it is already in my keyring and > never needs to be imported in the first place. That's why you should have your own key in your keyring when you start. Classical bootstrap problem. Best wishes Michael -- Free Software Foundation Europe (FSFE) [] (http://fsfeurope.org) Join the Fellowship of FSFE! [][][] (http://fsfe.org/join) Your donation powers our work! [] (http://fsfeurope.org/donate) From alex323 at gmail.com Fri Jan 25 16:03:06 2008
From: alex323 at gmail.com (Alex) Date: Fri, 25 Jan 2008 10:03:06 -0500 Subject: Problem with keys imported via DNS CERT In-Reply-To: <20080125130933.GB3394@kol06wsthv-it22.kaufhof.net> References: <20080124172945.39f76af3@mx.google.com> <002b01c85ee7$27775f10$0202a8c0@Nautilus> <20080124214253.74c3f917@mx.google.com> <001d01c85f1c$1b9ee3e0$0202a8c0@Nautilus> <20080125070239.03d11542@mx.google.com> <20080125130933.GB3394@kol06wsthv-it22.kaufhof.net> Message-ID: <20080125100306.397bfadc@mx.google.com> On Fri, 25 Jan 2008 14:09:33 +0100 Michael Kesper wrote: > Hi, > > On Fri, Jan 25, 2008 at 07:02:39AM -0500, Alex wrote: > > On Fri, 25 Jan 2008 07:32:44 +0100 > > David Picón Álvarez wrote: > > > > > > No, I am starting out with a clean ~/.gnupg folder. > > > > > > That's it then, if your key is not marked as trusted, or the keys > > > which sign it, how do you expect GnuPG to consider it a valid key? > > > > > > --David. > > > > > > > If a key is marked as trusted then it is already in my keyring and > > never needs to be imported in the first place. > > That's why you should have your own key in your keyring when you > start. Classical bootstrap problem. > > Best wishes > Michael Based on what everyone is saying, the following warning, "There is no assurance this key belongs to the named user" should appear for _every_ key I import if the key is not in the keyring. -- Alex From aolsen at standard.com Fri Jan 25 18:05:47 2008 From: aolsen at standard.com (Alan Olsen) Date: Fri, 25 Jan 2008 09:05:47 -0800 Subject: Problem with keys imported via DNS CERT In-Reply-To: <20080125100306.397bfadc@mx.google.com> Message-ID: <92A893260738B0408497A64189BC1E62032CE46E@MSEXCHANGE305.corp.standard.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Alex >Based on what everyone is saying, the following warning, >"There is no assurance this key belongs to the named user" should appear for _every_ key I import if the key is not in the keyring. Not really. If it is signed by enough people in your web of trust or by a "trusted introducer" you will not get that message. It really depends on how many signatures there are on the particular key and who the signatures are from. -----BEGIN PGP SIGNATURE----- Version: 9.5.3 (Build 5003) -----END PGP SIGNATURE----- From wk at gnupg.org Fri Jan 25 20:46:47 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 25 Jan 2008 20:46:47 +0100 Subject: IDEA In-Reply-To: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 23 Jan 2008 21:08:54 +0200") References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> Message-ID: <874pd14riw.fsf@wheatstone.g10code.de> On Wed, 23 Jan 2008 20:08, alon.barlev at gmail.com said: > For gnupg-2: > http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.4-idea.patch?rev=1.1&view=markup It seems that Gentoo is violating the GPL (section 7) by providing a IDEA riddled GnuPG. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Fri Jan 25 20:59:42 2008
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 25 Jan 2008 21:59:42 +0200 Subject: IDEA In-Reply-To: <874pd14riw.fsf@wheatstone.g10code.de> References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> On 1/25/08, Werner Koch wrote: > On Wed, 23 Jan 2008 20:08, alon.barlev at gmail.com said: > > > For gnupg-2: > > http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.4-idea.patch?rev=1.1&view=markup > > It seems that Gentoo is violating the GPL (section 7) by providing a > IDEA riddled GnuPG. No. Gentoo is providing this only if a user specify build from source and ask idea explicitly. Also Gentoo enforces dropping idea when binary redistribution is made. Please refer to: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/libgcrypt/libgcrypt-1.4.0-r1.ebuild?rev=1.8&view=markup I will appreciate any way to improve this. I hope this helps, Alon. From kloecker at kde.org Sat Jan 26 00:48:18 2008 
From: kloecker at kde.org (Ingo Klöcker) Date: Sat, 26 Jan 2008 00:48:18 +0100 Subject: GnuPG Summer Riddle 2007 [SOLUTION] In-Reply-To: References: <200801241443.13838.bernhard@intevation.de> <200801242310.50193@erwin.ingo-kloecker.de> Message-ID: <200801260048.19335@erwin.ingo-kloecker.de> On Friday 25 January 2008, Sascha Wilde wrote: > Ingo Klöcker wrote: > > On Thursday 24 January 2008, Sascha Wilde wrote: > >> Bernhard Reiter wrote: > >> > >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER > >> WARNING > >> > >> SOLUTION > >> > >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER > >> WARNING > > > > 0x01: Signature of a canonical text document. > > Typically, this means the signer owns it, created it, or > > certifies that it has not been modified. The signature is > > calculated over the text data with its line endings > > converted to <CR><LF> and trailing blanks removed. > > > > So it's not just line endings but also trailing blanks. > > True. So it seems that whitespace[0] programs are the ideal target > for forged signatures of this kind... Yeah, I had the same thought. > > Nice. The attached files are my crude bash-based proof of concept. > > From your POC: > > appname=`basename "$0"` > if [ "$appname" == "app4.sh" ]; then > > :-) > > Actually this was my very first thought when reading the riddle, too. > But Bernhard told me that it is not the solution and that he would > consider this a breach of "do not depend on external factors" (part > of rule b) ). > > Maybe it should have been added to the description, that the two app > files differ (have different md5sums). In fact, I ran md5sum on the two files to check this. Also I renamed app4.py to app5.py and vice versa to check the theory of an app name dependent output. I have to admit that my PoC is pretty lame. For the fun of it I've written a generator for python apps printing an arbitrary string. All generated apps verify against the attached signature file.
And as a plus each generated app is again a generator, i.e. the generator is self-replicating (albeit in the most simple way). Example usage: # python app-generator.py "Hi, I'm your app tonight." >app4-gen.py # python app-generator.py 'Showing resistors is futile, you will be policed!' >app5-gen.py # python app4-gen.py Hi, I'm your app tonight. # python app5-gen.py Showing resistors is futile, you will be policed! # gpg2 --verify app-generator.py.sig app4-gen.py gpg: Signature made Sat 26 Jan 2008 12:32:39 AM CET using DSA key ID 30E0B9D8 gpg: please do a --check-trustdb gpg: Good signature from "Ingo Klöcker " gpg: aka "Ingo H. Klöcker " gpg: aka "Ingo H. Klöcker " # gpg2 --verify app-generator.py.sig app5-gen.py gpg: Signature made Sat 26 Jan 2008 12:32:39 AM CET using DSA key ID 30E0B9D8 gpg: please do a --check-trustdb gpg: Good signature from "Ingo Klöcker " gpg: aka "Ingo H. Klöcker " gpg: aka "Ingo H. Klöcker " Have fun! Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: app-generator.py Type: application/x-python Size: 557 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: app-generator.py.sig Type: application/octet-stream Size: 65 bytes Desc: not available URL: From alex323 at gmail.com Sat Jan 26 03:31:54 2008 From: alex323 at gmail.com (Alex) Date: Fri, 25 Jan 2008 21:31:54 -0500 Subject: Problem with keys imported via DNS CERT In-Reply-To: <92A893260738B0408497A64189BC1E62032CE46C@MSEXCHANGE305.corp.standard.com> References: <20080125100306.397bfadc@mx.google.com> <92A893260738B0408497A64189BC1E62032CE46C@MSEXCHANGE305.corp.standard.com> Message-ID: <20080125213154.45d2d3d7@mx.google.com> On Fri, 25 Jan 2008 09:05:47 -0800 "Alan Olsen" wrote:
> > > > From: gnupg-users-bounces at gnupg.org > [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Alex > > >Based on what everyone is saying, the following warning, > >"There is no assurance this key belongs to the named user" should > appear for _every_ key I import if the key is not in the keyring. > > Not really. If it is signed by enough people in your web of trust or > by a "trusted introducer" you will not get that message. It really > depends on how many signatures there are on the particular key and > who the signatures are from. Ok, that is a better explanation. Thank you. -- Alex From wk at gnupg.org Sat Jan 26 17:59:09 2008 From: wk at gnupg.org (Werner Koch) Date: Sat, 26 Jan 2008 17:59:09 +0100 Subject: Prime searching In-Reply-To: (Hardeep Singh's message of "Sat, 19 Jan 2008 15:39:56 +0530") References: Message-ID: <87abms34ma.fsf@wheatstone.g10code.de> On Sat, 19 Jan 2008 11:09, hs2412 at gmail.com said: > Could any one tell me the high-level prime search method employed by > GPG? Is it something like this: > > - generate a random number > - is it prime? if yes, use it > - if not, continue adding ones to it until a prime number is found Well adding two of course. > Also, which algorithm is used by GPG for testing primality? Rabin Miller as usual. See also Lim and Lee in the CRYPTO '97 proceedings (ISBN3540633847) page 260. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From henkdebruijn at gswot.org Sat Jan 26 19:54:45 2008 
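The search loop from the "Prime searching" exchange above (random start, step by two, Rabin-Miller test), as an added illustration that is not GnuPG's or libgcrypt's code and not part of any post. The function names, the small-prime sieve and the round count are assumptions of this sketch, and the Lim-Lee construction Werner cites is not shown.

```python
import secrets
from typing import Optional

# Assumption of this sketch: a tiny trial-division sieve before the real test.
SMALL_PRIMES = (3, 5, 7, 11, 13)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Rabin-Miller test with random bases; never rejects a prime."""
    if n < 2:
        return False
    if n == 2 or n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    # Write n - 1 as 2^s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True


def search_prime(bits: int, start: Optional[int] = None) -> int:
    """Incremental search: take a random odd candidate of full length and
    add two until a candidate passes the test."""
    if bits < 8:
        raise ValueError("bits must be at least 8")
    if start is None:
        start = secrets.randbits(bits)
    lowest = (1 << (bits - 1)) | 1            # top bit set, odd
    candidate = (start & ((1 << bits) - 1)) | lowest
    while not is_probable_prime(candidate):
        candidate += 2
        if candidate.bit_length() > bits:     # ran off the top: wrap around
            candidate = lowest
    # Primes that follow a long gap are picked more often than others,
    # so the result is not uniform over all primes of this size.
    return candidate


# 294409 = 37 * 73 * 109 is a Carmichael number: a plain Fermat test with
# base 2 accepts it, the Rabin-Miller rounds above do not.
CARMICHAEL = 294409

if __name__ == "__main__":
    print("Fermat base 2 accepts 294409:", pow(2, CARMICHAEL - 1, CARMICHAEL) == 1)
    print("Rabin-Miller accepts 294409: ", is_probable_prime(CARMICHAEL))
    print("first prime at or above 2^15 + 1:", search_prime(16, start=0))
    print("random 256-bit prime:", hex(search_prime(256)))
```
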
From: henkdebruijn at gswot.org (Henk M. de Bruijn) Date: Sat, 26 Jan 2008 19:54:45 +0100 Subject: SVN 4679 Message-ID: <1231621589.20080126195445@gswot.org> I noticed SVN 4679 today. Is this 1.4.9 svn 4679 or an 1.4.8 update? -- Henk M. de Bruijn _____________________________________________________________________ The Bat! E-Mail System version 4.0.0.14 (ALPHA) Pro on Windows XP SP2 Thawte notary, CAcert assurer, GSWoT introducer Gossamer Spider Web of Trust http://www.gswot.org Please consider the environment before printing this e-mail, save paper, save trees! From wilde at sha-bang.de Sat Jan 26 20:37:02 2008 
From: wilde at sha-bang.de (Sascha Wilde) Date: Sat, 26 Jan 2008 20:37:02 +0100 Subject: GnuPG Summer Riddle 2007 [SOLUTION] In-Reply-To: <200801260048.19335@erwin.ingo-kloecker.de> ("Ingo Klöcker"'s message of "Sat, 26 Jan 2008 00:48:18 +0100") References: <200801241443.13838.bernhard@intevation.de> <200801242310.50193@erwin.ingo-kloecker.de> <200801260048.19335@erwin.ingo-kloecker.de> Message-ID: Ingo Klöcker wrote: > On Friday 25 January 2008, Sascha Wilde wrote: >> Ingo Klöcker wrote: >> > On Thursday 24 January 2008, Sascha Wilde wrote: >> >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER >> >> >> >> SOLUTION >> >> >> >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER > For the fun of it I've written a generator for python apps printing an > arbitrary string. All generated apps verify against the attached > signature file. And as a plus each generated app is again a generator, > i.e. the generator is self-replicating (albeit in the most simple way). Sweet! Sure enough I had to write a version in common lisp, which I attached (including sig of course). New features/changes in the lisp implementation: 1. It's a real quine -- so it generates its source instead of copying from the source-file. 2. Instead of printing a simple string the generated app can execute any arbitrary lisp form.
:-) Ok, here is the usage example: wilde at kenny% sbcl --noinform --no-userinit --load app-generator.lisp >app2.lisp (dotimes (n 10) (format t "~a~%" n)) wilde at kenny% sbcl --noinform --no-userinit --load app2.lisp 0 1 2 3 4 5 6 7 8 9 And of course one sig fits all: wilde at kenny% gpg2 --verify app-generator.lisp.sig app-generator.lisp gpg: Signature made Sat Jan 26 19:55:27 2008 CET using DSA key ID 69115024 gpg: Good signature from "Sascha Wilde " gpg: aka "Sascha Wilde " wilde at kenny% gpg2 --verify app-generator.lisp.sig app2.lisp gpg: Signature made Sat Jan 26 19:55:27 2008 CET using DSA key ID 69115024 gpg: Good signature from "Sascha Wilde " gpg: aka "Sascha Wilde " And here are the files: -------------- next part -------------- A non-text attachment was scrubbed... Name: app-generator.lisp Type: application/octet-stream Size: 1013 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: app-generator.lisp.sig Type: application/octet-stream Size: 65 bytes Desc: not available URL: -------------- next part -------------- cheers sascha -- Sascha Wilde "Computers are good at following instructions, but not at reading your mind." D. E. Knuth, The TeXbook, Addison-Wesley 1984, 1986, 1996, p. 9 From netanswers at gmail.com Sat Jan 26 22:15:23 2008
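The property the riddle thread above turns on, as an added example that is not code from any poster or from GnuPG: a type 0x01 signature is calculated over the canonical text, so files that differ only in line endings or trailing blanks share one signature. The function names are assumptions of this sketch, treating both spaces and tabs as "blanks" is an assumption, SHA-256 over the canonical text stands in for the hash inside a real signature packet, and the sample scripts are constructed.

```python
import hashlib

# Assumption of this sketch: spaces and tabs both count as trailing blanks.
BLANKS = b" \t"


def _lines(data: bytes):
    """Split on any of CR LF, CR or LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")


def canonical_text(data: bytes) -> bytes:
    """Canonical text form quoted in the thread: line endings converted to
    <CR><LF> and trailing blanks removed."""
    return b"\r\n".join(line.rstrip(BLANKS) for line in _lines(data))


def text_digest(data: bytes) -> str:
    """What a text-mode signature commits to (stand-in: SHA-256)."""
    return hashlib.sha256(canonical_text(data)).hexdigest()


def binary_digest(data: bytes) -> str:
    """What a byte-for-byte check (md5sum in the thread) commits to."""
    return hashlib.sha256(data).hexdigest()


def uncovered_bytes(data: bytes):
    """Audit helper: (line number, trailing bytes) for every line that
    carries blanks a text-mode signature does not cover."""
    findings = []
    for number, line in enumerate(_lines(data), start=1):
        tail = line[len(line.rstrip(BLANKS)):]
        if tail:
            findings.append((number, tail))
    return findings


def share_text_signature(a: bytes, b: bytes) -> bool:
    """True when two different files canonicalise to the same text."""
    return a != b and canonical_text(a) == canonical_text(b)


# Constructed samples: A and B differ only in line endings and trailing
# blanks, C differs in visible content.
APP_A = b'print("hello")  \n# end\n'
APP_B = b'print("hello")\r\n# end\t \r\n'
APP_C = b'print("bye")\n# end\n'

if __name__ == "__main__":
    for name, data in (("A", APP_A), ("B", APP_B), ("C", APP_C)):
        print(name, "text:", text_digest(data)[:16],
              "binary:", binary_digest(data)[:16],
              "uncovered:", uncovered_bytes(data))
    print("A and B share a text-mode signature:",
          share_text_signature(APP_A, APP_B))
```

Files flagged by `uncovered_bytes` carry bytes that a text-mode signature does not protect; a binary document signature (type 0x00) or a digest of the raw file covers them.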
From: netanswers at gmail.com (Raygene) Date: Sat, 26 Jan 2008 13:15:23 -0800 (PST) Subject: How true can this be? Message-ID: <15112665.post@talk.nabble.com> While discussing GnuPG on MacNN forum, someone posted the following message: Tonight I met this guy who works for an internet security company. they help governments/law agencies, what he told me is so depressing. apparently, big brother has the decryption keys for most internet algorithms, they basically can record the information and decrypt it in %95 of the cases... I am no security/privacy expert, but its shocking to know that. The guy did not want to speak much, but he said that mac is the most secure platform from all operating systems?..... does anyone know more about this? Does this hold water or was that so-called security expert full of it? Cheers RG -- View this message in context: http://www.nabble.com/How-true-can-this-be--tp15112665p15112665.html Sent from the GnuPG - User mailing list archive at Nabble.com. From dshaw at jabberwocky.com Sat Jan 26 22:41:02 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Sat, 26 Jan 2008 16:41:02 -0500 Subject: How true can this be? In-Reply-To: <15112665.post@talk.nabble.com> References: <15112665.post@talk.nabble.com> Message-ID: <20080126214102.GA8455@jabberwocky.com> On Sat, Jan 26, 2008 at 01:15:23PM -0800, Raygene wrote: > > While discussing GnuPG on MacNN forum, someone posted the following message: > > Tonight I met this guy who works for an internet security company. they help > governments/law agencies, what he told me is so depressing. apparently, big > brother has the decryption keys for most internet algorithms, they basically > can record the information and decrypt it in %95 of the cases... I am no > security/privacy expert, but its shocking to know that. The guy did not want > to speak much, but he said that mac is the most secure platform from all > operating systems?..... does anyone know more about this? > > Does this hold water or was that so-called security expert full of it? On the whole, the words of some random guy on some random web page quoting some other random guy that he just happened to meet might not be your best source of information. David From netanswers at gmail.com Sat Jan 26 23:51:49 2008 
From: netanswers at gmail.com (Raygene) Date: Sat, 26 Jan 2008 14:51:49 -0800 (PST) Subject: How true can this be? In-Reply-To: <20080126214102.GA8455@jabberwocky.com> References: <15112665.post@talk.nabble.com> <20080126214102.GA8455@jabberwocky.com> Message-ID: <15113566.post@talk.nabble.com> David Shaw wrote: > > On Sat, Jan 26, 2008 at 01:15:23PM -0800, Raygene wrote: >> >> While discussing GnuPG on MacNN forum, someone posted the following >> message: >> >> Tonight I met this guy who works for an internet security company. they >> help >> governments/law agencies, what he told me is so depressing. apparently, >> big >> brother has the decryption keys for most internet algorithms, they >> basically >> can record the information and decrypt it in %95 of the cases... I am no >> security/privacy expert, but its shocking to know that. The guy did not >> want >> to speak much, but he said that mac is the most secure platform from all >> operating systems?..... does anyone know more about this? >> >> Does this hold water or was that so-called security expert full of it? > >>> On the whole, the words of some random guy on some random web page >>> quoting some other random guy that he just happened to meet might not >>> be your best source of information. > > Thanks David, > > I do admit that this is all random and anyone can claim to be a so-called > expert on something or other (then again, there are the know-it-alls and > phonies) but how true is that claim? We all know that the various > "Agencies" have super computers and some of the best programmers and > internet security experts in the country, have you ever heard of some > agency actually cracking a lot of people's encrypted emails or files? Is > encryption as safe as claimed? > > Newbie paranoia, just installed MacPG and playing around with it... 
:-/ > > Cheers, > Gene > > -- View this message in context: http://www.nabble.com/How-true-can-this-be--tp15112665p15113566.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rjh at sixdemonbag.org Sun Jan 27 00:19:31 2008
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 26 Jan 2008 17:19:31 -0600 Subject: How true can this be? In-Reply-To: <15113566.post@talk.nabble.com> References: <15112665.post@talk.nabble.com> <20080126214102.GA8455@jabberwocky.com> <15113566.post@talk.nabble.com> Message-ID: <479BC003.60503@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Raygene wrote: | I do admit that this is all random and anyone can claim to be a | so-called expert on something or other (then again, there are the | know-it-alls and phonies) but how true is that claim? ~ 1. Completely true. ~ 2. Completely false. ~ 3. Somewhere in between. ~ 4. A quixotically jocular zephyr named "oblong threnody". ~ 5. Colorless green ideas sleep furiously. ~ 6. The business of the book sleeps eternally. There is signal and there is noise. At present, you do not have any way of distinguishing the two. That means it's all noise, and the last three answers are just as meaningful as the first three. You are looking for simple and pat answers. They do not exist. You need to do a good bit of reading if you want to have a good handle on this question. | We all know that the various "Agencies" have super computers and some | of the best programmers and internet security experts in the country | ... have you ever heard of some agency actually cracking a lot of | people's encrypted emails or files? Is encryption as safe as claimed? I sent you (off-list) a link to a web page that talks about this in some detail: the Landauer Bound, the Margolus-Levitin Limit, the thermodynamic and quantum information theoretical limits of crypto. You may find some useful information in there. I would suggest two things: ~ 1. Read it skeptically. ~ 2. Whatever else, don't believe it just because I wrote it. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From netanswers at gmail.com Sun Jan 27 04:30:04 2008
From: netanswers at gmail.com (Raygene) Date: Sat, 26 Jan 2008 19:30:04 -0800 (PST) Subject: How true can this be? In-Reply-To: <479BC003.60503@sixdemonbag.org> References: <15112665.post@talk.nabble.com> <20080126214102.GA8455@jabberwocky.com> <15113566.post@talk.nabble.com> <479BC003.60503@sixdemonbag.org> Message-ID: <15115629.post@talk.nabble.com> Robert J. Hansen-3 wrote: > >> I sent you (off-list) a link to a web page that talks about this in some >> detail: the Landauer Bound, the Margolus-Levitin Limit, the >> thermodynamic and quantum information theoretical limits of crypto. You >> may find some useful information in there. I would suggest two things: > >> ~ 1. Read it skeptically. >> ~ 2. Whatever else, don't believe it just because I wrote it. > Thanks Robert. Just read the following about the Echelon Project: National Security Agency (US) The prime mover in the UKUSA arrangement is undeniably the National Security Agency (NSA). The majority of funds for joint projects and facilities (discussed below) as well as the direction for intelligence gathering operations are issued primarily through the NSA. The participating agencies frequently exchange personnel, divide up intelligence collection tasks and establish common guidelines for classifying and protecting shared information. However, the NSA utilizes its role as the largest spy agency in the world to have its international intelligence partners do its bidding. President Harry Truman established the NSA in 1952 with a presidential directive that remains classified to this day. The US government did not acknowledge the existence of the NSA until 1957. Its original mission was to conduct the signal intelligence (SIGINT) and communications security (COMSEC) for the US. President Ronald Reagan added the tasks of information systems security and operations security training in 1984 and 1988 respectively. 
A 1986 law charged the NSA with supporting combat operations for the Department of Defense.<7> Headquartered at Fort George Meade, located between Washington D.C. and Baltimore, Maryland, the NSA boasts the most enviable array of intelligence equipment and personnel in the world. The NSA is the largest global employer of mathematicians, featuring the best teams of codemakers and codebreakers ever assembled. The latter's job is to crack the encryption codes of foreign and domestic electronic communications, forwarding the revealed messages to their enormous team of skilled linguists to review and analyze the messages in over 100 languages. The NSA is also responsible for creating the encryption codes that protect the US government?s communications. In its role as gang leader for UKUSA, the NSA is primarily involved with creating new surveillance and codebreaking technology, directing the other cooperating agencies to their targets, and providing them with training and tools to intercept, process and analyze enormous amounts of signals intelligence. By possessing what is arguably the most technologically advanced communications, computer and codebreaking equipment of any government agency in the world, the NSA serves as a competent and capable taskmaster for UKUSA. http://home.hiwaay.net/~pspoole/echelon.html The Echelon Project Darn it, we sure live in dangerous times, don't we... Thanks, Gene -- View this message in context: http://www.nabble.com/How-true-can-this-be--tp15112665p15115629.html Sent from the GnuPG - User mailing list archive at Nabble.com. From allen.schultz at gmail.com Sun Jan 27 04:50:14 2008 
From: allen.schultz at gmail.com (Allen Schultz) Date: Sat, 26 Jan 2008 20:50:14 -0700 Subject: Changing hash on Windows Vista with gpg4win v1.1.3 Message-ID: <3f34f8420801261950o72e32fd3u9bb493e45c8866a8@mail.gmail.com> How can I change the hash used on the full package that came in GPG4Win ver. 1.1.3? I can't seem to find it under WinPT Preferences. From rjh at sixdemonbag.org Sun Jan 27 08:18:07 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 27 Jan 2008 01:18:07 -0600 Subject: Changing hash on Windows Vista with gpg4win v1.1.3 In-Reply-To: <3f34f8420801261950o72e32fd3u9bb493e45c8866a8@mail.gmail.com> References: <3f34f8420801261950o72e32fd3u9bb493e45c8866a8@mail.gmail.com> Message-ID: <479C302F.8070901@sixdemonbag.org> Allen Schultz wrote: > How can I change the hash used on the full package that came in > GPG4Win ver. 1.1.3? I can't seem to find it under WinPT Preferences. Add to your gpg.conf file the line: personal-digest-preferences SHA256 SHA1 ... or whatever your preferences are. :) From alex at bofh.net.pl Sun Jan 27 19:39:04 2008
From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Sun, 27 Jan 2008 19:39:04 +0100 Subject: How true can this be? In-Reply-To: <15112665.post@talk.nabble.com> References: <15112665.post@talk.nabble.com> Message-ID: <20080127183904.GA9019@hell.pl> On Sat, Jan 26, 2008 at 01:15:23PM -0800, Raygene wrote: > > While discussing GnuPG on MacNN forum, someone posted the following message: > > Tonight I met this guy who works for an internet security company. they help > governments/law agencies, what he told me is so depressing. apparently, big > brother has the decryption keys for most internet algorithms, they basically > can record the information and decrypt it in %95 of the cases... I am no > security/privacy expert, but its shocking to know that. The guy did not want > to speak much, but he said that mac is the most secure platform from all > operating systems?..... does anyone know more about this? > > Does this hold water or was that so-called security expert full of it? both yes and no spooks don't need to break your ciphers to get your encrypted stuff, the simplest technical measure is to inject a trojan into your system that will siphon off what's needed, then there is traffic analysis, TEMPEST, etc etc BTW: I really doubt that if there is a classified shortcut to solve RSA, a random guy from a random security firm would a) know it (COMSEC/INFOSEC is usually classified TOP SECRET as it is considered of vital importance to state security), and b) he would blabber about it to anyone who would care to listen if a), then b) would land him in jail, quickly Alex -- JID: alex at hell.pl PGP: 0x46399138 od zwracania uwagi na detale są lekarze, adwokaci, programiści i zegarmistrze -- Czerski From jmoore3rd at bellsouth.net Sun Jan 27 22:23:06 2008
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sun, 27 Jan 2008 16:23:06 -0500 Subject: How true can this be? In-Reply-To: <20080127183904.GA9019@hell.pl> References: <15112665.post@talk.nabble.com> <20080127183904.GA9019@hell.pl> Message-ID: <479CF63A.9050402@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - -------- Original Message -------- Subject: Re: How true can this be? From: Janusz A. Urbanowicz To: Raygene Cc: gnupg-users at gnupg.org Date: Sunday, January 27, 2008 1:39:04 PM > if a), then b) would land him in jail, quickly More likely a fatal traffic accident or victim of a street mugging with similar outcome. People communicate in and from Jails. JOHN ;) Timestamp: Sunday 27 Jan 2008, 16:22 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9-svn4675: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sun Jan 27 22:39:20 2008
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 27 Jan 2008 15:39:20 -0600 Subject: How true can this be? In-Reply-To: <479CF63A.9050402@bellsouth.net> References: <15112665.post@talk.nabble.com> <20080127183904.GA9019@hell.pl> <479CF63A.9050402@bellsouth.net> Message-ID: <479CFA08.2090007@sixdemonbag.org> John W. Moore III wrote: > More likely a fatal traffic accident or victim of a street mugging with > similar outcome. People communicate in and from Jails. I hate to rain on people's parades, but that sort of James Bond stuff tends to draw a lot more attention. Assassination is an extremely ineffective form of censorship. Historically speaking, effective governments have relied on discredit more than death for controlling their secrets--if someone gets a reputation in the field for being crazy, for being unstable, for being whatever, then nobody will listen to them anyway, so who cares if they're blabbing secrets? That said, I agree with the claim that it's very unlikely that someone with the clearance to know about the NSA's latest crypto research would talk about it with others who weren't cleared. Far, far more likely that someone was trying to impress others with a "if only you knew what I knew" fish story. From hoempi at hoempi.de Thu Jan 24 10:48:57 2008 
From: hoempi at hoempi.de (Thomas Hempen)
Date: Thu, 24 Jan 2008 10:48:57 +0100
Subject: Multiple PCs
Message-ID: <47985F09.7090300@hoempi.de>

Hi folks,

some days ago I migrated my laptop to OpenSuSe 10.3 and installed
Thunderbird. I was pleased to find that GnuPG and Enigmail were already
part of the installation. So today I created signatures for both my
private and work mail addresses.

Then I exported the keys (public and secret) and transferred them to my
windows-powered desktop computer, installed GPG4Win and Enigmail there.
Using Enigmail once more I imported both key pairs and everything
seemed fine.

I sent signed, unencrypted test messages from one mail address to
another and my Windows machine stated good signatures both ways.

But when I checked on my laptop, where I created the key pairs I get an
"Error - signature verification failed".

Did anyone ever encounter something like this or has any idea how to
fix it?

Kind Regards,
Thomas Hempen

From brad at black.cirt.vt.edu Thu Jan 24 15:53:37 2008
From: brad at black.cirt.vt.edu (Brad Tilley)
Date: Thu, 24 Jan 2008 09:53:37 -0500
Subject: Need tips on how to backup my keys
In-Reply-To:
References:
Message-ID: <3ac86fa70801240653g26b2a8dbh7195c05b47b6a9e2@mail.gmail.com>

Tar it up and symmetrically encrypt it. Use a strong pass phrase. Store
the encrypted tar file in various places (USB, gmail, bank safety
deposit box, lawyer's office, girlfriend's house, etc.) Write the pass
phrase down and keep it in your bank box.

I (personally) don't do this. I just tar up .gnupg with no symmetric
encryption. In theory, this is a bad idea. With a good pass phrase
however, in practice, there is nothing wrong with it. The weak link is
the pass phrase, so use a good one and don't worry too much.

Brad

On Jan 24, 2008 8:38 AM, Steven Woody wrote:
> hi,
>
> When one day my hard disk go bad and I can not access my keys, those
> files I encrypted for myself would never be opened for me. I don't
> want that, then I believe I need to make a copy of my keys ( the whole
> of ~/.gnupg directory, right? ). But where should I keep the copy?
> It gets chance exposuring to public if I put it on a USB disk. I like
> to hear what the method you used.
>
> thanks.
>
> --
> woody
>
> then sun rose thinly from the sea and the old man could see the other
> boats, low on the water and well in toward the shore, spread out
> across the current.

From alex at bofh.net.pl Mon Jan 28 12:58:27 2008
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Mon, 28 Jan 2008 12:58:27 +0100
Subject: How true can this be?
In-Reply-To: <479CF63A.9050402@bellsouth.net>
References: <15112665.post@talk.nabble.com> <20080127183904.GA9019@hell.pl> <479CF63A.9050402@bellsouth.net>
Message-ID: <20080128115827.GB9019@hell.pl>

On Sun, Jan 27, 2008 at 04:23:06PM -0500, John W. Moore III wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------- Original Message --------
> Subject: Re: How true can this be?
> From: Janusz A. Urbanowicz
> To: Raygene
> Cc: gnupg-users at gnupg.org
> Date: Sunday, January 27, 2008 1:39:04 PM
>
> > if a), then b) would land him in jail, quickly
>
> More likely a fatal traffic accident or victim of a street mugging with
> similar outcome. People communicate in and from Jails.

Blabbering about classified stuff is a breach of security procedures
and NDA-s, that leads to administrative action, prosecution and usually
jail sentence (or a hefty fine).

The approach you mention would be probably used on someone who would
like to play the game (as in sell the info to another country), not for
some random blabberer.

Alex
-- 
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is what doctors, lawyers, programmers and
watchmakers are for -- Czerski

From narkewoody at gmail.com Mon Jan 28 14:24:04 2008
From: narkewoody at gmail.com (Steven Woody)
Date: Mon, 28 Jan 2008 21:24:04 +0800
Subject: keypair to/from armor format
Message-ID:

Hi, list

I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
backup copy of my keypairs. I think I want hardcopy of my keys. In
the user manual, however, I learned how to export/import public keys (
in armor mode ). but I don't see how to do the same on the private
key. Is it possible? Thanks.

-- 
woody

then sun rose thinly from the sea and the old man could see the other
boats, low on the water and well in toward the shore, spread out
across the current.

From david at miradoiro.com Mon Jan 28 14:45:11 2008
From: david at miradoiro.com (David Picón Álvarez)
Date: Mon, 28 Jan 2008 14:45:11 +0100
Subject: keypair to/from armor format
References:
Message-ID: <001201c861b4$00b94ad0$0302a8c0@Nautilus>

> I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
> backup copy of my keypairs. I think I want hardcopy of my keys. In
> the user manual, however, I learned how to export/import public keys (
> in armor mode ). but I don't see how to do the same on the private
> key. Is it possible? Thanks.

Same way. The --armor or -a options are available pretty much for any
command that produces keys, messages, signatures, etc.

--David.

From yalla at fsfe.org Mon Jan 28 14:53:55 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Mon, 28 Jan 2008 14:53:55 +0100
Subject: Multiple PCs
In-Reply-To: <47985F09.7090300@hoempi.de>
References: <47985F09.7090300@hoempi.de>
Message-ID: <479DDE73.40509@fsfe.org>

Thomas Hempen wrote:
> But when I checked on my laptop, where I created the key pairs I get an
> "Error - signature verification failed".
>
> Did anyone ever encounter something like this or has any idea how to fix
> it?

Enigmail has some known and dodgy errors, especially when it comes to
verifying signatures. I upgraded to the latest Enigmail nightly build
which worked for me.

http://enigmail.mozdev.org/download/nightly.php

> Kind Regards,
> Thomas Hempen

Hope that helps,
Alex.

From tmz at pobox.com Tue Jan 29 05:15:47 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 28 Jan 2008 23:15:47 -0500
Subject: keypair to/from armor format
In-Reply-To:
References:
Message-ID: <20080129041547.GH3082@inocybe.teonanacatl.org>

Steven Woody wrote:
> I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
> backup copy of my keypairs. I think I want hardcopy of my keys. In
> the user manual, however, I learned how to export/import public keys
> ( in armor mode ). but I don't see how to do the same on the private
> key. Is it possible? Thanks.

For a hardcopy backup of your secret key, you might also find paperkey
(which David wrote) useful:

http://www.jabberwocky.com/software/paperkey/

-- 
Todd
OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I do not pretend to know where many ignorant men are sure - that is all
that agnosticism means.
    -- Clarence Darrow

From narkewoody at gmail.com Tue Jan 29 07:54:47 2008
From: narkewoody at gmail.com (Steven Woody)
Date: Tue, 29 Jan 2008 14:54:47 +0800
Subject: How to export/import my private key
Message-ID:

Hi,

I searched through the manual but have not found commands which used
to export/import private key. The manual mentioned --export/--import
commands but they are likely used to export/import public keys. Am I
right?

Thanks.

-- 
woody

then sun rose thinly from the sea and the old man could see the other
boats, low on the water and well in toward the shore, spread out
across the current.

From laurent.jumet at skynet.be Tue Jan 29 10:33:55 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Tue, 29 Jan 2008 10:33:55 +0100
Subject: How to export/import my private key
In-Reply-To:
Message-ID:

Hello Steven !

"Steven Woody" wrote:

> I searched through the manual but have not found commands which used
> to export/import private key. The manual mentioned --export/--import
> commands but they are likely used to export/import public keys. Am i
> right?

--export-secret-keys
--export-secret-subkeys

-- 
Laurent Jumet
KeyID: 0xCFAF704C

From david at miradoiro.com Tue Jan 29 12:41:33 2008
From: david at miradoiro.com (David Picón Álvarez)
Date: Tue, 29 Jan 2008 12:41:33 +0100
Subject: How to export/import my private key
References:
Message-ID: <001301c8626b$e87566d0$0302a8c0@Nautilus>

Speaking from memory here, but I think the right command is
--export-secret-key

--David.

From wk at gnupg.org Tue Jan 29 19:39:57 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 29 Jan 2008 19:39:57 +0100
Subject: IDEA
In-Reply-To: <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> (Alon Bar-Lev's message of "Fri, 25 Jan 2008 21:59:42 +0200")
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com>
Message-ID: <871w80earm.fsf@wheatstone.g10code.de>

On Fri, 25 Jan 2008 20:59, alon.barlev at gmail.com said:

> Gentoo is providing this only if a user specifies build from source and
> asks for idea explicitly.
> Also Gentoo enforces dropping idea when binary redistribution is made.

This has nothing to do with binary vs. source distribution. The GPL
clearly states that you can't distribute it as part of it. We all know
that IDEA is patented because it was the main motivation to write gpg.

I suggest to remove all that idea stuff. If someone needs it for a
crypto workbench, the modules feature of libgcrypt can be used for that.

I also consider helping an idea patenter by linking to his web site a
bad idea. That company has several times tried to force me to advertise
that the gnupg docs should mention that idea can be bought from them.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From yalla at fsfe.org Tue Jan 29 19:55:24 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Tue, 29 Jan 2008 19:55:24 +0100
Subject: IDEA
In-Reply-To: <871w80earm.fsf@wheatstone.g10code.de>
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de>
Message-ID: <479F769C.8050900@fsfe.org>

Werner Koch wrote:
> [... IDEA/GPL woes ...]

Though I recently had a valid reason; I was in possession of a very old
legacy RSA-keypair which I created quite a long time ago with PGP
2.something. I just wanted to revoke that key, but in order to create
the revocation certificate I had to search my way through all defunct
websites, outdated documentation and borked plugins/DLLs for IDEA.

On a sidenote, I only managed to get it running on Windows, which I
take as a personal insult ;)

Whatever, my point is that documentation as such is not bad. I think
you can migrate your old IDEA-encumbered RSA-Key to one which uses a
non-patented algorithm - didn't follow that idea 'cause I just wanted
to revoke anyway. But that'd be worth a couple of lines, wouldn't it?

Alex.

From kevhilton at gmail.com Tue Jan 29 20:32:51 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Tue, 29 Jan 2008 13:32:51 -0600
Subject: IDEA
Message-ID: <96c450350801291132j777a31caj93023fe336b00789@mail.gmail.com>

Hope I don't get in trouble for posting this, however the idea module
can be found here:

wget ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz

-- 
Kevin Hilton

From alon.barlev at gmail.com Tue Jan 29 20:33:59 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Tue, 29 Jan 2008 21:33:59 +0200
Subject: IDEA
In-Reply-To: <871w80earm.fsf@wheatstone.g10code.de>
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com>

On 1/29/08, Werner Koch wrote:
> On Fri, 25 Jan 2008 20:59, alon.barlev at gmail.com said:
>
> > Gentoo is providing this only if a user specifies build from source and
> > asks for idea explicitly.
> > Also Gentoo enforces dropping idea when binary redistribution is made.
>
> This has nothing to do with binary vs. source distribution. The GPL
> clearly states that you can't distribute it as part of it. We all know
> that IDEA is patented because it was the main motivation to write gpg.

Gentoo does not distribute gnupg or IDEA.
Gentoo provides the instructions of how to build these components from
source.
Gentoo is not distribution in the usual sense, but meta-distribution...
If one distributes pre-built packages he sets the bindist USE flag, and
IDEA is disabled.
As far as people checked (for this and other packages) this is valid
and conforms to GPL.

> I suggest to remove all that idea stuff. If someone needs it for a
> crypto workbench, the modules feature of libgcrypt can be used for that.

There are people with IDEA keys, they would like to continue using
these keys.
As long as they are legally entitled to, I don't see why this should
not be allowed.

> I also consider helping an idea patenter by linking to his web site a
> bad idea. That company has several times tried to force me to advertise
> that the gnupg docs should mention that idea can be bought from them.

The information is correct. Whoever wants to use IDEA should be exposed
to this information.
However... I cannot access this URL anymore.

Regards,
Alon Bar-Lev.

From alon.barlev at gmail.com Tue Jan 29 20:51:19 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Tue, 29 Jan 2008 21:51:19 +0200
Subject: IDEA
In-Reply-To: <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com>
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de> <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com>
Message-ID: <9e0cf0bf0801291151l7436aa9fy4624256ca5c5698@mail.gmail.com>

On 1/29/08, Alon Bar-Lev wrote:
> > I also consider helping an idea patenter by linking to his web site a
> > bad idea. That company has several times tried to force me to advertise
> > that the gnupg docs should mention that idea can be bought from them.
>
> The information is correct. Whoever want to use IDEA should be exposed
> to this information.
> However... I cannot access this URL anymore.

Changed to:
http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Security

Alon.

From ale at pcartwright.com Tue Jan 29 21:11:00 2008
From: ale at pcartwright.com (Paul Cartwright)
Date: Tue, 29 Jan 2008 15:11:00 -0500
Subject: adding a new email to a key
Message-ID: <200801291511.06160.ale@pcartwright.com>

I am new on the list, so point me to the right documentation. I am using
Debian Lenny, and I have Kgpg installed.
right now I have a keypair for my main email address of paul (at)
pcartwright.com

I wanted to add another email address to that key, ale (at) pcartwright.com

I'm not real sure of the sequence or path to take to accomplish this. I
tried adding another uid, I tried adding a subkey. but both times I
ended up with Kgpg showing the new email as the primary, instead of as
uid#2.

thanks!

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459

From aolsen at standard.com Tue Jan 29 21:59:35 2008
From: aolsen at standard.com (Alan Olsen)
Date: Tue, 29 Jan 2008 12:59:35 -0800
Subject: IDEA
In-Reply-To: <871w80earm.fsf@wheatstone.g10code.de>
Message-ID: <92A893260738B0408497A64189BC1E62032CE47C@MSEXCHANGE305.corp.standard.com>

From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Werner Koch

>I also consider helping an idea patenter by linking to his web site a bad idea.
> That company has several times tried to force me to advertise that the gnupg
> docs should mention that idea can be bought from them.

Not that it would help. Their web site has been pretty much FUBARed for
the last few weeks.

The reduced rounds issue is enough of an excuse to get me to recommend
that our customers upgrade.

From rjh at sixdemonbag.org Tue Jan 29 22:22:26 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 29 Jan 2008 15:22:26 -0600
Subject: IDEA
In-Reply-To: <92A893260738B0408497A64189BC1E62032CE47C@MSEXCHANGE305.corp.standard.com>
References: <92A893260738B0408497A64189BC1E62032CE47C@MSEXCHANGE305.corp.standard.com>
Message-ID: <479F9912.4010601@sixdemonbag.org>

Alan Olsen wrote:
> The reduced rounds issue is enough of an excuse to get me to
> recommend that our customers upgrade.

If your customers are businesses, the upgrade pill can be made easier
to swallow by pointing out that AES is a NIST standard and may be
required by future government regulations for some kinds of
transactions. Pitch it as "we should look into migrating to AES now,
rather than do a rushed job of it at the last minute" and you may find
things easier.

While IDEA is for the time being a safe choice, it is not a government
standard and is unlikely to ever play a major role in NIST, SEC, NBS,
etc. standards for data protection.

From mwood at IUPUI.Edu Tue Jan 29 22:58:13 2008
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue, 29 Jan 2008 16:58:13 -0500
Subject: IDEA
In-Reply-To: <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com>
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de> <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com>
Message-ID: <20080129215813.GA24734@IUPUI.Edu>

On Tue, Jan 29, 2008 at 09:33:59PM +0200, Alon Bar-Lev wrote:
> On 1/29/08, Werner Koch wrote:
> > On Fri, 25 Jan 2008 20:59, alon.barlev at gmail.com said:
> >
> > > Gentoo is providing this only if a user specify build from source and
> > > ask idea explicitly.
> > > Also Gentoo enforces dropping idea when binary redistribution is made.
> >
> > This has nothing to do with binary vs. source distribution. The GPL
> > clearly states that you can't distribute it as part of it. We all know
> > that IDEA is patented because it was the main motivation to write gpg.
>
> Gentoo does not distribute gnupg or IDEA.

That is not precisely correct. A source kit for GnuPG can be found in
e.g. /usr/portage/distfiles/gnupg-2.0.7.tar.bz2 while the IDEA patch is
found in e.g.
/usr/portage/app-crypt/gnupg/files/gnupg-2.0.4-idea.patch

It would be correct to say that Gentoo does not distribute GnuPG
binaries, with or without IDEA. The package management system
(portage) gathers tarballs, patches, etc., constructs a source tree,
and compiles it on the target system.

> Gentoo provides the instructions of how to build these components from source.

The "instructions", to be clear, are the ebuild file that portage uses
to automagically build the software for you.

I can state that I have GnuPG built by portage on my Gentoo systems,
and it does not include IDEA.

mwood at mhw ~ $ gpg --version
gpg (GnuPG) 2.0.7
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

A quick look at the 2.0.7 ebuild suggests that portage will apply the
IDEA patch but not enable IDEA. But I'm nothing like a portage expert,
so don't give my analysis of ebuilds too much weight.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.

From rjh at sixdemonbag.org Tue Jan 29 23:36:46 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 29 Jan 2008 16:36:46 -0600
Subject: adding a new email to a key
In-Reply-To: <200801291511.06160.ale@pcartwright.com>
References: <200801291511.06160.ale@pcartwright.com>
Message-ID: <479FAA7E.9000702@sixdemonbag.org>

Paul Cartwright wrote:
> I wanted to add another email address to that key, ale (at) pcartwright.com
>
> I'm not real sure of the sequence or path to take to accomplish this. I tried
> adding another uid, I tried adding a subkey. but both times I ended up with
> Kgpg showing the new email as the primary, instead of as uid#2.

I understand what you're saying, but I don't see the problem. If you
want to add another user ID (what people usually mean when they say
"add another email address"), then you add another user ID. Apparently
from your message, you can add user IDs just fine--so where's the
problem?

By default, GnuPG will always make a newly-created user ID the primary
user ID. However, this really shouldn't matter to you--what matters
most is that the user IDs you want listed on your key are on your key.

From dshaw at jabberwocky.com Wed Jan 30 00:11:54 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 29 Jan 2008 18:11:54 -0500
Subject: adding a new email to a key
In-Reply-To: <200801291511.06160.ale@pcartwright.com>
References: <200801291511.06160.ale@pcartwright.com>
Message-ID: <20080129231154.GB11438@jabberwocky.com>

On Tue, Jan 29, 2008 at 03:11:00PM -0500, Paul Cartwright wrote:
> I am new on the list, so point me to the right documentation. I am using
> Debian Lenny, and I have Kgpg installed.
> right now I have a keypair for my main email address of paul (at)
> pcartwright.com
>
> I wanted to add another email address to that key, ale (at) pcartwright.com
>
> I'm not real sure of the sequence or path to take to accomplish
> this. I tried adding another uid, I tried adding a subkey. but both
> times I ended up with Kgpg showing the new email as the primary,
> instead of as uid#2.

You want to add a new UID, as that is what contains an email address.
A subkey is a different thing altogether.

The reason the new UID is listed first is that, by default, GPG treats
the most recent UID as the primary one. This is because the more
recent email address generally is the more useful one. That said, you
can change it via the "primary" command in the "gpg --edit-key" menu.
I don't know if kgpg makes this command available via the GUI or not.

Note, though, that the notion of primary UID is almost completely
cosmetic. It doesn't really matter much in practice which UID is
listed first.

David

From ale at pcartwright.com Wed Jan 30 00:29:00 2008
From: ale at pcartwright.com (Paul Cartwright)
Date: Tue, 29 Jan 2008 18:29:00 -0500
Subject: adding a new email to a key
In-Reply-To: <479FAA7E.9000702@sixdemonbag.org>
References: <200801291511.06160.ale@pcartwright.com> <479FAA7E.9000702@sixdemonbag.org>
Message-ID: <200801291829.00520.ale@pcartwright.com>

On Tue January 29 2008, you wrote:
> I understand what you're saying, but I don't see the problem. If you
> want to add another user ID (what people usually mean when they say "add
> another email address"), then you add another user ID. Apparently from
> your message, you can add user IDs just fine--so where's the problem?
>
> By default, GnuPG will always make a newly-created user ID the primary
> user ID. However, this really shouldn't matter to you--what matters
> most is that the user IDs you want listed on your key are on your key.

I guess it is more a perception problem than an issue then. My concern
was that my original key, the primary email address was changed. Both
email addresses were still in the key, so I guess it isn't a problem so
much as an aesthetic issue. Now I'll go back and add the UID for the
second email, thanks for clarifying!

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459

From JPClizbe at tx.rr.com Wed Jan 30 03:54:50 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 29 Jan 2008 20:54:50 -0600
Subject: adding a new email to a key
In-Reply-To: <200801291829.00520.ale@pcartwright.com>
References: <200801291511.06160.ale@pcartwright.com> <479FAA7E.9000702@sixdemonbag.org> <200801291829.00520.ale@pcartwright.com>
Message-ID: <479FE6FA.200@tx.rr.com>

Paul Cartwright wrote:
> On Tue January 29 2008, Robert Hansen wrote:
>> I understand what you're saying, but I don't see the problem. If you
>> want to add another user ID (what people usually mean when they say "add
>> another email address"), then you add another user ID. Apparently from
>> your message, you can add user IDs just fine--so where's the problem?
>>
>> By default, GnuPG will always make a newly-created user ID the primary
>> user ID. However, this really shouldn't matter to you--what matters
>> most is that the user IDs you want listed on your key are on your key.
>
> I guess it is more a perception problem than an issue then. My concern was
> that my original key, the primary email address was changed. Both email
> addresses were still in the key, so I guess it isn't a problem so much as an
> aesthetic issue. Now I'll go back and add the UID for the second email,
> thanks for clarifying!

If the original email address is no longer valid, you can revoke the
UID it's on.

-- 
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT com
Ginger Bear Networks                hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't
matter and those who matter don't mind." - Dr Seuss, "Oh the Places
You'll Go"

From wk at gnupg.org Wed Jan 30 11:13:53 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Jan 2008 11:13:53 +0100
Subject: IDEA
In-Reply-To: <20080129215813.GA24734@IUPUI.Edu> (Mark H. Wood's message of "Tue, 29 Jan 2008 16:58:13 -0500")
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de> <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com> <20080129215813.GA24734@IUPUI.Edu>
Message-ID: <87sl0faae6.fsf@wheatstone.g10code.de>

On Tue, 29 Jan 2008 22:58, mwood at IUPUI.Edu said:

> It would be correct to say that Gentoo does not distribute GnuPG
> binaries, with or without IDEA. The package management system
> (portage) gathers tarballs, patches, etc., constructs a source tree,
> and compiles it on the target system.

Well I originally wrote "seems to". With this new information I retract
my statement of a GPL violation because I am not anymore able to decide
this.

Let that idea rest in peace,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Jan 30 11:15:01 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Jan 2008 11:15:01 +0100
Subject: IDEA
In-Reply-To: <9e0cf0bf0801291151l7436aa9fy4624256ca5c5698@mail.gmail.com> (Alon Bar-Lev's message of "Tue, 29 Jan 2008 21:51:19 +0200")
References: <9e0cf0bf0801231108w49a3a908yaeb9ca21be27c36@mail.gmail.com> <874pd14riw.fsf@wheatstone.g10code.de> <9e0cf0bf0801251159j3f02ad3ejad271a20268bf9ef@mail.gmail.com> <871w80earm.fsf@wheatstone.g10code.de> <9e0cf0bf0801291133i1da7d34avcac42ef582b5fef7@mail.gmail.com> <9e0cf0bf0801291151l7436aa9fy4624256ca5c5698@mail.gmail.com>
Message-ID: <87lk67aaca.fsf@wheatstone.g10code.de>

On Tue, 29 Jan 2008 20:51, alon.barlev at gmail.com said:

> Changed to:
> http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Security

Thanks, RMS should be proud of you ;-).

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Jan 30 11:17:48 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Jan 2008 11:17:48 +0100
Subject: IDEA
In-Reply-To: <96c450350801291132j777a31caj93023fe336b00789@mail.gmail.com> (Kevin Hilton's message of "Tue, 29 Jan 2008 13:32:51 -0600")
References: <96c450350801291132j777a31caj93023fe336b00789@mail.gmail.com>
Message-ID: <87hcgvaa7n.fsf@wheatstone.g10code.de>

On Tue, 29 Jan 2008 20:32, kevhilton at gmail.com said:

> Hope I don't get in trouble for posting this, however the idea module

No problem, that information is anyway available at gnupg.org:

http://www.gnupg.org/faq/why-not-idea.html

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From laurent.jumet at skynet.be Wed Jan 30 12:12:26 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Wed, 30 Jan 2008 12:12:26 +0100
Subject: IDEA
In-Reply-To: <87sl0faae6.fsf@wheatstone.g10code.de>
Message-ID:

Hello Werner !

Werner Koch wrote:

...about IDEA.DLL and GnuPG 1.4.8 :

I still have

LoadExtension c:\lib\gnupg\idea.dll

in my config.
Is this obsolete?

-- 
Laurent Jumet
KeyID: 0xCFAF704C

From sf181257 at students.mimuw.edu.pl Wed Jan 30 13:01:01 2008
From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen")
Date: Wed, 30 Jan 2008 13:01:01 +0100
Subject: UID order
Message-ID: <47A066FD.2090902@students.mimuw.edu.pl>

Hello

How to change UID order in (your own) key?

Thanks
STF

From ale at pcartwright.com Wed Jan 30 13:32:03 2008
From: ale at pcartwright.com (Paul Cartwright)
Date: Wed, 30 Jan 2008 07:32:03 -0500
Subject: adding a new email to a key
In-Reply-To: <479FE6FA.200@tx.rr.com>
References: <200801291511.06160.ale@pcartwright.com> <200801291829.00520.ale@pcartwright.com> <479FE6FA.200@tx.rr.com>
Message-ID: <200801300732.03804.ale@pcartwright.com>

On Tue January 29 2008, John Clizbe wrote:
> > I guess it is more a perception problem than an issue then. My concern
> > was that my original key, the primary email address was changed. Both
> > email addresses were still in the key, so I guess it isn't a problem so
> > much as an aesthetic issue. Now I'll go back and add the UID for the
> > second email, thanks for clarifying!
>
> If the original email address is no longer valid, you can revoke the UID
> it's on.

I understand that. It wasn't a revoke-type issue, I was just trying to
figure out exactly how things worked.. I didn't know about the 2nd
email becoming primary.. ( say newbie).

I'm still learning the difference between additional emails ( UID) and
subkeys. My situation is, I have an ISP, and I don't use their email,
except for one list that kept bouncing my domain email. I have my
domain, my main email, and a bunch of addresses I use for different
lists. I also have a yahoo email account that is almost as old as
Yahoo. I have a work email account, for when I travel on business.

so what is the appropriate way to add all those, or should I even do
that?

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459

From alexander.janssen at gmail.com Mon Jan 28 14:57:59 2008
From: alexander.janssen at gmail.com (Alexander W. Janssen)
Date: Mon, 28 Jan 2008 14:57:59 +0100
Subject: Multiple PCs
In-Reply-To: <479DDE73.40509@fsfe.org>
References: <47985F09.7090300@hoempi.de> <479DDE73.40509@fsfe.org>
Message-ID: <479DDF67.5010200@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander W. Janssen wrote:
> Enigmail has some known and dodgy errors, especially when it comes to
> verifying signatures. I upgraded to the latest Enigmail nightly build
> which worked for me.

...on a related note you can just export the Email to a plaintext-file and try to run gpg --verify manually over that file to check if it's ok. I bet it'll be ok. If it's ok, it's a problem with Enigmail.

But upgrade Enigmail anyway.

Alex.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iQCVAwUBR53fIRYlVVSQ3uFxAQJf5wP9GKhW72tLtz6QAw9nVTvHLahJiaJdzSqd
gO4Rn/O3il8yzieH1uNrqeEaKVWosx3xuH3wA0Kx5GbfpWyeKF1hv6da/hmoN7EJ
PkaPxe67U+g2YbmLR0pyUDh2dyhLrMQ4AH/cx2wB4ccD5pQeMH1e0Rq5EbPfo1W4
8nDJVSfpGtk=
=iy4G
-----END PGP SIGNATURE-----

From sven at radde.name Mon Jan 28 15:03:24 2008
From: sven at radde.name (Sven Radde)
Date: Mon, 28 Jan 2008 15:03:24 +0100
Subject: keypair to/from armor format
In-Reply-To:
References:
Message-ID: <479DE0AC.8080404@radde.name>

Hi!

Steven Woody wrote:
> I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
> backup copy of my keypairs. I think I want hardcopy of my keys.

You may want to have a look at David Shaw's Paperkey :

HTH, Sven

From paul at pcartwright.com Tue Jan 29 20:12:28 2008
From: paul at pcartwright.com (Paul Cartwright)
Date: Tue, 29 Jan 2008 14:12:28 -0500
Subject: adding a simple email address to a key
Message-ID: <200801291412.33183.paul@pcartwright.com>

I am new on the list, so point me to the right documentation. I am using Debian Lenny, and I have Kgpg installed. right now I have a keypair for my main email address of paul (at) pcartwright.com

I wanted to add another email address to that key, ale (at) pcartwright.com

I'm not real sure of the sequence or path to take to accomplish this. I tried adding another uid, I tried adding a subkey. but both times I ended up with Kgpg showing the new email as the primary, instead of as uid#2.

thanks!

--
Paul Cartwright

From paul at pcartwright.com Wed Jan 30 00:44:58 2008
From: paul at pcartwright.com (Paul Cartwright)
Date: Tue, 29 Jan 2008 18:44:58 -0500
Subject: adding a new email to a key
In-Reply-To: <20080129231154.GB11438@jabberwocky.com>
References: <200801291511.06160.ale@pcartwright.com> <20080129231154.GB11438@jabberwocky.com>
Message-ID: <200801291845.01796.paul@pcartwright.com>

On Tue January 29 2008, David Shaw wrote:
> You want to add a new UID, as that is what contains an email address.
> A subkey is a different thing altogether.

got it.

>
> The reason the new UID is listed first is that, by default, GPG treats
> the most recent UID as the primary one. This is because the more
> recent email address generally is the more useful one.
>
> That said, you can change it via the "primary" command in the "gpg
> --edit-key" menu. I don't know if kgpg makes this command available
> via the GUI or not.

yes, the edit key in terminal has primary. SO, I added a new email, selected uid 1, then said "primary".. too easy!

>
> Note, though, that the notion of primary UID is almost completely
> cosmetic. It doesn't really matter much in practice which UID is listed
> first.

cosmetic, but it makes me feel better:)

thanks for the easy to follow instructions!

--
Paul Cartwright

From sinux at fsfe.org Wed Jan 30 13:54:55 2008
From: sinux at fsfe.org (Sebastien Chassot)
Date: Wed, 30 Jan 2008 13:54:55 +0100
Subject: adding a new email to a key
In-Reply-To: <200801291829.00520.ale@pcartwright.com>
References: <200801291511.06160.ale@pcartwright.com> <479FAA7E.9000702@sixdemonbag.org> <200801291829.00520.ale@pcartwright.com>
Message-ID: <1201697695.1015.88.camel@dell.sinux.seb>

On Tue, 2008-01-29 at 18:29 -0500, Paul Cartwright wrote:
> On Tue January 29 2008, you wrote:
> > I understand what you're saying, but I don't see the problem. If you
> > want to add another user ID (what people usually mean when they say "add
> > another email address"), then you add another user ID. Apparently from
> > your message, you can add user IDs just fine--so where's the problem?
> >
> > By default, GnuPG will always make a newly-created user ID the primary
> > user ID. However, this really shouldn't matter to you--what matters
> > most is that the user IDs you want listed on your key are on your key.
>
> I guess it is more a perception problem than an issue then. My concern was
> that my original key, the primary email address was changed. Both email
> addresses were still in the key, so I guess it isn't a problem so much as an
> aesthetic issue. Now I'll go back and add the UID for the second email,
> thanks for clarifying!
>

I had the same confusion at the beginning. I wanted to have one private key and two separate identities (one personal and one for work). There is no sense in that. The private key is your identity. You can have several emails but you're always "you" ;)

Having more than one email address means somebody knows, trusts and signs uid+email#1 and someone else knows, trusts and signs uid+email#2 but not necessarily uid+email#1. One uid can have several "web of trust" (identified by email address) and they're all listed in the public key.

You can generate two key-pairs (I don't know if it's a good idea?). One uid#1+email#2 and one uid#3+email#4, that's two identities, two public keys,...
much work, many problems, no sense(!?)...

--
Sebastien

From dshaw at jabberwocky.com Wed Jan 30 14:43:56 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 30 Jan 2008 08:43:56 -0500
Subject: UID order
In-Reply-To: <47A066FD.2090902@students.mimuw.edu.pl>
References: <47A066FD.2090902@students.mimuw.edu.pl>
Message-ID: <20080130134355.GB12180@jabberwocky.com>

On Wed, Jan 30, 2008 at 01:01:01PM +0100, "Stanisław T. Findeisen" wrote:
> Hello
>
> How to change UID order in (your own) key?

gpg --edit-key (the key id)
uid X (where X is the uid number you want to be the first)
primary
save

Note that this is really a cosmetic thing, and has little impact aside from that.

David

From ivalladt at gmail.com Wed Jan 30 15:01:59 2008
From: ivalladt at gmail.com (Ismael Valladolid Torres)
Date: Wed, 30 Jan 2008 15:01:59 +0100
Subject: UID order
In-Reply-To: <20080130134355.GB12180@jabberwocky.com>
References: <47A066FD.2090902@students.mimuw.edu.pl> <20080130134355.GB12180@jabberwocky.com>
Message-ID:

On Wed, Jan 30, 2008 at 2:43 PM, David Shaw wrote:
> Note that this is really a cosmetic thing, and has little impact aside
> from that.

I agree with this; indeed, many support requests on GnuPG just commit to cosmetic issues, just like that "I want to delete my public key from servers!"

From s_protsman at yahoo.com Wed Jan 30 23:17:58 2008
From: s_protsman at yahoo.com (Shawn Protsman)
Date: Wed, 30 Jan 2008 14:17:58 -0800 (PST)
Subject: export/import additional user id
Message-ID: <272151.43676.qm@web30802.mail.mud.yahoo.com>

I have a user that has two email addresses attached to their key:

pub 1024D/630934DC 2007-08-27
uid Mike
uid Mike
sub 2048g/113A7E70 2007-08-27

They exported with the following:

$ gpg --armor --ouput mike.asc --export Mike

When I import I only get mike.h at foobar.com and not the first one. Therefore I cannot encrypt to the first address. Any idea on what we are doing wrong? I've tried "--export mike at foo.com" and all sorts of combinations.

--Shawn

From dshaw at jabberwocky.com Thu Jan 31 00:31:56 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 30 Jan 2008 18:31:56 -0500
Subject: export/import additional user id
In-Reply-To: <272151.43676.qm@web30802.mail.mud.yahoo.com>
References: <272151.43676.qm@web30802.mail.mud.yahoo.com>
Message-ID: <20080130233156.GC15357@jabberwocky.com>

On Wed, Jan 30, 2008 at 02:17:58PM -0800, Shawn Protsman wrote:
> I have a user that has two email addresses attached to their key:
>
> pub 1024D/630934DC 2007-08-27
> uid Mike
> uid Mike
> sub 2048g/113A7E70 2007-08-27
>
> They exported with the following:
>
> $ gpg --armor --ouput mike.asc --export Mike
>
> When I import I only get mike.h at foobar.com and not the first
> one.

Both addresses are still there. It just doesn't show you both when you import.

David

From s_protsman at yahoo.com Thu Jan 31 02:02:49 2008
From: s_protsman at yahoo.com (Shawn Protsman)
Date: Wed, 30 Jan 2008 17:02:49 -0800 (PST)
Subject: export/import additional user id
Message-ID: <639486.4931.qm@web30805.mail.mud.yahoo.com>

My work around (which I hope there is a simpler way) was to extract the text I wanted to encrypt, paste it into a text file, encrypt that file with --armor, cut and paste the encrypted text out of the temporary file and back into the email, then send to the correct email address. I'd love to know of a more efficient way of doing this.

--Shawn

----- Original Message ----
From: Shawn Protsman
To: David Shaw
Sent: Wednesday, January 30, 2008 4:55:31 PM
Subject: Re: export/import additional user id

Thanks David,

That is fine but this still leaves me with a problem. I compose a new email message (in this case with Mail.app), select Encrypt, but cannot address it to the first email address because gpg doesn't seem to see that address in the keyring. I am forced to select the email address that I'd prefer not to use. Any ideas?

--Shawn

----- Original Message ----
From: David Shaw
To: gnupg-users at gnupg.org
Sent: Wednesday, January 30, 2008 3:31:56 PM
Subject: Re: export/import additional user id

On Wed, Jan 30, 2008 at 02:17:58PM -0800, Shawn Protsman wrote:
> I have a user that has two email addresses attached to their key:
>
> pub 1024D/630934DC 2007-08-27
> uid Mike
> uid Mike
> sub 2048g/113A7E70 2007-08-27
>
> They exported with the following:
>
> $ gpg --armor --ouput mike.asc --export Mike
>
> When I import I only get mike.h at foobar.com and not the first
> one.

Both addresses are still there. It just doesn't show you both when you import.

From dshaw at jabberwocky.com Thu Jan 31 02:17:27 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 30 Jan 2008 20:17:27 -0500
Subject: export/import additional user id
In-Reply-To: <639486.4931.qm@web30805.mail.mud.yahoo.com>
References: <639486.4931.qm@web30805.mail.mud.yahoo.com>
Message-ID: <20080131011726.GA25898@jabberwocky.com>

On Wed, Jan 30, 2008 at 05:02:49PM -0800, Shawn Protsman wrote:
> My work around (which I hope there is a simpler way) was to extract
> the text I wanted to encrypt, paste it into a text file, encrypt
> that file with --armor, cut and paste the encrypted text out of the
> temporary file and back into the email, then send to the correct
> email address. I'd love to know of a more efficient way of doing
> this.

Again, GPG supports any number of email addresses. If some other program that calls GPG chooses to ignore any after the first, there isn't much that GPG can do about it. Are you really sure that what is happening is what you think is happening? I'd be very surprised to hear that the Mail.app plugin only supported the first address.

David

From nikola.lecic at anthesphoria.net Thu Jan 31 02:37:10 2008
From: nikola.lecic at anthesphoria.net (Nikola Lečić)
Date: Thu, 31 Jan 2008 02:37:10 +0100
Subject: Orphaned secret subkeys
Message-ID: <20080131023710.2061a1d8@anthesphoria.net>

Hello,

[GnuPG-2.0.4 on FreeBSD]

I wasn't aware that one had to 'save' a key immediately after deleting a subkey (using delkey) in order to replace that subkey with a new one (using addkey). Now I have this situation:

%gpg --edit-key 7B063EAA
[...]
Secret key is available.

gpg: using PGP trust model
pub 2048R/7B063EAA created: 2008-01-30 expires: never usage: SCA
                   trust: ultimate validity: ultimate
sub 1024R/35E8152C created: 2008-01-30 expires: 2018-01-28 usage: S
sub 2048R/AE444AB1 created: 2008-01-30 expires: 2018-01-28 usage: A
sub 2048R/C0AD5BE4 created: 2008-01-31 expires: never usage: E
[ultimate] (1). ..........]

Command> toggle

sec 2048R/7B063EAA created: 2008-01-30 expires: never
ssb 1024R/35E8152C created: 2008-01-30 expires: never
ssb 2048R/AE444AB1 created: 2008-01-30 expires: never
ssb 1024g/FA352C19 created: 2008-01-30 expires: never <------
ssb 1024R/44EDC121 created: 2008-01-30 expires: never <------
sub 2048R/C0AD5BE4 created: 2008-01-30 expires: never

i.e. I have two orphaned secret subkeys. How can I delete them? And does their presence matter at all (because, although regenerable AFAIK, their public parts will never be exported to public keyserver)? Is this behaviour intentional?

--
Nikola Lečić :: ?????? ?????
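
Added example, not part of the original messages and not GnuPG code: one way to spot secret subkeys that have no public counterpart, as described in the message above, and to list every user ID a key carries (the point David Shaw makes in the export/import thread), by parsing `gpg --with-colons` listings. The sample listings are constructed, the long key IDs are placeholders whose last eight digits echo the short IDs quoted above, and the function names are hypothetical.

```python
# Constructed sample input in `gpg --with-colons` format (not real gpg output).
# Long key IDs are placeholders; only the last 8 hex digits echo the page.
PUBLIC_LISTING = """\
pub:u:2048:1:AAAAAAAA7B063EAA:2008-01-30:::u:Example User <one@example.org>::scaSCA:
uid:u::::2008-01-30::::Example User <two@example.org>:
sub:u:1024:1:AAAAAAAA35E8152C:2008-01-30:2018-01-28:::::s:
sub:u:2048:1:AAAAAAAAAE444AB1:2008-01-30:2018-01-28:::::a:
sub:u:2048:1:AAAAAAAAC0AD5BE4:2008-01-31::::::e:
"""
SECRET_LISTING = """\
sec:u:2048:1:AAAAAAAA7B063EAA:2008-01-30::::Example User <one@example.org>:::
ssb:u:1024:1:AAAAAAAA35E8152C:2008-01-30:::::::
ssb:u:2048:1:AAAAAAAAAE444AB1:2008-01-30:::::::
ssb:u:1024:16:AAAAAAAAFA352C19:2008-01-30:::::::
ssb:u:1024:1:AAAAAAAA44EDC121:2008-01-30:::::::
"""

def parse_colons(listing):
    """Return {primary_keyid: {"uids": [...], "subkeys": set()}}."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # not a key, subkey or uid record
        rec, keyid, userid = f[0], f[4], f[9]
        if rec in ("pub", "sec"):
            current = keys.setdefault(keyid, {"uids": [], "subkeys": set()})
            if userid:  # without --fixed-list-mode the primary UID rides here
                current["uids"].append(userid)
        elif current is None:
            continue  # stray record before any primary key
        elif rec == "uid":
            current["uids"].append(userid)  # left C-escaped, as gpg prints it
        elif rec in ("sub", "ssb"):
            current["subkeys"].add(keyid)
    return keys

def compare_keyrings(public_listing, secret_listing):
    """Per primary key, list subkey IDs present on only one side."""
    pub, sec = parse_colons(public_listing), parse_colons(secret_listing)
    report = {}
    for primary in sorted(set(pub) | set(sec)):
        p = pub.get(primary, {"subkeys": set()})["subkeys"]
        s = sec.get(primary, {"subkeys": set()})["subkeys"]
        report[primary] = {"secret_only": sorted(s - p),
                           "public_only": sorted(p - s)}
    return report

if __name__ == "__main__":
    print(compare_keyrings(PUBLIC_LISTING, SECRET_LISTING))
    print(parse_colons(PUBLIC_LISTING)["AAAAAAAA7B063EAA"]["uids"])
```

Real input for these functions comes from `gpg --with-colons --list-keys` and `gpg --with-colons --list-secret-keys`.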