From ramon.loureiro at upf.edu Thu May 1 00:25:51 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Thu, 01 May 2008 00:25:51 +0200
Subject: Revoking keys...
Message-ID: <4818F1EF.1020808@upf.edu>

Hi!
I'd like to delete one of the two emails associated to my KEYID
Do I need to revoke the KEY?
Does it mind that the key is "destroyed"?
What will happen with the signed emails I have sent?

Thanks in advance

___
ramon

From JPClizbe at tx.rr.com Thu May 1 00:46:18 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 30 Apr 2008 17:46:18 -0500
Subject: Merging trusts...
In-Reply-To: <4818BCFD.9070300@upf.edu>
References: <4818BCFD.9070300@upf.edu>
Message-ID: <4818F6BA.6040508@tx.rr.com>

Ramon Loureiro wrote:
>
> Hi!
> I'm new with GPG so excuse if my question is stupid or ridiculous...
> I use to read my IMAP email at home and at work. In both machines I use
> Enigmail with Thunderbird

Your question is neither stupid nor ridiculous.

> Is it possible to have an unique trustdb file, so that I've the same
> trusted signatures in both computers?
> Is there a way to synchronize them?

You can copy trustdb.gpg along with pubring.gpg and secring.gpg. It's a
good application for a USB drive: you can copy the files to the USB drive
and redirect GnuPG to use the keyring files on that drive.

You can copy the first set and then use --import to merge in the keys
from the second keyring to form the common keyring. You'll have to set
ownertrust individually, I don't believe there's a way to merge trustdb
values.

You'll want to use strong passphrases and keep a backup copy (or two) in
case the USB drive gets lost or damaged.

--
John P. Clizbe                 Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks           hkp:/keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From JPClizbe at tx.rr.com Thu May 1 00:54:50 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 30 Apr 2008 17:54:50 -0500
Subject: Revoking keys...
In-Reply-To: <4818F1EF.1020808@upf.edu>
References: <4818F1EF.1020808@upf.edu>
Message-ID: <4818F8BA.5080005@tx.rr.com>

Ramon Loureiro wrote:
>
> Hi!
> I'd like to delete one of the two emails associated to my KEYID
> Do I need to revoke the KEY?
> Does it mind that the key is "destroyed"?
> What will happen with the signed emails I have sent?

There is no need to revoke the key. All you need do is revoke the UID
with the email address you no longer wish associated with your key.

    gpg --edit-key 0x80c7d647

enter the number associated with the ID you wish to revoke. Then issue
the 'revuid' command and answer the confirmation question. 'save' to exit

--
John P. Clizbe                 Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks           hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From jmoore3rd at bellsouth.net Thu May 1 01:00:30 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Wed, 30 Apr 2008 19:00:30 -0400
Subject: Revoking keys...
In-Reply-To: <4818F1EF.1020808@upf.edu>
References: <4818F1EF.1020808@upf.edu>
Message-ID: <4818FA0E.80901@bellsouth.net>

Ramon Loureiro wrote:

> I'd like to delete one of the two emails associated to my KEYID
> Do I need to revoke the KEY?

These 2 Questions both require knowing whether You mean the actual Key
or User ID's on the Key. It might be important to Note here that a
single Key can support many different Email Addresses through the use of
multiple UID's. [User ID] There is no reason to create a separate Key
for each Email Address.

> Does it mind that the key is "destroyed"?

Yes, it matters! Without the Secret half of the Key a Revocation
Certificate _cannot_ be generated. Best Practice dictates that whenever
a Key is created/generated that a Revocation Certificate be immediately
created and stored in a Secure Location should the need to use it ever
arise. [this is particularly true if the reason revocation is needed is
due to a forgotten or compromised passphrase]

> What will happen with the signed emails I have sent?

Absolutely nothing.

JOHN ;)
Timestamp: Wednesday 30 Apr 2008, 18:57 --400 (Eastern Daylight Time)

From david at miradoiro.com Thu May 1 00:32:12 2008
From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=)
Date: Thu, 1 May 2008 00:32:12 +0200
Subject: Revoking keys...
References: <4818F1EF.1020808@upf.edu>
Message-ID: <002101c8ab12$0bd15b90$0302a8c0@Nautilus>

> I'd like to delete one of the two emails associated to my KEYID
> Do I need to revoke the KEY?

No, just revoke the ID. From the edit-key menu, choose the ID with uid n,
and then revsig iirc.

> What will happen with the signed emails I have sent?

They'll still verify OK I think.

--David.

From jmoore3rd at bellsouth.net Thu May 1 01:45:18 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Wed, 30 Apr 2008 19:45:18 -0400
Subject: Revoking keys...
In-Reply-To: <002101c8ab12$0bd15b90$0302a8c0@Nautilus>
References: <4818F1EF.1020808@upf.edu>
	<002101c8ab12$0bd15b90$0302a8c0@Nautilus>
Message-ID: <4819048E.6010606@bellsouth.net>

David Picón Álvarez wrote:

> No, just revoke the ID. From the edit-key menu, choose the ID with uid
> n, and then revsig iirc.

NOPE! The Command is revuid *not* revsig ;)

JOHN 8-)
Timestamp: Wednesday 30 Apr 2008, 19:44 --400 (Eastern Daylight Time)

From laurent.jumet at skynet.be Thu May 1 00:54:47 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu, 01 May 2008 00:54:47 +0200
Subject: Revoking keys...
In-Reply-To: <4818F1EF.1020808@upf.edu>
Message-ID:

Hello Ramon !

Ramon Loureiro wrote:

> I'd like to delete one of the two emails associated to my KEYID
> Do I need to revoke the KEY?
> Does it mind that the key is "destroyed"?
> What will happen with the signed emails I have sent?

In the --edit-key menu, you can use "deluid".
Note that it's not possible to delete an uid once it has been sent to
the public; you should then use "revuid".
The key itself is not affected. It would be in same conditions as above,
if you use "delkey" and "revkey".

--
Laurent Jumet
KeyID: 0xCFAF704C

From wk at gnupg.org Thu May 1 14:26:59 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 May 2008 14:26:59 +0200
Subject: Open Pgp Smartcard ssh authentication Woes :(
In-Reply-To: <4817665E.1030603@gmail.com> (Edward Robinson's message of
	"Tue, 29 Apr 2008 19:18:06 +0100")
References: <4817665E.1030603@gmail.com>
Message-ID: <874p9itdkc.fsf@wheatstone.g10code.de>

On Tue, 29 Apr 2008 20:18, eddrobinson at gmail.com said:

> identities'. I have done no end of fiddling to get this working. Here
> is a list of things that I think may be relevant and that I have

Please try this

  $ gpg-connect-agent
  SCD serialno

does it return something? Next test is to

  $ pkill scdaemon
  $ pkill scdaemon
  $ scdaemon --server --debug-ccid-driver --debug 2048
  serialno

You should get a lot of debugging output. Note that if you are using
"log-file" in scdaemon.conf, this will be redirected to that file (or
socket).

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Thu May 1 14:56:08 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 May 2008 14:56:08 +0200
Subject: Merging trusts...
In-Reply-To: <4818F6BA.6040508@tx.rr.com> (John Clizbe's message of
	"Wed, 30 Apr 2008 17:46:18 -0500")
References: <4818BCFD.9070300@upf.edu> <4818F6BA.6040508@tx.rr.com>
Message-ID: <87zlrarxnb.fsf@wheatstone.g10code.de>

On Thu, 1 May 2008 00:46, JPClizbe at tx.rr.com said:

> from the second keyring to form the common keyring. You'll have to set
> ownertrust individually, I don't believe there's a way to merge trustdb

There is an --export-ownertrust and an --import-ownertrust command. The
format they use is very straightforward but not officially documented:

  0011223344556677889900112233445566778899:1:
  fingerprint of the key                   ownertrust value

Merging two files is possible but you need to decide what to do with
different ownertrust values. Importing one after the other will
overwrite existing values. The code for export/import is in
g10/dbdump.c. The ownertrust values are:

  #define TRUST_MASK        15
  #define TRUST_UNDEFINED    2
  #define TRUST_NEVER        3
  #define TRUST_MARGINAL     4
  #define TRUST_FULLY        5
  #define TRUST_ULTIMATE     6
  /* Trust values not covered by the mask. */
  #define TRUST_FLAG_REVOKED        32 /* r: revoked */
  #define TRUST_FLAG_SUB_REVOKED    64 /* r: revoked but for subkeys */
  #define TRUST_FLAG_DISABLED      128 /* d: key/uid disabled */
  #define TRUST_FLAG_PENDING_CHECK 256 /* a check-trustdb is pending */

A merge strategy (A,B->R) for the ownertrust value might be:

  if( and( A , TRUST_MASK ) > and( B, TRUST_MASK ) ) {
     R = or( A , and( B, compl( TRUST_MASK )) )
  } else {
     R = or( B , and( A, compl( TRUST_MASK )) )
  }

That keeps the highest assigned ownertrust value as well as any revoked
and disabled flags. The above code snippet might work with a decent GNU
awk; just add a sort and duplicate fingerprint detection.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From laurent.jumet at skynet.be Thu May 1 16:10:59 2008
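The merge strategy from Werner Koch's "Merging trusts..." message above, written out in Python as an added example (not code from the thread or from GnuPG, and Python rather than the GNU awk he suggests). The fingerprint-length check, the conflict report and the two sample exports are assumptions constructed for illustration.

```python
import re

# Values quoted in the message above.
TRUST_MASK = 15            # low bits hold the assigned ownertrust level
TRUST_FLAG_REVOKED = 32
TRUST_FLAG_DISABLED = 128

# Assumption: a fingerprint is 40 hex digits (V4 key) or 32 (V3 key).
ENTRY = re.compile(r"^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{32}):(\d+):$")


def merge_value(a, b):
    """Keep the higher trust level plus the flag bits of both inputs."""
    if (a & TRUST_MASK) > (b & TRUST_MASK):
        return a | (b & ~TRUST_MASK)
    return b | (a & ~TRUST_MASK)


def parse_ownertrust(text):
    """Return {FINGERPRINT: value}; '#' comment lines and blanks are skipped."""
    table = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {number}: not 'fingerprint:value:': {line!r}")
        fpr, value = match.group(1).upper(), int(match.group(2))
        # A fingerprint repeated inside one file is folded with the same rule.
        table[fpr] = merge_value(table[fpr], value) if fpr in table else value
    return table


def merge_ownertrust(text_a, text_b):
    """Merge two exports.

    Returns (merged_text, conflicts). merged_text is sorted by fingerprint;
    conflicts lists (fingerprint, a, b, result) wherever the two files
    assigned different trust levels, so the choice can be reviewed.
    """
    a, b = parse_ownertrust(text_a), parse_ownertrust(text_b)
    merged, conflicts = {}, []
    for fpr in sorted(set(a) | set(b)):
        if fpr in a and fpr in b:
            merged[fpr] = merge_value(a[fpr], b[fpr])
            if (a[fpr] & TRUST_MASK) != (b[fpr] & TRUST_MASK):
                conflicts.append((fpr, a[fpr], b[fpr], merged[fpr]))
        else:
            merged[fpr] = a[fpr] if fpr in a else b[fpr]
    text = "".join(f"{fpr}:{value}:\n" for fpr, value in merged.items())
    return text, conflicts


# Constructed sample data: FPR_W is the placeholder fingerprint from the
# message; the others are made up.
FPR_W = "0011223344556677889900112233445566778899"
FPR_A, FPR_B, FPR_C = "A" * 40, "B" * 40, "C" * 40

HOME = (
    "# constructed sample: export from the home machine\n"
    f"{FPR_W}:6:\n"           # ultimate
    f"{FPR_A}:5:\n"           # fully
    f"{FPR_B}:3:\n"           # never
)
WORK = (
    "# constructed sample: export from the work machine\n"
    f"{FPR_W}:134:\n"         # ultimate + disabled flag (6 + 128)
    f"{FPR_A.lower()}:36:\n"  # marginal + revoked flag (4 + 32)
    f"{FPR_C}:5:\n"           # only known at work
)

if __name__ == "__main__":
    merged_text, disagreements = merge_ownertrust(HOME, WORK)
    print(merged_text, end="")
    for fpr, a, b, result in disagreements:
        print(f"# review {fpr}: {a} vs {b} -> kept {result}")
```

The merged text is in the same fingerprint:value: form, so it can be handed to --import-ownertrust on both machines; the conflict list shows where the two machines disagreed on the trust level.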
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu, 01 May 2008 16:10:59 +0200
Subject: Manual GnuPG 1.4.9 ...
Message-ID:

Hello !

Here you can download the manual for GnuPG 1.4.9 in a 14 pages
convenient mode for printing:

In PDF: http://users.skynet.be/laurent.jumet/MyMan_GnuPG-149.pdf
In .DOC: http://users.skynet.be/laurent.jumet/MyMan_GnuPG-149.doc

--
Laurent Jumet
KeyID: 0xCFAF704C

From sjlopezb at hackindex.com Thu May 1 16:19:39 2008
From: sjlopezb at hackindex.com (=?ISO-8859-15?Q?Santiago_Jos=E9_L=F3pez_Borraz=E1s?=)
Date: Thu, 01 May 2008 16:19:39 +0200
Subject: Manual GnuPG 1.4.9 ...
In-Reply-To:
References:
Message-ID: <4819D17B.8000102@foo.hackindex.es>

On 01/05/08 16:10, Laurent Jumet wrote:
> In PDF: http://users.skynet.be/laurent.jumet/MyMan_GnuPG-149.pdf
> In .DOC: http://users.skynet.be/laurent.jumet/MyMan_GnuPG-149.doc

Thanks!!!! :-)

--
Regards from Santiago José López Borrazás
Advanced knowledge of computer security.
Advanced knowledge of networks.

From mpant at ncsa.uiuc.edu Thu May 1 19:13:34 2008
From: mpant at ncsa.uiuc.edu (Meenal Pant)
Date: Thu, 01 May 2008 12:13:34 -0500
Subject: Version 4 / Version 3 keys
Message-ID: <4819FA3E.7050701@ncsa.uiuc.edu>

Are V3 keys commonly used or do all latest versions of GPG and PGP
support V4 keys only?

Thanks
Meenal

From mpant at ncsa.uiuc.edu Thu May 1 19:21:43 2008
From: mpant at ncsa.uiuc.edu (Meenal Pant)
Date: Thu, 01 May 2008 12:21:43 -0500
Subject: GPG warning for integrity protection
Message-ID: <4819FC27.8060007@ncsa.uiuc.edu>

Hello all,
When I decrypt a message I sometimes see this warning:

gpg: WARNING: message was not integrity protected

I read through the Open PGP RFC and understood that using MDC ensures
message integrity for encrypted messages. If I use MDC to encrypt
messages this warning will go away.

How can I use MDC for Public Key Encryption? Does the key have an MDC
flag that needs to be set during key generation?

Thanks
Meenal

From dshaw at jabberwocky.com Thu May 1 19:22:27 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 May 2008 13:22:27 -0400
Subject: Version 4 / Version 3 keys
In-Reply-To: <4819FA3E.7050701@ncsa.uiuc.edu>
References: <4819FA3E.7050701@ncsa.uiuc.edu>
Message-ID: <6156B98E-3041-4DE4-9DA9-B95F1E8839AC@jabberwocky.com>

On May 1, 2008, at 1:13 PM, Meenal Pant wrote:

> Are V3 keys commonly used or do all latest versions of GPG and PGP
> support V4 keys only?

GPG only generates V4 keys. V3 keys are supported, but only for
backwards compatibility. It is very strongly recommended that you don't
go down the V3 route. V3 is dead. Let it stay dead.

David

From JPClizbe at tx.rr.com Thu May 1 19:25:51 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 01 May 2008 12:25:51 -0500
Subject: Version 4 / Version 3 keys
In-Reply-To: <4819FA3E.7050701@ncsa.uiuc.edu>
References: <4819FA3E.7050701@ncsa.uiuc.edu>
Message-ID: <4819FD1F.20600@tx.rr.com>

Meenal Pant wrote:
> Are V3 keys commonly used or do all latest versions of GPG and PGP
> support V4 keys only?

For the present, V3 keys are still supported though there are strong
arguments for migrating away from them and to V4

--
John P. Clizbe                 Inet: JPClizbe(a)comcast DOT nyet
Ginger Bear Networks           hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From dshaw at jabberwocky.com Thu May 1 19:47:32 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 1 May 2008 13:47:32 -0400
Subject: GPG warning for integrity protection
In-Reply-To: <4819FC27.8060007@ncsa.uiuc.edu>
References: <4819FC27.8060007@ncsa.uiuc.edu>
Message-ID: <7A2C5DBF-E09A-42EC-96F1-81A6B8B2047A@jabberwocky.com>

On May 1, 2008, at 1:21 PM, Meenal Pant wrote:

> Hello all,
> When I decrypt a message I sometimes see this warning:
>
> gpg: WARNING: message was not integrity protected
>
> I read through the Open PGP RFC and understood that using MDC ensures
> message integrity for encrypted messages. If I use MDC to encrypt
> messages this warning will go away.
>
> How can I use MDC for Public Key Encryption ? Does the key have an MDC
> flag that needs to be set during key generation ?

Basically, yes. There is a flag on a key that tells GPG that it is safe
to use the MDC. If that flag isn't there, GPG doesn't use MDC as it
doesn't know if the recipient can handle it. (There are some exceptions
to this rule, but it is basically true).

To check if your key has the preference, run "gpg --edit-key (yourkey)"
and then "showpref". MDC, if enabled, will be on the line marked
"Features".

To enable MDC on a key that doesn't have it, you can use "setpref",
which allows you to set all your preferences for that key (cipher prefs,
hash prefs, compression prefs, MDC, etc).

David

From wk at gnupg.org Thu May 1 19:52:35 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 May 2008 19:52:35 +0200
Subject: GPG warning for integrity protection
In-Reply-To: <4819FC27.8060007@ncsa.uiuc.edu> (Meenal Pant's message of
	"Thu, 01 May 2008 12:21:43 -0500")
References: <4819FC27.8060007@ncsa.uiuc.edu>
Message-ID: <87zlr9rjx8.fsf@wheatstone.g10code.de>

On Thu, 1 May 2008 19:21, mpant at ncsa.uiuc.edu said:

> How can I use MDC for Public Key Encryption ? Does the key have an MDC
> flag that needs to be set during key generation ?

Right. Lacking such a flag you may use --force-mdc:

  @item --force-mdc
  Force the use of encryption with a modification detection code. This
  is always used with the newer ciphers (those with a blocksize greater
  than 64 bits), or if all of the recipient keys indicate MDC support in
  their feature flags.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From ramon.loureiro at upf.edu Fri May 2 09:14:58 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Fri, 02 May 2008 09:14:58 +0200
Subject: can GPG help me with SPAM?
Message-ID: <481ABF72.8030308@upf.edu>

Hi,
I'm receiving a lot of spam in my old email account...
I'm even receiving emails with my own old email as sender!! :-(

Is it a way to tell the sysadmin of this email provider to add some
kind of scripts for automatic sign all the outgoing emails (in the
name of the department)?
Or maybe the solution has nothing to do with GPG?

Thanks

___
ramon

From ramon.loureiro at upf.edu Fri May 2 09:38:25 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Fri, 02 May 2008 09:38:25 +0200
Subject: my signature does not verify!
In-Reply-To: <481ABF72.8030308@upf.edu>
References: <481ABF72.8030308@upf.edu>
Message-ID: <481AC4F1.90901@upf.edu>

Hi again!
I have just posted a msg to the list
~ http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033328.html
and when I have received my own email, my signature doesn't verify! :-(
Could you help me to see what I'm doing wrong?

I'm sending with Enigmail and this is what I'm getting in the console

-----------------------------------------------------------
enigmail> gpg.exe --charset utf8 --batch --no-tty --status-fd 2 -d
gpg: Signature made 05/02/08 09:14:52 using RSA key ID 80C7D647
gpg: BAD signature from "Ramon Loureiro "
enigmail.js: Enigmail.decryptMessageEnd: Error in command execution
-------------------------------------------------------------

Thanks again!

___
ramon

From ramon.loureiro at upf.edu Fri May 2 09:52:52 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Fri, 02 May 2008 09:52:52 +0200
Subject: playing with cryptography...
Message-ID: <481AC854.8060507@upf.edu>

Hi
I just have ask for an email certificate to thawte.com thinking that
it's handled like a GPG signature (I thought that I'll have something
like a GPG certified signature)
Now I have the certificate.... I have installed it in Explorer and
Firefox...-by the way, I don't understand why it is associated to the
browser and not to the email program-
I'm certified... but I don't know what can I do with this or how can
apply to my emails?

Once again, excuse my ignorance.

___
ramon

From shavital at mac.com Fri May 2 09:56:05 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 02 May 2008 03:56:05 -0400
Subject: my signature does not verify!
In-Reply-To: <481AC4F1.90901@upf.edu>
References: <481ABF72.8030308@upf.edu> <481AC4F1.90901@upf.edu>
Message-ID: <481AC915.3020104@mac.com>

Ramon Loureiro wrote the following on 5/2/08 3:38 AM:
>
> Hi again!
> I have just posted a msg to the list
> ~ http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033328.html
> and when I have received my own email, my signature doesn't verify! :-(
> Could you help me to see what I'm doing wrong?
>
> I'm sending with Enigmail and this is what I'm getting in the console
>
> -----------------------------------------------------------
> enigmail> gpg.exe --charset utf8 --batch --no-tty --status-fd 2 -d
> gpg: Signature made 05/02/08 09:14:52 using RSA key ID 80C7D647
> gpg: BAD signature from "Ramon Loureiro "
> enigmail.js: Enigmail.decryptMessageEnd: Error in command execution
> -------------------------------------------------------------
>
> Thanks again!
>
> ___
> ramon

Ramon,

In your above quoted message, your signature verifies:

Good signature from Ramon Loureiro
Key ID: 0x80C7D647 / Signed on: 5/2/08 3:38 AM
Key fingerprint: BE8E 5136 6A32 B5EF 0105 0DFB C559 2ACB 80C7 D647

In your previous message, about receiving a lot of spam, signature does
not verify:

gpg: Signature made Fri May 2 03:14:52 2008 EDT using RSA key ID 80C7D647
gpg: BAD signature from "Ramon Loureiro "

I have compared the raw source of both messages, and couldn't find any
significant difference. But there must be some, somewhere :-)

By the way, Thunderbird's current stable version is 2.0.0.14

Charly

MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9 -
Thunderbird 2.0.0.14 - Enigmail 0.95.6

From laurent.jumet at skynet.be Fri May 2 09:50:35 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Fri, 02 May 2008 09:50:35 +0200
Subject: my signature does not verify!
In-Reply-To: <481AC4F1.90901@upf.edu>
Message-ID:

Hello Ramon !

Ramon Loureiro wrote:

> @X-Mime-proxy: body=us-ascii
> @X-Original-Content-Transfer-Encoding: 7bit
> @X-Original-Content-Type: text/plain; charset="us-ascii"; Format="flowed"

> I have just posted a msg to the list
> ~ http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033328.html
> and when I have received my own email, my signature doesn't verify! :-(
> Could you help me to see what I'm doing wrong?

First message doesn't verify; this one has a good signature.
It's hard to say why a ClearSign doesn't verify.
In the headers above you can see that your message comes to us in 7bit
us-ascii, while I can suppose you were writing in something like
iso-8859-15.
Several charset translations occur during Internet travel. Who knows
what exactly happens?
I suggested a few months ago, to send ClearSign in Armored form; this
means no encryption but compression, and no problems with charsets. But
several people complained as their reader could not show the message.

--
Laurent Jumet
KeyID: 0xCFAF704C

From hidekis at gmail.com Fri May 2 09:27:24 2008
From: hidekis at gmail.com (Hideki Saito)
Date: Fri, 02 May 2008 00:27:24 -0700
Subject: can GPG help me with SPAM?
In-Reply-To: <481ABF72.8030308@upf.edu>
References: <481ABF72.8030308@upf.edu>
Message-ID: <481AC25C.4070201@gmail.com>

Hello Ramon,

GnuPG really won't help you there, unless person other-side has way to
verify your signature.
As GnuPG is just a standard command line program, technologically
speaking, as long as the mail server allows, it should be able to sign
the E-mail automatically. So it is probably technically possible,
however, if it is useful or not would be another question...

--
Hideki Saito

>
> Hi,
> I'm receiving a lot of spam in my old email account...
> I'm even receiving emails with my own old email as sender!! :-(
>
> Is it a way to tell the sysadmin of this email provider to add some
> kind of scripts for automatic sign all the outgoing emails (in the
> name of the department)?
> Or maybe the solution has nothing to do with GPG?
>
> Thanks
>
> ___
> ramon
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From shavital at mac.com Fri May 2 10:27:51 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 02 May 2008 04:27:51 -0400
Subject: playing with cryptography...
In-Reply-To: <481AC854.8060507@upf.edu>
References: <481AC854.8060507@upf.edu>
Message-ID: <481AD087.3020908@mac.com>

Ramon Loureiro wrote the following on 5/2/08 3:52 AM:

> Hi
> I just have ask for an email certificate to thawte.com thinking that
> it's handled like a GPG signature (I thought that I'll have something
> like a GPG certified signature)
> Now I have the certificate.... I have installed it in Explorer and
> Firefox...-by the way, I don't understand why it is associated to the
> browser and not to the email program-
> I'm certified... but I don't know what can I do with this or how can
> apply to my emails?
>
> Once again, excuse my ignorance.
>
> ___
> ramon

Ramon,

This message has again a bad signature:

gpg: Signature made Fri May 2 03:52:49 2008 EDT using RSA key ID 80C7D647
gpg: BAD signature from "Ramon Loureiro "

Thawte's certificates can be used both for signing and for encrypting,
using S/MIME, and they are not at all like gpg keys.

Your correspondent also must be using S/MIME to be able to verify your
signature, and to decrypt/encrypt using those certificates.

gpg 2.* is S/MIME compliant.

You should be able to import into Thunderbird the e-mail certificate
that was issued to you by Thawte: go to Account Settings/Security, and
try to use the available options.

As far as I am concerned, there's no ignorance here to be excused. I am
an ignorant empirical user, and I may be as ignorant, or more than most
of this list's learned members.

Take care,
Charly

MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9 -
Thunderbird 2.0.0.14 - Enigmail 0.95.6

From ramon.loureiro at upf.edu Fri May 2 10:50:37 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Fri, 02 May 2008 10:50:37 +0200
Subject: playing with cryptography...
In-Reply-To: <481AD087.3020908@mac.com>
References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com>
Message-ID: <481AD5DD.4020308@upf.edu>

Hi again!

Charly Avital wrote:
> Ramon Loureiro wrote the following on 5/2/08 3:52 AM:
>
>> Hi
>> I just have ask for an email certificate to thawte.com thinking that
>> it's handled like a GPG signature (I thought that I'll have something
>> like a GPG certified signature)
>> Now I have the certificate.... I have installed it in Explorer and
>> Firefox...-by the way, I don't understand why it is associated to the
>> browser and not to the email program-
>> I'm certified... but I don't know what can I do with this or how can
>> apply to my emails?
>>
>> Once again, excuse my ignorance.
>>
>> ___
>> ramon
>>
>
> Ramon,
>
> Thawte's certificates can be used both for signing and for encrypting,
> using S/MIME, and they are not at all like gpg keys.
>
> Your correspondent also must be using S/MIME to be able to verify your
> signature, and to decrypt/encrypt using those certificates.
>
> gpg 2.* is S/MIME compliant.
>
> You should be able to import into Thunderbird the e-mail certificate
> that was issued to you by Thawte: go to Account Settings/Security, and
> try to use the available options.
>
>
Great! I think I've got it!
(This msg should be MIME-signed with a Thawte certification)

> As far as I am concerned, there's no ignorance here to be excused. I am
> an ignorant empirical user, and I may be as ignorant, or more than most
> of this list's learned members.
>
:-)

Thanks

____
ramon

From claws at thewildbeast.co.uk Fri May 2 10:54:34 2008
From: claws at thewildbeast.co.uk (Paul)
Date: Fri, 2 May 2008 09:54:34 +0100
Subject: my signature does not verify!
In-Reply-To: <481AC4F1.90901@upf.edu>
References: <481ABF72.8030308@upf.edu> <481AC4F1.90901@upf.edu>
Message-ID: <20080502095434.46d89a60@thewildbeast>

On Fri, 02 May 2008 09:38:25 +0200
Ramon Loureiro wrote:

> Could you help me to see what I'm doing wrong?

Possibly MTA re-encoding broke the sig. It is safer to use BASE64
encoding rather than 7bit when sending msgs with inline sigs.

best regards

Paul

--
It isn't worth a nickel to two guys like you or me,
but to a collector it is worth a fortune

From david at miradoiro.com Fri May 2 10:19:54 2008
From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=)
Date: Fri, 2 May 2008 10:19:54 +0200
Subject: playing with cryptography...
References: <481AC854.8060507@upf.edu>
Message-ID: <000701c8ac2d$4e0e3980$0302a8c0@Nautilus>

With a certificate of this kind you can sign e-mail and decrypt e-mail
encrypted to you on the basis of S/MIME, which is a different protocol
from OpenPGP and incompatible with it. The pros of it is that it is
supported by mainstream MUAs, Outlook Express and MS Outlook, and the
Web of Trust issues are handled in a less flexible but simpler way (lots
of money to become accredited).

--David.

From ramon.loureiro at upf.edu Fri May 2 11:14:33 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro) Date: Fri, 02 May 2008 11:14:33 +0200 Subject: my signature does not verify! In-Reply-To: <481AD631.2070909@hammernoch.net> References: <481AD0E4.5080608@upf.edu> <481AD631.2070909@hammernoch.net> Message-ID: <481ADB79.6040805@upf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ludwig Hügelschäfer wrote: > On 02.05.2008 10:29, Ramon Loureiro wrote: >> Hi! >> I have just posted a msg to this list >> ~ http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033328.html >> and when I have received my own email, my signature doesn't verify! :-( >> Could you help me to see what I'm doing wrong? > > Please disable Format="flowed". See FAQ #8 > http://enigmail.mozdev.org/support/troubles.php Great! Solved! THANKS! ___ ramon loureiro -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) -----END PGP SIGNATURE----- From ramon.loureiro at upf.edu Fri May 2 11:31:02 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro) Date: Fri, 02 May 2008 11:31:02 +0200 Subject: my signature does not verify! In-Reply-To: <481ADB79.6040805@upf.edu> References: <481AD0E4.5080608@upf.edu> <481AD631.2070909@hammernoch.net> <481ADB79.6040805@upf.edu> Message-ID: <481ADF56.7050202@upf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oh! my God! That's the neverending story! it does not verify once again... - ------------------------------------------------------------- enigmail> gpg.exe --charset utf8 --batch --no - -tty --status-fd 2 -d gpg: invalid armor header: =20\r\n gpg: invalid armor header: =20\r\n enigmail.js: Enigmail.decryptMessageEnd: Error in command execution - ------------------------------------------------------------------------------ This has happened when replying to someone's msg... :-? ...I'm going to crypto-cry... ____ ramon Ramon Loureiro wrote: > Ludwig Hügelschäfer wrote: > > On 02.05.2008 10:29, Ramon Loureiro wrote: > >> Hi! > >> I have just posted a msg to this list > >> ~ http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033328.html > >> and when I have received my own email, my signature doesn't verify! :-( > >> Could you help me to see what I'm doing wrong? > > Please disable Format="flowed". See FAQ #8 > > http://enigmail.mozdev.org/support/troubles.php > Great! Solved! THANKS! > > ___ > ramon loureiro -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) -----END PGP SIGNATURE-----
From shavital at mac.com Fri May 2 11:50:41 2008 From: shavital at mac.com (Charly Avital) Date: Fri, 02 May 2008 05:50:41 -0400 Subject: playing with cryptography... In-Reply-To: <481AD5DD.4020308@upf.edu> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> Message-ID: <481AE3F1.9020102@mac.com> Ramon Loureiro wrote the following on 5/2/08 4:50 AM: [...] > Great! > I think I've got it! > (This msg should be MIME-signed with a Thawte certification) The raw source of your message shows: Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms080308040504070708000801 "x-pkcs7-signature" refers to Thawte's certificates "pkcs7" I have imported your certificate in my Keychain Access. I have verified your signature with another mail application, Apple's Mail, that reports your message as signed, and displays correctly the details of your certificate. Charly From ramon.loureiro at upf.edu Fri May 2 12:00:28 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro) Date: Fri, 02 May 2008 12:00:28 +0200 Subject: playing with cryptography... In-Reply-To: <481AE3F1.9020102@mac.com> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481AE3F1.9020102@mac.com> Message-ID: <481AE63C.4040109@upf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charly Avital wrote: >> Great! >> I think I've got it! >> (This msg should be MIME-signed with a Thawte certification) > > The raw source of your message shows: > Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; > micalg=sha1; boundary=------------ms080308040504070708000801 > > "x-pkcs7-signature" refers to Thawte's certificates "pkcs7" > > I have imported your certificate in my Keychain Access. > > I have verified your signature with another mail application, Apple's > Mail, that reports your message as signed, and displays correctly the > details of your certificate. > > Charly > > Thanks! I have set the "Always sign msgs" option in Thunderbird with the THAWTE certificate So, if I now sign also with GPG, it will be double-signed.... right? I don't know if it's useful or not... It must be something like signing the letter and the envelope... At least... is it compatible, both in technical and philosophical aspects?. :-? ___ ramon -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) -----END PGP SIGNATURE-----
From ramon.loureiro at upf.edu Fri May 2 12:55:56 2008 From: ramon.loureiro at upf.edu (Ramon Loureiro) Date: Fri, 02 May 2008 12:55:56 +0200 Subject: filtering signed email with thunderbird Message-ID: <481AF33C.8000105@upf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! Is it possible to make a thunderbird filter that save my signed msgs in some folder? What in the email header must the filter check to see it has a (valid) signature? Or must it look for "BEGIN PGP..." strings into the body of the msg? Cheers!!! ___ ramon -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) -----END PGP SIGNATURE----- From email at sven-radde.de Fri May 2 13:20:01 2008
From: email at sven-radde.de (Sven Radde) Date: Fri, 02 May 2008 13:20:01 +0200 Subject: filtering signed email with thunderbird In-Reply-To: <481AF33C.8000105@upf.edu> References: <481AF33C.8000105@upf.edu> Message-ID: <1209727201.6339.12.camel@carbon> Hi! On Friday, 02.05.2008, at 12:55 +0200, Ramon Loureiro wrote: > Is it possible to make a thunderbird filter that save my signed msgs > in > some folder? I don't think it's trivially possible (i.e. without coding something yourself), but I think it would be a great feature to add (to Enigmail?). > What in the email header must the filter check to see it has a (valid) > signature? The signature is not just some "valid" flag inserted into the email headers. Your mail client will perform a calculation on the email's body whenever you open it and then decide whether the mail was modified since it was signed. > Or must it look for "BEGIN PGP..." strings into the body of the msg? You can do that, but that filter would apply to every PGP-signed/-encrypted message, no matter whether the signature is valid or not. However, AFAIK you won't get anything that uses PGP/MIME with that filter. You would have to check for the corresponding Content-Type header for these messages. cu, Sven From mwood at IUPUI.Edu Fri May 2 17:54:20 2008
From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri, 2 May 2008 11:54:20 -0400 Subject: filtering signed email with thunderbird In-Reply-To: <1209727201.6339.12.camel@carbon> References: <481AF33C.8000105@upf.edu> <1209727201.6339.12.camel@carbon> Message-ID: <20080502155420.GB13444@IUPUI.Edu> Better to ask on a Thunderbird list. I think that the best way to tackle this problem will be independent of GnuPG and specific email formats. Thunderbird "knows" quite a lot about a message by the time it is ready to present it, and it is not unreasonable to ask that all of this knowledge be made available to filters. So rather than constructing elaborate match expressions for, what is it? three very different ways of signing mail, I'd suggest finding a way to just ask the guts of Thunderbird whether a message was signed, whether the signature was verified, what public key matched, and anything else your filter needs to make a good decision. If Thunderbird doesn't provide that kind of information to filters then it sounds like a nice subject for an extension. (Sorry, I only use Thunderbird when mutt isn't readily available, and never very elaborately, so I can't be more specific about it.) -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Typically when a software vendor says that a product is "intuitive" he means the exact opposite. From patrick at mozilla-enigmail.org Fri May 2 19:59:39 2008
From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Fri, 02 May 2008 19:59:39 +0200 Subject: filtering signed email with thunderbird In-Reply-To: <481AF33C.8000105__24121.5692287826$1209725927$gmane$org@upf.edu> References: <481AF33C.8000105__24121.5692287826$1209725927$gmane$org@upf.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ramon Loureiro wrote: > Hi! > > Is it possible to make a thunderbird filter that save my signed msgs in > some folder? > What in the email header must the filter check to see it has a (valid) > signature? > Or must it look for "BEGIN PGP..." strings into the body of the msg? Not really. Unfortunately Thunderbird doesn't allow to easily extend message filter for such purposes, that's why there is no such feature in Enigmail. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ -----END PGP SIGNATURE----- From bill.royds at Royds.net Fri May 2 23:55:17 2008
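An added example, not part of any message in this thread: a Python sketch of the header and body checks discussed above for sorting signed mail, using only the standard library. It reports which signing scheme a message carries (inline PGP, PGP/MIME, S/MIME), not whether the signature verifies; the sample messages, the address and the function names are constructed for illustration, and the opaque S/MIME case goes slightly beyond what the thread mentions.

```python
import re
from email import message_from_string
from email.mime.text import MIMEText

# "protocol" parameter of multipart/signed mapped to the signing scheme.
PROTOCOLS = {
    "application/pgp-signature": "pgp-mime",
    "application/pkcs7-signature": "smime",
    "application/x-pkcs7-signature": "smime",  # the value quoted in the thread
}
INLINE_RE = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----\s*$", re.M)


def signature_kinds(raw):
    """Return the sorted list of signing schemes present in a raw message.

    This only says a signature is *present*; deciding whether it is valid
    requires running the cryptographic check over the signed content.
    """
    kinds = set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            proto = str(part.get_param("protocol") or "").lower()
            kinds.add(PROTOCOLS.get(proto, "unknown-signed"))
        elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
            # Opaque S/MIME: the signed data travels inside the PKCS#7 blob.
            if str(part.get_param("smime-type") or "").lower() == "signed-data":
                kinds.add("smime")
        elif part.get_content_maintype() == "text":
            # decode=True undoes base64 / quoted-printable transfer encoding,
            # so the armor line is found even when the raw body hides it.
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            if INLINE_RE.search(payload.decode(charset, "replace")):
                kinds.add("pgp-inline")
    return sorted(kinds)


def naive_body_match(raw):
    """The plain string filter from the thread, applied to the raw source."""
    return "BEGIN PGP" in raw


# ---- constructed sample messages (no real signatures) ----
CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n\n"
    "Hello list\n"
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "(constructed placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)


def build_multipart_signed(protocol, body):
    """Build a minimal multipart/signed message with a placeholder signature."""
    return (
        "From: sender@example.org\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; protocol="{protocol}";\n'
        ' micalg=sha1; boundary="b1"\n'
        "\n--b1\n"
        "Content-Type: text/plain; charset=us-ascii\n\n"
        f"{body}"
        "--b1\n"
        f"Content-Type: {protocol}\n\n"
        "(placeholder)\n"
        "--b1--\n"
    )


# S/MIME wrapper around a clearsigned body: the "double-signed" case.
SMIME_AND_INLINE = build_multipart_signed(
    "application/x-pkcs7-signature", CLEARSIGNED)
PGP_MIME = build_multipart_signed("application/pgp-signature", "Hello list\n")
# MIMEText with a utf-8 charset emits a base64 body.
INLINE_BASE64 = MIMEText(CLEARSIGNED, "plain", "utf-8").as_string()
PLAIN = "From: sender@example.org\n\nHello list\n"

if __name__ == "__main__":
    for name in ("SMIME_AND_INLINE", "PGP_MIME", "INLINE_BASE64", "PLAIN"):
        print(name, signature_kinds(globals()[name]))
```

The base64 sample is the case a raw-text "BEGIN PGP" filter misses: the armor line only appears after the transfer encoding is undone.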
From: bill.royds at Royds.net (Bill Royds) Date: Fri, 2 May 2008 17:55:17 -0400 Subject: playing with cryptography... In-Reply-To: <481AD5DD.4020308@upf.edu> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> Message-ID: On 2-May-08, at 04:50 , Ramon Loureiro wrote: > Great! > I think I've got it! > (This msg should be MIME-signed with a Thawte certification) Yes, it was signed, by the Thawte issued signature. Basically a PKI-509 type signing is a tree of trust relationship, where the root of the tree is a set of certificate issuers that your browser or email program trusts whether you do or not. These then issue certificates to others who can issue certificates to more people etc. It is simpler because you leave the issue of who do you trust up to Microsoft or Mozilla or Apple. For example, your certificate was issued by Thawte whose certificate was embedded in the Apple Mail program that I use. So trusting your certificate means that I trust Apple (for embedding Thawte) and Thawte (who issued your certificate). The signature verifies that the sender is who he/she claims but does not verify that the contents of the message have not been altered. The PGP (GPG) model is that one only trusts certificate that come from someone you already trust or from someone that is trusted by someone who you trust etc. There is no implicit trust so it takes more effort to get that trust. It also verifies that the message has not been altered as well as providing a signing for the sending. I think the GPG model is more secure, but the other model is more profitable for the issuers. That is why it is implemented in browsers and email readers. P.S. Your Thawte certificate reads Signed (ramon.loureiro at upf.edu) Bill Royds From jmoore3rd at bellsouth.net Sat May 3 01:22:39 2008
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 02 May 2008 19:22:39 -0400 Subject: playing with cryptography... In-Reply-To: References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> Message-ID: <481BA23F.10700@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Bill Royds wrote: > Your Thawte certificate reads Signed (ramon.loureiro at upf.edu) This also doesn't mean that You really are Ramon Loureiro, since the Certificate doesn't carry Your _Name_ indicating that Other People have eyeballed You + Government Issued Documentation affirming that You actually are who You say You are. To accomplish this You will need to accomplish several Face-to-Face meetings with other Thawte Assurers who 'vouch' [by granting points through Thawte] that they have confirmed Your Identity. I only know that I have an x.509 Key that may be used to Send an S/MIME Encrypted to the Email Address on the Certificate. :( Basically, I still have to 'trust' You at face value. All that is certain is that Thawte has confirmed Somebody controls this particular email Address. :-\ JOHN ;) Timestamp: Friday 02 May 2008, 19:22 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4754: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE-----
From mwood at IUPUI.Edu Sat May 3 02:42:53 2008 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri, 2 May 2008 20:42:53 -0400 Subject: playing with cryptography... In-Reply-To: References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> Message-ID: <20080503004253.GA30016@IUPUI.Edu> On Fri, May 02, 2008 at 05:55:17PM -0400, Bill Royds wrote: > Basically a PKI-509 type signing is a tree of trust relationship, where the > root of the tree is a set of certificate issuers that your browser or email > program trusts whether you do or not. These then issue certificates to "whether you do or not" is not strictly correct, I think. It sure looks to me like I could delete some or all of the root certificates that my browser came with, and then keys from certificates which chain back to those removed roots would no longer be implicitly trusted. I've never yet heard of anyone who *did* that, mind you, so in practice the system seems to work as you say. But I don't see why it has to. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Typically when a software vendor says that a product is "intuitive" he means the exact opposite. From jmoore3rd at bellsouth.net Sat May 3 05:25:30 2008
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 02 May 2008 23:25:30 -0400 Subject: playing with cryptography... In-Reply-To: <20080503004253.GA30016@IUPUI.Edu> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <20080503004253.GA30016@IUPUI.Edu> Message-ID: <481BDB2A.80007@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Mark H. Wood wrote: > "whether you do or not" is not strictly correct, I think. It sure > looks to me like I could delete some or all of the root certificates > that my browser came with, and then keys from certificates which chain > back to those removed roots would no longer be implicitly trusted. You can also 'Edit' the Trust for any Root Certificate and even decide just what uses You choose to 'Trust' it for. [Software, Messaging, etc.] At least this capability is available within the Firefox Certificate Manager. JOHN ;) Timestamp: Friday 02 May 2008, 23:24 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4754: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From wk at gnupg.org Sat May 3 09:34:02 2008
From: wk at gnupg.org (Werner Koch) Date: Sat, 03 May 2008 09:34:02 +0200 Subject: playing with cryptography... In-Reply-To: (Bill Royds's message of "Fri, 2 May 2008 17:55:17 -0400") References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> Message-ID: <87od7nn8np.fsf@wheatstone.g10code.de> On Fri, 2 May 2008 23:55, bill.royds at Royds.net said: > The PGP (GPG) model is that one only trusts certificate that come > from someone you already trust or from someone that is trusted by > someone who you trust etc. There is no implicit trust so it takes more As usual I have to mention that what you mean is the Web of Trust (WoT) as used by default in PGP and GPG. In contrast to X.509, OpenPGP allows the use of any kind of trust model with its framework. Salam-Shalom, Werner -- Thoughts are free. Exceptions are governed by a federal law. From CronoCloud at mchsi.com Sat May 3 09:49:38 2008 From: CronoCloud at mchsi.com (Ron Rogers Jr.) Date: Sat, 3 May 2008 02:49:38 -0500 Subject: my signature does not verify! In-Reply-To: <481ADF56.7050202@upf.edu> References: <481AD0E4.5080608@upf.edu> <481AD631.2070909@hammernoch.net> <481ADB79.6040805@upf.edu> <481ADF56.7050202@upf.edu> Message-ID: <20080503024938.05effad0@mchsi.com> On Fri, 02 May 2008 11:31:02 +0200 Ramon Loureiro wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Oh! my God! > That's the neverending story! > > it does not verify once again... If you're going to use PGP/Inline make certain that your mail client uses BASE64 encoding for such messages. That will ensure that the MTA doesn't mess up message, preventing verification. Ron Rogers Jr. (CronoCloud) From reynt0 at cs.albany.edu Sat May 3 22:05:49 2008
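An added illustration, not from any poster in this thread: one way an error like the `invalid armor header: =20` reported earlier can arise is a clearsigned body that still carries quoted-printable transfer encoding when it reaches the OpenPGP parser. The sample message is constructed, the function names are hypothetical, and the header check is a simplified stand-in for a real parser; it treats a whitespace-only line as the blank separator, as RFC 4880 section 6.2 allows.

```python
import quopri
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
# Armor headers have the form "Key: value" and end at the first blank line.
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S.*$")
# "=XX" escapes or a trailing "=" (soft line break) left in the text.
QP_RESIDUE_RE = re.compile(r"=[0-9A-F]{2}|=$", re.M)


def first_bad_armor_header(text):
    """Return the first invalid armor header line, or None if all are valid.

    Scans the lines after the BEGIN line until the blank separator line.
    """
    lines = text.replace("\r\n", "\n").split("\n")
    if BEGIN not in lines:
        raise ValueError("no clearsigned BEGIN line found")
    for line in lines[lines.index(BEGIN) + 1:]:
        if line.strip() == "":
            return None          # blank (or whitespace-only) line: headers end
        if not HEADER_RE.match(line):
            return line          # e.g. "=20": an encoded single space
    raise ValueError("armor header section never terminated")


def has_qp_residue(text):
    """True if the text still looks quoted-printable encoded."""
    return QP_RESIDUE_RE.search(text) is not None


def decode_qp(text):
    """Undo quoted-printable transfer encoding (ASCII sample text only)."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


# Constructed sample: the separator line held one space, which quoted-printable
# transport turned into "=20"; a soft line break ("=" at end of line) splits
# a long line. The signature block is a placeholder, not a real signature.
DAMAGED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "=20\n"
    "it does not verify once again...=20\n"
    "This has happened when replying to some=\n"
    "one's msg...\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(constructed placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print("raw text     :", repr(first_bad_armor_header(DAMAGED)))
    print("after decode :", repr(first_bad_armor_header(decode_qp(DAMAGED))))
```

A header check like this only explains the parse failure; whether the decoded text still verifies depends on the body reaching the verifier byte-for-byte as it was signed.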
From: reynt0 at cs.albany.edu (reynt0) Date: Sat, 3 May 2008 16:05:49 -0400 (EDT) Subject: playing with cryptography... In-Reply-To: <481BA23F.10700@bellsouth.net> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> Message-ID: On 02 May 2008 jmoore3rd at bellsouth.net wrote: . . . > This also doesn't mean that You really are Ramon Loureiro, since the > Certificate doesn't carry Your _Name_ indicating that Other People have > eyeballed You + Government Issued Documentation affirming that You > actually are who You say You are. To accomplish this You will need to . . . > still have to 'trust' You at face value. All that is certain is that > Thawte has confirmed Somebody controls this particular email Address. A few minor, picky points, FWIW: 1. Of course, the trustworthiness of anything claiming to be Government Issued Documentation always has to be evaluated (as do governments, too, I suppose). (Maybe the old village midwife who delivered you and can identify your legendary unique secret birthmark can better identify you as the missing Crown Prince than the present government can ;^} .) 2. Is it "certain" that "Thawte has confirmed", or is it *claimed* that Thawte has confirmed? 3. Of course, Thawte's confirmation process is however trustworthy or not as it may be, which has to be evaluated. From Apple at royds.net Sat May 3 22:39:41 2008
From: Apple at royds.net (Bill Royds) Date: Sat, 3 May 2008 16:39:41 -0400 Subject: playing with cryptography... In-Reply-To: <87od7nn8np.fsf@wheatstone.g10code.de> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <87od7nn8np.fsf@wheatstone.g10code.de> Message-ID: <4760B0FB-E235-470E-B3AB-4A78C9E4B812@royds.net> On 3-May-08, at 03:34 , Werner Koch wrote: > > As usual I have to mention that what you mean is the Web of Trust > (WoT) > as used by default in PGP and GPG. In contrast to X.509, OpenPGP > allows > the use of any kind of trust model with its framework. Yes, you are correct. The WoT model was developed by Phil Zimmermann for PGP but OpenPGP has expanded on it. That is one reason that OpenPGP is better than X.509, which forces you to a single trust model, and to trust unknown certifiers. Are you sure that you trust the Government of Taiwan to certify web sites for SSL as Firefox does by default? From jmoore3rd at bellsouth.net Sat May 3 22:43:28 2008
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat, 03 May 2008 16:43:28 -0400 Subject: playing with cryptography... In-Reply-To: References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> Message-ID: <481CCE70.8020901@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 reynt0 wrote: > A few minor, picky points, FWIW: > 1. Of course, the trustworthyness of anything claiming > to be Government Issued Documentation always has to be > evaluated (as do governments, too, I suppose). As a General Rule it is hoped that Passports are checked for Identity Authentication by the issuing Authority. I know that when I am 'confirming' the Identity of an Individual I require that I be shown a narrow selection of Documentation. Documents that I am comfortable with the level of difficulty of forgery. This is why it takes presentation of 'Proof of Identity' to several folks to obtain a Named Certificate. > 2. Is it "certain" that "Thawte has confirmed", or is it > *claimed* that Thawte has confirmed? They 'Ping' the Email Address to confirm control of it. > 3. Of course, Thawte's confirmation process is however > trustworthy or not as it may be, which has to be evaluated. Which is why the level of Trust in any Certificate may be Edited by the End User. But all this discussion of x.509 Certificates is somewhat far afield from the purpose of this particular List. If everyone here was comfortable with S/MIME then We wouldn't be using GnuPG. 
JOHN ;) Timestamp: Saturday 03 May 2008, 16:42 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4754: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From suluhit at gmail.com Sun May 4 00:51:53 2008 From: suluhit at gmail.com (Su Lu) Date: Sat, 3 May 2008 17:51:53 -0500 Subject: Question about GnuPG Smartcard Message-ID: <481cec8c.0261220a.305d.ffff8470@mx.google.com> Hello All, I am currently working on GnuPG Smartcard, and I am wondering whether it is allowed for a GnuPG Smartcard to store multiple 1024/2048 bit RSA keys. Thanks a lot! Best regards, Su Lu suluhit at gmail.com 2008-05-03 From suluhit at gmail.com Sat May 3 23:58:04 2008 From: suluhit at gmail.com (Su Lu) Date: Sat, 3 May 2008 16:58:04 -0500 Subject: Question about GnuPG Smartcard Message-ID: <481cdfee.2cf0220a.72fd.6185@mx.google.com> Hello All, I am currently working on GnuPG Smartcard, and I am wondering whether it is allowed for a GnuPG Smartcard to store multiple 1024/2048 bit RSA keys. Thanks a lot! Best regards, Su Lu suluhit at gmail.com 2008-05-03 From dshaw at jabberwocky.com Sun May 4 04:00:29 2008
From: dshaw at jabberwocky.com (David Shaw) Date: Sat, 3 May 2008 22:00:29 -0400 Subject: Question about GnuPG Smartcard In-Reply-To: <481cdfee.2cf0220a.72fd.6185@mx.google.com> References: <481cdfee.2cf0220a.72fd.6185@mx.google.com> Message-ID: <4F0B6A06-3155-4887-A9B3-B16FA7ED769D@jabberwocky.com> On May 3, 2008, at 5:58 PM, Su Lu wrote: > Hello All, > > I am currently working on GnuPG Smartcard, and I am wondering > whether it is allowed for a GnuPG Smartcard to store multiple > 1024/2048 bit RSA keys. Thanks a lot! The smartcard can store 3 1024-bit RSA keys. It cannot store a 2048-bit key. David From alon.barlev at gmail.com Sun May 4 07:00:18 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 4 May 2008 08:00:18 +0300 Subject: Question about GnuPG Smartcard In-Reply-To: <481cdfee.2cf0220a.72fd.6185@mx.google.com> References: <481cdfee.2cf0220a.72fd.6185@mx.google.com> Message-ID: <9e0cf0bf0805032200p738bce3bh9ab4b1081d5d5f56@mail.gmail.com> Hello, You can check out gnupg-pkcs11-scd [1], it does allow more keys (1024/2048) for gpgsm and 2048 key for gpg. Alon. [1] http://gnupg-pkcs11.sourceforge.net On 5/4/08, Su Lu wrote: > Hello All, > > I am currently working on GnuPG Smartcard, and I am wondering whether it is allowed for a GnuPG Smartcard to store multiple 1024/2048 bit RSA keys. Thanks a lot! > > Best regards, > > Su Lu > suluhit at gmail.com > 2008-05-03 From jquinn at cs.oberlin.edu Sun May 4 20:40:48 2008
From: jquinn at cs.oberlin.edu (Jameson "Chema" Quinn) Date: Sun, 4 May 2008 12:40:48 -0600 Subject: RFC4880 format without using keyrings? In-Reply-To: References: Message-ID: I am programming in python (Sugar/OLPC) and would like to take a private key (-----BEGIN DSA PRIVATE KEY-----... in a file) and a file and output a signature of that file using that key, in valid RFC4880 format (including extra signed data). Later, I'd like to check that same signature using the public key - again, just a file, starting with ssh-dss. Is there any way to do this with GPG - that is, to use gpg for signing, without having any keyrings or any "identity", just some keys as generated for ssh? If so, how? If not, can anybody recommend a python module that outputs RFC4880 format, or comment on whether this one can be trusted for security? Jameson From wk at gnupg.org Mon May 5 08:45:18 2008 From: wk at gnupg.org (Werner Koch) Date: Mon, 05 May 2008 08:45:18 +0200 Subject: Question about GnuPG Smartcard In-Reply-To: <4F0B6A06-3155-4887-A9B3-B16FA7ED769D@jabberwocky.com> (David Shaw's message of "Sat, 3 May 2008 22:00:29 -0400") References: <481cdfee.2cf0220a.72fd.6185@mx.google.com> <4F0B6A06-3155-4887-A9B3-B16FA7ED769D@jabberwocky.com> Message-ID: <87od7ll05d.fsf@wheatstone.g10code.de> On Sun, 4 May 2008 04:00, dshaw at jabberwocky.com said: > The smartcard can store 3 1024-bit RSA keys. It cannot store a > 2048-bit key. That depends on the actual card. GnuPG implements a specification and allows all key sizes. There are some restrictions due to the limited size of an APDU. The forthcoming revision of the spec will declare how to work with keys requiring longer APDUs. Salam-Shalom, Werner -- Thoughts are free. Exceptions are governed by a federal law. From mkinni at calpoly.edu Mon May 5 09:18:19 2008
From: mkinni at calpoly.edu (Matt Kinni) Date: Mon, 05 May 2008 00:18:19 -0700 Subject: how long should a password be? Message-ID: <481EB4BB.8030209@calpoly.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Everyone says it should be as long as possible, but there comes a point where it's just impossible to remember anything longer than 20 characters. What do you think? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) -----END PGP SIGNATURE----- From noiano at x-privat.org Mon May 5 09:40:03 2008 From: noiano at x-privat.org (Noiano) Date: Mon, 05 May 2008 09:40:03 +0200 Subject: how long should a password be? In-Reply-To: <481EB4BB.8030209__28471.0334883586$1209972138$gmane$org@calpoly.edu> References: <481EB4BB.8030209__28471.0334883586$1209972138$gmane$org@calpoly.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Matt Kinni wrote: > Everyone says it should be as long as possible, but there comes a point > where it's just impossible to remember anything longer than 20 > characters. What do you think? Well IMHO you should merge together some significant (just for you!) events, hard to forget, and turn them into a password. It should be - - longer >= 25 IMHO - - nonsense in any language to avoid dictionary attack - - contain special character such as !?$?()... Noiano -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) -----END PGP SIGNATURE----- From email at sven-radde.de Mon May 5 10:05:07 2008
From: email at sven-radde.de (Sven Radde)
Date: Mon, 05 May 2008 10:05:07 +0200
Subject: how long should a password be?
In-Reply-To: <481EB4BB.8030209@calpoly.edu>
References: <481EB4BB.8030209@calpoly.edu>
Message-ID: <481EBFB3.4070107@sven-radde.de>

Hi!

Matt Kinni wrote:
> Everyone says it should be as long as possible (...) What do you think?

You might find this interesting read:

Also keep in mind that in order to attack your password, an attacker
would first have to access your secret keyring (unless you use GnuPg
for symmetric encryption).

As to what I think personally, around 15 pretty random characters
would be quite enough for my threat model. I don't expect the NSA to
throw all their supercomputers at cracking my passphrase, though ;-)

HTH, Sven

From faramir.cl at gmail.com Mon May 5 10:08:02 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 05 May 2008 04:08:02 -0400
Subject: how long should a password be?
In-Reply-To:
References: <481EB4BB.8030209__28471.0334883586$1209972138$gmane$org@calpoly.edu>
Message-ID: <481EC062.605@gmail.com>

> Noiano wrote:
> Matt Kinni wrote:
> > Everyone says it should be as long as possible, but there comes a point
> > where it's just impossible to remember anything longer than 20
> > characters. What do you think?
>
> .....
> - longer >= 25 IMHO
> - nonsense in any language to avoid dictionary attack
> - contain special character such as !?$?()...
>

That brings another related question: is there any character
unsupported by GnuPG? I ask this because once I was using an application,
and I tried to use "special" characters in the password, but the app
rejected the users saying "wrong password", so I had to use just normal
characters. Is there a chance that problem can happen with GnuPG?

From wolf.canis at googlemail.com Mon May 5 10:34:44 2008
From: wolf.canis at googlemail.com (Wolf Canis)
Date: Mon, 05 May 2008 10:34:44 +0200
Subject: how long should a password be?
In-Reply-To: <481EBFB3.4070107@sven-radde.de>
References: <481EB4BB.8030209@calpoly.edu> <481EBFB3.4070107@sven-radde.de>
Message-ID: <481EC6A4.9010803@googlemail.com>

Sven Radde wrote:
> Hi!
>
> Matt Kinni wrote:
>> Everyone says it should be as long as possible (...) What do you think?
> You might find this interesting read:
>

Interesting article, thanks for the link. :-)

>
> Also keep in mind that in order to attack your password, an attacker
> would first have to access your secret keyring (unless you use GnuPg
> for symmetric encryption).
>
> As to what I think personally, around 15 pretty random characters
> would be quite enough for my threat model. I don't expect the NSA to
> throw all their supercomputers at cracking my passphrase, though ;-)

Don't you think that 8 characters is enough, especially in reference
of the article mentioned above? I think one really important factor is
that one doesn't have only one password. The ideal would be a different
password for every account. To achieve that, IMHO, you need a system
which would give you the ability to remember those passwords.

W. Canis

From rjh at sixdemonbag.org Mon May 5 10:36:16 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 05 May 2008 03:36:16 -0500
Subject: how long should a password be?
In-Reply-To: <481EB4BB.8030209@calpoly.edu>
References: <481EB4BB.8030209@calpoly.edu>
Message-ID: <481EC700.80305@sixdemonbag.org>

Matt Kinni wrote:
> Everyone says it should be as long as possible

Not at all. At some point the passphrase becomes stronger than the
symmetric encryption algorithm. Then it's time to stop.

> where it's just impossible to remember anything longer than 20
> characters. What do you think?

I think if you can't remember a phrase longer than 20 characters, you
should seek immediate psychiatric help. :)

Throwing out just a few memorable phrases, all substantially longer than
20 characters:

* They gave me a medal for dreaming of you.
  (Leonard Cohen, _Book of Longing_)
* Beware the fury of a patient man.
  (John Dryden, _Absalom and Achitophel_)
* The worst are filled with passionate intensity.
  (William Butler Yeats, _The Second Coming_)
* listen: there's a hell of a good universe next door; let's go
  (e.e. cummings, _pity this busy monster, manunkind_)
* Come with me, ladies and gentlemen who are in any wise weary of
  London: come with me: and those that tire at all of the world we
  know: for we have new worlds here.
  (Lord Dunsany, _Prelude to the Book of Wonder_)
* Vor allem: pflanze mich nicht in dein Herz. Ich wächse zu schnell.
  (Rainer Maria Rilke, _Sonnets to Orpheus_ 16.)

As these examples will hopefully show you, there's no shortage of
magnificent, easy-to-remember passphrases.

... and why, yes, I _do_ have a liberal-arts degree. Would you like
fries with that? :)

From rjh at sixdemonbag.org Mon May 5 10:42:19 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 05 May 2008 03:42:19 -0500
Subject: how long should a password be?
In-Reply-To: <481EC062.605@gmail.com>
References: <481EB4BB.8030209__28471.0334883586$1209972138$gmane$org@calpoly.edu> <481EC062.605@gmail.com>
Message-ID: <481EC86B.4050705@sixdemonbag.org>

Faramir wrote:
> That brings another related question: is there any character
> unsupported by GnuPG? I ask this because once I was using an application,
> and I tried to use "special" characters in the password, but the app
> rejected the users saying "wrong password", so I had to use just normal
> characters. Is there a chance that problem can happen with GnuPG?

This is a good question, but unfortunately there's a lot more to it than
that.

As far as GnuPG goes, you aren't entering characters at all. You're just
entering bytes of data which it processes to create a symmetric key.
GnuPG can probably accommodate pretty much any character set, as long as
it's not _totally_ ridiculous.

However, if you're using a front-end (GPGshell, WinPT, Enigmail, etc.),
then you might want to ask about what character set the front-end is
using. If the front-end is using a Cyrillic character set but your
console is using Latin-1, it is possible that things could get a bit
messed up as the two applications talk to each other. You might think
you're entering the letter R, but is that a Cyrillic or a Latin R? The
two don't encode the same way.

Moral of the story: character sets aren't a problem, but making sure
everything is speaking the same charset can be a problem.

From wolf.canis at googlemail.com Mon May 5 09:55:06 2008
From: wolf.canis at googlemail.com (Wolf Canis)
Date: Mon, 05 May 2008 09:55:06 +0200
Subject: how long should a password be?
In-Reply-To: <481EB4BB.8030209@calpoly.edu>
References: <481EB4BB.8030209@calpoly.edu>
Message-ID: <481EBD5A.1030601@googlemail.com>

Matt Kinni wrote:
> Everyone says it should be as long as possible, but there comes a point
> where it's just impossible to remember anything longer than 20
> characters. What do you think?

Hello,

I would say a password should be between 8 - 12 characters long. But that
isn't that important. Eight characters is long enough if you apply these
rules:

a) All characters allowed - a-z, A-Z, 0-9, all special characters
b) Have a system:

For example: Take a sentence as basis for your passphrase:

Sentence (Clue): This is my 1st sentence as basis for very long passphrase!

The resulting passphrase could be:

    Tim1ssabfvlp!
OR  hsysesaoeoa!
OR  !Tpilmv1fsba
and so on

You get it? There are infinite possibilities. That's the trick. Not the
length of a password is decisive but the quality. The quality of your
password decides how much effort is necessary to hack it.

Hope that helps.

W. Canis

From andy.mcknight at gmail.com Mon May 5 10:15:51 2008
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Mon, 5 May 2008 09:15:51 +0100
Subject: GPG 1.4.9 false verification
Message-ID:

Hi Guys,

I'm new to GPG so I'm not sure if this is a problem or if it's by design
but it's possible to modify a clearsigned message/document and still have
it verify.

When I sign a document GPG adds the two header lines
"-----BEGIN PGP SIGNED MESSAGE-----" and "Hash: SHA1" followed by a blank
line. I can add any text I wish into the blank line without affecting the
verification of the signature. Changing anything else breaks verification.

Is this behaviour by design? Are GPG users supposed to be aware that this
line is untrusted?

Andy.

From harakiri_23 at yahoo.com Mon May 5 11:27:43 2008
From: harakiri_23 at yahoo.com (Harakiri)
Date: Mon, 5 May 2008 02:27:43 -0700 (PDT)
Subject: [REPOST] LDAP Basic Auth not working for key search, keyserver-options ignored!
Message-ID: <747136.54469.qm@web52210.mail.re2.yahoo.com>

Hello,

following the example here :
http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html

i used the binddn and bindpw option to do a simple auth against an ldap
server

    gpg.exe --keyserver ldap://localhost --keyserver-options "binddn=\"uid=someuser\"" --keyserver-options bindpw=somepw --keyserver-options verbose --search-keys somemail

However - neither binddn nor bindpw is passed to the ldap server - my
LDAP Server is disabled for anonymous bind so gpg returns an error about
insufficient access rights - i debugged the ldap server and gpg never
calls a bind/lookup with the credentials just :

    Search Request
        Base Object : 'cn=pgpServerInfo'
        Scope : base object
        Deref Aliases : never Deref Aliases
        Size Limit : no limit
        Time Limit : no limit
        Types Only : false
        Filter : '(objectClass=*)'
        Attributes : pgpBaseKeySpaceDN, software, version

What is wrong? LDAP Server Basic Auth is working fine for other clients
like outlook, thunderbird etc when searching for x509 from the same
server

I'm using gnupg 1.49

Thanks

From rjh at sixdemonbag.org Mon May 5 11:44:32 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 05 May 2008 04:44:32 -0500
Subject: GPG 1.4.9 false verification
In-Reply-To:
References:
Message-ID: <481ED700.5060601@sixdemonbag.org>

Andy McKnight wrote:
> Is this behaviour by design? Are GPG users supposed to be aware that
> this line is untrusted?

The behavior is specified by RFC4880 and is not a security risk.

As an example, I have a small CSS file here that I have clearsigned.
The opening looks like:

    *-----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    Hello, World!
    /*************************************************************************
    Enigmail New Site - Main CSS (for SCREEN display on recent browsers)

(I've added an asterisk to the beginning of the -----BEGIN block, to
prevent mail clients from misreading it as a real OpenPGP stanza.)

Now I try to verify it with:

    job:~ rjh$ gpg main.css.asc
    gpg: invalid armor header: Hello, World!\n
    File `main.css' exists. Overwrite? (y/N) y
    gpg: Signature made Mon May 5 04:38:51 2008 CDT using RSA key ID FEAF8109
    gpg: Good signature from "Robert J. Hansen "
    gpg: aka "Robert J. Hansen"

Looking at the top of main.css, what I see is:

    /*************************************************************************
    Enigmail New Site - Main CSS (for SCREEN display on recent browsers)
    ...

The injected text is stripped. It is never presented to the user as
verified text.

If a mail client presents the original message, rather than the message
as GnuPG has verified it, then that is a major HCI issue. I would suggest
filing a bug with the maintainer of your mail client.

From andy.mcknight at gmail.com Mon May 5 12:03:53 2008
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Mon, 5 May 2008 11:03:53 +0100
Subject: GPG 1.4.9 false verification
In-Reply-To: <481ED700.5060601@sixdemonbag.org>
References: <481ED700.5060601@sixdemonbag.org>
Message-ID:

>
> The behavior is specified by RFC4880 and is not a security risk.
>
>

Hi,

I was testing this with the --verify switch only so I didn't see the
final output with the stripped headers. Thanks for clearing this up.

Your point regarding my mail client was interesting though. I use the
web interface of Gmail with the firegpg plugin. I thought I'd look at
this in a bit more detail.

Sending the below message to me verifies as good through firegpg.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is some tested verification text.
    - --
    key id: 0x6A8BAF97
    fingerprint: 0AF9 F0A4 52D2 9775 F996 2027 41AD C31B 6A8B AF97
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (MingW32)
    Comment: http://getfiregpg.org

    iEYEARECAAYFAkge2nUACgkQQa3DG2qLr5f0XwCfaZFqPy/Mx5IcydFkHX2Ytr0k
    MCMAoIGuwXlUuQo8ZQfBGA/pyXmCPphy
    =/gr1
    -----END PGP SIGNATURE-----

I then used the same message but modified the last header line after
signing but before sending.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    Hi, this is my modified line.
    This is some tested verification text.
    - --
    key id: 0x6A8BAF97
    fingerprint: 0AF9 F0A4 52D2 9775 F996 2027 41AD C31B 6A8B AF97
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (MingW32)
    Comment: http://getfiregpg.org

    iEYEARECAAYFAkge2nUACgkQQa3DG2qLr5f0XwCfaZFqPy/Mx5IcydFkHX2Ytr0k
    MCMAoIGuwXlUuQo8ZQfBGA/pyXmCPphy
    =/gr1
    -----END PGP SIGNATURE-----

This also verifies good through firegpg with no message regarding an
incorrect header. I'd guess as nothing is stripped and no header warning
is given this may be more of an issue?

Andy.

From ramon.loureiro at upf.edu Mon May 5 12:14:18 2008
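An added example, not part of any message in this thread and not code from GnuPG or FireGPG: a strict check a mail front-end could run on the RFC 4880 cleartext framing before showing a "good signature" result, so that text placed in the armor header area is never displayed as signed. The sample is constructed from the message quoted in the thread with the signature data replaced by a placeholder; the function name, the returned field names and the exact placement of the injected line are assumptions.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# RFC 4880 section 7 specifies only "Hash" armor headers in this position.
HASH_HEADER = re.compile(r"Hash: ([A-Za-z0-9-]+(?:,\s*[A-Za-z0-9-]+)*)")


def check_clearsigned(message):
    """Split a cleartext-signed message into header area and covered text.

    Returns a dict with:
      hashes        - digest names announced in Hash headers
      nonconforming - lines in the header area that are not Hash headers
      text          - dash-unescaped text to display, or None when the
                      header area is not clean (strict policy: refuse)
    This inspects framing only; it does not verify the signature.
    """
    lines = message.splitlines()
    if BEGIN_MSG not in lines:
        raise ValueError("not a cleartext-signed message")
    i = lines.index(BEGIN_MSG) + 1

    hashes, nonconforming = [], []
    # Header area: everything up to the first empty line.
    while i < len(lines) and lines[i].strip() != "" and lines[i] != BEGIN_SIG:
        m = HASH_HEADER.fullmatch(lines[i].rstrip())
        if m:
            hashes += [h.strip() for h in m.group(1).split(",")]
        else:
            nonconforming.append(lines[i])
        i += 1
    if i < len(lines) and lines[i].strip() == "":
        i += 1  # skip the single empty separator line

    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        # Undo dash-escaping: a leading "- " is not part of the text.
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i >= len(lines):
        raise ValueError("no signature block found")

    text = "\n".join(body) if not nonconforming else None
    return {"hashes": hashes, "nonconforming": nonconforming, "text": text}


# Constructed sample based on the message quoted in the thread.
ORIGINAL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is some tested verification text.
- --
key id: 0x6A8BAF97
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

(signature data omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

INJECTED = "Hi, this is my modified line."
# Variant 1: injected line added before the empty separator line.
MODIFIED_BEFORE_BLANK = ORIGINAL.replace(
    "Hash: SHA1\n\n", "Hash: SHA1\n" + INJECTED + "\n\n")
# Variant 2: injected line typed into the separator line itself.
MODIFIED_IN_BLANK = ORIGINAL.replace(
    "Hash: SHA1\n\n", "Hash: SHA1\n" + INJECTED + "\n")

if __name__ == "__main__":
    for name, msg in [("original", ORIGINAL),
                      ("before blank", MODIFIED_BEFORE_BLANK),
                      ("in blank", MODIFIED_IN_BLANK)]:
        report = check_clearsigned(msg)
        print(name, "->", report["nonconforming"] or "header area clean")
```

A front-end that displays only `text`, and refuses when `nonconforming` is non-empty, never shows the injected line next to a verification result.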
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Mon, 05 May 2008 12:14:18 +0200
Subject: GPG in several computers
In-Reply-To: <481832F9.3010004@sixdemonbag.org>
References: <48178DC5.1090509@googlemail.com> <4817AF1C.4080909@bellsouth.net> <48182BEA.7040205@upf.edu> <481832F9.3010004@sixdemonbag.org>
Message-ID: <481EDDFA.2040401@upf.edu>

hi!

Robert J. Hansen wrote:
> Ramon Loureiro wrote:
>
>> I'm new with GPG and Enigmail.
>> I use my email at home and at work, and there in more than one computer...
>> How can I handle my GPG?
>
> The first question is, "which operating systems do you use?" The
> instructions are a little simpler if they're all the same, but you can
> do it across different operating systems without much work.
>
> For instance, on UNIX and OS X, GnuPG keeps its data in a directory
> called $HOME/.gnupg. On Windows, it's somewhere else -- it's in one
> place on Vista and one on XP. The Windows guys here will undoubtedly
> tell you right where you can find it. :)
>
> Once you know what directory to look in, copy the files pubring.gpg,
> secring.gpg and trustdb.gpg from your first machine to the appropriate
> directory on the second machine. Also copy the file gpg.conf if it's there.
>
> Do not copy the file called random_seed. Copying that file can have
> very bad effects on the security of the system.
>

I think I can't import.
Attached you can find an image with the screen capture of the error...

    buffer shorter than subpacket
    signature packet without keyid
    signature packet without timestamp

Suggestions are welcome...
Thanks!

ramon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error-importing.jpg
Type: image/jpeg
Size: 25341 bytes
Desc: not available
URL:

From faramir.cl at gmail.com Mon May 5 12:46:40 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 05 May 2008 06:46:40 -0400
Subject: How trust works in gpg...
In-Reply-To: <20080415174533.GE56745@jabberwocky.com>
References: <200804142205.59132.prlewis@letterboxes.org> <48049BFF.nail56411UIHS@mailshack.com> <4804A994.6020508@sven-radde.de> <200804151433.08557.prlewis@letterboxes.org> <20080415174533.GE56745@jabberwocky.com>
Message-ID: <481EE590.5000707@gmail.com>

> David Shaw wrote:
> .....
> If someone wants to sign your key, you then end up with:
>
> KEY + UID + SELFSIG + SIG
>
> So SELFSIG is you saying "I bind this KEY and UID together", and SIG
> is the other person saying "Me too".
>
> If you add another UID at this point, you have:
>
> KEY + UID + SELFSIG + SIG + UID + SELFSIG
>
> Now, note that the other person hasn't made any statement about
> whether the second UID is valid. YOU have, but then, it's your key:
> you can make any statement you like. It only becomes believable when
> someone else adds their "me too".
>

I was reading again this message, and I'd like to know: is there any
point about signing a key _but not giving any trusted status_ ?

From email at sven-radde.de Mon May 5 13:20:34 2008
From: email at sven-radde.de (Sven Radde)
Date: Mon, 05 May 2008 13:20:34 +0200
Subject: How trust works in gpg...
In-Reply-To: <481EE590.5000707@gmail.com>
References: <200804142205.59132.prlewis@letterboxes.org> <48049BFF.nail56411UIHS@mailshack.com> <4804A994.6020508@sven-radde.de> <200804151433.08557.prlewis@letterboxes.org> <20080415174533.GE56745@jabberwocky.com> <481EE590.5000707@gmail.com>
Message-ID: <481EED82.1080200@sven-radde.de>

Faramir wrote:
> I was reading again this message, and I'd like to know: is there any
> point about signing a key _but not giving any trusted status_ ?

Yes.

Signing the key makes it valid for you (i.e. you believe that the person
indicated in the key's User-IDs is the person who actually has control
over the secret key).

Assigning trust to a key means that you believe that the person owning
the secret key is careful before he/she signs other people's keys (i.e.
you consider other keys valid if they are signed by that person without
checking the UID yourself).

It can very well be the case that you are sure that a key is valid but
you do not trust the owner to make this kind of assertion about other
keys. Think of a long time friend whose key you have gotten during a
personal meeting but about who you know that he doesn't understand the
GnuPG trust concept at all. You can obviously sign his key, but you
wouldn't trust any signatures on other people's keys by him.

HTH, Sven

From wolf.canis at googlemail.com Mon May 5 15:02:39 2008
From: wolf.canis at googlemail.com (Wolf Canis)
Date: Mon, 05 May 2008 15:02:39 +0200
Subject: how long should a password be?
In-Reply-To: <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net>
Message-ID: <481F056F.2080505@googlemail.com>

Bill Royds wrote:
>
> On 5-May-08, at 03:55 , Wolf Canis wrote:
>
>> There are infinite possibilities. That's the trick. Not the length of a
>> password is decisive but the quality. The quality of your password
>> decides how much effort is necessary to hack it.
>
> Unfortunately that is not true. Since most systems use a single byte
> for each character in a passphrase, there are only 2^(8*n) bits in an n
> character passphrase.
> So there are only 64 bits in an 8 character password, which can be
> cracked quite quickly using rainbow tables for any password.

That's right, but I think there is a misunderstanding. The quote to
which you refer refers not to the bit depiction but to the possibilities
to create _and_ remember passwords and if one wants a 50 character long
password - with the method, which I described as an example, it's
possible. If you can remember fairy tales well, for example, then I would
suggest that you use this ability. What I try to say is, that every user
has to develop his/her own individual method.

>
> The real problem is allowing multiple attempts to crack the passphrase
> and this only occurs if your secret keyring is available to the cracker.
>
> Basically, any password you can remember is easy to crack, so don't
> let the keyring ever be in a position for someone to try.

That's absolutely true and I assumed that the secret keyring is _not_
available to the cracker. If a cracker has the opportunity to conduct
multiple, perhaps unlimited, attempts - then nothing is secure.

Hopefully I could clarify this.

W. Canis

From dshaw at jabberwocky.com Mon May 5 15:06:02 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 May 2008 09:06:02 -0400
Subject: How trust works in gpg...
In-Reply-To: <481EE590.5000707@gmail.com>
References: <200804142205.59132.prlewis@letterboxes.org> <48049BFF.nail56411UIHS@mailshack.com> <4804A994.6020508@sven-radde.de> <200804151433.08557.prlewis@letterboxes.org> <20080415174533.GE56745@jabberwocky.com> <481EE590.5000707@gmail.com>
Message-ID:

On May 5, 2008, at 6:46 AM, Faramir wrote:

>> David Shaw wrote:
>> .....
>> If someone wants to sign your key, you then end up with:
>>
>> KEY + UID + SELFSIG + SIG
>>
>> So SELFSIG is you saying "I bind this KEY and UID together", and SIG
>> is the other person saying "Me too".
>>
>> If you add another UID at this point, you have:
>>
>> KEY + UID + SELFSIG + SIG + UID + SELFSIG
>>
>> Now, note that the other person hasn't made any statement about
>> whether the second UID is valid. YOU have, but then, it's your key:
>> you can make any statement you like. It only becomes believable when
>> someone else adds their "me too".
>>
> I was reading again this message, and I'd like to know: is there any
> point about signing a key _but not giving any trusted status_ ?

Absolutely. You signing a key means that you believe the key to belong
to who it claims to belong to. You are certifying the mapping between
person (or auto-signing robot, or...) and the key.

Giving trusted status to the key means that you trust that
person/robot/etc to sign other keys.

You signing a key makes that key "valid" in GPG. You signing a key and
assigning trust to it makes other keys *they* sign (potentially) valid.

David

From apple at royds.net Mon May 5 14:18:01 2008
From: apple at royds.net (Bill Royds)
Date: Mon, 5 May 2008 08:18:01 -0400
Subject: how long should a password be?
In-Reply-To: <481EBD5A.1030601@googlemail.com>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com>
Message-ID: <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net>

On 5-May-08, at 03:55 , Wolf Canis wrote:

> There are infinite possibilities. That's the trick. Not the length of a
> password is decisive but the quality. The quality of your password
> decides how much effort is necessary to hack it.

Unfortunately that is not true. Since most systems use a single byte
for each character in a passphrase, there are only 2^(8*n) bits in an n
character passphrase.
So there are only 64 bits in an 8 character password, which can be
cracked quite quickly using rainbow tables for any password.

The real problem is allowing multiple attempts to crack the passphrase
and this only occurs if your secret keyring is available to the cracker.

Basically, any password you can remember is easy to crack, so don't
let the keyring ever be in a position for someone to try.

From faramir.cl at gmail.com Mon May 5 15:19:03 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 05 May 2008 09:19:03 -0400
Subject: How trust works in gpg...
In-Reply-To: <481EED82.1080200@sven-radde.de>
References: <200804142205.59132.prlewis@letterboxes.org> <48049BFF.nail56411UIHS@mailshack.com> <4804A994.6020508@sven-radde.de> <200804151433.08557.prlewis@letterboxes.org> <20080415174533.GE56745@jabberwocky.com> <481EE590.5000707@gmail.com> <481EED82.1080200@sven-radde.de>
Message-ID: <481F0947.50309@gmail.com>

> Sven Radde wrote:
> Faramir wrote:
>> I was reading again this message, and I'd like to know: is there any
>> point about signing a key _but not giving any trusted status_ ?
> Yes.
> Signing the key makes it valid for you (i.e. you believe that the person indicated in the key's User-IDs is the person who actually has control over the secret key).
> Assigning trust to a key means that you believe that the person owning the secret key is careful before he/she signs other people's keys (i.e. you consider other keys valid if they are signed by that person without checking the UID yourself).
>
> It can very well be the case that you are sure that a key is valid but you do not trust the owner to make this kind of assertion about other keys.
> Think of a long time friend whose key you have gotten during a personal meeting but about who you know that he doesn't understand the GnuPG trust concept at all. You can obviously sign his key, but you wouldn't trust any signatures on other people's keys by him.
>
> HTH, Sven

I got the idea now, thanks. But I still have one more question: there
are also some levels of how much valid is the key I am signing... or at
least, some levels about how carefully I have checked the key is valid,
so, what is the requisite for each level? I am using an email address
that clearly doesn't show my real name, and my key's User ID also
doesn't give any personal detail about me, but somebody can trust it is
"me" the one that is writing this message, and also can trust I am not
impersonating someone else, so would it be ok if that person sign my key
as 100% valid?

What I am really asking about, is what is the "standard" way to choose
what level to use when signing a key, and if is "normal" to sign the key
of other people in this list.

Regards

From wk at gnupg.org Mon May 5 16:30:41 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 05 May 2008 16:30:41 +0200
Subject: how long should a password be?
In-Reply-To: <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> (Bill Royds's message of "Mon, 5 May 2008 08:18:01 -0400")
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net>
Message-ID: <871w4gj01a.fsf@wheatstone.g10code.de>

On Mon, 5 May 2008 14:18, apple at royds.net said:

> So there are only 64 bits in an 8 character password, which can be
> cracked quite quickly using rainbow tables for any password.

That is unlikely to work because gpg uses a random 64 bit salt as well
as extended hashing.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From vedaal at hush.com Mon May 5 17:41:15 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 05 May 2008 11:41:15 -0400
Subject: how long should a password be?
Message-ID: <20080505154115.DAB8111803E@mailserver5.hushmail.com>

Robert J. Hansen rjh at sixdemonbag.org wrote on Mon May 5 10:36:16 CEST 2008 :

>> Everyone says it should be as long as possible

>Not at all. At some point the passphrase becomes stronger than the
>symmetric encryption algorithm. Then it's time to stop.

so, assuming 95 keyboard possibilities
(excluding special characters, but including 'space' as a possibility)

[95^19 = (3.77)(10^37)] < [2^128 = (3.40)(10^38)] < [95^20 = (3.58)(10^39)]

and

[95^38 = (1.42)(10^75)] < [2^256 = (1.15)(10^77)] < [95^39 = (1.35)(10^77)]

(approximate estimations, truncating after 2 significant digits)

so, for the passphrase to be as secure as a 128 bit block cipher,
it needs to have 20 random keyboard characters

and for it to be as secure as a 128 bit cipher,
it needs to have 39 random keyboard characters

i don't know what the correction factor needs to be if someone uses
non-random long passphrases of dictionary words, or a string acronym of
memorable sentences

--btw

a nice way to include special characters, is to use equations or
programming notation as part of the passphrase

example:

e=m(c^2)

(here we have a unique luxury :-)
the equation doesn't have to be *valid*, just *memorable*)

in crypto, RSA c = m^e mod n

so e=mc2 becomes:

e = m [(m^e)^2 mod n] = m [m^2e mod n] = [e = m^(2e+1) mod n]

(not being 'picky' about squaring the mod n in the nonsense equation :-))

many similar memorable nonsense equations as well as obfuscated perl
one-liners, can be imagined by the geeky mind ;-)

vedaal

any ads or links below this message are added by hushmail without my
endorsement or awareness of the nature of the link

From dshaw at jabberwocky.com Mon May 5 19:55:57 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 May 2008 13:55:57 -0400
Subject: how long should a password be?
In-Reply-To: <481EBFB3.4070107@sven-radde.de>
References: <481EB4BB.8030209@calpoly.edu> <481EBFB3.4070107@sven-radde.de>
Message-ID: <8C22CDFF-A4B1-4BC2-BDED-B7BE4FF23E09@jabberwocky.com>

On May 5, 2008, at 4:05 AM, Sven Radde wrote:

> Hi!
>
> Matt Kinni wrote:
>> Everyone says it should be as long as possible (...) What do you
>> think?
> You might find this interesting read:
>

That's a good article. See this also: . It gives a way of easily
generating and (fairly) easily remembering long passphrases.

> Also keep in mind that in order to attack your password, an attacker
> would first have to access your secret keyring (unless you use GnuPg
> for symmetric encryption).

This is very true and very important. The passphrase is really the
protection of last resort, and only comes into play after the secret key
is already lost. Simply locking your front door gives a layer of
protection here, and there are many other ways to prevent access to a
secret key so the passphrase never even gets tested.

David

From yalla at fsfe.org Tue May 6 00:09:22 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Tue, 06 May 2008 00:09:22 +0200
Subject: Question about GnuPG Smartcard
In-Reply-To: <87od7ll05d.fsf@wheatstone.g10code.de>
References: <481cdfee.2cf0220a.72fd.6185@mx.google.com> <4F0B6A06-3155-4887-A9B3-B16FA7ED769D@jabberwocky.com> <87od7ll05d.fsf@wheatstone.g10code.de>
Message-ID: <481F8592.7060709@fsfe.org>

Werner Koch wrote:
> On Sun, 4 May 2008 04:00, dshaw at jabberwocky.com said:
>
>> The smartcard can store 3 1024-bit RSA keys. It cannot store a 2048-bit key.
>
> That depends on the actual card. GnuPG implements a specification and
> allows all key sizes. There are some restrictions due to the limited
> size of an APDU. The forthcoming revision of the spec will declare how
> to work with keys requiring longer APDUs.

I think I remember that 2048-bit RSA cards might be available soon...
Was that by PPC Card? Any news on that?

Cheers, Alex.

P.S.: The list behaves... er... odd. Sometimes it sets the sender to
gnupg-users-bounces+$user at gnupg.org (where user == emailaddress),
sometimes it's just set to gnupg-users-bounces at gnupg.org. What's that
about?

From yalla at fsfe.org Tue May 6 00:03:12 2008
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Tue, 06 May 2008 00:03:12 +0200
Subject: [Fwd: Re: Question about GnuPG Smartcard]
Message-ID: <481F8420.3080700@fsfe.org>

(Had some very odd message from the MTA... sorry if this is a repost. Not sure if my original posting made it to the list.)

Werner Koch wrote:
> On Sun, 4 May 2008 04:00, dshaw at jabberwocky.com said:
>
>> The smartcard can store 3 1024-bit RSA keys. It cannot store a 2048-bit key.
>
> That depends on the actual card. GnuPG implements a specification and
> allows all key sizes. There are some restrictions due to the limited
> size of an APDU. The forthcoming revision of the spec will declare how
> to work with keys requiring longer APDUs.

I think I remember that 2048-bit RSA cards might be available soon... Was that by PPC Card? Any news on that?

Cheers, Alex.

P.S.: The list behaves... er... odd. Sometimes it sets the sender to gnupg-users-bounces+$user at gnupg.org (where user == emailaddress), sometimes it's just set to gnupg-users-bounces at gnupg.org. What's that about?

From faramir.cl at gmail.com Tue May 6 04:58:51 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 05 May 2008 22:58:51 -0400
Subject: how long should a password be?
In-Reply-To: <871w4gj01a.fsf@wheatstone.g10code.de>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de>
Message-ID: <481FC96B.4010205@gmail.com>

> Werner Koch wrote:
> On Mon, 5 May 2008 14:18, apple at royds.net said:
>
>> So there are only 64 bits in an 8 character password, which can be
>> cracked quite quickly using rainbow tables for any password.
>
> That is unlikely to work because gpg uses a random 64 bit salt as well
> as extended hashing.
>
>
> Salam-Shalom,
>
> Werner

I never knew how salt works, but I am not sure if I should ask here, or in the PGP-Basics list...

From email at sven-radde.de Tue May 6 07:29:20 2008
From: email at sven-radde.de (Sven Radde)
Date: Tue, 06 May 2008 07:29:20 +0200
Subject: how long should a password be?
In-Reply-To: <481FC96B.4010205@gmail.com>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de> <481FC96B.4010205@gmail.com>
Message-ID: <1210051760.6354.11.camel@carbon>

Hi!

On Monday, 05.05.2008, at 22:58 -0400, Faramir wrote:
> >> So there are only 64 bits in an 8 character password, which can be
> >> cracked quite quickly using rainbow tables for any password.
> >
> > That is unlikely to work because gpg uses a random 64 bit salt as well
> > as extended hashing.
>
> I never knew how does salt work, but I am not sure if I should ask
> here, or in the PGP-Basics list...

A salt essentially makes precomputed rainbow tables useless.

A rainbow table consists of two columns, "password" and "hashed password" and is filled by hashing a great number of passwords. Now, if you know only the hash of a password, just look it up in the rainbow table to get the original password.

If a salt is being used, the hash is not computed as, e.g., SHA1(password), but rather SHA1(salt+password). The salt is a random number that does not need to be kept secret.

This way, even if you have a rainbow table for SHA1 ready, and even if the password is in there, you cannot find it by looking up the hashed value of the password, as a given password can hash to many different values, depending on the salt used.

You would have to extend your rainbow table by a third column that contains salt values, which would tremendously increase the size of the table. Say, if you want 1 million passwords in your rainbow table, a table without salt would simply have 1 million entries. With a 64 bit salt, the table would have to be expanded to 1 million * 2^64 entries, because you need to take every combination of hash+password into account.

HTH, Sven

From email at sven-radde.de Tue May 6 10:13:39 2008
From: email at sven-radde.de (Sven Radde)
Date: Tue, 06 May 2008 10:13:39 +0200
Subject: Duplicity
Message-ID: <48201333.10908@sven-radde.de>

Hello all,

Following, in a way, the discussion about "How long should a passphrase be?", I am currently trying to come up with a sensible backup scheme using duplicity.

Duplicity creates full and incremental backups of local files, encrypts them using GnuPG and moves them to a (remote) location. By default, it uses symmetric encryption but it can be set to encrypt to a public key. When using public keys, it can also sign the backups (but, due to a current bug, verification errors are not reported...).

My question now is, should I simply use passphrase-based encryption or should I go towards public key signing and encrypting.

The problem with public key is that the secret key must be backed up itself and I do not have that many secure locations available where I could store backups (secure in the sense of "unlikely to burn down at the same time my house does" - not "hard for a stranger to access"). Therefore, any backup of the secret key would have to be placed next to the files encrypted with that key and having to give my secret key (even a dedicated one) away does not create a good feeling.

So, an attacker would get
a) passphrase-encrypted files some Gigabytes in size or
b) sessionkey-encrypted files some Gigabytes in size and a passphrase-encrypted secret key.

Which approach is more prudent security-wise? To me it looks like it is advantageous that in case b), the passphrase is only used to encrypt a relatively small bit of data, making analysis more difficult. Plus, I would get integrity-protection some time in the future (once the bug is fixed). Apart from this, given a long enough passphrase, both approaches should be equally secure, shouldn't they?

As a side question, speaking about integrity-protection, how does the MDC come into play here? Wouldn't that be enough protection anyway (as it is a special use-case)?

Thanks for some "second opinions" on this, Sven

From wk at gnupg.org Tue May 6 10:28:57 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 May 2008 10:28:57 +0200
Subject: [Fwd: Re: Question about GnuPG Smartcard]
In-Reply-To: <481F8420.3080700@fsfe.org> (Alexander W. Janssen's message of "Tue, 06 May 2008 00:03:12 +0200")
References: <481F8420.3080700@fsfe.org>
Message-ID: <87wsm7deeu.fsf@wheatstone.g10code.de>

On Tue, 6 May 2008 00:03, yalla at fsfe.org said:

> I think I remember that 2048-bit RSA cards might be available soon...
> Was that by PPC Card? Any news on that?

We even have a new draft which allows re-activating a blocked card. New cards will be done but that will take several months.

> P.S.: The list behaves... er... odd. Sometimes it sets the sender to
> gnupg-users-bounces+$user at gnupg.org (where user == emailaddress),
> sometimes it's just set to gnupg-users-bounces at gnupg.org. What's that about?

Don't know.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From faramir.cl at gmail.com Tue May 6 10:52:31 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 06 May 2008 04:52:31 -0400
Subject: how long should a password be?
In-Reply-To: <1210051760.6354.11.camel@carbon>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de> <481FC96B.4010205@gmail.com> <1210051760.6354.11.camel@carbon>
Message-ID: <48201C4F.2000701@gmail.com>

Sven Radde wrote:
> A salt essentially makes precomputed rainbow tables useless.
>
> A rainbow table consists of two columns, "password" and "hashed
> password" and is filled by hashing a great number of passwords. Now, if
> you know only the hash of a password, just look it up in the rainbow
> table to get the original password.
>
> If a salt is being used, the hash is not computed as, e.g.,
> SHA1(password), but rather SHA1(salt+password). The salt is a random
> number that does not need to be kept secret.
> This way, even if you have a rainbow table for SHA1 ready, and even if
> the password is in there, you cannot find it by looking up the hashed
> value of the password, as a given password can hash to many different
> values, depending on the salt used.
> You would have to extend your rainbow table by a third column that
> contains salt values, which would tremendously increase the size of the
> table. Say, if you want 1 million passwords in your rainbow table, a
> table without salt would simply have 1 million entries. With a 64 bit
> salt, the table would have to be expanded to 1 million * 2^64 entries,
> because you need to take every combination of hash+password into
> account.
>
> HTH, Sven
>

Excellent explanation, thanks. But I still miss the point about the salt number doesn't need to be kept secret...

I mean: if the salt value is not known to the program that must validate the password, then it can't validate it (since the hash produced by the password will never match the "salted" stored hash). That means the salt used must be stored somewhere... and if I get the stored hash, and the salt, I would just need to generate the rainbow tables adding the salt value I got...

Wait, I think I am beginning to get the point... since the salt is random, I figure each user will have his own salt value... and that would mean I would have to generate 1 rainbow table for each user... but then, I would rather try to crack an admin password, and then reset the passwords of the users...

I already see the advantage of making pre built rainbow tables useless... but I feel I am missing the main thing....

Regards

From eddrobinson at gmail.com Tue May 6 12:39:19 2008
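The salt discussion in this thread (Sven Radde's explanation and Faramir's follow-up about needing one table per salt), as an added example that is not part of any message or of GnuPG's code: the RFC 4880 string-to-key function in its simple, salted and iterated+salted forms, checked against a precomputed passphrase table. The word list, the `build_table` and `demo` helpers, and the choice of SHA-1 with a 16-octet key are assumptions made for the illustration.

```python
import hashlib
import os


def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k(passphrase, key_len, salt=b"", coded_count=None, hash_name="sha1"):
    """RFC 4880 string-to-key.

    salt=b"", coded_count=None  -> simple S2K (type 0)
    8-octet salt, no count      -> salted S2K (type 1)
    8-octet salt and a count    -> iterated and salted S2K (type 3)
    """
    data = salt + passphrase
    if not data:
        raise ValueError("empty passphrase")
    # Types 0 and 1 hash salt+passphrase once; type 3 feeds it in repeatedly
    # until `total` octets have been hashed (never less than one full copy).
    total = len(data) if coded_count is None else max(s2k_count(coded_count), len(data))
    full, rest = divmod(total, len(data))
    stream = data * full + data[:rest]
    key, preload = b"", 0
    while len(key) < key_len:
        # Keys longer than one digest use extra hash contexts, each preloaded
        # with one more zero octet than the previous one.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload + stream)
        key += h.digest()
        preload += 1
    return key[:key_len]


# Constructed sample word list standing in for the "password" column.
WORDLIST = [b"password", b"letmein", b"123456", b"qwerty", b"hunter2", b"trustno1"]


def build_table(salt=b"", coded_count=None):
    """Precompute derived key -> passphrase for every word, for ONE salt value."""
    return {s2k(word, 16, salt, coded_count): word for word in WORDLIST}


def demo():
    """Compare table lookups against unsalted and salted derivations."""
    unsalted_table = build_table()                 # built once, reusable everywhere
    salt1, salt2 = os.urandom(8), os.urandom(8)    # random 64-bit salts, stored in the clear
    key_plain = s2k(b"hunter2", 16)                # simple S2K
    key_salt1 = s2k(b"hunter2", 16, salt1, 96)     # coded count 96 -> 65536 octets
    key_salt2 = s2k(b"hunter2", 16, salt2, 96)
    # The salt is public, so a table CAN be rebuilt for salt1, but that work
    # is worth nothing against a key protected under salt2.
    salt1_table = build_table(salt1, 96)
    return {
        "unsalted_hit": unsalted_table.get(key_plain),
        "salted_vs_unsalted_table": unsalted_table.get(key_salt1),
        "salt1_table_vs_salt1": salt1_table.get(key_salt1),
        "salt1_table_vs_salt2": salt1_table.get(key_salt2),
        "same_passphrase_same_key": key_salt1 == key_salt2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The salt buys nothing against a guess aimed at one specific key; there the iteration count is what raises the cost of each guess.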
From: eddrobinson at gmail.com (Edward Robinson)
Date: Tue, 06 May 2008 11:39:19 +0100
Subject: Open Pgp Smartcard ssh authentication Woes :(
In-Reply-To: <874p9itdkc.fsf@wheatstone.g10code.de>
References: <4817665E.1030603@gmail.com> <874p9itdkc.fsf@wheatstone.g10code.de>
Message-ID: <48203557.7010101@gmail.com>

For anyone that this may help,

It appears I have solved my problems. It turns out that gnome-keyring-manager was interfering by taking control of the ssh socket. This was realised because

echo $SSH_AUTH_SOCK

returned:

/tmp/keyring-XXXXX

which was different to the socket that gpg-agent was set to use.

To fix this problem I disabled ssh support in gnome-keyring by issuing the following command:

$ gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false

There is more information here: http://live.gnome.org/GnomeKeyring/Ssh

I thought this was a seahorse problem, but it turns out it is not. Many thanks to Werner, who helped greatly finding the socket problem.

Cheers, e-dard

From lopaki at gmail.com Tue May 6 19:26:44 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 6 May 2008 13:26:44 -0400
Subject: Compile without libiconv or libintl on Solaris
Message-ID: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com>

Hello -

Has anyone been able to compile 1.4.8 or 1.4.9 on Solaris without iconv or intl? The only way I have been able to do it is with --enable-minimal and that disables too much. Or am I going to have to really learn Makefiles?

Thanks, --Scott

--
CILCIL

From dshaw at jabberwocky.com Tue May 6 20:47:45 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 6 May 2008 14:47:45 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com>
Message-ID: <20080506184745.GB66135@jabberwocky.com>

On Tue, May 06, 2008 at 01:26:44PM -0400, Scott Lambdin wrote:
> Hello -
>
> Has anyone been able to compile 1.4.8 or 1.4.9 on Solaris without iconv or
> intl? The only way I have been able to do it is with --enable-minimal and
> that disables too much. Or am I going to have to really learn Makefiles?

Can you post what happens when you try? Where does it fail?

David

From mkinni at calpoly.edu Tue May 6 21:26:31 2008
From: mkinni at calpoly.edu (Matt Kinni)
Date: Tue, 06 May 2008 12:26:31 -0700
Subject: confused about public key strength
Message-ID: <4820B0E7.1040905@calpoly.edu>

Hello, I can't seem to figure out how the different bit strength of my public key affects anything. If someone encrypts something to my private key, isn't the strength of the private key that matters?

So I have a 1024bit DSA pub and 4096 elgamal key. Isn't the length of the elgamal key what determines how strong the file is encrypted?

What does the size of the public key even matter? I understand that it can be used as a signing key, but I have an RSA subkey for that instead.

From lopaki at gmail.com Tue May 6 21:37:03 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 6 May 2008 15:37:03 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <20080506184745.GB66135@jabberwocky.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com> <20080506184745.GB66135@jabberwocky.com>
Message-ID: <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com>

If I do a config like this, and ldd the resulting gpg binary, it still needs libiconv and libintl.

./configure --prefix=/place/gnupg-1.4.8 --without-readline --disable-gnupg-iconv --without-intl --without-iconv

I've tried a few variations on this.

I would like to compile statically but that fails to compile. OMG I just ran a static compile to get the error and it worked. Someone sacrificed a cat somewhere or something. Well, my question may have become a lot less urgent.

On 5/6/08, David Shaw wrote:
>
> On Tue, May 06, 2008 at 01:26:44PM -0400, Scott Lambdin wrote:
> > Hello -
> >
> > Has anyone been able to compile 1.4.8 or 1.4.9 on Solaris without iconv or
> > intl? The only way I have been able to do it is with --enable-minimal and
> > that disables too much. Or am I going to have to really learn Makefiles?
>
> Can you post what happens when you try? Where does it fail?
>
> David

--
CILCIL

From aolsen at standard.com Tue May 6 21:49:43 2008
From: aolsen at standard.com (Alan Olsen)
Date: Tue, 6 May 2008 12:49:43 -0700
Subject: Need recommendation on keyserver code
Message-ID: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>

I need to build a private keyserver for internal use.

I have tried to get SKS to build, but I have never been able to get it to work. (The project seems to be almost abandoned.) I am using Fedora 9 on an x86_64 box with 4 gigs of ram and Numerix blows up on compile with "out of memory" errors.

I have not seen anything else that handles subkeys.

Any recommendations?

From lopaki at gmail.com Tue May 6 21:50:29 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 6 May 2008 15:50:29 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com> <20080506184745.GB66135@jabberwocky.com> <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com>
Message-ID: <529e76830805061250k449b3c85q7c44b9d63397a30@mail.gmail.com>

No, I had that pesky --enable-minimal in the configure command. It can compile statically with that. Here is the error I get otherwise:

/usr/local/bin/gcc -g -O2 -Wall --static -o gpg gpg.o build-packet.o
compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o
kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o
openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o
signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o
encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o
dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o
pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a
../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a ../zlib/libzlib.a
-lbz2 -lsocket
Undefined                       first referenced
 symbol                             in file
endnetconfig                        /usr/lib/libsocket.a(_soutil.o)
setnetconfig                        /usr/lib/libsocket.a(_soutil.o)
getnetconfig                        /usr/lib/libsocket.a(_soutil.o)
ld: fatal: Symbol referencing errors. No output written to gpg
collect2: ld returned 1 exit status
make[2]: *** [gpg] Error 1
make[2]: Leaving directory `/usr/local/src/gnupg-1.4.8/g10'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/gnupg-1.4.8'
make: *** [all] Error 2

I see other folks having this problem but no fix worked for me.

On 5/6/08, Scott Lambdin wrote:
>
> If I do a config like this, and ldd the resulting gpg binary, it still
> needs libiconv and libintl.
>
> ./configure --prefix=/place/gnupg-1.4.8 --without-readline
> --disable-gnupg-iconv --without-intl --without-iconv
>
> I've tried a few variations on this.
>
> I would like to compile statically but that fails to compile. OMG I just
> ran a static compile to get the error and it worked. Someone sacrificed a
> cat somewhere or something. Well, my question may have become a lot less
> urgent.
>
> On 5/6/08, David Shaw wrote:
>>
>> On Tue, May 06, 2008 at 01:26:44PM -0400, Scott Lambdin wrote:
>> > Hello -
>> >
>> > Has anyone been able to compile 1.4.8 or 1.4.9 on Solaris without iconv or
>> > intl? The only way I have been able to do it is with --enable-minimal and
>> > that disables too much. Or am I going to have to really learn Makefiles?
>>
>> Can you post what happens when you try? Where does it fail?
>>
>> David
>
> --
> CILCIL

--
CILCIL

From rjh at sixdemonbag.org Tue May 6 21:55:19 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 06 May 2008 14:55:19 -0500
Subject: confused about public key strength
In-Reply-To: <4820B0E7.1040905@calpoly.edu>
References: <4820B0E7.1040905@calpoly.edu>
Message-ID: <4820B7A7.60505@sixdemonbag.org>

Matt Kinni wrote:
> Hello, I can't seam to figure out how the different bitstrengh of my
> public key effects anything. If someone encrypts something to my
> private key, isn't the strength of the private key that matters?

No. Asymmetric cryptography has keys that come in public and private parts, but that doesn't mean the parts can be evaluated in isolation. It's a system.

> So I have a 1024bit DSA pub and 4096 elgamal key. Isn't the lengh of
> the elgamal key what determines how strong the file is encrypted?

No.

The file is encrypted with a symmetric cipher depending on the preferences of you and your respondent. This is anywhere between an effective keystrength of 112 bits (3DES, under a ridiculously pessimistic set of assumptions) all the way up to 256 bits.

This is, by the way, a _lot_ of protection against cryptanalysis. Any talk about breaking this by brute force is deluded fantasy. It's not happening, not even with quantum computers and every other staple of the science fiction literature that people assume the NSA has access to.

The key used to encrypt the file is chosen at random. You could sit there with a quarter, toss it 256 times, and have a perfectly good AES key. The computer does basically this process.

This random, one-time-use key is then encrypted with your recipient's public key. The recipient's public key may be anywhere from 1024 bits up to 4096 bits. Don't be confused by comparing this to the 112- to 256-bit symmetric encryption of the file. It's an apples to oranges comparison: you cannot say "well, one has 1024-bit encryption and one uses 256-bit, so clearly one is four times better than the other."

> What does the size of the public key even matter?

For 99% of users, it doesn't. Use the defaults GnuPG gives you -- they're good defaults.

From email at sven-radde.de Tue May 6 22:04:53 2008
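The hybrid scheme Robert J. Hansen describes above, as an added sketch that is not GnuPG's code: a random one-time session key encrypts the file, and only that key is encrypted to the recipient's public key. Assumptions: textbook ElGamal over the prime 2^521 - 1 and a SHA-256 counter keystream stand in for the real public-key and symmetric algorithms, and all function names are hypothetical.

```python
import hashlib
import secrets

# Illustration-only group: P = 2**521 - 1 is a Mersenne prime, picked because
# it is easy to write down. It is not a parameter set GnuPG uses.
P = 2**521 - 1
G = 3
SESSION_KEY_BYTES = 32   # 256-bit one-time key, the "256 coin tosses"


def generate_keypair():
    """Return (private exponent x, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def _keystream_xor(key, data):
    """Stand-in for the symmetric cipher: XOR with SHA-256(key || counter)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def encrypt_to(public, plaintext):
    """Return (wrapped_session_key, encrypted_body) for one recipient."""
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)   # fresh for every message
    m = int.from_bytes(session_key, "big")
    k = secrets.randbelow(P - 3) + 2                       # ephemeral exponent
    # Only the 32-octet session key goes through the public-key operation.
    wrapped = (pow(G, k, P), (m * pow(public, k, P)) % P)
    # The message itself, whatever its size, is protected by the session key.
    return wrapped, _keystream_xor(session_key, plaintext)


def decrypt(private, wrapped, body):
    """Unwrap the session key with the private key, then decrypt the body."""
    c1, c2 = wrapped
    # c1^(P-1-x) equals c1^(-x) mod P by Fermat's little theorem.
    m = (c2 * pow(c1, P - 1 - private, P)) % P
    if m >> (8 * SESSION_KEY_BYTES):
        raise ValueError("session key did not unwrap: wrong private key")
    return _keystream_xor(m.to_bytes(SESSION_KEY_BYTES, "big"), body)


def wrapped_size_bits(wrapped):
    """Size of the public-key part of a message, in bits."""
    return sum(component.bit_length() for component in wrapped)


if __name__ == "__main__":
    priv, pub = generate_keypair()
    for msg in (b"short note", b"A" * 100_000):
        wrapped, body = encrypt_to(pub, msg)
        assert decrypt(priv, wrapped, body) == msg
        print(len(msg), "octets of data ->", wrapped_size_bits(wrapped),
              "bits of wrapped session key,", len(body), "octets of body")
```

The public-key part stays the same size whether the message is ten octets or a hundred thousand, which is why the two key sizes in the thread measure different things.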
From: email at sven-radde.de (Sven Radde)
Date: Tue, 06 May 2008 21:04:53 +0100
Subject: confused about public key strength
In-Reply-To: <4820B0E7.1040905@calpoly.edu>
References: <4820B0E7.1040905@calpoly.edu>
Message-ID: <4820B9E5.3000404@sven-radde.de>

Hi!

Matt Kinni wrote:
> Hello, I can't seam to figure out how the different bitstrengh of my
> public key effects anything. If someone encrypts something to my
> private key, isn't the strength of the private key that matters?

The length of the public key equals the length of the private key. And there is always a public key corresponding to a private key and vice versa. Essentially, the "strength" of the key determines how hard it is for people to calculate the private key when they only know the public key.

> So I have a 1024bit DSA pub and 4096 elgamal key. Isn't the lengh of
> the elgamal key what determines how strong the file is encrypted?

This means that you have a 1024 bit DSA public key, which people use to verify your signatures. You have a 1024 bit DSA private key, which you use to make those signatures. Then, you have a 4096 bit ElGamal public key, which people use to encrypt data for you. And you have a 4096 bit ElGamal private key which you use to decrypt this data.

> What does the size of the public key even matter? I understand that it
> can be used as a singing key, but I have an RSA subkey for that instead.

Then you will use that subkey (for which again there is a private key and a corresponding public key) to sign data. Commonly, you will still use the DSA key for signing UIDs on your key or to sign other people's keys.

The DSA key is commonly called "primary key", while all other keys are called "subkeys". The primary key combined with all of its assigned subkeys constitutes what one commonly calls "one's key". Obviously, there can be "your private key" and "your public key".

cu, Sven

From dshaw at jabberwocky.com Tue May 6 22:08:55 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 6 May 2008 16:08:55 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <529e76830805061250k449b3c85q7c44b9d63397a30@mail.gmail.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com> <20080506184745.GB66135@jabberwocky.com> <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com> <529e76830805061250k449b3c85q7c44b9d63397a30@mail.gmail.com>
Message-ID: <20080506200855.GC66135@jabberwocky.com>

On Tue, May 06, 2008 at 03:50:29PM -0400, Scott Lambdin wrote:
> No, I had that pesky --enable-minimal in the configure command. It can
> compile statically with that. here is the error I get otherwise:
>
> /usr/local/bin/gcc -g -O2 -Wall --static -o gpg gpg.o build-packet.o
> compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o
> kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o
> openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o
> signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o
> encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o
> dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o
> pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a
> ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a ../zlib/libzlib.a
> -lbz2 -lsocket
> Undefined                       first referenced
>  symbol                             in file
> endnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> setnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> getnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> ld: fatal: Symbol referencing errors. No output written to gpg
> collect2: ld returned 1 exit status

Sun doesn't really approve of static linking on Solaris:

http://www.sun.com/bigadmin/content/misc/solaris2faq.html#q6.24

That said, what happens if you do this:

NETLIBS=-lnsl ./configure

David

From lopaki at gmail.com Tue May 6 22:29:39 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 6 May 2008 16:29:39 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <20080506200855.GC66135@jabberwocky.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com> <20080506184745.GB66135@jabberwocky.com> <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com> <529e76830805061250k449b3c85q7c44b9d63397a30@mail.gmail.com> <20080506200855.GC66135@jabberwocky.com>
Message-ID: <529e76830805061329s41a684cdgc7a91dc5134b49d2@mail.gmail.com>

Thanks but same error. Yes, I showed that same link to our sysadmin and he said "do it anyway".

You know, we just run gpg in batch mode on files. We don't need no stinkin sockets. Let's make the sockets go away!

On 5/6/08, David Shaw wrote:
>
> On Tue, May 06, 2008 at 03:50:29PM -0400, Scott Lambdin wrote:
> > No, I had that pesky --enable-minimal in the configure command. It can
> > compile statically with that. here is the error I get otherwise:
> >
> > /usr/local/bin/gcc -g -O2 -Wall --static -o gpg gpg.o build-packet.o
> > compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o
> > kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o
> > openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o
> > signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o
> > encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o
> > dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o
> > pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a
> > ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a ../zlib/libzlib.a
> > -lbz2 -lsocket
> > Undefined                       first referenced
> >  symbol                             in file
> > endnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> > setnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> > getnetconfig                        /usr/lib/libsocket.a(_soutil.o)
> > ld: fatal: Symbol referencing errors. No output written to gpg
> > collect2: ld returned 1 exit status
>
> Sun doesn't really approve of static linking on Solaris:
>
> http://www.sun.com/bigadmin/content/misc/solaris2faq.html#q6.24
>
> That said, what happens if you do this:
>
> NETLIBS=-lnsl ./configure
>
> David

--
CILCIL

From lopaki at gmail.com Tue May 6 23:04:44 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 6 May 2008 17:04:44 -0400
Subject: Compile without libiconv or libintl on Solaris
In-Reply-To: <529e76830805061329s41a684cdgc7a91dc5134b49d2@mail.gmail.com>
References: <529e76830805061026x4fb624a8m6c1bc7bcb4ce3dc2@mail.gmail.com> <20080506184745.GB66135@jabberwocky.com> <529e76830805061237u14be0fb5ic4aadd9db35d41f6@mail.gmail.com> <529e76830805061250k449b3c85q7c44b9d63397a30@mail.gmail.com> <20080506200855.GC66135@jabberwocky.com> <529e76830805061329s41a684cdgc7a91dc5134b49d2@mail.gmail.com>
Message-ID: <529e76830805061404h673b2e2dt401a286d30b8f040@mail.gmail.com>

Okay, I disabled a slew of stuff and was able to build statically.

--disable-card-support --disable-agent-support --disable-gnupg-iconv
--disable-photo-viewers --disable-keyserver-helpers --disable-ldap
--disable-hkp --disable-finger --disable-generic --disable-keyserver-path
--disable-dns-srv --disable-dns-pka --disable-dns-cert
--enable-threads=solaris

Of course, now I have to test the heck out of it.

On 5/6/08, Scott Lambdin wrote:
>
> Thanks but same error. Yes, I showed that same link to our sysadmin and
> he said "do it anyway".
>
> You know, we just run gpg in batch mode on files. We don't need no stinkin
> sockets. Let's make the sockets go away!
>
> On 5/6/08, David Shaw wrote:
>>
>> On Tue, May 06, 2008 at 03:50:29PM -0400, Scott Lambdin wrote:
>> > No, I had that pesky --enable-minimal in the configure command. It can
>> > compile statically with that. here is the error I get otherwise:
>> >
>> > /usr/local/bin/gcc -g -O2 -Wall --static -o gpg gpg.o build-packet.o
>> > compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o
>> > kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o
>> > openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o
>> > signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o
>> > encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o
>> > dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o
>> > pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a
>> > ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a ../zlib/libzlib.a
>> > -lbz2 -lsocket
>> > Undefined                       first referenced
>> >  symbol                             in file
>> > endnetconfig                        /usr/lib/libsocket.a(_soutil.o)
>> > setnetconfig                        /usr/lib/libsocket.a(_soutil.o)
>> > getnetconfig                        /usr/lib/libsocket.a(_soutil.o)
>> > ld: fatal: Symbol referencing errors. No output written to gpg
>> > collect2: ld returned 1 exit status
>>
>> Sun doesn't really approve of static linking on Solaris:
>>
>> http://www.sun.com/bigadmin/content/misc/solaris2faq.html#q6.24
>>
>> That said, what happens if you do this:
>>
>> NETLIBS=-lnsl ./configure
>>
>> David
>
> --
> CILCIL

--
CILCIL

From aolsen at standard.com Tue May 6 23:37:40 2008
From: aolsen at standard.com (Alan Olsen)
Date: Tue, 6 May 2008 14:37:40 -0700
Subject: how long should a password be?
In-Reply-To: <481EB4BB.8030209@calpoly.edu>
Message-ID: <92A893260738B0408497A64189BC1E6205801380@MSEXCHANGE305.corp.standard.com>

> Everyone says it should be as long as possible, but there comes a point
> where it's just impossible to remember anything longer than 20
> characters. What do you think?

Passwords should be as many characters as you can remember plus one.

Actually for long passphrases I use bizarre memorable sentences. You can add in extra punctuation if you are able to remember that.

My usual passphrases are 50-60 characters, but since they are phrased in a way I can remember them, I don't forget them.

Examples would be:

"Never buy Fix-O-Dent from a veterinarian."
"Never buy corn oil from a podiatrist."
"Never buy baby oil from a pediatrician."
"Never buy tartar sauce from a dentist."

Or you can construct something longer, if you want. (Those are kind of short, but what comes to mind at the moment.)

From wk at gnupg.org Wed May 7 09:36:10 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 07 May 2008 09:36:10 +0200
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com> (Alan Olsen's message of "Tue, 6 May 2008 12:49:43 -0700")
References: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>
Message-ID: <87d4nya7md.fsf@wheatstone.g10code.de>

On Tue, 6 May 2008 21:49, aolsen at standard.com said:

> Any recommendations?

http://www.earth.li/projectpurple/progs/onak.html

or

apt-get install onak

I use it along with boa for hkp://demokeys.gnupg.org.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From JPClizbe at tx.rr.com Wed May 7 16:36:47 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 07 May 2008 09:36:47 -0500
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>
References: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>
Message-ID: <4821BE7F.5020906@tx.rr.com>

Alan Olsen wrote:
> I need to build a private keyserver for internal use.
>
> I have tried to get SKS to build, but I have never been able to get
> it
> to work. (The project seems to be almost abandoned.) I am using Fedora 9
> on an x86_64 box with 4 gigs of ram and Numerix blows up on compile with
> "out of memory" errors.

I'm not sure how you came to the "almost abandoned" conclusion. It doesn't seem to have been by posting and asking for help on the [sks-devel] list.

SKS is a fairly mature product. It was based on RFC 2440 and the latest bis drafts of what is now RFC 4880. As such, there is little ongoing maintenance that needs to be done. The greatest problem is reconstructing the documentation from sites that have dropped from the net.

> I have not seen anything else that handles subkeys.
>
> Any recommendations?

1) LDAP
Most LDAP server platforms can function as a keyserver by extending the server's schema. There are a couple very notable differences from other keyservers:
a) while other servers merge updates, the normal function with LDAP keyservers is to replace;
b) it is possible to delete keys from LDAP keyservers.
The schema changes and a how-to were posted to this list some time back. I can forward a couple relevant emails if you'd like.

2) ONAK is another OpenPGP compliant server, see http://www.earth.li/projectpurple/progs/onak.html

3) OpenPKSD is yet another keyserver. It's written in Ruby and maintained by Hironobu Suzuki. See http://www.openpksd.org/

4) CryptNet. The last OpenPGP compliant platform I know about is the CryptNet Key Server (CKS). See http://keyserver.cryptnet.net/ or https://sourceforge.net/projects/cks/

--
John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
Ginger Bear Networks hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From JPClizbe at tx.rr.com Wed May 7 17:46:58 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 07 May 2008 10:46:58 -0500
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>
References: <92A893260738B0408497A64189BC1E620580137D@MSEXCHANGE305.corp.standard.com>
Message-ID: <4821CEF2.20809@tx.rr.com>

Alan Olsen wrote:
> I need to build a private keyserver for internal use.

> I have not seen anything else that handles subkeys.
>
> Any recommendations?

Sorry I missed this earlier.

It looks like you are running PGP Universal. I thought PGP Universal bundled a LDAP keyserver into its software package. Why not just run that one?

--
John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT net
Ginger Bear Networks hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From aolsen at standard.com Wed May 7 18:03:08 2008
From: aolsen at standard.com (Alan Olsen)
Date: Wed, 7 May 2008 09:03:08 -0700
Subject: Need recommendation on keyserver code
In-Reply-To: <4821CEF2.20809@tx.rr.com>
Message-ID: <92A893260738B0408497A64189BC1E6205801385@MSEXCHANGE305.corp.standard.com>

John P. Clizbe wrote:

>Alan Olsen wrote:
>> I need to build a private keyserver for internal use.
>
>> I have not seen anything else that handles subkeys.
>>
>> Any recommendations?

>Sorry I missed this earlier.

> It looks like you are running PGP Universal. I thought PGP Universal bundled a
> LDAP keyserver into its software package. Why not just run that one?

Couple reasons:

1) I need to run this on Solaris.

2) The licenses for PGP are handled by another department.

3) My budget is $0.00.

4) I plan on running this at home as well on my home internal network which runs Linux

5) Eventually I want to package at least one keyserver for Fedora.

There are more reasons, but they get complex and involve a lot of internal politics.

From dshaw at jabberwocky.com Wed May 7 18:26:06 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 7 May 2008 12:26:06 -0400
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E6205801385@MSEXCHANGE305.corp.standard.com>
References: <4821CEF2.20809@tx.rr.com> <92A893260738B0408497A64189BC1E6205801385@MSEXCHANGE305.corp.standard.com>
Message-ID: <20080507162606.GB68277@jabberwocky.com>

On Wed, May 07, 2008 at 09:03:08AM -0700, Alan Olsen wrote:
> John P. Clizbe wrote:
>
> >Alan Olsen wrote:
> >> I need to build a private keyserver for internal use.
> >
> >> I have not seen anything else that handles subkeys.
> >>
> >> Any recommendations?
>
> >Sorry I missed this earlier.
>
> > It looks like you are running PGP Universal. I thought PGP Universal bundled a
> > LDAP keyserver into its software package. Why not just run that one?
>
> Couple reasons:
>
> 1) I need to run this on Solaris.

Any of the above-mentioned keyservers should run just fine on Solaris, including the LDAP one (which is really just configuration and a schema file on top of a standard LDAP server).

> 2) The licenses for PGP are handled by another department.
>
> 3) My budget is $0.00.
>
> 4) I plan on running this at home as well on my home internal network which runs Linux
>
> 5) Eventually I want to package at least one keyserver for Fedora.

This would be a good thing. I'm sure such a package would be welcomed.

The main questions you need to ask when setting up a keyserver are:

1) Are you going to be syncing with the public keyserver net?
2) Does your environment already have an LDAP infrastructure?
3) Are you using PGP Universal anywhere in your environment?

Unless syncing with the public keyserver net is vitally important to you, I highly recommend the LDAP solution. It works nicely with GPG, and enables some extra automatic keyfinding magic in PGP Universal. (GPG can do the keyfinding trick with any keyserver type, but I believe PGP Universal only does it with LDAP).

David From tmz at pobox.com Wed May 7 19:28:41 2008 From: tmz at pobox.com (Todd Zullinger) Date: Wed, 7 May 2008 13:28:41 -0400 Subject: Need recommendation on keyserver code In-Reply-To: <92A893260738B0408497A64189BC1E6205801385@MSEXCHANGE305.corp.standard.com> References: <4821CEF2.20809@tx.rr.com> <92A893260738B0408497A64189BC1E6205801385@MSEXCHANGE305.corp.standard.com> Message-ID: <20080507172841.GM26399@inocybe.teonanacatl.org> Alan Olsen wrote: > 5) Eventually I want to package at least one keyserver for Fedora. IIRC from when I built SKS on Fedora 8, the main issue was updating the code to the newer Berkely DB. I didn't test it all that much after building it though -- it just wasn't that interesting. I'll attach the patches I used to get it to build. They may help you get a working package. I make no guarantees that these are correct, as I'm far from intelligent in the ways of bdb. Also, the numerix patch needs to be applied after the numerix tarball in the sks source is unpacked. Onak might end up being easier to build. I never played with it though. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Even moderation ought not to be practiced to excess. -------------- next part -------------- diff -ur sks-1.0.10/bdb/bdb_stubs.c sks-1.0.10-built-cleaned/bdb/bdb_stubs.c --- sks-1.0.10~/bdb/bdb_stubs.c 2005-01-17 18:42:51.000000000 -0500 +++ sks-1.0.10/bdb/bdb_stubs.c 2008-01-30 19:52:46.000000000 -0500 @@ -206,7 +206,9 @@ // calls to DB->err and DBENV->err lead to exceptions. // FIX: currently, prefix is ignored. Should be concatenated. -void raise_db_cb(const char *prefix, char *msg) { raise_db(msg); } +void raise_db_cb(const DB_ENV *dbenv, const char *prefix, char *msg) { + raise_db(msg); +} // ############################################################# 
@@ -238,7 +240,7 @@ //+ | LOCKDOWN | PRIVATE | SYSTEM_MEM | THREAD static int dbenv_verbose_flags[] = { - DB_VERB_CHKPOINT, DB_VERB_DEADLOCK, DB_VERB_RECOVERY, DB_VERB_WAITSFOR + DB_VERB_DEADLOCK, DB_VERB_RECOVERY, DB_VERB_WAITSFOR }; //+ @@ -679,9 +681,10 @@ int err; void *stat; int size; + DB_TXN *txn = NULL; test_db_closed(db); - err = UW_db(db)->stat(UW_db(db),&stat,0); + err = UW_db(db)->stat(UW_db(db),txn,&stat,0); if (err != 0) { UW_db(db)->err(UW_db(db),err,"caml_db_get_size"); } switch (*(u_int32_t*)stat) { case DB_BTREEMAGIC: diff -ur sks-1.0.10/Makefile sks-1.0.10-built-cleaned/Makefile --- sks-1.0.10~/Makefile 2005-08-13 21:33:51.000000000 -0400 +++ sks-1.0.10/Makefile 2008-01-30 21:44:04.000000000 -0500 @@ -29,9 +29,6 @@ ifndef CAMLP4O CAMLP4O=camlp4o endif -ifndef MANDIR - MANDIR=/usr/share/man -endif export OCAMLC export OCAMLOPT @@ -50,7 +47,7 @@ CAMLP4=-pp $(CAMLP4O) CAMLINCLUDE= -I lib -I bdb -COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes +COMMONCAMLFLAGS=$(CAMLINCLUDE) $(OCAMLLIB) -ccopt -Lbdb -dtypes -ccopt -pthread OCAMLDEP=ocamldep $(CAMLP4) CAMLLIBS=unix.cma str.cma bdb.cma nums.cma numerix.cma bigarray.cma cryptokit.cma OCAMLFLAGS=$(COMMONCAMLFLAGS) -g $(CAMLLIBS) @@ -129,14 +126,10 @@ install: mkdir -p $(PREFIX)/bin install sks_build.sh sks sks_add_mail $(PREFIX)/bin - mkdir -p $(MANDIR)/man8 - install sks.8.gz $(MANDIR)/man8 install.bc: mkdir -p $(PREFIX)/bin install sks_build.bc.sh sks.bc sks_add_mail.bc $(PREFIX)/bin - mkdir -p $(MANDIR)/man8 - install sks.8.gz $(MANDIR)/man8 Makefile.local: touch Makefile.local 
@@ -148,12 +141,6 @@ # Ordinary targets -sks.8.gz: sks.8 - gzip -f sks.8 - -sks.8: sks.pod - pod2man -c "SKS OpenPGP Key server" --section 8 -r 0.1 -name sks sks.pod sks.8 - spider: $(LIBS) $(ALLOBJS) spider.cmx $(OCAMLOPT) -o spider $(OCAMLOPTFLAGS) $(ALLOBJS) spider.cmx diff -ur sks-1.0.10~/Makefile.local sks-1.0.10/Makefile.local --- sks-1.0.10~/Makefile.local 2008-05-04 19:12:24.079272650 -0400 +++ sks-1.0.10/Makefile.local 2008-05-07 12:47:44.000000000 -0400 @@ -0,0 +1,10 @@ +BDBLIB=-L/lib +BDBINCLUDE=-I/usr/include +PREFIX=/usr/local +LIBDB=-ldb-4.6 +MANDIR=/usr/share/man +export BDBLIB +export BDBINCLUDE +export PREFIX +export LIBDB +export MANDIR -------------- next part -------------- diff -up numerix-0.19c/lib/common/chrono.c.clk_tck numerix-0.19c/lib/common/chrono.c --- numerix-0.19c/lib/common/chrono.c.clk_tck 2008-05-07 12:53:01.000000000 -0400 +++ numerix-0.19c/lib/common/chrono.c 2008-05-07 12:56:22.000000000 -0400 @@ -18,7 +18,7 @@ void chrono(char *msg) { struct tms buf; times(&buf); - t = (double)(buf.tms_utime + buf.tms_stime)/CLK_TCK; + t = (double)(buf.tms_utime + buf.tms_stime)/CLOCKS_PER_SEC; fprintf(stderr,"%8.2f %8.2f %s\n",t,t-tlast,msg); fflush(stderr); tlast = t; -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available URL: From kevhilton at gmail.com Thu May 8 08:49:20 2008 
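Review bot: in the bdb/bdb_stubs.c hunk at -238, dropping DB_VERB_CHKPOINT shortens dbenv_verbose_flags by one entry, and nothing visible in the patch adjusts whatever indexes into that table. If the OCaml side selects entries by constructor position, every remaining flag shifts down by one, so the matching variant needs the same removal (or the slot needs a placeholder). In the -679 hunk the txn local exists only to pass NULL to stat(); passing NULL directly with a short comment that the call runs outside a transaction would be clearer. In raise_db_cb the new dbenv argument is unused, next to prefix, which the existing FIX comment already notes is ignored.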
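Review bot: the Makefile hunks delete the MANDIR default, both man-page install steps and the sks.8 / sks.8.gz rules, yet the new Makefile.local still sets and exports MANDIR, which nothing uses after this change. Either keep the man page rules or drop MANDIR from Makefile.local. Makefile.local also hard-codes LIBDB=-ldb-4.6 and BDBLIB=-L/lib, which ties the build to one Berkeley DB version and one library directory; a comment marking these as local values to be adjusted would help anyone reusing the file. The added -ccopt -pthread in COMMONCAMLFLAGS is unconditional and has no explanation in the accompanying message.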
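Review bot: in the numerix lib/common/chrono.c hunk, CLOCKS_PER_SEC is the wrong divisor for values filled in by times(). tms_utime and tms_stime are counted in clock ticks, whose rate is sysconf(_SC_CLK_TCK), while CLOCKS_PER_SEC is the scale for clock(). The file compiles with this change but the printed timings are scaled incorrectly; divide by (double)sysconf(_SC_CLK_TCK) and include <unistd.h> instead.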
From: kevhilton at gmail.com (Kevin Hilton)
Date: Thu, 8 May 2008 01:49:20 -0500
Subject: Suggestions on how to compile for cygwin
Message-ID: <96c450350805072349s35ed0cadocfaf84f4fbe686ee@mail.gmail.com>

I frequently try to compile svn versions often for the cygwin platform. Both for svn version of gnupg 1.49 and gnupg2, I'm getting a lot of errors during the make process. All are problems related to the gettext module. By default cygwin is installed with gettext version 0.15 however I did go ahead and install version 0.17 from source as gettext 0.16 or later is required with the gpg2 source installation. I'm still getting errors however. Does anyone have any suggestions how to get around these errors? It always involves the gettext package.

--
Kevin Hilton

From henry.bremridge at xobie.com Thu May 8 10:12:00 2008
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Thu, 8 May 2008 09:12:00 +0100
Subject: Problem with FSFE gpg card
Message-ID: <20080508081200.GA6723@newdebian.science>

Running Debian Lenny and have both gpg (1.4.6) and gpg2 (2.0.9) installed (I am still trying to learn more about gpg2)

This morning apt-get updated / installed the following

console-common dbus dbus-x11 java-common libdbus-1-3 libevent1 libgcrypt11 libtasn1-3

Much as a few days ago (23 Apr), I could not use my card to decrypt a file as the card existence was not recognised. Furthermore in trying to use my backup key set, I could also not decrypt the file as the decryption command kept trying to find the gpg card...

In rebooting the computer (as per last time) all was fixed and the card works

I have two questions:

- As this has now happened twice, on the assumption that this will happen again, so that I can forward a complete bug report can anyone suggest what I should try to fix the problem WITHOUT rebooting.

- I like using the card, but I would like to be able to use gnupg without using the card (ie if I have to restore my complete key ring). Could anyone advise what the command is to force gpg to use a particular secret keyring

I tried $gpg2 --secret-keyring secring.gpg -d filename but that did not work

Any assistance / pointers gratefully received

From henry.bremridge at xobie.com Thu May 8 12:36:58 2008
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Thu, 8 May 2008 11:36:58 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <4822D4AD.8030805@gmail.com>
References: <20080508081200.GA6723@newdebian.science> <4822D4AD.8030805@gmail.com>
Message-ID: <20080508103658.GB6723@newdebian.science>

On Thu, May 08, 2008 at 11:23:41AM +0100, Edward Robinson wrote:
> This possibly sounds like a driver bug, I am no expert though. Perhaps
> if you list your card reader model someone can tell you if it is known to
> have problems.
>

SCR-335

> I use a smart card and I have to admit gpg has conked out on me a couple
> of times and not been able to read my card. Do you have to reboot
> though? Isn't logging out and back in again enough?
>

When I opened a new terminal, the problem was the same. Rebooting was the quickest solution.

>
> I think it may depend on how you backed up your keyring. If you copied
> the .gnupg folder, then you could do:
>
> gpg --homedir

Removed my card and then tried

$gpg --homedir -d file.gpg

and got the following message

gpg: anonymous recipient; trying secret key ...
gpg: detected reader `SCM SCR 335 00 00'
gpg: pcsc_connect failed: no smartcard (0x8010000c)
gpg: apdu_send_simple(0) failed: no card
Please insert the card and hit return or enter 'c' to cancel: c

if I just entered

$gpg --homedir

Then I get

gpg: Go ahead and type your message ...

I have got to be making a silly mistake somewhere. Will take the time to reread the manuals slowly and the set up commands of the card

>
> Not sure if that is what you want.
>

Thanks

From eddrobinson at gmail.com Thu May 8 13:05:08 2008
From: eddrobinson at gmail.com (Edward Robinson)
Date: Thu, 08 May 2008 12:05:08 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <20080508103658.GB6723@newdebian.science>
References: <20080508081200.GA6723@newdebian.science> <4822D4AD.8030805@gmail.com> <20080508103658.GB6723@newdebian.science>
Message-ID: <4822DE64.7060804@gmail.com>

Henry Bremridge wrote:
>> I think it may depend on how you backed up your keyring. If you copied
>> the .gnupg folder, then you could do:
>>
>> gpg --homedir
>
> Removed my card and then tried
>
> $gpg --homedir -d file.gpg
>
> and got the following message
>
> gpg: anonymous recipient; trying secret key ...
> gpg: detected reader `SCM SCR 335 00 00'
> gpg: pcsc_connect failed: no smartcard (0x8010000c)
> gpg: apdu_send_simple(0) failed: no card
> Please insert the card and hit return or enter 'c' to cancel: c

Did you generate your secret keys on the card? If so, you can only decrypt the file with the private key on the card (since it does not exist anywhere else). However, if you also encrypted the file with your master public key (likely to be a 2048 ElGamal key) then that should have tried your private key in the backed up keyring. Did you set the hidden-encrypt line in your gpg.conf?

Read section 6.9 of this:
https://www.fsfe.org/en/card/howto/subkey_howto

> if I just entered
>
> $gpg --homedir
>
> Then I get
>
> gpg: Go ahead and type your message ...

That's fine, you're just doing `gpg' except you're specifying where the homedir is located. Type gpg on its own and it would be the same but using .gnupg as your home dir.

> I have got to be making a silly mistake somewhere. Will take the time to reread the manuals slowly and the set up commands of the card

Possibly, but then again I am not an expert, so someone may come along and put you straight!

Cheers,
Edd

From eddrobinson at gmail.com Thu May 8 13:07:25 2008
From: eddrobinson at gmail.com (Edward Robinson)
Date: Thu, 08 May 2008 12:07:25 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <20080508103658.GB6723@newdebian.science>
References: <20080508081200.GA6723@newdebian.science> <4822D4AD.8030805@gmail.com> <20080508103658.GB6723@newdebian.science>
Message-ID: <4822DEED.8030503@gmail.com>

Henry Bremridge wrote:
> Removed my card and then tried
>
> $gpg --homedir -d file.gpg
>
> and got the following message
>
> gpg: anonymous recipient; trying secret key ...
> gpg: detected reader `SCM SCR 335 00 00'
> gpg: pcsc_connect failed: no smartcard (0x8010000c)
> gpg: apdu_send_simple(0) failed: no card
> Please insert the card and hit return or enter 'c' to cancel: c

Oops, I just remembered, try hitting c until it gives up on the card and see if it finds and uses your master key in the backup (assuming that you encrypted the file with your master public encryption key..)

Cheers,
Edd

From eddrobinson at gmail.com Thu May 8 12:23:41 2008
From: eddrobinson at gmail.com (Edward Robinson)
Date: Thu, 08 May 2008 11:23:41 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <20080508081200.GA6723@newdebian.science>
References: <20080508081200.GA6723@newdebian.science>
Message-ID: <4822D4AD.8030805@gmail.com>

Henry Bremridge wrote:
> Running Debian Lenny and have both gpg (1.4.6) and gpg2 (2.0.9) installed (I am still trying to learn more about gpg2)
>
> This morning apt-get updated / installed the following
>
> console-common dbus dbus-x11 java-common libdbus-1-3 libevent1 libgcrypt11 libtasn1-3
>
>
> Much as a few days ago (23 Apr), I could not use my card to decrypt a file as the card existence was not recognised. Furthermore in trying to use my backup key set, I could also not decrypt the file as the decryption command kept trying to find the gpg card...
>
> In rebooting the computer (as per last time) all was fixed and the card works

This possibly sounds like a driver bug, I am no expert though. Perhaps if you list your card reader model someone can tell you if it is known to have problems.

I use a smart card and I have to admit gpg has conked out on me a couple of times and not been able to read my card. Do you have to reboot though? Isn't logging out and back in again enough?

> - I like using the card, but I would like to be able to use gnupg without using the card (ie if I have to restore my complete key ring). Could anyone advise what the command is to force gpg to use a particular secret keyring
>
> I tried $gpg2 --secret-keyring secring.gpg -d filename but that did not work
>
> Any assistance / pointers gratefully received

I think it may depend on how you backed up your keyring. If you copied the .gnupg folder, then you could do:

gpg --homedir

where backup_usb_stick is wherever you backed-up the folder to.

When I have restored from a backup and I have backed up my pubring and secring, I have done something along the lines of:

gpg --import /place/to/backup/pubring.sec
gpg --import /place/to/backup/secring.sec

Not sure if that is what you want.

Cheers,
Edd

From henry.bremridge at xobie.com Thu May 8 17:10:39 2008
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Thu, 8 May 2008 16:10:39 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <4822DE64.7060804@gmail.com>
References: <20080508081200.GA6723@newdebian.science> <4822D4AD.8030805@gmail.com> <20080508103658.GB6723@newdebian.science> <4822DE64.7060804@gmail.com>
Message-ID: <20080508151039.GC6723@newdebian.science>

On Thu, May 08, 2008 at 12:05:08PM +0100, Edward Robinson wrote:
> Henry Bremridge wrote:
>>> I think it may depend on how you backed up your keyring. If you
>>> copied the .gnupg folder, then you could do:
>>>
>>> gpg --homedir
>>
>> Removed my card and then tried
>>
>> $gpg --homedir -d file.gpg
>>
>> and got the following message
>>
>> gpg: anonymous recipient; trying secret key ...
>> gpg: detected reader `SCM SCR 335 00 00'
>> gpg: pcsc_connect failed: no smartcard (0x8010000c)
>> gpg: apdu_send_simple(0) failed: no card
>> Please insert the card and hit return or enter 'c' to cancel: c
>
> Did you generate your secret keys on the card? If so, you can only
> decrypt the file with the private key on the card (since it does not
> exist anywhere else). However, if you also encrypted the file with your
> master public key (likely to be a 2048 ElGamal key) then that should have
> tried your private key in the backed up keyring. Did you set the
> hidden-encrypt line in your gpg.conf?
>

Yes (just rechecked) and I think I found the problem. For some reason the file is not being encrypted to my master file

> Read section 6.9 of this:
> https://www.fsfe.org/en/card/howto/subkey_howto
>
>> if I just entered
>>
>> $gpg --homedir
>>
>> Then I get
>>
>> gpg: Go ahead and type your message ...
>
> That's fine, you're just doing `gpg' except you're specifying where the
> homedir is located. Type gpg on its own and it would be the same but
> using .gnupg as your home dir.
>
>> I have got to be making a silly mistake somewhere. Will take the time to reread the manuals slowly and the set up commands of the card
>
> Possibly, but then again I am not an expert, so someone may come along
> and put you straight!

Many thanks

--
Henry

From JPClizbe at tx.rr.com Thu May 8 19:57:09 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 08 May 2008 12:57:09 -0500
Subject: Suggestions on how to compile for cygwin
In-Reply-To: <96c450350805072349s35ed0cadocfaf84f4fbe686ee@mail.gmail.com>
References: <96c450350805072349s35ed0cadocfaf84f4fbe686ee@mail.gmail.com>
Message-ID: <48233EF5.2080300@tx.rr.com>

Kevin Hilton wrote:
> I frequently try to compile svn versions often for the cygwin
> platform. Both for svn version of gnupg 1.49 and gnupg2, I'm getting
> a lot of errors during the make process. All are problems related to
> the gettext module. By default cygwin is installed with gettext
> version 0.15 however I did go ahead and install version 0.17 from
> source as gettext 0.16 or later is required with the gpg2 source
> installation. I'm still getting errors however. Does anyone have any
> suggestions how to get around these errors? It always involves the
> gettext package.
>

Sorry, took a bit... needed to build gettext-0.17 on my Cygwin install first.

1.4.10-svn4754 built just fine. No idea why you're having so much trouble. Did a fresh co and my normal build script.

--
John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From aolsen at standard.com Thu May 8 20:12:24 2008
From: aolsen at standard.com (Alan Olsen)
Date: Thu, 8 May 2008 11:12:24 -0700
Subject: Need recommendation on keyserver code
In-Reply-To: <20080507172841.GM26399@inocybe.teonanacatl.org>
Message-ID: <92A893260738B0408497A64189BC1E620580138A@MSEXCHANGE305.corp.standard.com>

Todd Zullinger wrote:

>Alan Olsen wrote:
>> 5) Eventually I want to package at least one keyserver for Fedora.

>IIRC from when I built SKS on Fedora 8, the main issue was updating the code to the newer
>Berkeley DB. I didn't test it all that much after building it though -- it just wasn't
>that interesting.

>I'll attach the patches I used to get it to build. They may help you get a working
> package. I make no guarantees that these are correct, as I'm far from intelligent in
> the ways of bdb.

Those patches do not fix my build problems. (It is running out of memory compiling numerix.ml.)

Your patches are also for a much earlier version of numerix.

I have sent mail to the SKS author to see if he has any ideas.

>Onak might end up being easier to build. I never played with it though.

Compiled with no problems. (The bzr version took a bit more. Had to page in the memories of how autoconf developer builds work.)

I have not tested Onak yet. I have a keyserver dump I am going to load into it and see what happens.

Thanks!

From tmz at pobox.com Thu May 8 23:22:08 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Thu, 8 May 2008 17:22:08 -0400
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E6205801389@MSEXCHANGE305.corp.standard.com>
References: <20080507172841.GM26399@inocybe.teonanacatl.org> <92A893260738B0408497A64189BC1E6205801389@MSEXCHANGE305.corp.standard.com>
Message-ID: <20080508212208.GB2592@inocybe.teonanacatl.org>

Alan Olsen wrote:
> Those patches do not fix my build problems. (It is running out of
> memory compiling numerix.ml.)

Odd. I built it again before sending the patches, on an up to date Fedora 8 box (i386). It did compile. I didn't test any further though.

> Your patches are also for a much earlier version of numerix.

Yeah, the numerix patch was against the version of numerix included in the sks tarball. Packaging numerix and making sks use the system numerix would be better (if possible), but it wasn't something I looked at.

> I have sent mail to the SKS author to see if he has any ideas.

Good luck. :)

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx

From aolsen at standard.com Thu May 8 23:49:39 2008
From: aolsen at standard.com (Alan Olsen) Date: Thu, 8 May 2008 14:49:39 -0700 Subject: Need recommendation on keyserver code In-Reply-To: <20080508212208.GB2592@inocybe.teonanacatl.org> Message-ID: <92A893260738B0408497A64189BC1E620580138D@MSEXCHANGE305.corp.standard.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Todd Zullinger wrote: > Alan Olsen wrote: >> Those patches do not fix my build problems. (It is running out of >> memory compiling numerix.ml.) >Odd. I built it again before sending the patches, on an up to date Fedora 8 box (i386). > It did compile. I didn't test any further though. I believe the problem has to do with the version of OCAML I am using. 3.10.1 seems to have problems. 3.10.2 has been released. I am going to try that. I am also using x86_64 and that may have something to do with it. >> Your patches are also for a much earlier version of numerix. >Yeah, the numerix patch was against the version of numerix included in the sks tarball. > Packaging numerix and making sks use the system numerix would be better (if possible), > but it wasn't something I looked at. The patch takes a bit to apply. The code still needs patching at that point in the code. The code location has changed quite a bit though. >> I have sent mail to the SKS author to see if he has any ideas. >Good luck. :) Probably need it. It has been a chore to get anything working with SKS. Probably since I am using a version of Fedora 9 out of Rawhide... 
-----BEGIN PGP SIGNATURE-----
Version: 9.5.3 (Build 5003)

-----END PGP SIGNATURE-----

From Yasuhiro.Funaki at safenet-inc.com Wed May 7 05:31:27 2008
From: Yasuhiro.Funaki at safenet-inc.com (Funaki, Yasuhiro)
Date: Wed, 7 May 2008 11:31:27 +0800
Subject: Hash algo for Gnupg
Message-ID: <8919D897E400EC4A85E30E35FFBF70201D80E7@pok1exch002.sfnt.local>

Dear expert,

I understand as below when hash is used at decrypting operation.
>Hash algo is used to generate a key to decrypt a private key from passphrase at decrypting operation.

When above my understanding is correct, could you advise me how to specify the hash algo at generating key pair and how to change hash algo after generating key pair?

Regards
Yasuhiro

From v.chilupuri at eclipsegroup.com.au Thu May 8 07:08:41 2008
From: v.chilupuri at eclipsegroup.com.au (Chilupuri, Vishwarupachary (Chary) (AU - Sydney))
Date: Thu, 8 May 2008 15:08:41 +1000
Subject: How to decrypt multiple blocks of encrypt messages in one csv file gnupg
Message-ID:

Hi,

I got a situation like below:

Web form with name, address, creditcard details so on. So I'm encrypting using the public key, and storing it in the database.

Later I'm exporting the results from the database to the Excel file (ex: donation.csv which includes all the encrypted blocks of data).

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

hQIOA+9g7DJqQ2tcEAf/a1nPtVTNontTMFu6SaKh7IhImkKiYgt+8pkWlvRJF4xS
wdfL+JPmVWhQHGpNYmsr3ORViA==
#NAME?
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

hQIOA+9g7DJqQ2tcEAf7BnWFMtACgjKKl+DUuI0VZjUaGy/kSE+Ra4rz2gmTC4ig
#NAME?
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

hQIOA+9g7DJqQ2tcEAf/Tonb/+Tlqdrk6CVNdOtmXyX6W9bOYu5j+YVHAqXxsZda
19NAEpNPEIHz9jbyFIfJP0nOSw==
#NAME?
-----END PGP MESSAGE-----

For decryption purpose I'm changing the file name as example: "donation.csv.gpg"

Now I want to decrypt the whole file. I tried

c:\>gpg --decrypt-files "donation.csv.gpg"

(I'm providing passphrase)

It is decrypting only the first record and skipping all the other records.

Please can some one help me to solve this problem?

Thanks in advance.

Kind Regards,
Chary Chilupuri | Senior Analyst | Eclipse | Deloitte

From sattva at pgpru.com Fri May 9 11:32:32 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Fri, 09 May 2008 16:32:32 +0700
Subject: How to decrypt multiple blocks of encrypt messages in one csv file gnupg
In-Reply-To:
References:
Message-ID: <48241A30.4000509@pgpru.com>

Chilupuri, Vishwarupachary (Chary) (AU - Sydney) (08.05.2008 12:08):
> Hi,
> I got a situation like below:
> Web form with name, address, creditcard details so on. So I'm encrypting
> using the public key, and storing it in the database.
> Later I'm exporting the results from the database to the Excel
> file (ex: donation.csv which includes all the encrypted blocks of data).
> For decryption purpose I'm changing the file name as example:
> "donation.csv.gpg"
> Now I want to decrypt the whole file. I tried c:\>gpg --decrypt-files
> "donation.csv.gpg" (I'm providing passphrase)
> It is decrypting only the first record and skipping all the other records.
> Please can some one help me to solve this problem?
> Thanks in advance.

It wouldn't work that way. You have to split your file into multiple files and iterate over them with GPG.
Or, if this is applicable, concatenate all webform input data before encryption and store it in a single DB field (this is how I would implement that: since all data is already encrypted, is there a reason to store it in many different fields?).

--
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

From sattva at pgpru.com Fri May 9 11:45:23 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Fri, 09 May 2008 16:45:23 +0700
Subject: Hash algo for Gnupg
In-Reply-To: <8919D897E400EC4A85E30E35FFBF70201D80E7@pok1exch002.sfnt.local>
References: <8919D897E400EC4A85E30E35FFBF70201D80E7@pok1exch002.sfnt.local>
Message-ID: <48241D33.2010108@pgpru.com>

Funaki, Yasuhiro (07.05.2008 10:31):
> Dear expert,
>
> I understand as below when hash is used at decrypting operation.
>> Hash algo is used to generate a key to decrypt a private key from
> passphrase at decrypting operation.
> When above my understanding is correct,
> could you advice me how to specify the hash algo at generating key pair
> and how to change hash algo after generating key pair?

Such application of hashing algorithm is called String-to-Key (or S2K for simplicity): it crunches variable-length passphrase into a fixed-length string used as a decryption key. In order to specify a hash for S2K operations, use --s2k-digest-algo (or place it in gpg.conf): all newly generated keys will use that hash. Now if you want to change S2K hash algorithm of an existing key, just change passphrase (even to the same value) of that key.

> Regards
> Yasuhiro

--
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
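Added example, not part of any message in this archive: the String-to-Key step described in the "Hash algo for Gnupg" reply, written out from RFC 4880 section 3.7.1 to show how the digest choice, the salt and the coded count turn a passphrase into a fixed-length key. The function names, passphrase and coded count 96 are constructed for the illustration; this is not GnuPG's own code.

```python
"""OpenPGP string-to-key (S2K) per RFC 4880 section 3.7.1 (added illustration)."""
import hashlib
import os
from typing import Optional


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def _feed(h, data: bytes, total: int) -> None:
    """Hash the endless repetition of `data`, truncated to `total` octets."""
    if not data:
        return
    block = data * max(1, 65536 // len(data))  # whole copies, keeps alignment
    while total >= len(block):
        h.update(block)
        total -= len(block)
    h.update(block[:total])


def s2k(passphrase: bytes, key_len: int, digest: str = "sha1",
        salt: bytes = b"", coded_count: Optional[int] = None) -> bytes:
    """Derive `key_len` octets from a passphrase.

    No salt            -> simple S2K
    salt only          -> salted S2K
    salt + coded_count -> iterated and salted S2K
    """
    if salt and len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    if coded_count is not None and not salt:
        raise ValueError("iterated S2K requires a salt")
    data = salt + passphrase
    total = len(data)
    if coded_count is not None:
        # salt+passphrase is always hashed at least once in full
        total = max(decode_count(coded_count), len(data))
    key = b""
    preload = 0
    while len(key) < key_len:
        # Keys longer than one digest use extra hash contexts, each
        # preloaded with one more zero octet than the previous one.
        h = hashlib.new(digest)
        h.update(b"\x00" * preload)
        _feed(h, data, total)
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"   # constructed sample
    salt = os.urandom(8)   # stored in clear next to the protected key
    for algo in ("sha1", "sha256"):
        key = s2k(passphrase, 16, algo, salt, coded_count=96)
        print(algo, salt.hex(), key.hex())
    # Same passphrase, fresh salt: a different key-encryption key.
    print("sha1", s2k(passphrase, 16, "sha1", os.urandom(8), 96).hex())
```

The digest, salt and count travel with the protected secret key, which is why the S2K parameters of an existing key only change when the key is protected again.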
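Added example, not part of any message in this archive: one way to do the "split your file and iterate" step from the reply in the "How to decrypt multiple blocks" thread, keeping each block in memory instead of writing it to disk. The function names and the sample export are constructed; the check for non-armor lines is there because `#NAME?` in the posted sample is an Excel error value, which suggests the spreadsheet round trip replaced some armor lines (the armor checksum line starts with `=`).

```python
"""Split an export holding several ASCII-armored OpenPGP messages and
decrypt each block with its own gpg call (added example)."""
import re
import subprocess

BLOCK_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", re.DOTALL)
HEADER_LINE = re.compile(r"^[A-Za-z-]+: ")            # e.g. "Version: GnuPG ..."
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # radix-64 data
CRC_LINE = re.compile(r"^=[A-Za-z0-9+/]{4}$")         # armor checksum

# Constructed sample: two records, the second damaged the way the posted
# sample appears to be. The radix-64 data is dummy, not real ciphertext.
SAMPLE_EXPORT = '''id,payload
1,"-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

QUJDREVGR0hJSktMTU5PUA==
=AbCd
-----END PGP MESSAGE-----"
2,"-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

QUJDREVGR0hJSktMTU5PUA==
#NAME?
-----END PGP MESSAGE-----"
'''


def split_blocks(text):
    """Return [(armored_block, problems)] for every message found in text."""
    results = []
    for match in BLOCK_RE.finditer(text):
        lines = [ln.strip() for ln in match.group(1).strip().splitlines()]
        headers = []
        while lines and HEADER_LINE.match(lines[0]):
            headers.append(lines.pop(0))
        body = [ln for ln in lines if ln]
        problems = []
        if not body:
            problems.append("no radix-64 data")
        for pos, ln in enumerate(body):
            is_last = pos == len(body) - 1
            if BASE64_LINE.match(ln) or (is_last and CRC_LINE.match(ln)):
                continue
            problems.append("line %d is not armor data: %r" % (pos + 1, ln))
        armored = "\n".join(
            ["-----BEGIN PGP MESSAGE-----"] + headers + [""] + body
            + ["-----END PGP MESSAGE-----", ""])
        results.append((armored, problems))
    return results


def decrypt_blocks(text, gpg="gpg"):
    """Run `gpg --decrypt` once per intact block.

    Returns [(record_number, plaintext_or_None, error_or_None)].
    gpg asks for the passphrase itself (terminal or agent); plaintext is
    returned in memory and never written to disk by this function.
    """
    out = []
    for number, (armored, problems) in enumerate(split_blocks(text), 1):
        if problems:
            out.append((number, None, "; ".join(problems)))
            continue
        proc = subprocess.run([gpg, "--decrypt"],
                              input=armored.encode("ascii"),
                              capture_output=True)
        if proc.returncode == 0:
            out.append((number, proc.stdout, None))
        else:
            error = proc.stderr.decode(errors="replace").strip()
            out.append((number, None, error))
    return out


if __name__ == "__main__":
    # Report only; call decrypt_blocks() on a real export to run gpg.
    for number, (_, problems) in enumerate(split_blocks(SAMPLE_EXPORT), 1):
        print("record %d: %s" % (number, "ok" if not problems else problems))
```

Records flagged as damaged have to be exported again from the database; no decryption step can repair armor lines that the spreadsheet replaced.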
From faramir.cl at gmail.com Fri May 9 14:21:41 2008
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 09 May 2008 08:21:41 -0400
Subject: Protecting private key on USB flash drive: how to?
Message-ID: <482441D5.2050800@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I am going to carry gpg in my USB flash drive, either using portable firefox+FireGPG+some way to put gpg on the drive, or portable thunderbird+gpg for portable TB+enigmail. But despite what way I will use, I will be carrying my private key with me... since there is no way I will protect it with my life (and it is not worth of that), I'd like to know the suggested way to keep the key safe. I think I will use a very strong passphrase, but maybe there are other measures that can (or should) be taken...

Thanks

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From andy.mcknight at gmail.com Fri May 9 16:23:47 2008
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Fri, 9 May 2008 15:23:47 +0100
Subject: Can't sign & encrypt from command line
Message-ID:

Hi,

I'm running gpg 1.4.9 on Vista. When working with files from the command line I can encrypt or sign but I can't do both. The results I get are as follows:

gpg -a -s -e file.txt

Encrypts the file only. I cannot verify a signature on this file, I get the following message.

gpg: no valid OpenPGP data found.
gpg: verify signatures failed: unexpected data

gpg -a -e file.txt

Gives the same result as above

gpg -a -s file.txt

Signs the file and I can verify the signature. Produces an armored output file which looks encrypted but can be decrypted without a passphrase prompt with:

gpg file.txt

Is this something I'm doing wrong or is this a problem?

Andy.

--
key id: 0x6A8BAF97
fingerprint: 0AF9 F0A4 52D2 9775 F996 2027 41AD C31B 6A8B AF97

From vedaal at hush.com Fri May 9 17:04:20 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Fri, 09 May 2008 11:04:20 -0400
Subject: Protecting private key on USB flash drive: how to?
Message-ID: <20080509150420.7C8F42003D@mailserver7.hushmail.com>

Faramir faramir.cl at gmail.com wrote on Fri May 9 14:21:41 CEST 2008 :

>I am going to carry gpg in my USB flash drive, ... I will be carrying my private key with me ... I'd like to know the suggested way to keep the key safe.

many people have different opinions on this, fwiw, here is what i do:

[1] make a true-crypt container just large enough to contain your secret keyring (minimum container volume is 19 kb)

[2] encrypt the truecrypt container using a keyfile rather than a passphrase

[3] for the keyfile,
(a) use any detached gnupg .sig file that you signed and are keeping on your flash drive (e.g.
your truecrypt traveller program that you signed)
(b) armor the .sig file using the gnupg --enarmor command
(c) replace the "Comment" string with a good passphrase

use the resulting gnupg enarmored .asc file with your passphrase as the comment, as your keyfile

[4] erase this keyfile after mounting the container

[5] reconstruct it whenever you need to

this has the advantage that your keyfile is not useably present on your usb, but can be re-constructed by you at any time,

[6] when constructing your truecrypt container, create it without an extension

[7] when storing it, rename it with an .exe extension (tends to keep people from clicking on it, or copying it ;-)) )

[8] before mounting the container, rename it back to what it was, without the .exe extension

truecrypt can be run in Traveller mode without being installed on your computer (i.e. you can intentionally not install it on your laptop, and just run it from your usb, and then remove the registry entries after each use, if you want to and like to devote extra time to these sorts of things ;-) )

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From andy.mcknight at gmail.com Fri May 9 17:42:15 2008
From: andy.mcknight at gmail.com (Andy McKnight)
Date: Fri, 9 May 2008 16:42:15 +0100
Subject: Can't sign & encrypt from command line
In-Reply-To:
References:
Message-ID:

> > > I'm running gpg 1.4.9 on Vista. When working with files from the command
> line I can encrypt or sign but I can't do both.
>

Guys, scratch this question. It doesn't verify if I only run a verification using the --verify command but it does verify if I decrypt the file.

Andy.
From aongenae at gmail.com Fri May 9 17:22:56 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Fri, 9 May 2008 17:22:56 +0200
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <83713a650805090820s1c4864d5xe7baa9f9e27fd2b7@mail.gmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <83713a650805090820s1c4864d5xe7baa9f9e27fd2b7@mail.gmail.com>
Message-ID: <83713a650805090822h5b656c25o972175f2c81e66d3@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just discovered Truecrypt and there is a very interesting feature, the hidden volume (http://www.truecrypt.org/hiddenvolume.php) it could be good to use it for this case. Unfortunately, it should be created on a win machine :'(, moreover I don't know if it's possible to use this feature with a key file (never tried).

I would like to know if there is a way to use my gpg key from a usb drive, so my private key is not imported on the new computer? (symbolic link or ... I don't know)

_-Arnaud-_

ps: sorry vedaal I made a mistake while replying

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: http://getfiregpg.org

-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Fri May 9 18:02:52 2008
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 09 May 2008 12:02:52 -0400
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <20080509150420.7C8F42003D@mailserver7.hushmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com>
Message-ID: <482475AC.6040709@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

vedaal at hush.com wrote:
> Faramir faramir.cl at gmail.com
> wrote on Fri May 9 14:21:41 CEST 2008 :
>
>> I am going to carry gpg in my USB flash drive,
> ... I will be carrying my private key with me
> ... I'd like to know the suggested way to keep the key safe.
> here is what i do:
>
> [1] make a true-crypt container just large enough to contain your
> secret keyring (minimum container volume is 19 kb)
....
> [8] before mounting the container,
> rename it back to what it was, without the .exe extension

OMG... 8 highly complex steps... surely that will defeat any attempt to seize my private key... I was thinking something like encrypting my private key with gpgshell, and making it self extracting... Or to compress with winrar (password protected, and with "encrypt filenames" activated... passware recovery kit doesn't even know what to do with these files), or something like that...

> truecrypt can be run in Traveller mode without being installed on
> your computer

Unfortunately, I still need admin powers to run it, even in traveler mode, and the computer where I would use it just give me user rights...

Thanks vedaal, I will keep this advice in case I start using a laptop, but for now I can't use this solution (due to my lack of admin rights).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Fri May 9 19:56:51 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 09 May 2008 12:56:51 -0500
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <83713a650805090822h5b656c25o972175f2c81e66d3@mail.gmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <83713a650805090820s1c4864d5xe7baa9f9e27fd2b7@mail.gmail.com> <83713a650805090822h5b656c25o972175f2c81e66d3@mail.gmail.com>
Message-ID: <48249063.5040506@sixdemonbag.org>

Arnaud Ongenae wrote:
> I just discovered Truecrypt and there is a very interesting feature, the
> hidden volume (http://www.truecrypt.org/hiddenvolume.php) it could be
> good to use it for this case.

Depends on where you are and what you're doing.

I am not a fan of TrueCrypt's hidden volume feature, and I think most people who are fans haven't thought things through.

Let's say that you're visiting a repressive country. For obvious reasons, you want to put your personal data on a TrueCrypt drive. You get arrested at the airport because they think you're smuggling drugs in/working with the rebels/an American spy/whatever. You proceed to get the stuffing beat out of you. You're willing to divulge your secrets at this point, so you offer your TrueCrypt password. However, since you're not really an American spy/an arms dealer/whatever, the data the interrogator is expecting to find isn't there.
The interrogator demands you turn over the hidden volume. You explain there isn't one. The interrogator demands you prove it. You explain that, by TrueCrypt's design, you can't. The interrogator decides to keep on beating you until you decide to turn over the (nonexistent) hidden volume.

Moral of the story: there are times when you very much want to prove that you _don't_ have certain data. TrueCrypt's design makes these sorts of proofs impossible.

From rjh at sixdemonbag.org Fri May 9 20:02:14 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 09 May 2008 13:02:14 -0500
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <482475AC.6040709@gmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <482475AC.6040709@gmail.com>
Message-ID: <482491A6.8080104@sixdemonbag.org>

Faramir wrote:
> OMG... 8 highly complex steps... surely that will defeat any attempt
> to seize my private key...

Not really.

Imagine a piece of malware that looks for new drives to be mounted. As soon as it gets mounted, the malware looks through the drive looking for interesting data. Malware such as this already exists and has been spotted in the wild.

As soon as you mount a TrueCrypt volume, it becomes subject to these sorts of attacks. Note that the malware design doesn't have to accommodate TrueCrypt at all. The design is simple enough and robust enough to work regardless of whether you're using TrueCrypt or PGPDisk, or whether you're plugging in a USB token or a FireWire external hard drive, or... etc., etc.

I do not think very highly of this idea.

From faramir.cl at gmail.com Fri May 9 20:21:46 2008
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 09 May 2008 14:21:46 -0400
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <482491A6.8080104@sixdemonbag.org>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <482475AC.6040709@gmail.com> <482491A6.8080104@sixdemonbag.org>
Message-ID: <4824963A.5000703@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert J. Hansen wrote:
> Faramir wrote:
>> OMG... 8 highly complex steps... surely that will defeat any attempt
>> to seize my private key...
>
> Not really.
>
> Imagine a piece of malware that looks for new drives to be mounted. As
> soon as it gets mounted, the malware looks through the drive looking for
> interesting data. Malware such as this already exists and has been
> spotted in the wild.
>
> As soon as you mount a TrueCrypt volume, it becomes subject to these
> sorts of attacks. Note that the malware design doesn't have to
> accommodate TrueCrypt at all. The design is simple enough and robust
> enough to work regardless of whether you're using TrueCrypt or PGPDisk,
> or whether you're plugging in a USB token or a FireWire external hard
> drive, or... etc., etc.

Ok... but I think I would use this at my university, and there the computers are safe enough... I can run programs (I have used portable FireFox a lot of times), but I can't install anything... and a malware would need to make changes to windows registry in order to be loaded each time the computer start...

The idea is to protect the private key if the USB flash drive is lost or stolen. I really think nobody will even know what is a secret key, but since we are talking about security... I mean, I am intending to protect an email nobody is going to hack, so, I should protect the key too, even if nobody is going to know what to do with it if they found it...

Maybe I found an interesting solution: steganography. I can hide the secret key inside a picture, and carry some pictures with me, as well as the java program to recover it...

Or maybe I should just use a "son-of-b***h" passphrase that will take some thousand years to bruteforce...
By the way, how is the private keyring protected?

Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From vedaal at hush.com Fri May 9 20:42:51 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Fri, 09 May 2008 14:42:51 -0400
Subject: Protecting private key on USB flash drive: how to?
Message-ID: <20080509184251.F24AA11803C@mailserver5.hushmail.com>

Robert J. Hansen rjh at sixdemonbag.org wrote on Fri May 9 19:56:51 CEST 2008 :

> The interrogator decides to keep on beating you until you decide
>to turn over the (nonexistent) hidden volume.

>there are times when you very much want to prove
>that you _don't_ have certain data.
>TrueCrypt's design makes these sorts of proofs impossible

not 'impossible'
just *tediously inconvenient* ;-)

for discussion purposes, assume the following:

[1] a 1 gig usb drive
[2] a true-crypt container of 1 gig (actually somewhat less, but whatever it is, to fill the drive)
[3] a hidden volume of 100 mb

now, if you know that you are going to a repressive area where you will be forced to reveal everything and prove that there is nothing left unrevealed, then you can:

(a) copy the hidden volume to somewhere else, well out of the influence of the interrogators, and leave it there until you are safely home

(b) erase the hidden volume from the truecrypt container (Peter Gutmann 35 pass, should work fine, considering the next few steps)

(c) copy whatever convincingly private information you have on the hidden volume, that you don't mind the interrogators having, into the truecrypt volume; (your medical information, SAT scores, parking tickets, tax returns, etc. ;-) [all stuff that they can get without you anyway, and verify] )

(d) fill up the rest of the truecrypt container with free open source programs that you like to take with you, to recreate on whatever laptop you might want to use, some excellent space-fillers are:

cygwin components and libraries
grc compilers
ubuntu packages
python programs, libraries and documentation,
any number of downloadable pdf books, videos, or music (keep them 'legal' ;-) )
etc.

if there is no space left for a hidden volume in the truecrypt container or on the usb drive, then there is no possible hidden volume, something even the interrogator should be able to see ...

(n.b. this means you can't take a laptop with you, unless you fill the harddrive the same way [although not that hard to do if you absolutely must, and are a film buff, 20 to 40 movies added to what's ordinarily on your laptop, will easily fill a 160 gig drive] )

caveat: as Al Pacino said in *The Recruit* :
"Everybody breaks. Don't get caught."
Don't visit these kind of repressive areas in the first place ;-)

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From rjh at sixdemonbag.org Fri May 9 21:26:42 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 09 May 2008 14:26:42 -0500
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <20080509184251.F24AA11803C@mailserver5.hushmail.com>
References: <20080509184251.F24AA11803C@mailserver5.hushmail.com>
Message-ID: <4824A572.7050701@sixdemonbag.org>

vedaal at hush.com wrote:
> (b) erase the hidden volume from the truecrypt container
> (Peter Gutmann 35 pass, should work fine, considering the next few
> steps)

Have you even read Gutmann's paper? Gutmann's paper is meant for wiping data from physical drives, not software drives. The 35-pass number is also a misreading of Gutmann's paper: you use the proper schedule for whatever your underlying hardware is.

I don't think you've thought this through. I think trusting a scheme like this is very unwise. I think we're also far away from what's on-topic for GnuPG-Users, so I'll just leave this thread at that.

From chd at chud.net Fri May 9 20:47:49 2008
From: chd at chud.net (Chris De Young)
Date: Fri, 09 May 2008 11:47:49 -0700
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <48249063.5040506@sixdemonbag.org>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <83713a650805090820s1c4864d5xe7baa9f9e27fd2b7@mail.gmail.com> <83713a650805090822h5b656c25o972175f2c81e66d3@mail.gmail.com> <48249063.5040506@sixdemonbag.org>
Message-ID: <48249C55.8080704@chud.net>

> Depends on where you are and what you're doing.
> [...]
> Moral of the story: there are times when you very much want to prove
> that you _don't_ have certain data. TrueCrypt's design makes these
> sorts of proofs impossible.

Well, it actually gives you the choice -- as I recall the hidden volume feature requires that the outer volume be formatted as FAT, so if you need to prove that no hidden volume exists, formatting the outer volume as NTFS accomplishes this.

Of course, this probably won't help you, because the rubber-hose cryptanalyst probably won't follow this explanation and understand the design well enough to be convinced. But still.

And, the hidden volume feature *is* still useful if you actually do have the data they're looking for - as you say, it depends on what you're doing.

-Chris

From jmoore3rd at bellsouth.net Fri May 9 22:01:24 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 09 May 2008 16:01:24 -0400
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <20080509184251.F24AA11803C@mailserver5.hushmail.com>
References: <20080509184251.F24AA11803C@mailserver5.hushmail.com>
Message-ID: <4824AD94.9080109@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

vedaal at hush.com wrote:
> Robert J. Hansen rjh at sixdemonbag.org
> wrote on Fri May 9 19:56:51 CEST 2008 :
>
>> The interrogator decides to keep on beating you until you decide
>> to turn over the (nonexistent) hidden volume.
>
>> there are times when you very much want to prove
>> that you _don't_ have certain data.
>> TrueCrypt's design makes these sorts of proofs impossible
>
>
> not 'impossible'
> just *tediously inconvenient* ;-)

> if you know that you are going to a repressive area where you will
> be forced to reveal everything and prove that there is nothing left
> unrevealed,

This simply doesn't happen. Truly covert Operatives don't carry anything.
GnuPG [& PGP] are ciphers; great for long winded detail but unless One is traveling under Diplomatic Cover ciphers are not used. Codes are used and coded words/phrases may be transmitted by posting on a Web Site or via Radio Signal.

JOHN ;)
Timestamp: Friday 09 May 2008, 16:00 --400 (Eastern Daylight Time)
- --
The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Sat May 10 08:53:55 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 10 May 2008 01:53:55 -0500
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <4824963A.5000703@gmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <482475AC.6040709@gmail.com> <482491A6.8080104@sixdemonbag.org> <4824963A.5000703@gmail.com>
Message-ID: <48254683.1020301@sixdemonbag.org>

Faramir wrote:
> Ok... but I think I would use this at my university, and there the
> computers are safe enough...

They are probably not. I would strongly recommend talking to your local IT support group and finding out firsthand how much of a malware problem they've had with publicly accessible computers.

Universities are the computer equivalent of biowarfare research facilities. They're some of the most hostile, bot-compromised networks out there.
> and a malware would need to make changes to windows registry in order > to be loaded each time the computer start... Sure. But it's malware. It uses exploits. It's not going to respect the same rules that you have to play under. From email at sven-radde.de Sat May 10 10:34:54 2008 From: email at sven-radde.de (Sven Radde) Date: Sat, 10 May 2008 10:34:54 +0200 Subject: Protecting private key on USB flash drive: how to? In-Reply-To: <48249063.5040506@sixdemonbag.org> References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <83713a650805090820s1c4864d5xe7baa9f9e27fd2b7@mail.gmail.com> <83713a650805090822h5b656c25o972175f2c81e66d3@mail.gmail.com> <48249063.5040506@sixdemonbag.org> Message-ID: <1210408494.7144.4.camel@carbon> Hi! Am Freitag, den 09.05.2008, 12:56 -0500 schrieb Robert J. Hansen: > I am not a fan of TrueCrypt's hidden volume feature, and I think most > people who are fans haven't thought things through. I agree. All the "plausible deniability" stuff ?(Truecrypt or whatever else) is only good if 'they' actually have to *prove* that something is there. If mere suspicion is enough to get you into trouble, nothing can protect you (neither using Truecrypt, nor not using it). The hidden volume might have its uses when facing recent UK legislation, though. cu, Sven From roam at ringlet.net Sat May 10 10:37:19 2008 From: roam at ringlet.net (Peter Pentchev) Date: Sat, 10 May 2008 11:37:19 +0300 Subject: how long should a password be? In-Reply-To: <48201C4F.2000701@gmail.com> References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de> <481FC96B.4010205@gmail.com> <1210051760.6354.11.camel@carbon> <48201C4F.2000701@gmail.com> Message-ID: <20080510083719.GA1087@straylight.m.ringlet.net> On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote: [snip Sven Radde's explanations about the salt] > Excellent explanation, thanks. 
> But I still miss the point about the
> salt number doesn't need to be kept secret... I mean: if the salt value
> is not known to the program that must validate the password, then it
> can't validate it (since the hash produced by the password will never
> match the "salted" stored hash). That means the salt used must be stored
> somewhere... and if I get the stored hash, and the salt, I would just
> need to generate the rainbow tables adding the salt value I got... Wait,
> I think I am beginning to get the point... since the salt is random, I
> figure each user will have his own salt value... and that would mean I
> would have to generate 1 rainbow table for each user... but then, I
> would rather try to crack an admin password, and then reset the
> passwords of the users...

It seems that you are missing another important point about the salt - it is generated randomly each and every time something needs to be encrypted :) There is no such thing as "the salt value for this user"; every time this user wants to hash a password, the system generates a random salt value and hashes this particular password, just this once, with this value.

Hope that helps :)

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.

From faramir.cl at gmail.com Sat May 10 17:37:27 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 10 May 2008 11:37:27 -0400
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <1210408688.7144.8.camel@carbon>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <482475AC.6040709@gmail.com> <1210408688.7144.8.camel@carbon>
Message-ID: <4825C137.2060001@gmail.com>

Thanks, Sven Radde, I figure Truecrypt will be a good option when I have enough privileges in the other computer too, and I am a bit unwilling to use an outdated version to work around that limitation...

For now, I think the best option would be a gpg self extracting encrypted file (containing the private keyring), and using symmetric encryption in it, and that file hidden inside a lossless compressed image file (and what would look more innocent than a folder with some pretty girls in swimsuits? well, maybe pretty girls without swimsuits). I already found a java based steganography program (freeware and opensource), and I also have portabilized jre + gpg + gpgshell in the usb flash drive. The procedure would be to extract the encrypted file from the picture, extract the private keyring, copy it to the right folder, and do whatever I have to do. Once finished, I would just delete the keyring. All this with my fingers crossed to avoid some malware stealing my passphrases and all that.

But I also found a tutorial that shows how to protect the primary private key, allowing to revoke the compromised subkeys without losing everything (signatures other people could have put in my keys). The problem is I am still newbie in how public keys work, so I am not sure if the public keys I already uploaded to the keyservers can work with the private subkey the tutorial suggests to make (but it won't be a really big problem, since the only public key that would receive a message is the one I use in this list, and I can wait until I arrive home to check this mail... I can just revoke and rebuild the other one)...
and also, I am not sure if these subkeys would be enough to decrypt encrypted emails sent to me (and if they can't, then there is no point in following the tutorial). I will put the link to the tutorial, so, in the unlikely case you don't already know it (everywhere I look for cryptography info, I find the name of one or two people in this list), you can read it and give your opinion... the link is: http://tjl73.altervista.org/HTML_sign_tutorial/tutorial_en.html

Regards (is there, in english, a better salutation than "regards"? I use to write "Saludos", or just "salu2", but that wouldn't have any meaning here)

From faramir.cl at gmail.com Sat May 10 17:42:03 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 10 May 2008 11:42:03 -0400
Subject: [Fwd: Re: Protecting private key on USB flash drive: how to?]
Message-ID: <4825C24B.3070305@gmail.com>

Florian Philipp wrote:
> On Fri, 2008-05-09 at 08:21 -0400, Faramir wrote:
>
>> Well, I am going to carry gpg in my USB flash drive, either using
>> portable firefox+FireGPG+some way to put gpg on the drive, or portable
>> thunderbird+gpg for portable TB+enigmail. But despite what way I will
...
> In addition to a strong passphrase you could use steganographic
> software. It doesn't encrypt data but hides it, usually in a picture of
> sound file.
...

Yes, I was thinking hard about the subject, and I remembered steganography...
and in the wikipedia article they have a lot of links to that kind of software. I chose Digital Invisible Ink Toolkit, since it is open source, free, built in java, so it should run anywhere. I already had some portable apps (like portable openoffice.org) in my flash drive, including jre... so it looks very viable to use that.

> I think I've heard of USB-sticks or external hard disks with integrated
> finger print readers. I don't really trust this kind of hardware but
> it's an additional layer of security.

I don't trust them either, since I was told it is very likely they can be hacked... at least, laptops protected by fingerprint readers can be hacked. So I would rather use a USB flash drive with built in 256 bits AES... but then, I think it would be the same as just encrypting the keyring with that encryption system, or making a self extracting gpg encrypted file... And if I put that file inside a picture (which supports encryption too...), that probably would be more than enough to keep the data safe...

Well, the thing is my keyring is not valuable at all, it has not even been signed by other people... but since I am studying an IT related career, I should do things "the right way" (or learn how to do them "the right way"), before I actually have to use that knowledge...

Thanks for your advice, since cryptography is based on "the security is in the key, not in the algorithm" (the info is not hidden, but protected), and steganography is based on hiding the info, I thought maybe talking about steganography at gpg list would be some kind of heresy XD. But if you thought about it too, I feel more confident that it is a good idea to mix both systems.
From faramir.cl at gmail.com Sat May 10 17:03:30 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 10 May 2008 11:03:30 -0400
Subject: how long should a password be?
In-Reply-To: <20080510083719.GA1087@straylight.m.ringlet.net>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de> <481FC96B.4010205@gmail.com> <1210051760.6354.11.camel@carbon> <48201C4F.2000701@gmail.com> <20080510083719.GA1087@straylight.m.ringlet.net>
Message-ID: <4825B942.2050403@gmail.com>

Peter Pentchev wrote:
> On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote:
> [snip Sven Radde's explanations about the salt]

(removed the part where I say what I understood about salt)

> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :) There is no such thing as "the salt value for this user";
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this once,
> with this value.

Yes, that IS a very important point I was missing. And the real dimension of making pre computed rainbow tables useless...
I found this: http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm

It has estimations of the time required to generate a set of tables for passwords 1-7 characters long, with just alpha characters, and with alpha+numeric characters. The second option (with a 666 MHz computer, very slow by now, but it helps to get an idea of the required time) is more than 15 days! With some weak protected files, maybe it would be a lot faster to use bruteforce (on the other hand, once the tables are ready, the required time to use them can be really short... but since salt ensures the tables can't be used more than once...).

I know people who explained salt to me don't need this info, but maybe there are more people following this subject...

Have a nice weekend ;)

From bill.royds at royds.net Sat May 10 18:11:10 2008
From: bill.royds at royds.net (Bill Royds)
Date: Sat, 10 May 2008 12:11:10 -0400
Subject: how long should a password be?
In-Reply-To: <20080510083719.GA1087@straylight.m.ringlet.net>
References: <481EB4BB.8030209@calpoly.edu> <481EBD5A.1030601@googlemail.com> <4C71D221-FB02-4D02-947D-ACCC13C9C248@royds.net> <871w4gj01a.fsf@wheatstone.g10code.de> <481FC96B.4010205@gmail.com> <1210051760.6354.11.camel@carbon> <48201C4F.2000701@gmail.com> <20080510083719.GA1087@straylight.m.ringlet.net>
Message-ID: <8F5680CE-D9E3-4E6A-A0BC-AB39141042F2@royds.net>

On 10-May-08, at 04:37 , Peter Pentchev wrote:

> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :) There is no such thing as "the salt value for this user";
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this once,
> with this value.

But this begs the question of how to add the salt properly when verifying the password against stored values. To be able to authenticate against a password, it needs to be available, in some form, as required. Normally that form is in a table of hashed passwords, where the hashed value is a hashed combination of the actual password and the salt Hash(Password,salt). The authentication routine has the password, but where is the salt stored? If it is stored along with the password, then it is available to the cracker who has the hash table, which is necessary for brute force cracking so adds no more security. It can't be generated each time because it has to be the same as used in creation of the hash table. So storage of the salt becomes its own security problem.
Bill Royds

From henry.bremridge at xobie.com Sun May 11 09:55:00 2008
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Sun, 11 May 2008 08:55:00 +0100
Subject: Problem with FSFE gpg card
In-Reply-To: <20080508151039.GC6723@newdebian.science>
References: <20080508081200.GA6723@newdebian.science> <4822D4AD.8030805@gmail.com> <20080508103658.GB6723@newdebian.science> <4822DE64.7060804@gmail.com> <20080508151039.GC6723@newdebian.science>
Message-ID: <20080511075500.GB24860@newdebian.science>

On Thu, May 08, 2008 at 04:10:39PM +0100, Henry Bremridge wrote:
> > Read section 6.9 of this:
> > https://www.fsfe.org/en/card/howto/subkey_howto
> >

Problem solved: in the gpg.conf file when referring to the other keys, I forgot to add the !

Many thanks

--
henry

From ramon.loureiro at upf.edu Sun May 11 10:05:10 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Sun, 11 May 2008 10:05:10 +0200
Subject: Trust model syntax
Message-ID: <4826A8B6.1060904@upf.edu>

Hi!

Where can I find information to understand what does this example line mean? q,n,mf,u?

gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 1q, 0n, 1m, 0f, 0u

Thanks!
____
ramon loureiro

From faramir.cl at gmail.com Sun May 11 15:28:23 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 11 May 2008 09:28:23 -0400
Subject: Trust model syntax
In-Reply-To: <4826A8B6.1060904@upf.edu>
References: <4826A8B6.1060904@upf.edu>
Message-ID: <4826F477.9010401@gmail.com>

Ramon Loureiro wrote:
> Hi!
>
> Where can I find information to understand what does this example line
> mean? q,n,mf,u?
>
> gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 1q, 0n, 1m, 0f, 0u
>
> Thanks!

-  No ownertrust assigned / not yet calculated.
e  Trust calculation has failed; probably due to an expired key.
q  Not enough information for calculation.
n  Never trust this key.
m  Marginally trusted.
f  Fully trusted.
u  Ultimately trusted.

It is in GnuPG manual (gpg.man file... WordPad or Notepad will open that file without any problem).

Now the problem is to remember the meaning of these characters...
;)

Javier

From shavital at mac.com Sun May 11 15:36:12 2008
From: shavital at mac.com (Charly Avital)
Date: Sun, 11 May 2008 09:36:12 -0400
Subject: Trust model syntax
In-Reply-To: <4826A8B6.1060904@upf.edu>
References: <4826A8B6.1060904@upf.edu>
Message-ID: <4826F64C.1070501@mac.com>

Ramon Loureiro wrote the following on 5/11/08 4:05 AM:
> Hi!
>
> Where can I find information to understand what does this example line
> mean? q,n,mf,u?
>
> gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 1q, 0n, 1m, 0f, 0u

It could be:

From GnuPG's manual

The four trust/validity levels are abbreviated: unknown (q), none (n), marginal (m), and full (f).

Charly

From dan at geer.org Sun May 11 16:30:16 2008
From: dan at geer.org (dan at geer.org)
Date: Sun, 11 May 2008 10:30:16 -0400
Subject: [Fwd: Re: Protecting private key on USB flash drive: how to?]
In-Reply-To: Your message of "Sat, 10 May 2008 11:42:03 EDT." <4825C24B.3070305@gmail.com>
Message-ID: <20080511143016.5AC8533C71@absinthe.tinho.net>

For my curiosity, has anyone used threshold (split-key) crypto for key protection? One can do a lot of things w/ threshold, but probably not so easily w/ volunteer labor, etc.

--dan

From eocsor at gmail.com Mon May 12 09:02:32 2008
From: eocsor at gmail.com (Roscoe)
Date: Mon, 12 May 2008 16:32:32 +0930
Subject: [Fwd: Re: Protecting private key on USB flash drive: how to?]
In-Reply-To: <20080511143016.5AC8533C71@absinthe.tinho.net>
References: <4825C24B.3070305@gmail.com> <20080511143016.5AC8533C71@absinthe.tinho.net>
Message-ID:

http://point-at-infinity.org/ssss/ works good for passwords to keys :)

On Mon, May 12, 2008 at 12:00 AM, wrote:
>
> For my curiosity, has anyone used threshold (split-key)
> crypto for key protection? One can do a lot of things
> w/ threshold, but probably not so easily w/ volunteer
> labor, etc.
>
> --dan

From vedaal at hush.com Mon May 12 15:28:55 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 12 May 2008 09:28:55 -0400
Subject: Protecting private key on USB flash drive: how to? // secret-sharing
Message-ID: <20080512132855.91A1A15803E@mailserver6.hushmail.com>

Roscoe eocsor at gmail.com
wrote Mon May 12 09:02:32 CEST 2008 :

>> For my curiosity, has anyone used threshold (split-key)
>> crypto for key protection?

> http://point-at-infinity.org/ssss/ works good for passwords to keys :)

no,
the Shamir split-key/secret sharing,
works for shares of 'keys',
not for passwords

here is a quote from the site:

=====[begin quote]=====
Note that Shamir's scheme is provable secure, that means: in a
(t,n) scheme one can prove that it makes no difference whether an
attacker has t-1 valid shares at his disposal or none at all; as
long as he has less than t shares, there is no better option than
guessing to find out the secret.
=====[end quote]=====

key structures are much more complex than passphrases

example:
assume a passphrase of 16 characters that is shared among two people
each having 8 characters protected by Shamir's secret sharing

even though each person cannot 'decrypt' the other person's 'share',
(that part is true),
each one can start from scratch and do a brute force attack on the
other 8 characters when combined with the 8 characters already
known, and recover the passphrase

when Shamir uses the technique to share 'Keys'
the 'key', which is far more complex than a simple password string,
cannot be reconstructed from a brute force attack, even when t-1
shares are known

'split-keys' have been used by pgp since 6.x,
(usually for 'corporate signing'
when a certain majority t/n is needed for approval of a measure,
although it could work as well for decrypting too)

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From kevhilton at gmail.com Mon May 12 15:10:20 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Mon, 12 May 2008 08:10:20 -0500
Subject: SVN version not correctly displaying
Message-ID: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>

I did manage finally to compile gpg in cygwin after installing gettext from svn. The problem I am having now is that although I have downloaded svn version 4762, I'm only getting 4759 showing when doing gpg --version

Just to run through the process, I do a:

svn up
./autogen.sh && ./configure --enable-maintainer-mode --enable-camellia --enable-idea && make && make install

Within the configure process the 4759 version is shown, rather than the 4762 version.

--
Kevin Hilton

From jmoore3rd at bellsouth.net Mon May 12 17:11:16 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 12 May 2008 11:11:16 -0400
Subject: SVN version not correctly displaying
In-Reply-To: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>
Message-ID: <48285E14.8090309@bellsouth.net>

Kevin Hilton wrote:
> I did manage finally to compile gpg in cygwin after installing gettext
> from svn. The problem I am having now is that although I have
> downloaded svn version 4762, I'm only getting 4759 showing when doing
> gpg --version
>
> Just to run through the process, I do a:
> svn up
> ./autogen.sh && ./configure --enable-maintainer-mode --enable-camellia
> --enable-idea && make && make install
>
> Within the configure process the 4759 version is shown, rather than
> the 4762 version.
>

Did You Manually change the version number within configure.ac?

Did You remember to replace the GPG files after Building?

JOHN ;)
Timestamp: Monday 12 May 2008, 11:10 --400 (Eastern Daylight Time)

From JPClizbe at tx.rr.com Mon May 12 17:48:13 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 12 May 2008 10:48:13 -0500
Subject: SVN version not correctly displaying
In-Reply-To: <48285E14.8090309@bellsouth.net>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>
 <48285E14.8090309@bellsouth.net>
Message-ID: <482866BD.7020907@tx.rr.com>

John W. Moore III wrote:
> Kevin Hilton wrote:
>> I did manage finally to compile gpg in cygwin after installing gettext
>> from svn. The problem I am having now is that although I have
>> downloaded svn version 4762, I'm only getting 4759 showing when doing
>> gpg --version
>
>> Just to run through the process, I do a:
>> svn up
>> ./autogen.sh && ./configure --enable-maintainer-mode --enable-camellia
>> --enable-idea && make && make install
>
>> Within the configure process the 4759 version is shown, rather than
>> the 4762 version.

Probably the results of a prior build getting in your way. Did you make clean or make distclean first?

> Did You Manually change the version number within configure.ac?
>
> Did You remember to replace the GPG files after Building?

Huh??? Replace files?

From jmoore3rd at bellsouth.net Mon May 12 18:01:03 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 12 May 2008 12:01:03 -0400
Subject: SVN version not correctly displaying
In-Reply-To: <482866BD.7020907@tx.rr.com>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <48285E14.8090309@bellsouth.net> <482866BD.7020907@tx.rr.com>
Message-ID: <482869BF.8020806@bellsouth.net>

John Clizbe wrote:

> Huh??? Replace files?

Coffee hadn't kicked in yet. On M$ the output from 'make' doesn't automatically replace the Binary files. :-!
JOHN ;)
Timestamp: Monday 12 May 2008, 12:00 --400 (Eastern Daylight Time)

From JPClizbe at tx.rr.com Mon May 12 18:30:12 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 12 May 2008 11:30:12 -0500
Subject: SVN version not correctly displaying
In-Reply-To: <482869BF.8020806@bellsouth.net>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <48285E14.8090309@bellsouth.net> <482866BD.7020907@tx.rr.com> <482869BF.8020806@bellsouth.net>
Message-ID: <48287094.6020307@tx.rr.com>

John W. Moore III wrote:
> John Clizbe wrote:
>
>> Huh??? Replace files?
>
> Coffee hadn't kicked in yet. On M$ the output from 'make' doesn't
> automatically replace the Binary files. :-!

Could you explain that one? 'Cause that's rather antithetical to the way make works, whether one is on windows or not.

If one of a file's dependencies changes, then that file and files that depend on it are regenerated. If config.h (where the printed version info lives) is changed, all the source files that include it are rebuilt

From jmoore3rd at bellsouth.net Mon May 12 18:49:13 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 12 May 2008 12:49:13 -0400
Subject: SVN version not correctly displaying
In-Reply-To: <48287094.6020307@tx.rr.com>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <48285E14.8090309@bellsouth.net> <482866BD.7020907@tx.rr.com> <482869BF.8020806@bellsouth.net> <48287094.6020307@tx.rr.com>
Message-ID: <48287509.4060508@bellsouth.net>

John Clizbe wrote:
>
> Could you explain that one?

Simple, I misunderstood where the 'incorrect' version was displaying. I initially interpreted the problem as Building one Version and then when checking --version seeing the 'incorrect' [older] version.

When I Build I must then take the freshly compiled Binaries and manually place them in the GnuPG Directory. If I Build a version but do not replace the New build in the proper directory then it won't be in the --version Path.

I am a Windows User and prefer that all build output be generated in a separate directory from the Path directory. To Me; --version implies checking the version in the Path and not the Build directory.
JOHN ;)
Timestamp: Monday 12 May 2008, 12:48 --400 (Eastern Daylight Time)

From aolsen at standard.com Mon May 12 19:41:19 2008
From: aolsen at standard.com (Alan Olsen)
Date: Mon, 12 May 2008 10:41:19 -0700
Subject: Need recommendation on keyserver code
In-Reply-To: <92A893260738B0408497A64189BC1E620580138D@MSEXCHANGE305.corp.standard.com>
Message-ID: <92A893260738B0408497A64189BC1E6205801395@MSEXCHANGE305.corp.standard.com>

>>> I have sent mail to the SKS author to see if he has any ideas.

>>Good luck. :)

> Probably need it. It has been a chore to get anything working with SKS. Probably since I am using a version of
> Fedora 9 out of Rawhide...

A new version of sks was released over the weekend. So far, it looks like it will work. (It at least builds.) The author removed the dependencies on Numerix and fixed it to work with DB 4.6.x.
From reynt0 at cs.albany.edu Tue May 13 00:28:49 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Mon, 12 May 2008 18:28:49 -0400 (EDT)
Subject: Protecting private key on USB flash drive: how to?
In-Reply-To: <4825C137.2060001@gmail.com>
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com> <482475AC.6040709@gmail.com> <1210408688.7144.8.camel@carbon> <4825C137.2060001@gmail.com>
Message-ID:

On Sat, 10 May 2008, Faramir wrote:
 . . .
> image file (and what would look more innocent than a folder with some
> pretty girls in swimsuits? well, maybe pretty girls without swimsuits).
 . . .

Photos of happy puppies and sad puppies?

From benjamin at py-soft.co.uk Tue May 13 05:00:36 2008
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 13 May 2008 04:00:36 +0100
Subject: Updated copy of pinentry-mac available.
Message-ID: <48290454.1010505@py-soft.co.uk>

A new copy of the native MacOSX pinentry program for gpg[2] is now available from:

http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-mac.0.02-1.zip

With the accompanying signature at:

http://www.py-soft.co.uk/~benjamin/download/mac-gpg/pinentry-mac.0.02-1.zip.sig

Extract from the archive and then copy pinentry-mac to /Applications.
Then ensure that ~/.gnupg/gpg-agent.conf contains:

pinentry-program "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"

(Above should be on one line).

This is only a minor revision to allow for the greater information passed by gpg v2.0.9. Next version will contain the very latest pinentry backend and be properly packaged.

Ben

From kevhilton at gmail.com Tue May 13 05:34:26 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Mon, 12 May 2008 22:34:26 -0500
Subject: SVN version not correctly displaying
In-Reply-To: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com>
Message-ID: <96c450350805122034x2437f1b0vfabb02ad2e325cc1@mail.gmail.com>

> Did You Manually change the version number within configure.ac?

I had no idea that you had to change the version number within the configure.ac file. I was hoping to avoid any manual changes but see that it may be needed.

> Did you make clean or make distclean first?
Yes a make distclean -- it didn't make any difference. During the
./configure process it tells you the version number it is compiling
for.

From eocsor at gmail.com Tue May 13 08:24:40 2008
From: eocsor at gmail.com (Roscoe)
Date: Tue, 13 May 2008 06:24:40 +0000
Subject: Protecting private key on USB flash drive: how to? // secret-sharing
In-Reply-To: <20080512132855.91A1A15803E@mailserver6.hushmail.com>
References: <20080512132855.91A1A15803E@mailserver6.hushmail.com>
Message-ID:

I would have thought the 'secret' in Shamir's secret sharing scheme
could be an arbitrary piece of data?

On Mon, May 12, 2008 at 1:28 PM, wrote:
> Roscoe eocsor at gmail.com
> wrote Mon May 12 09:02:32 CEST 2008 :
>
> >> For my curiosity, has anyone used threshold (split-key)
> >> crypto for key protection?
>
> > http://point-at-infinity.org/ssss/ works good for passwords to
> keys :)
>
> no,
> the Shamir split-key/secret sharing,
> works for shares of 'keys',
> not for passwords
>
> here is a quote from the site:
>
> =====[begin quote]=====
> Note that Shamir's scheme is provable secure, that means: in a
> (t,n) scheme one can prove that it makes no difference whether an
> attacker has t-1 valid shares at his disposal or none at all; as
> long as he has less than t shares, there is no better option than
> guessing to find out the secret.
> =====[end quote]=====
>
> key structures are much more complex than passphrases
>
> example:
> assume a passphrase of 16 characters that is shared among two people
> each having 8 characters protected by Shamir's secret sharing
>
> even though each person cannot 'decrypt' the other person's 'share',
> (that part is true),
> each one can start from scratch and do a brute force attack on the
> other 8 characters when combined with the 8 characters already
> known, and recover the passphrase
>
> when Shamir uses the technique to share 'Keys'
> the 'key', which is far more complex than a simple password string,
> cannot be reconstructed from a brute force attack, even when t-1
> shares are known
>
> 'split-keys' have been used by pgp since 6.x,
> (usually for 'corporate signing'
> when a certain majority t/n is needed for approval of a measure,
> although it could work as well for decrypting too)
>
>
> vedaal
>
> any ads or links below this message are added by hushmail without
> my endorsement or awareness of the nature of the link
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From faramir.cl at gmail.com Tue May 13 11:53:30 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 13 May 2008 05:53:30 -0400
Subject: Protecting private key on USB flash drive: how to? (part 2)
In-Reply-To:
References: <20080509150420.7C8F42003D@mailserver7.hushmail.com>
	<482475AC.6040709@gmail.com> <1210408688.7144.8.camel@carbon>
	<4825C137.2060001@gmail.com>
Message-ID: <4829651A.7060705@gmail.com>

reynt0 wrote:
> On Sat, 10 May 2008, Faramir wrote:
> . . .
>> image file (and what would look more innocent than a folder with some
>> pretty girls in swimsuits?
>> well, maybe pretty girls without swimsuits).
> . . .
>
> Photos of happy puppies and sad puppies?

Well... probably the puppies would be more suspicious (lol)

But now I am more interested in following the tutorial "Keeping
primary key safe" than in hiding the keyring... since that way I also
would be protected in the case some malevolent malware takes a copy of
the keyring while I am using it... I would just revoke the subkeys...

I still need to know a few things... I can "play" with the keyring in
my USB flash drive as often as I need, but I would hate messing my
desktop computer's keyring on a daily basis (actually, I don't think I
would be using the USB drive so often, it would be more a "just in
case I need to access the mail when I am not at home").

So I would like to know if I need to keep a copy of the "disposable"
subkeys in order to be able to read the messages... I mean:

Home computer
- Primary Key (SC)
 - Subkey1 (s)
 - Subkey2 (e)

USB keyring
- #
 - Subkey3 (s)
 - Subkey4 (e)

Now, if I suspect my USB keyring becomes compromised, would revoke
Subkeys 3 and 4, and generate Subkeys 5 and 6 to replace them, but...
would I still be able to read messages I received when I was using
subkeys 3 and 4?

What happens with my public key each time I add a subkey? Does it
"grow"? Is it always exactly the same public key? Since I am not so
sure to know how subkeys are generated, I can't know those things (and
if it involves high level mathematics, probably I would not understand
it either).

Maybe the subject is preventing people from reading these messages,
since at least 1 person thought it had gone almost off-topic...

From vedaal at hush.com Tue May 13 15:53:59 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 13 May 2008 09:53:59 -0400
Subject: Protecting private key on USB flash drive: how to? // secret-sharing
Message-ID: <20080513135359.9A4C1D0326@mailserver10.hushmail.com>

>Message: 7
>Date: Tue, 13 May 2008 06:24:40 +0000
>From: Roscoe
>Subject: Re: Protecting private key on USB flash drive: how to? //
> secret-sharing
>To: gnupg
>Message-ID:
>
>Content-Type: text/plain; charset=ISO-8859-1
>
>I would have thought the 'secret' in Shamir's secret sharing scheme
>could be an arbitrary piece of data?

you're right

i think i mis-understood you

i thought (wrongly ;-) ) that what you meant,
was dividing up a password into several shares,
with a part of the password held by each one

what i now think you mean,
is that you want to protect the entire password as a data item,
using Shamir's secret-sharing system

that does work,

sorry,

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

From tgagne at wideopenwest.com Tue May 13 22:05:05 2008
From: tgagne at wideopenwest.com (Thomas Gagné)
Date: Tue, 13 May 2008 16:05:05 -0400
Subject: Automating, passwd command replies, "Need the secret key to do this."
Message-ID: <4829F471.2050907@wideopenwest.com>

Following the instructions for creating a subkey seem straightforward,
but I run into a problem after moving secring.auto and the "public
keyring" to a test directory. First, I'm unsure which file(s) is the
"public keyring." At the end, the instructions say to use the "passwd"
command to remove the passphrase. Did I not copy the right file?

tgagne:/home/tgagne/test ls -ltr
total 8
4 -rw-rw-r-- 1 tgagne users 1232 2008-05-13 15:47 secring.auto
4 -rw------- 1 tgagne users 2409 2008-05-13 15:50 pubring.gpg
gagne:/home/tgagne/test gpg --homedir . --edit load_affinia
gpg: WARNING: unsafe permissions on homedir `.'
gpg (GnuPG) 2.0.4-svn0; Copyright (C) 2007 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `./secring.gpg' created
gpg: ./trustdb.gpg: trustdb created
pub 1024D/FC9B4089 created: 2008-05-13 expires: never usage: SC
 trust: unknown validity: unknown
sub 1024D/21AF94BC created: 2008-05-13 expires: never usage: S
[ unknown] (1). load_affinia (Affinia File Transfer Key)

Command> passwd
Need the secret key to do this.

--
Visit for more great reading.

From jmoore3rd at bellsouth.net Wed May 14 00:21:19 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 13 May 2008 18:21:19 -0400
Subject: Automating, passwd command replies, "Need the secret key to do this."
In-Reply-To: <4829F471.2050907@wideopenwest.com>
References: <4829F471.2050907@wideopenwest.com>
Message-ID: <482A145F.2000705@bellsouth.net>

Thomas Gagné wrote:

> Command> passwd
> Need the secret key to do this.

the Command passwd is for changing the passphrase. Of course, it is
possible to change the passphrase to nothing but first the Secret Key
needs to be unlocked.
Otherwise, anyone could change Your passphrase to anything or nothing.

The "Need Secret Key to do this" is the prompt to enter the passphrase
in order to unlock the Secret Key.

JOHN ;)
Timestamp: Tuesday 13 May 2008, 18:20 --400 (Eastern Daylight Time)

From rjh at sixdemonbag.org Wed May 14 05:11:26 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 13 May 2008 22:11:26 -0500
Subject: Weird error
Message-ID: <482A585E.9060709@sixdemonbag.org>

I have a message which successfully decrypts and verifies on
Thunderbird and Enigmail, running on OS X.

The same message bombs out at the command line.

gpg: using character set `utf-8'
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Charset: UTF-8
gpg: CRC error; 5341CC - DC3534
:pubkey enc packet: version 3, algo 1, keyid 97B2C95A0569E3E6
 data: [2047 bits]
:pubkey enc packet: version 3, algo 16, keyid 7582ADCB684C50FA
 data: [3072 bits]
 data: [3071 bits]
gpg: encrypted_mdc packet with unknown version 255
gpg: quoted printable character in armor - probably a buggy MTA has been used

When I try decrypting this message on an Ubuntu 8.04 box with
Thunderbird and Enigmail, it bombs. When I decrypt it at the command
line on Ubuntu 8.04, it bombs.

This seems highly weird to me.
I have the original message, stripped of header information and other
assorted things, posted at:

http://sixdemonbag.org/buggy_message.asc

Anyone have any idea what's going on here?

From John at Mozilla-Enigmail.org Wed May 14 07:44:24 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 14 May 2008 00:44:24 -0500
Subject: [Enigmail] Weird error
In-Reply-To: <482A585E.9060709@sixdemonbag.org>
References: <482A585E.9060709@sixdemonbag.org>
Message-ID: <482A7C38.8010904@Mozilla-Enigmail.org>

Robert J. Hansen wrote:
> I have a message which successfully decrypts and verifies on Thunderbird
> and Enigmail, running on OS X.
>
> The same message bombs out at the command line.

> gpg: quoted printable character in armor - probably a buggy MTA has been
> used

> When I try decrypting this message on an Ubuntu 8.04 box with
> Thunderbird and Enigmail, it bombs. When I decrypt it at the command
> line on Ubuntu 8.04, it bombs.
>
> This seems highly weird to me. I have the original message, stripped of
> header information and other assorted things, posted at:
>
> http://sixdemonbag.org/buggy_message.asc
>
> Anyone have any idea what's going on here?

Yep. You've been told already: quoted printable.

Last two lines. Recall in base-64, '=' is only allowed as null filler,
so at the end of the message there shouldn't be anything after the
'='. Ditto the CRC being an extra two characters too long, should only
be five.

Quoted printable uses a two digit hex value prefixed with '='.
0x3D = '=' = '=3D'

s/=3D/=/ and it should decrypt.

Quoted printable should have been specified in the messages' MIME
headers. TB on OS X is interpreting the '=3D' correctly and changing
it back to '=' before passing to Enigmail and GnuPG. It would appear
to be a Ubuntu bug.

The q-p encoding of '=' is also what is keeping it from decrypting on
the command line.

--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
 "what's the key to success?" / "two words: good decisions."
 "what's the key to good decisions?" / "one word: experience."
 "how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From gernot.schmied at chello.at Wed May 14 14:23:32 2008
From: gernot.schmied at chello.at (Gernot Schmied)
Date: Wed, 14 May 2008 12:23:32 +0000
Subject: estimate of of PGP keys in the Internet
Message-ID: <1210767812.15736.9.camel@iktech.net>

Hello Group!

I am working on a study about PGP in the EU legal context. I'd
appreciate any pointers to usage statistics about key servers and any
links that provide insight into the number of pgp keys used in the
Internet community or special countries.

Thanks a lot,
Gernot

From sickuser at gmail.com Wed May 14 22:58:59 2008
From: sickuser at gmail.com (gabrix)
Date: Wed, 14 May 2008 22:58:59 +0200
Subject: Linux crypto killer apllication
Message-ID: <200805142259.06868.gabrix@gabrix.ath.cx>

Mine is just a suggestion to improve our dear gnupg.
What is missing in linux is a killer crypt application .
I recently used two windows application pgp and bestcrypt . And they both
have , disk encryption , mail encryption , key generator up to 8192 length ,
text encryption , zip encryption .
All these features are for linux from command line or together to other
command line softwares and not really friendly for newbies .
Will be any , of the above said features , implemented in gnupg in the
future ?
Thanks !
--
1024D/6C71F528
Key fingerprint = AD40 8FC1 F8C0 60E1 608E C136 8080 9773 6C71 F528
https://www.gabrix.ath.cx/gnupgkey.asc
Email: root at gabrix.ath.cx
MSN: sickuser at gmail.com
ekiga: gabrihell at ekiga.net
skype: gabx666
Jabber: gabrihell at jabber.linux.it

From sickuser at gmail.com Wed May 14 22:40:03 2008
From: sickuser at gmail.com (gabrix)
Date: Wed, 14 May 2008 22:40:03 +0200
Subject: old default options file
Message-ID: <200805142240.11954.gabrix@gabrix.ath.cx>

Hi list ,
after kgpg installation whatever gpg command i launch i get this error:

gabrix at mail:~$ gpg --version
gpg: NOTE: old default options file `/home/gabrix/.gnupg/options' ignored

I know it's not a major problem but anyway the error is annoying , to what
option does it refer ?
Thanks.
Gabriele
--
1024D/6C71F528
Key fingerprint = AD40 8FC1 F8C0 60E1 608E C136 8080 9773 6C71 F528
https://www.gabrix.ath.cx/gnupgkey.asc
Email: root at gabrix.ath.cx
MSN: sickuser at gmail.com
ekiga: gabrihell at ekiga.net
skype: gabx666
Jabber: gabrihell at jabber.linux.it

From christoph.anton.mitterer at physik.uni-muenchen.de Wed May 14 23:36:48 2008
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 14 May 2008 23:36:48 +0200
Subject: Linux crypto killer apllication
In-Reply-To: <200805142259.06868.gabrix@gabrix.ath.cx>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
Message-ID: <1210801008.9009.3.camel@fermat.scientia.net>

On Wed, 2008-05-14 at 22:58 +0200, gabrix wrote:
> Mine is just a suggestion to improve our dear gnupg.
> What is missing in linux is a killer crypt application .
> I recently used two windows application pgp and bestcrypt . And they both
> have , disk encryption , mail encryption , key generator up to 8192 length ,
> text encryption , zip encryption .

gpg is not intended and for disk encryption, which requires special
techniques (good IV initialisation method etc).
Current state of the art is probably XTS which is supported by recent
linux kernels (since 2.6.24 IIRC) and dmcrypt.

gpg can create keys with a key size greater than 4096 but you have to
patch it manually.
I think it would be nice if the expert mode allows to create keys of
any length (at least for RSA).

Best wishes,
Chris.

From rjh at sixdemonbag.org Wed May 14 23:45:28 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 14 May 2008 16:45:28 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <200805142259.06868.gabrix@gabrix.ath.cx>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
Message-ID: <482B5D78.5010804@sixdemonbag.org>

gabrix wrote:
> What is missing in linux is a killer crypt application .

There are many, many things more important than this.

> I recently used two windows application pgp and bestcrypt .
> And they both
> have , disk encryption , mail encryption , key generator up to 8192 length ,
> text encryption , zip encryption .

If you want an encrypted disk partition, many Linux distros provide
the tools for that natively. OpenSuse 10.3 allows you to encrypt
partitions when you install the OS, for instance.

Regarding key length, anything past 2048 bits of RSA/ElGamal is, IMO,
patently ridiculous. If it were up to me GnuPG would not generate keys
larger than 2kbit. You do not gain anything when you move from 2kbit
up to 4kbit except larger RSA signatures.

> All these features are for linux from command line or together to other
> command line softwares and not really friendly for newbies .

GnuPG is not a Linux application. GnuPG works on many, many different
OSes. Keeping it as a command-line application allows the GnuPG
developers to stay focused on making GnuPG work on a ton of different
systems, and not getting tied to one particular platform.

That said, there are _many_ GnuPG front-ends. I'm personally very fond
of Enigmail (http://enigmail.mozdev.org), which gives excellent GnuPG
integration into email.

> Will be any , of the above said features , implemented in gnupg in the
> future ?

Unlikely.

Two last words o' warning.

First, I am not a GnuPG developer. They are, of course, free to do
whatever they like. That said, I'm pretty sure my representations here
are accurate.

Second, your reply-to is root at somedomain. This is probably a very
bad idea. It suggests that you're using the superuser account as your
normal user account. If you're doing this, then please create a normal
user account as soon as possible and start using that. It'll save you
a ton of grief in the long run.

From rjh at sixdemonbag.org Wed May 14 23:51:44 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 14 May 2008 16:51:44 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <1210801008.9009.3.camel@fermat.scientia.net>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
	<1210801008.9009.3.camel@fermat.scientia.net>
Message-ID: <482B5EF0.4050002@sixdemonbag.org>

Christoph Anton Mitterer wrote:
> gpg is not intended and for disk encryption, which requires special
> techniques (good IV initialisation method etc).

As opposed to OpenPGP's idiosyncratic CFB mode, which presumably needs
no IV?

It's true that disk encryption uses specialized techniques, but pretty
much every crypto algorithm relies upon good IVs.

> I think it would be nice if the expert mode allows to create keys of
> any length (at least for RSA).

I'm sure that if you can articulate a case for it and submit a patch,
the developers would consider it.

From christoph.anton.mitterer at physik.uni-muenchen.de Wed May 14 23:58:17 2008
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 14 May 2008 23:58:17 +0200
Subject: Linux crypto killer apllication
In-Reply-To: <482B5EF0.4050002@sixdemonbag.org>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
	<1210801008.9009.3.camel@fermat.scientia.net>
	<482B5EF0.4050002@sixdemonbag.org>
Message-ID: <1210802297.11681.2.camel@fermat.scientia.net>

On Wed, 2008-05-14 at 16:51 -0500, Robert J.
Hansen wrote:
> Christoph Anton Mitterer wrote:
> > gpg is not intended and for disk encryption, which requires special
> > techniques (good IV initialisation method etc).
> As opposed to OpenPGP's idiosyncratic CFB mode, which presumably needs
> no IV?
IIRC, OpenPGP sets the IV to 0?

> It's true that disk encryption uses specialized techniques, but pretty
> much every crypto algorithm relies upon good IVs.
Of course...

> > I think it would be nice if the expert mode allows to create keys of
> > any length (at least for RSA).
> I'm sure that if you can articulate a case for it and submit a patch,
> the developers would consider it.
That's not a question of practical cases,..
Every now and then we get posts where people ask for this... right? So
allow it in the expert mode, thus normal users will be prevented from
doing it and people who think that they might get additional security
can simply use it (at their own risk)...

Chris.

From h.schmalle at web.de Wed May 14 23:09:09 2008
From: h.schmalle at web.de (Holger Schmalle)
Date: Wed, 14 May 2008 23:09:09 +0200
Subject: cannot change passphrase entered via enigmail on new system
Message-ID: <1801510452@web.de>

Hello,

in 2005 I created a private key using enigmail (I know now this was a
big mistake :-( ). Recently I changed my complete system (from Gentoo
to Ubuntu ...). The consequence is, that I cannot enter the correct
passphrase. Neither with enigmail, nor on the command line. I suppose
this is a problem with the character encoding. I don't think that I
can manage it to restore my old system with all the stuff like char
encoding, enigmail version ... I have a lot of encrypted e-Mails. Is
there any chance for me to read them ever again??? My passphrase
contains chars like "?{[(#".

Best regards,
Holger

From rjh at sixdemonbag.org Thu May 15 00:21:35 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 14 May 2008 17:21:35 -0500
Subject: old default options file
In-Reply-To: <200805142240.11954.gabrix@gabrix.ath.cx>
References: <200805142240.11954.gabrix@gabrix.ath.cx>
Message-ID: <482B65EF.3020205@sixdemonbag.org>

gabrix wrote:
> I know it's not a major problem but anyway the error is annoying , to what
> option does it refer ?

GnuPG 1.0 through 1.2 (I think) stored the options file in
$HOME/.gnupg/options. As of 1.4, the options file was changed to
$HOME/.gnupg/gpg.conf.

Your options file is misnamed. Fix that and it should go away. Don't
just rename the file, though -- check it to make sure that it contains
the options you want.

From JPClizbe at tx.rr.com Thu May 15 00:32:48 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 14 May 2008 17:32:48 -0500
Subject: old default options file
In-Reply-To: <200805142240.11954.gabrix@gabrix.ath.cx>
References: <200805142240.11954.gabrix@gabrix.ath.cx>
Message-ID: <482B6890.3070006@tx.rr.com>

gabrix wrote:
> Hi list ,
> after kgpg installation whatever gpg command i launch i get this error:
>
> gabrix at mail:~$ gpg --version
> gpg: NOTE: old default options file `/home/gabrix/.gnupg/options' ignored
>
> I know it's not a major problem but anyway the error is annoying , to what
> option does it refer ?

The GnuPG options file /used to be/ named just 'options' and lives in
~/.gnupg. Current versions of GnuPG expect configuration options to be
in gpg.conf

The error is because GnuPG finds a file in its home directory named
options. Renaming 'options' to 'gpg.conf' will correct this and
eliminate the error. ( mv ~/.gnupg/{options,gpg.conf} ). But don't
stop with a simple rename, open gpg.conf and make sure those are
options you really want.

I notice your return address is 'root'. This is usually not a very
good idea.
It suggests that you're using the superuser account as your normal
user account. If you're doing this, then please create a normal user
account as soon as possible and start using that. It'll save you a ton
of grief in the long run.

--
John P. Clizbe Inet: JPClizbe (a) tx DAWT DAHT con
Ginger Bear Networks hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't
matter and those who matter don't mind." - Dr Seuss, "Oh the Places
You'll Go"

From avi.wiki at gmail.com Wed May 14 23:43:42 2008
From: avi.wiki at gmail.com (Avi)
Date: Wed, 14 May 2008 17:43:42 -0400
Subject: Gnupg-users Digest, Vol 56, Issue 21
In-Reply-To:
References:
Message-ID: <27ee9bfb0805141443n3f7e723gac987230a88556da@mail.gmail.com>

2008/5/14 :

> ---------- Forwarded message ----------
> From: "Robert J. Hansen"
> To: GnuPG Users List , Enigmail user discussion
> list
> Date: Tue, 13 May 2008 22:11:26 -0500
> Subject: Weird error
>
> I have a message which successfully decrypts and verifies on Thunderbird
> and Enigmail, running on OS X.
>
> The same message bombs out at the command line.
>
>
> gpg: using character set `utf-8'
> gpg: armor: BEGIN PGP MESSAGE
> gpg: armor header: Charset: UTF-8
> gpg: CRC error; 5341CC - DC3534
> :pubkey enc packet: version 3, algo 1, keyid 97B2C95A0569E3E6
> data: [2047 bits]
> :pubkey enc packet: version 3, algo 16, keyid 7582ADCB684C50FA
> data: [3072 bits]
> data: [3071 bits]
> gpg: encrypted_mdc packet with unknown version 255
> gpg: quoted printable character in armor - probably a buggy MTA has been
> used
>
>
> When I try decrypting this message on an Ubuntu 8.04 box with
> Thunderbird and Enigmail, it bombs. When I decrypt it at the command
> line on Ubuntu 8.04, it bombs.
>
> This seems highly weird to me. I have the original message, stripped of
> header information and other assorted things, posted at:
>
> http://sixdemonbag.org/buggy_message.asc
>
> Anyone have any idea what's going on here?
>

Removing the 3D characters after the penultimate "=" and before the
final equals sign should fix it, I think.

--
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related)
Primary key fingerprint: D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

From rjh at sixdemonbag.org Thu May 15 00:52:02 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 14 May 2008 17:52:02 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <1210802297.11681.2.camel@fermat.scientia.net>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
	<1210801008.9009.3.camel@fermat.scientia.net>
	<482B5EF0.4050002@sixdemonbag.org>
	<1210802297.11681.2.camel@fermat.scientia.net>
Message-ID: <482B6D12.6000906@sixdemonbag.org>

Christoph Anton Mitterer wrote:
> That's not a question of practical cases,..

Sure it is. Adding features "just because it's nice" is a pretty
shoddy way to do engineering. Changes need to be driven by articulated
needs.

> Every now and then we get posts where people ask for this... right?

We also get posts where people ask "is there any way for me to get
access to my files now that I've forgotten my passphrase?" Should we
change GnuPG to accommodate their wishes?

Just because people ask for something is not a compelling reason to
give it to them. I see no reason to add "features" to GnuPG that have
no connection to any real-world need. Changing the largest keysize,
even in expert mode, has no connection to any real-world need I've
ever heard anyone articulate, and so I'm pretty hostile to the idea.

From sickuser at gmail.com Thu May 15 03:02:58 2008
From: sickuser at gmail.com (gabrix)
Date: Thu, 15 May 2008 03:02:58 +0200
Subject: Linux crypto killer apllication
In-Reply-To: <482B5D78.5010804@sixdemonbag.org>
References: <200805142259.06868.gabrix@gabrix.ath.cx>
	<482B5D78.5010804@sixdemonbag.org>
Message-ID: <200805150303.06758.gabrix@gabrix.ath.cx>

On Wednesday 14 May 2008 23:45, Robert J. Hansen wrote:
> gabrix wrote:
> > What is missing in linux is a killer crypt application .
>
> There are many, many things more important than this.
I don't know the hit parade but cryptography is important to me .
>
> > I recently used two windows application pgp and bestcrypt . And they both
> > have , disk encryption , mail encryption , key generator up to 8192
> > length , text encryption , zip encryption .
>
> If you want an encrypted disk partition, many Linux distros provide the
> tools for that natively. OpenSuse 10.3 allows you to encrypt partitions
> when you install the OS, for instance.
Also debian and many other , too
>
> Regarding key length, anything past 2048 bits of RSA/ElGamal is, IMO,
> patently ridiculous. If it were up to me GnuPG would not generate keys
> larger than 2kbit. You do not gain anything when you move from 2kbit up
> to 4kbit except larger RSA signatures.
>
OK !
> > All these features are for linux from command line or together to other
> > command line softwares and not really friendly for newbies .
>
> GnuPG is not a Linux application. GnuPG works on many, many different
> OSes. Keeping it as a command-line application allows the GnuPG
> developers to stay focused on making GnuPG work on a ton of different
> systems, and not getting tied to one particular platform.
Posix application maybe !
>
> That said, there are _many_ GnuPG front-ends. I'm personally very fond
> of Enigmail (http://enigmail.mozdev.org), which gives excellent GnuPG
> integration into email.
>
> > Will be any , of the above said features , implemented in gnupg in the
> > future ?
>
> Unlikely.
>
> Two last words o' warning.
>
> First, I am not a GnuPG developer. They are, of course, free to do
> whatever they like. That said, I'm pretty sure my representations here
> are accurate.
>
> Second, your reply-to is root at somedomain. This is probably a very bad
> idea. It suggests that you're using the superuser account as your
> normal user account. If you're doing this, then please create a normal
> user account as soon as possible and start using that. It'll save you a
> ton of grief in the long run.
And if it is an alias ?

--
1024D/6C71F528
Key fingerprint = AD40 8FC1 F8C0 60E1 608E C136 8080 9773 6C71 F528
https://www.gabrix.ath.cx/gnupgkey.asc
Email: root at gabrix.ath.cx
MSN: sickuser at gmail.com
ekiga: gabrihell at ekiga.net
skype: gabx666
Jabber: gabrihell at jabber.linux.it

From rjh at sixdemonbag.org Thu May 15 03:52:57 2008
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Wed, 14 May 2008 20:52:57 -0500 Subject: Linux crypto killer apllication In-Reply-To: <200805150303.06758.gabrix@gabrix.ath.cx> References: <200805142259.06868.gabrix@gabrix.ath.cx> <482B5D78.5010804@sixdemonbag.org> <200805150303.06758.gabrix@gabrix.ath.cx> Message-ID: <482B9779.40908@sixdemonbag.org> gabrix wrote: > Also debian and many other , too Great -- then you've answered your own question. If there already exist high-quality Free Software encrypted disk partition software, then why should GnuPG reinvent the wheel and do its own? > Posix application maybe ! I wouldn't even go that far. Windows, for instance, is not especially POSIX-conformant, and yet it runs GnuPG just fine. > And if it is an alias ? Then you can expect to continue to get helpful warnings like the ones you've already received. From JPClizbe at tx.rr.com Thu May 15 06:33:39 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 14 May 2008 23:33:39 -0500 Subject: Linux crypto killer apllication In-Reply-To: <200805150303.06758.gabrix@gabrix.ath.cx> References: <200805142259.06868.gabrix@gabrix.ath.cx> <482B5D78.5010804@sixdemonbag.org> <200805150303.06758.gabrix@gabrix.ath.cx> Message-ID: <482BBD23.1050507@tx.rr.com> gabrix wrote: > On Wednesday 14 May 2008 23:45, Robert J. Hansen wrote: >> gabrix wrote: >> > All these features are for linux from command line or together to other >> > command line softwares and not really friendly for newbyes . >> >> GnuPG is not a Linux application. GnuPG works on many, many different >> OSes. Keeping it as a command-line application allows the GnuPG >> developers to stay focused on making GnuPG work on a ton of different >> systems, and not getting tied to one particular platform. > > Posix application maybe ! Windows and DOS, HP/Compaq/DEC's VMS, and IBM's OS/2 and the MVS and VM mainframe operating systems are normally not considered to be POSIX OSes. Even if they do have POSIX subsystems bolted-on. 
A measure of GnuPG's success is its porting to non-POSIX operating systems. >> Two last words o' warning. >> >> First, I am not a GnuPG developer. They are, of course, free to do >> whatever they like. That said, I'm pretty sure my representations here >> are accurate. >> >> Second, your reply-to is root at somedomain. This is probably a very bad >> idea. It suggests that you're using the superuser account as your >> normal user account. If you're doing this, then please create a normal >> user account as soon as possible and start using that. It'll save you a >> ton of grief in the long run. > > And if it is an alias ? Then it would be a poor choice from a system administration viewpoint. Only machine processes should send mail as 'root' and the alias is to direct it to administrators. It shouldn't be used as a general mail address. You are, of course, free to do as you please, but others will continue to assume and conclude you are using the root account for general use and will judge you based on that as Rob has already suggested. -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" From david at miradoiro.com Thu May 15 08:25:20 2008 From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=) Date: Thu, 15 May 2008 08:25:20 +0200 Subject: Linux crypto killer apllication References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> Message-ID: <007e01c8b654$77fbd500$0302a8c0@Nautilus> From: "Robert J. 
Hansen" > I see no reason to add "features" to GnuPG that have no connection to > any real-world need. Changing the largest keysize, even in expert mode, > has no connection to any real-world need I've ever heard anyone > articulate, and so I'm pretty hostile to the idea. Well, I'm pretty sure if GnuPG had the limit you suggest (2048) it would be legally unusable for some purposes, due to legal guidelines, "best practices", and all that tosh. Now you can say those things are misguided, but if they make it impossible to use GnuPG they're a real-world need just as the man page is. I don't know of any of these policies that require keys longer than 4096, but I wouldn't discard the possibility, certainly not in the future. --David. From rjh at sixdemonbag.org Thu May 15 08:42:56 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 May 2008 01:42:56 -0500 Subject: Linux crypto killer apllication In-Reply-To: <007e01c8b654$77fbd500$0302a8c0@Nautilus> References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> Message-ID: <482BDB70.7040102@sixdemonbag.org> David Picón Álvarez wrote: > Well, I'm pretty sure if GnuPG had the limit you suggest (2048) it > would be legally unusable for some purposes, due to legal guidelines, > "best practices", and all that tosh. Can you name some? I'd love to know them. > I don't know of any of these policies that require keys longer than > 4096, but I wouldn't discard the possibility, certainly not in the > future. If 2kbit RSA/DSA/ElG ever becomes attackable either via cryptanalysis, brute force or developments in large number theory, the solution will be to move to entirely new algorithm families, not to just tack on another few bits to the end. 
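To put rough numbers on the RSA key sizes debated in this thread, the following is an added example (not from any poster and not GnuPG code) that sets estimated factoring work against raw signature size. It assumes the textbook GNFS cost formula with its o(1) term dropped, so the estimates are only meaningful relative to each other; the function names are made up for this illustration.

```python
import math

# Constructed sample: the RSA modulus sizes (in bits) mentioned in this thread.
THREAD_KEY_SIZES = [1024, 2048, 4096, 8192, 16384]

# Comparable symmetric strengths for RSA moduli from NIST SP 800-57 Part 1.
NIST_COMPARABLE_BITS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_work_bits(modulus_bits):
    """log2 of the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)].

    Assumption: the o(1) term is dropped, so this overestimates real-world
    strength (compare with the NIST column) but shows how cost scales.
    """
    if modulus_bits < 16:
        raise ValueError("modulus too small for the asymptotic formula")
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_nats = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_nats / math.log(2)


def signature_bytes(modulus_bits):
    """Size of the raw RSA signature value (packet overhead excluded)."""
    return (modulus_bits + 7) // 8


def nist_floor_bits(modulus_bits):
    """Strength of the largest NIST table entry not exceeding this modulus."""
    eligible = [s for size, s in NIST_COMPARABLE_BITS.items() if size <= modulus_bits]
    return max(eligible) if eligible else None


def tradeoff_table(sizes):
    """One row per key size, with the strength gained per extra signature byte
    relative to the next smaller size in the list."""
    rows = []
    for bits in sorted(sizes):
        row = {
            "modulus_bits": bits,
            "sig_bytes": signature_bytes(bits),
            "gnfs_bits": gnfs_work_bits(bits),
            "nist_floor_bits": nist_floor_bits(bits),
            "gain_per_extra_sig_byte": None,
        }
        if rows:
            prev = rows[-1]
            row["gain_per_extra_sig_byte"] = (
                (row["gnfs_bits"] - prev["gnfs_bits"])
                / (row["sig_bytes"] - prev["sig_bytes"])
            )
        rows.append(row)
    return rows


if __name__ == "__main__":
    print("modulus  sig bytes  GNFS est.  NIST floor  gain/extra byte")
    for r in tradeoff_table(THREAD_KEY_SIZES):
        gain = r["gain_per_extra_sig_byte"]
        gain_text = "-" if gain is None else f"{gain:.3f}"
        print(f"{r['modulus_bits']:>7}  {r['sig_bytes']:>9}  "
              f"{r['gnfs_bits']:>9.1f}  {r['nist_floor_bits']!s:>10}  {gain_text:>15}")
```

Each doubling of the modulus doubles the signature, while the estimated strength bought per added signature byte keeps falling.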
From email at sven-radde.de Thu May 15 09:24:04 2008 From: email at sven-radde.de (Sven Radde) Date: Thu, 15 May 2008 09:24:04 +0200 Subject: Linux crypto killer apllication In-Reply-To: <007e01c8b654$77fbd500$0302a8c0@Nautilus> References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> Message-ID: <482BE514.50606@sven-radde.de> David Picón Álvarez wrote: > Well, I'm pretty sure if GnuPG had the limit you suggest (2048) it > would be legally unusable for some purposes, due to legal guidelines, > "best practices", and all that tosh. FWIW, German digital signature laws AFAIK mandate a key length of exactly 1024 bits even for the strongest class of signatures. Certificates for electronic banking (also a heavily regulated field) are of 1024 bits (or is even 768 still common?). Inadequate cryptographic strength is certainly not something that would be attributed to GnuPG very often... cu, Sven From brian at briansmith.org Thu May 15 08:39:37 2008 From: brian at briansmith.org (Brian Smith) Date: Wed, 14 May 2008 23:39:37 -0700 Subject: Linux crypto killer apllication References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> Message-ID: David Picón Álvarez wrote: > From: "Robert J. Hansen" >> I see no reason to add "features" to GnuPG that have no connection to >> any real-world need. Changing the largest keysize, even in expert mode, >> has no connection to any real-world need I've ever heard anyone >> articulate, and so I'm pretty hostile to the idea. It is reasonable to choose to protect a secret for the rest of one's life (~100 years). 
In fact, I see no reason why that shouldn't be the default security level for everybody's personal use. That would require RSA 16,384 or more, according to RSA. Since that key size is impractically large for several interesting exchange technologies (e.g. 2D barcodes), that means we need to migrate to something else like ECC. - Brian From faramir.cl at gmail.com Thu May 15 09:52:55 2008 From: faramir.cl at gmail.com (Faramir) Date: Thu, 15 May 2008 03:52:55 -0400 Subject: Linux crypto killer apllication In-Reply-To: <200805142259.06868.gabrix@gabrix.ath.cx> References: <200805142259.06868.gabrix@gabrix.ath.cx> Message-ID: <482BEBD7.9080303@gmail.com> gabrix wrote: > Mine is just a suggestion to improve our dear gnupg. > What is missing in linux is a killer crypt application . > I recently used two windows application pgp and bestcrypt . And they both > have , disk encryption , mail encryption , key generator up to 8192 length , > text encryption , zip encryption . > All these features are for linux from command line or together to other > command line softwares and not really friendly for newbyes . Well, in Windows, I am using GPGShell, and the GPGtray utility provides text encryption. I think it doesn't give zip encryption, but you can encrypt a zip file. I don't know what applications made to provide a GUI for gpg are available for linux, but since it seems the linux gpg branch is stronger than windows branch, there should be enough of them to choose. Maybe somebody can name some of them... and also if somebody knows about some utility to provide disk encryption in linux (with GUI)... 
From rjh at sixdemonbag.org Thu May 15 10:10:49 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 May 2008 03:10:49 -0500 Subject: Linux crypto killer apllication In-Reply-To: References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> Message-ID: <482BF009.9070802@sixdemonbag.org> Brian Smith wrote: > It is reasonable to choose to protect a secret for the rest of one's > life (~100 years). You're committing two logical fallacies here: the first is you're begging the question, and the second is the assumption of facts not in evidence. This discussion is about tradeoffs, and whether what is to be gained by adopting very large keys would be worthwhile given the sacrifices which would have to be made. By saying "it's reasonable to choose to use extremely long keys", you're skipping the entire debate and moving straight to the conclusion you want to reach, leaving the original question unanswered. Namely: is it worth it? My crystal ball for the future is very hazy. That's good news, actually. Everyone's crystal ball is hazy. I at least know it. Trying to predict what computing power will be like in 100 years is absolute folly. It's ridiculous. It's so silly it doesn't deserve to be taken seriously. 
If, in 1870, you were to ask Charles Babbage to prognosticate 100 years into the future for his Analytical Engine, do you really think he would have foreseen the internet, distributed computation, quantum computers, hypercomputation, the Church-Turing Thesis? If, in 1935, you were to ask Alonzo Church about the significance of his research and where it would take us in 100 years, what do you think he would've said? Saying "it's reasonable to choose to protect personal secrets for 100 years" is on faulty logical grounds because you _can't_ choose to protect secrets for 100 years. You can't look that far into the future. 100 years from now the world will be unrecognizable to us. Scientific, mathematical and technological advances we haven't even imagined yet will be old-hat. The world of that future will be indistinguishable from magic -- and I am at a loss for how anyone can defend against magic. From christoph.anton.mitterer at physik.uni-muenchen.de Thu May 15 10:21:34 2008 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Thu, 15 May 2008 10:21:34 +0200 Subject: Linux crypto killer apllication In-Reply-To: <482BDB70.7040102@sixdemonbag.org> References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org> <1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BDB70.7040102@sixdemonbag.org> Message-ID: <1210839694.2493.1.camel@etppc19> On Thu, 2008-05-15 at 01:42 -0500, Robert J. Hansen wrote: > If 2kbit RSA/DSA/ElG ever becomes attackable either via cryptanalysis, > brute force or developments in large number theory, the solution will be > to move to entirely new algorithm families, not to just tack on another > few bits to the end. Yes,... moreover,... there are parts of the cryptosystem that are / will be weak someday,.. where increasing the keysize won't help (e.g. 
the hash algos) Chris. From christoph.anton.mitterer at physik.uni-muenchen.de Thu May 15 10:22:46 2008 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Thu, 15 May 2008 10:22:46 +0200 Subject: Linux crypto killer apllication In-Reply-To: <482BE514.50606@sven-radde.de> References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org> <1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BE514.50606@sven-radde.de> Message-ID: <1210839766.2493.3.camel@etppc19> On Thu, 2008-05-15 at 09:24 +0200, Sven Radde wrote: > FWIW, german digital signature laws AFAIK mandate a key length of > exactly 1024 bits even for the strongest class of signatures. > Certificates for electronic banking (also a heavily regulated field) are > of 1024 bits (or is even 768 still common?). Well I'm not sure if we should put too much trust in Germany's BSI ;-) Chris. From faramir.cl at gmail.com Thu May 15 10:42:23 2008 From: faramir.cl at gmail.com (Faramir) Date: Thu, 15 May 2008 04:42:23 -0400 Subject: Linux crypto killer apllication In-Reply-To: <482B9779.40908@sixdemonbag.org> References: <200805142259.06868.gabrix@gabrix.ath.cx> <482B5D78.5010804@sixdemonbag.org> <200805150303.06758.gabrix@gabrix.ath.cx> <482B9779.40908@sixdemonbag.org> Message-ID: <482BF76F.7030909@gmail.com> >> And if it is an alias ? > > Then you can expect to continue to get helpful warnings like the ones > you've already received. 
But I figure it is a good boobytrap ;) From david at miradoiro.com Thu May 15 14:17:40 2008 From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=) Date: Thu, 15 May 2008 14:17:40 +0200 Subject: Linux crypto killer apllication References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BDB70.7040102@sixdemonbag.org> Message-ID: <005201c8b685$acbc8240$0302a8c0@Nautilus> > Can you name some? I'd love to know them. I'm speaking from memory, but I think I've seen something of the sort re the Data Protection regulations in Spain, for personally identifiable information. I might be mistaken though. --David. From jmoore3rd at bellsouth.net Thu May 15 14:37:19 2008 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 15 May 2008 08:37:19 -0400 Subject: Linux crypto killer apllication In-Reply-To: <482BEBD7.9080303@gmail.com> References: <200805142259.06868.gabrix@gabrix.ath.cx> <482BEBD7.9080303@gmail.com> Message-ID: <482C2E7F.1090901@bellsouth.net> Faramir wrote: > provide a GUI for gpg are available for linux, but since it seems the > linux gpg branch is stronger than windows branch, Er... Upon what do You base this conclusion? 
GnuPG is equally "strong" on either platform. There is No Linux Branch & Windows Branch. Both the 1.4.x Branch & the 2.0.x Trunk will run on both Linux & Windows. JOHN :-\ Timestamp: Thursday 15 May 2008, 08:36 --400 (Eastern Daylight Time) From shavital at mac.com Thu May 15 14:53:21 2008 From: shavital at mac.com (Charly Avital) Date: Thu, 15 May 2008 08:53:21 -0400 Subject: Trying to compile gpgme under MacOSX Message-ID: <482C3241.7060403@mac.com> Hi, Trying to compile gpgme 1.1.4 on: MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9 1. Configure: env CFLAGS="-isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc" \ ./configure --enable-static --disable-shared --disable-dependency-tracking --with-gpg-error-prefix=/usr/local --with-gpg=/usr/local/bin/gpg --without-pth --disable-glibtest Results in: GPGME v1.1.4 has been configured as follows: GnuPG path: /usr/local/bin/gpg GnuPG version: 1.4.9, min. 1.3.0 GpgSM path: /usr/local/bin/gpgsm GpgSM version: 2.0.9, min. 1.9.6 GPGME Pthread: yes GPGME Pth: But sudo make install: ----------- Making install in assuan make install-am /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. 
-I../include -D_ASSUAN_IN_GPGME_BUILD_ASSUAN -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -Wall -Wcast-align -Wshadow -Wstrict-prototypes -c -o assuan-util.lo assuan-util.c gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -D_ASSUAN_IN_GPGME_BUILD_ASSUAN -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -Wall -Wcast-align -Wshadow -Wstrict-prototypes -c assuan-util.c -o assuan-util.o /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -D_ASSUAN_IN_GPGME_BUILD_ASSUAN -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -Wall -Wcast-align -Wshadow -Wstrict-prototypes -c -o assuan-errors.lo assuan-errors.c gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -D_ASSUAN_IN_GPGME_BUILD_ASSUAN -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -Wall -Wcast-align -Wshadow -Wstrict-prototypes -c assuan-errors.c -o assuan-errors.o In file included from assuan-errors.c:13: assuan.h:74: error: syntax error before 'socklen_t' assuan.h:74: warning: function declaration isn't a prototype assuan.h:75: error: syntax error before 'socklen_t' assuan.h:75: warning: function declaration isn't a prototype In file included from assuan-errors.c:13: assuan.h:74: error: syntax error before 'socklen_t' assuan.h:74: warning: function declaration isn't a prototype assuan.h:75: error: syntax error before 'socklen_t' assuan.h:75: warning: function declaration isn't a prototype lipo: can't figure out the architecture type of: /var/tmp//cc1t515b.out make[2]: *** [assuan-errors.lo] Error 1 make[1]: *** [install] Error 2 ---------- /Developer/SDKs/MacOSX10.5.sdk is present in the system. Previous to trying to compile gpgme, libgpg-error-1.6 had been successfully configured and installed. Thanks in advance for your feedback. 
Charly From lists at michel-messerschmidt.de Thu May 15 15:26:26 2008 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Thu, 15 May 2008 15:26:26 +0200 (CEST) Subject: Linux crypto killer apllication In-Reply-To: <482BE514.50606@sven-radde.de> References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net> <482B6D12.6000906@sixdemonbag.org><007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BE514.50606@sven-radde.de> Message-ID: <3931.195.124.114.37.1210857986.squirrel@webmail.artfiles.de> Sven Radde said: > David Picón Álvarez wrote: >> Well, I'm pretty sure if GnuPG had the limit you suggest (2048) it >> would be legally unusable for some purposes, due to legal guidelines, >> "best practices", and all that tosh. > FWIW, German digital signature laws AFAIK mandate a key length of > exactly 1024 bits even for the strongest class of signatures. Actually the legal requirements changed this year. 1024 bit RSA and SHA-1 are not sufficient anymore. 2048 bit is recommended and at least 1280 bit is required (see http://www.bundesnetzagentur.de/media/archive/12198.pdf for details). Still I haven't seen any legal requirement beyond 2048 bit RSA/DSA yet. But the retirement of SHA-1 may become an issue for OpenPGP. Regards, Michel -- Der tägliche Wahnsinn - http://www.virtualfreedom.de/dtw/ "Race" was the false belief of the 20th century, "security" is that of the 21st. 
From faramir.cl at gmail.com Thu May 15 15:30:29 2008 From: faramir.cl at gmail.com (Faramir) Date: Thu, 15 May 2008 09:30:29 -0400 Subject: Linux crypto killer apllication In-Reply-To: <482C2E7F.1090901@bellsouth.net> References: <200805142259.06868.gabrix@gabrix.ath.cx> <482BEBD7.9080303@gmail.com> <482C2E7F.1090901@bellsouth.net> Message-ID: <482C3AF5.6000801@gmail.com> John W. Moore III wrote: > Faramir wrote: > > >> provide a GUI for gpg are available for linux, but since it seems the >> linux gpg branch is stronger than windows branch, > > Er... Upon what do You base this conclusion? GnuPG is equally "strong" > on either platform. There is No Linux Branch & Windows Branch. > > Both the 1.4.x Branch & the 2.0.x Trunk will run on both Linux & Windows. > > JOHN :-\ > Timestamp: Thursday 15 May 2008, 08:36 --400 (Eastern Daylight Time) Sorry, my message was not clear enough. When I first saw the GnuPG web site, and searched for a binary download for windows, there was one, and downloads for linux, there were a lot of different versions. Now I went to the site again, and took a look at gpg 2.0.9. There is a link to an external site that provides a GnuPG installer for windows... but the most recent version available is 2.0.7 They also provide instructions to make the installer (I figure that way people don't have to wait to get an updated version), but they say it is better to make it on a linux based system (or in a virtual machine with linux). So it is easier for a linux user to get the updated version than for a windows user. Finally, when I read the FAQs, the paths to files are linux style, not windows style (but it is not a problem, since it is easy to understand). 
Even some portable version of the software says something like "for people who don't have a linux based machine at their work and want to carry... from home" (not exactly those words, since I don't remember where I saw it...). For all those reasons, I *think* if we make a poll about what operating system people in this list are using, linux would win... (maybe I am wrong). Now, I don't say it IS that way, but that is the "feeling" I got. And it is good to know a lot of people got rid of windows, even if I have not been able to do that too. Regards From brian at briansmith.org Thu May 15 15:38:05 2008 From: brian at briansmith.org (Brian Smith) Date: Thu, 15 May 2008 06:38:05 -0700 Subject: Linux crypto killer apllication References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> Message-ID: Robert J. Hansen wrote: > Brian Smith wrote: >> It is reasonable to choose to protect a secret for the rest of one's life >> (~100 years). > > You're committing two logical fallacies here: the first is you're begging > the question, and the second is the assumption of facts not in evidence. Exactly what question am I begging? 
I think it is reasonable to assume that people often have secrets that they want to take to their grave (at least). Everything I have read suggests that RSA 8192 will be broken within (some of) our lifetimes, so RSA 8192 or less is not enough. You basically said the same thing in your message. > This discussion is about tradeoffs, and whether what is to be gained by > adopting very large keys would be worthwhile given the sacrifices which > would have to be made. Modern computers can handle RSA 16,384 without too much difficulty, so it isn't really impractical to use it. Even if it was impractical, there are other algorithms (ignored by gnupg) that are more efficient to use. I don't really see what sacrifices would have to be made, especially in terms of implementing gnupg. > By saying "it's reasonable to choose to use extremely long keys", you're > skipping the entire debate and moving straight to the conclusion you want > to reach, leaving the original question unanswered. Namely: is it worth > it? I didn't say it was reasonable to choose extremely long keys, although it is. I said that if you want to keep a message encrypted for your entire lifetime, you need to use something stronger than RSA 8192.... > Saying "it's reasonable to choose to protect personal secrets for 100 > years" is on faulty logical grounds because you _can't_ choose to protect > secrets for 100 years. You can't look that far into the future. ...because something stronger than RSA 8192 will probably take longer to break than RSA 2048. Maybe RSA 16K isn't enough. But, anything less is definitely not enough. > 100 years from now the world will be unrecognizable to us. Scientific, > mathematical and technological advances we haven't even imagined yet will > be old-hat. The world of that future will be indistinguishable from > magic -- and I am at a loss for how anyone can defend against magic. At what point should we quit trying then? Now? 
- Brian From vedaal at hush.com Thu May 15 16:00:32 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 15 May 2008 10:00:32 -0400 Subject: Linux crypto killer apllication // key lengths // govt. standards Message-ID: <20080515140032.C696F15803E@mailserver6.hushmail.com> >Message: 9 >Date: Thu, 15 May 2008 15:26:26 +0200 (CEST) >From: "Michel Messerschmidt" >Subject: Re: Linux crypto killer apllication >Actually the legal requirements changed this year. >1024 bit RSA and SHA-1 are not sufficient anymore. 2048 bit is >recommended and at least 1280 bit is required (see >http://www.bundesnetzagentur.de/media/archive/12198.pdf for >details). > >Still I haven't seen any legal requirement beyond 2048 bit RSA/DSA >yet. >But the retirement of SHA-1 may become an issue for OpenPGP. 
fwiw, here is a US gov guideline/recommendation for keylengths: http://snad.ncsl.nist.gov/dnssec/FISMA-dnssec.html it quotes 'NIST Special Publication 800-57: Recommendations for Key Management' and lists the table of projected keylengths until 2030 gnupg's 4096 and sha-512 capability, together with 256 bit symmetric algortihms, seem *more than enough* ;-) vedaal From faramir.cl at gmail.com Thu May 15 17:00:14 2008 From: faramir.cl at gmail.com (Faramir) Date: Thu, 15 May 2008 11:00:14 -0400 Subject: Changing subkeys: what impact does it have? Message-ID: <482C4FFE.8000802@gmail.com> Hello! If I make 1 subkey for signing, and another one for encryption, and after a while I delete them and make a new subkey's pair, would I be able to read messages encrypted to me with the old pair? Does my public key change when I add or delete a subkey? thanks... From rjh at sixdemonbag.org Thu May 15 17:54:21 2008 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Thu, 15 May 2008 10:54:21 -0500 Subject: Linux crypto killer apllication In-Reply-To: References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> Message-ID: <482C5CAD.6080606@sixdemonbag.org> > Exactly what question am I begging? The reasonableness of the choice to protect a secret for the rest of one's life. > I think it is reasonable to assume that people often have secrets > that they want to take to their grave (at least). I'd like to see some proof offered for this assertion, since it seems quite broad and far-reaching. > Everything I have read suggests that RSA 8192 will be broken within > (some of) our lifetimes, so RSA 8192 or less is not enough. Your crystal ball is a lot clearer than mine is, apparently. If we're able to ever break large (>2kbit) RSA keys, it will only be possible by either (a) advances in computational technology so vast they are indistinguishable from magic, or (b) advances in mathematics so vast they are indistinguishable from magic. Look at Ron Rivest's original (1970s) estimates for how long it would take to break RSA512. Just thirty years later, those estimates were overtaken by reality and technologies that in the 1970s would have been considered magical. > Modern computers can handle RSA 16,384 without too much difficulty My cellphone is a modern computer, and it disagrees with you. I imagine the time to verify would be measured in minutes, not instants. I also often have to take my cellphone onto 2.5G networks where the total data rate is about 10kb/sec. A 16kbit key would thus add substantially to the delay in receiving my email. > Even if it was impractical, there are other algorithms (ignored by > gnupg) that are more efficient to use. Not ignored, simply not implemented. 
The OpenPGP WG is, right now, discussing how to best add ECC to OpenPGP.

> I don't really see what sacrifices would have to be made, especially
> in terms of implementing gnupg.

That may be a sign you should think more about the problem domain.

> At what point should we quit trying then? Now?

Yes.

You cannot keep data secret forever. Anyone who is storing secret data needs to have disclosure plans -- what to do when, not if, those secrets come to light.

A good set of contingency plans will do you worlds more good than tacking a few bits onto your key.

From dshaw at jabberwocky.com Thu May 15 18:22:07 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 15 May 2008 12:22:07 -0400
Subject: Changing subkeys: what impact does it have?
In-Reply-To: <482C4FFE.8000802@gmail.com>
References: <482C4FFE.8000802@gmail.com>
Message-ID: <20080515162206.GA3868@jabberwocky.com>

On Thu, May 15, 2008 at 11:00:14AM -0400, Faramir wrote:

> Hello!
> If I make 1 subkey for signing, and another one for encryption,
> and after a while I delete them and make a new subkey's pair, would I be
> able to read messages encrypted to me with the old pair?

No. If you delete the encryption subkey, then you will not be able to decrypt. The signing subkey is not involved in encryption, so you can delete that one without affecting encrypted messages.

> Does my public
> key change when I add or delete a subkey?

Aside from the obvious addition or removal of a subkey, no.

David

From jmoore3rd at bellsouth.net Thu May 15 18:25:02 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 15 May 2008 12:25:02 -0400
Subject: Linux crypto killer apllication
In-Reply-To: <482C5CAD.6080606@sixdemonbag.org>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org>
Message-ID: <482C63DE.4040907@bellsouth.net>

Robert J. Hansen wrote:

> You cannot keep data secret forever. Anyone who is storing secret data
> needs to have disclosure plans -- what to do when, not if, those secrets
> come to light.
>
> A good set of contingency plans will do you worlds more good than
> tacking a few bits onto your key.

This is very accurate. The third Department established within the National Security Agency back in 1947 was the 'Office of Public Information'. 60 years ago satellite photography was non-existent and even 60 years after inception the very existence & scope of NSA was unknown to all but a few hundred thousand. Still, with 60 years of preparation the 'Discovery' of NSA by the World was anticipated & prepared for. The 'contingency plans' implemented by the 1st DIRNSA have served the Agency better than the most expensive Super Computer they ever purchased.

I am amazed at the outcry over 'eavesdropping' that is occurring now. The capability has existed & been implemented ever since 1913 here in the U.S. Time was when /every/ telegram that traversed a Western Union wire passed through the Nation's cryptography department. If these 'invasions of privacy' have been so detrimental for 95 years then why did it take so long to become part of the public outrage?

People, G.W. Bush did not 'invent' the NSA; President Truman did.

JOHN ;)
Timestamp: Thursday 15 May 2008, 12:24 --400 (Eastern Daylight Time)

From faramir.cl at gmail.com Thu May 15 19:35:32 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 15 May 2008 13:35:32 -0400
Subject: Linux crypto killer apllication
In-Reply-To: <482C5CAD.6080606@sixdemonbag.org>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org>
Message-ID: <482C7464.9080200@gmail.com>

Robert J. Hansen wrote:
>> Exactly what question am I begging?
>
> The reasonableness of the choice to protect a secret for the rest of
> one's life.

I remember some well known figure died, and left some information to be disclosed a lot of years later... I am not sure, but I think she was Jacqueline Kennedy... and it was enough time to be sure her sons would be dead by that time. Ok, it is not common, but it can happen...

> If we're able to ever break large (>2kbit) RSA keys, it will only be
> possible by either (a) advances in computational technology so vast they
> are indistinguishable from magic, or (b) advances in mathematics so vast
> they are indistinguishable from magic.
>
> Look at Ron Rivest's original (1970s) estimates for how long it would
> take to break RSA512. Just thirty years later, those estimates were
> overtaken by reality and technologies that in the 1970s would have been
> considered magical.

I don't get if you are saying Ron Rivest was optimistic, or if you are saying it would take less time than he calculated...

>> Modern computers can handle RSA 16,384 without too much difficulty
>
> My cellphone is a modern computer, and it disagrees with you. I imagine
> the time to verify would be measured in minutes, not instants.

Come on, there is a big difference between a cellphone and a desktop computer, even if they were made the same year...

> I also often have to take my cellphone onto 2.5G networks where the
> total data rate is about 10kb/sec. A 16kbit key would thus add
> substantially to the delay in receiving my email.

Sure, but, as I said, it is not the same a desktop modern computer, with broadband, and a cellphone... and nobody has said the larger keys would be for daily use... in fact, they didn't even say they would use it for email encryption... I figure when they intend to protect something for 100 years, they would encrypt the file and store it somewhere... and if it is so valuable, probably it should be in a place safer than a computer...

> You cannot keep data secret forever. Anyone who is storing secret data
> needs to have disclosure plans -- what to do when, not if, those secrets
> come to light.

By the way, it would be easier to steal the protected file, and steal the key.. have you heard about "burundanga"?
Or maybe, it would be a good idea to protect the file with the strongest protection available, then divide it with some variant of Shamir's secret-sharing scheme, and place each part in a different bank vault...

I think if somebody wants to use a hyper long key... it is his/her problem, as long as I am not forced to do it too...

By the way, I got a message from the starter of this subject (I mean, the original one, not the long keys thing), and her idea is it would be easier to make people get interested in cryptographic applications if there were one GUI capable to concentrate the different tools, or maybe one GUI for each one, but all with its GUI... (by the way, she is happy with command line apps... her idea is aimed to noobs like me).

From faramir.cl at gmail.com Thu May 15 19:44:36 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 15 May 2008 13:44:36 -0400
Subject: Changing subkeys: what impact does it have?
In-Reply-To: <20080515162206.GA3868@jabberwocky.com>
References: <482C4FFE.8000802@gmail.com> <20080515162206.GA3868@jabberwocky.com>
Message-ID: <482C7684.2090805@gmail.com>

David Shaw wrote:
> On Thu, May 15, 2008 at 11:00:14AM -0400, Faramir wrote:
>> Hello!
>> If I make 1 subkey for signing, and another one for encryption,
>> and after a while I delete them and make a new subkey's pair, would I be
>> able to read messages encrypted to me with the old pair?
>
> No. If you delete the encryption subkey, then you will not be able to
> decrypt. The signing subkey is not involved in encryption, so you can
> delete that one without affecting encrypted messages.

Even if I make a new subkey for encryption? I mean, the idea is to replace an "old" pair of subkeys (maybe compromised), with a new pair, one for signing, and other for encryption. I figure I can revoke the subkeys, and keep them, but if they are very short lived, I would end having a lot of useless subkeys... so if I could just replace them, I could revoke them, notify a keyserver about their revoked status, and then delete them...

>> Does my public
>> key change when I add or delete a subkey?
>
> Aside from the obvious addition or removal of a subkey, no.

So... including the addition of a subkey, it does change? I will try an empirical approach to this subject... wish me good luck :P

From rjh at sixdemonbag.org Thu May 15 20:05:05 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 15 May 2008 13:05:05 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <482C7464.9080200@gmail.com>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org> <482C7464.9080200@gmail.com>
Message-ID: <482C7B51.6090409@sixdemonbag.org>

Faramir wrote:
> I remember some well known figure died, and left some information to
> be disclosed a lot of years later... I am not sure, but I think she
> was Jacqueline Kennedy... and it was enough time to be sure her sons
> would be dead by that time.

Some of Mark Twain's writings are not to be released until 2010. [shrugs] The presence of outliers proves nothing other than there are outliers. The general point I'm making remains: I consider it an unproven, unfounded, and overly broad assertion that most people have secrets they want kept for the duration of their lives.

> I don't get if you are saying Ron Rivest was optimistic, or if you
> are saying it would take less time than he calculated...

Both. By Rivest's original figuring, RSA512 would remain secure for millions upon millions of years. Rivest was optimistic, and it took far less time than he had calculated.

If in the 1970s you had used Rivest's 100-year figures, you'd be using RSA512 today.

This is Ron Rivest we're talking about here -- one of the brightest lights in modern crypto.[*] If Ron's predictions have a track record of failure, and so does everyone else's, then why are we taking the "16kbit for a century" predictions seriously?

[*] Also a fine gentleman, with a sense of humor that's positively elfin. I suspect he would much rather be known for that than for being "the big brain on crypto". :)

>> My cellphone is a modern computer, and it disagrees with you.
>> I imagine the time to verify would be measured in minutes, not
>> instants.
>
> Come on, there is a big difference between a cellphone and a desktop
> computer, even if they were made the same year...

Apparently you haven't used an iPhone. The iPhone supports IMAP, and a lot of computer geeks I know have their iPhone set up to monitor their inbox. It's an awful platform to write emails from, but it's very useful for mobile work. Porting GnuPG to the iPhone would be fairly straightforward -- writing a GnuPG plugin for the iPhone's mail client would probably not be too hard -- but waiting five minutes for the iPhone to number-crunch a 16kbit key would be excessive.

Mobile is where things are at nowadays. A good cell phone is a surprisingly powerful computer, comparable to a desktop of a decade ago. It has great connectivity and you can easily get tens of gigabytes of storage attached. Don't be fooled by the small displays and awkward user interfaces.

> I figure when they intend to protect something for 100 years, they
> would encrypt the file and store it somewhere... and if it is so
> valuable, probably it should be in a place safer than a computer...

Ask yourself this question: "why, then, is the original poster recommending the use of RSA, when all that's needed is symmetric crypto?"

> By the way, it would be easier to steal the protected file, and steal
> the key...

As I have said several times, the strongest cipher in the world is no match for a lonely embassy cipher clerk and a thousand dollar a night hooker armed with a bottle of eighteen year old Scotch.

The English idiom for trustworthy information, "straight from the horse's mouth", was originally "straight from the whore's mouth", and dates from the era where the best military intelligence was collected by talking to the prostitutes a commander visited. I've found references to this sort of intelligence gathering going back all the way to Hannibal Barca and the Battle of Cannae.
It's effective, reliable and cheap. The NSA spent billions developing new ciphersystems. The KGB just went after the cipher clerks.

These sorts of attacks tend to be dramatically effective against cryptosystems. Human failings are endemic to the system.

The more we focus on adding another few bits to our keys, the less we focus on the human factor. That's where your attention needs to go when it comes to long-term security. People talk. They always do.

From david at miradoiro.com Thu May 15 21:48:20 2008
From: david at miradoiro.com (David Picón Álvarez)
Date: Thu, 15 May 2008 21:48:20 +0200
Subject: Linux crypto killer apllication
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org><482C7464.9080200@gmail.com> <482C7B51.6090409@sixdemonbag.org>
Message-ID: <008b01c8b6c4$a1e82510$0302a8c0@Nautilus>

From: "Robert J. Hansen"
> Some of Mark Twain's writings are not to be released until 2010.
> [shrugs] The presence of outliers proves nothing other than there are
> outliers. The general point I'm making remains: I consider it an
> unproven, unfounded, and overly broad assertion that most people have
> secrets they want kept for the duration of their lives.

From the patterns of use of crypto most people don't have any secrets worth bothering with, and most people don't want their e-mail kept secret. Maybe under this logic GnuPG shouldn't exist. I assert that if GnuPG can serve a set of users without causing harm to anyone and complicating the design (which permitting longer keys wouldn't do) it probably should.

> This is Ron Rivest we're talking about here -- one of the brightest
> lights in modern crypto.[*] If Ron's predictions have a track record of
> failure, and so does everyone else's, then why are we taking the "16kbit
> for a century" predictions seriously?

Because it is probably a fairly good lower bound.

> Apparently you haven't used an iPhone. The iPhone supports IMAP, and a
> lot of computer geeks I know have their iPhone set up to monitor their
> inbox. It's an awful platform to write emails from, but it's very
> useful for mobile work. Porting GnuPG to the iPhone would be fairly
> straightforward -- writing a GnuPG plugin for the iPhone's mail client
> would probably not be too hard -- but waiting five minutes for the
> iPhone to number-crunch a 16kbit key would be excessive.

1) Did you have to choose the iPhone, one of the most free-software-hostile platforms ever, to exemplify smart phones?
2) Are you sure RSA 16k would take that long to run? Those microprocessors are getting pretty decent these days.
3) Like it or not, smart phones are not to be considered, for now, general purpose computers. They can do many things, but not everything expected from a computer at this point.

> Mobile is where things are at nowadays. A good cell phone is a
> surprisingly powerful computer, comparable to a desktop of a decade ago.
> It has great connectivity and you can easily get tens of gigabytes of
> storage attached.

Yes, and probably not too far in the future it will be able to do RSA 16k in reasonable time if it can't today.

> Don't be fooled by the small displays and awkward user interfaces.

Beware the SDK terms though.

> Ask yourself this question: "why, then, is the original poster
> recommending the use of RSA, when all that's needed is symmetric crypto?"

RSA is more flexible. Easier to protect several documents, easier to have shared secrets, etc.

> The more we focus on adding another few bits to our keys, the less we
> focus on the human factor.
> That's where your attention needs to go when
> it comes to long-term security. People talk. They always do.

I don't think that's actually true. In the margin, we should be using 512 keys because that way we can focus more on human security issues. Reductio ad absurdum, but you see my point: deciding to have an RSA 8k key or RSA 16k key doesn't particularly detract from placing emphasis on other measures of human-related security.

--David.

From Apple at royds.net Thu May 15 23:44:36 2008
From: Apple at royds.net (Bill Royds)
Date: Thu, 15 May 2008 17:44:36 -0400
Subject: Linux crypto killer apllication
In-Reply-To: <008b01c8b6c4$a1e82510$0302a8c0@Nautilus>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org><482C7464.9080200@gmail.com> <482C7B51.6090409@sixdemonbag.org> <008b01c8b6c4$a1e82510$0302a8c0@Nautilus>
Message-ID:

On 15-May-08, at 15:48 , David Picón Álvarez wrote:

>
> RSA is more flexible. Easier to protect several documents, easier to
> have shared secrets, etc

You don't seem to understand the difference between public key and secret key encryption. RSA is not used to encrypt the document. RSA is used to encrypt the key that is used to encrypt the document. The key is a shared private key that is transmitted using a PK system like RSA.
If you want to save encrypted data for a long time, you encrypt it with a sufficiently long private key (generated at random), such as AES 512. You then encrypt that key with the public keys of everybody that needs to know the key to decrypt the document. Since the private key is fairly short in bytes and random, it has a full entropy, so would be hard to decrypt by random guessing.
If you are worried by key size, it is the key size of the AES cypher that you need to worry about, not RSA.

From rjh at sixdemonbag.org Fri May 16 00:54:05 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 15 May 2008 17:54:05 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <008b01c8b6c4$a1e82510$0302a8c0@Nautilus>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <1210801008.9009.3.camel@fermat.scientia.net> <482B5EF0.4050002@sixdemonbag.org><1210802297.11681.2.camel@fermat.scientia.net><482B6D12.6000906@sixdemonbag.org> <007e01c8b654$77fbd500$0302a8c0@Nautilus> <482BF009.9070802@sixdemonbag.org> <482C5CAD.6080606@sixdemonbag.org><482C7464.9080200@gmail.com> <482C7B51.6090409@sixdemonbag.org> <008b01c8b6c4$a1e82510$0302a8c0@Nautilus>
Message-ID: <482CBF0D.2060205@sixdemonbag.org>

David Picón Álvarez wrote:
> From the patterns of use of crypto most people don't have any secrets
> worth bothering with, and most people don't want their e-mail kept
> secret.

I'm not willing to go there. We can conclude crypto is not often used, but if you want to talk about why crypto is not often used you're going to need some foundation other than speculation.

Ed Felten has a paper out -- I'll dig it up if people are interested -- outlining patterns of PGP usage in an international, politically-active NGO that had a lot of secrets to keep, which included interviews asking "so why do or don't you use PGP?"

> Because it is probably a fairly good lower bound.

Words like "probably" make people think of probabilities; weighted, measured, quantitative things grounded in objective reality. That is not the case here.

"Because it seems like a fairly good lower bound" is more accurate -- and then it opens the door to ask, why precisely does it seem that way, and how do you know your perceptions are accurate with respect to the mathematical and technological developments of a century hence?

> 1) Did you have to choose the iPhone, one of the most
> free-software-hostile platforms ever, to exemplify smart phones?

I didn't choose the iPhone -- the free market did. The iPhone's capabilities are understood, at least vaguely, by most people, which makes them good for exposition purposes.

> 2) Are you sure RSA 16k would take that long to run?

Talk to the OpenPGP WG. The mobile operators are pushing ECC since RSA, ElGamal and DSA all require unreasonable amounts of time, memory and processor power.

> 3) Like it or not, smart phones are not to be considered, for now,
> general purpose computers. They can do many things, but not
> everything expected from a computer at this point.

Yes, but we're not talking about manipulating spreadsheets. We're talking about _reading email_, which is clearly something people do with their smart phones.

> RSA is more flexible. Easier to protect several documents, easier to
> have shared secrets, etc.

Explain the "RSA is more flexible", please.

It is also not easier to protect several documents. Great, so I take my several documents, I zip them up, I encrypt the file symmetrically, bang, Bob's your uncle.

It is also not easier to have shared secrets. Shamir's scheme is in no way connected to asymmetric crypto. You can do a secret sharing scheme with a small symmetric key just as easily as you can with an asymmetric key.

From JPClizbe at tx.rr.com Fri May 16 03:06:53 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 15 May 2008 20:06:53 -0500
Subject: Linux crypto killer apllication
In-Reply-To: <482BEBD7.9080303@gmail.com>
References: <200805142259.06868.gabrix@gabrix.ath.cx> <482BEBD7.9080303@gmail.com>
Message-ID: <482CDE2D.40308@tx.rr.com>

Faramir wrote:
> Well, in Windows, I am using GPGShell, and the GPGtray utility
> provides text encryption. I think it doesn't give zip encryption, but
> you can encrypt a zip file.

As I recall, ZIP encryption is just symmetric encryption with a pass{word,phrase}.

> I don't know what applications made to provide a GUI for gpg are
> available for linux, but since it seems the linux gpg branch is
> stronger than windows branch, there should be enough of them to
> choose.

Linux branch? Windows branch? Not in GnuPG - the code for each of those is the same.

You will find more F/OSS applications available than you will Windows apps because there is less of a barrier to F/OSS development - the tools are free.

--
John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From jd1987 at borozo.com Fri May 16 17:35:36 2008
From: jd1987 at borozo.com (Joe Demeny)
Date: Fri, 16 May 2008 11:35:36 -0400
Subject: gpg: decryption failed: No secret key
Message-ID: <200805161135.37006.jd1987@borozo.com>

I'm trying to decrypt a message using KMail and gpg and it fails. I then tried to manually decrypt the encrypted part and this is what I got:

$ gpg -v -d test
gpg: using character set `US-ASCII'
Warning: using insecure memory!
gpg: armor: BEGIN PGP MESSAGE
Version: GnuPG v2.0.9 (FreeBSD)
:pubkey enc packet: version 3, algo 16, keyid 72F9D3DCCF8503BE
        data: [2046 bits]
        data: [2048 bits]
gpg: armor header:
gpg: public key is CF8503BE
:encrypted data packet:
        length: unknown
gpg: encrypted with ELG key, ID CF8503BE
gpg: decryption failed: No secret key

I'm wondering what the error "No secret key" means? Am I trying to decrypt the message with the wrong key? Or have I broken my gpg setup?

--
Joe Demeny

From shavital at mac.com Fri May 16 18:40:49 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 16 May 2008 12:40:49 -0400
Subject: gpg: decryption failed: No secret key
In-Reply-To: <200805161135.37006.jd1987@borozo.com>
References: <200805161135.37006.jd1987@borozo.com>
Message-ID: <482DB911.2080807@mac.com>

Joe Demeny wrote the following on 5/16/08 11:35 AM:
> I'm trying to decrypt a message using KMail and gpg and it fails. I then tried
> to manually decrypt the encrypted part and this is what I got:
>
> $ gpg -v -d test
> gpg: using character set `US-ASCII'
> Warning: using insecure memory!
> gpg: armor: BEGIN PGP MESSAGE
> Version: GnuPG v2.0.9 (FreeBSD)
> :pubkey enc packet: version 3, algo 16, keyid 72F9D3DCCF8503BE
> data: [2046 bits]
> data: [2048 bits]
> gpg: armor header:
> gpg: public key is CF8503BE
> :encrypted data packet:
> length: unknown
> gpg: encrypted with ELG key, ID CF8503BE
> gpg: decryption failed: No secret key
>
> I'm wondering what the error "No secret key" means? Am I trying to decrypt the
> message with the wrong key? Or have I broken my gpg setup?

Key ID CF8503BE that was used to encrypt that message is the encryption subkey of:

pub  1024D/22321032  created: 1999-11-10  expires: never  usage: SCA
                     trust: []  validity: []
sub  2048g/CF8503BE  created: 1999-11-10  expires: never  usage: E
[ unknown] (1). Janos Dohanics

That key belongs, therefore, to Janos Dohanics, who is the only person who can decrypt that message, *if* he has in keyring the above key, and *if* he knows the required passphrase.

Hope this helps?

Charly

From faramir.cl at gmail.com Fri May 16 19:06:32 2008
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 16 May 2008 13:06:32 -0400
Subject: gpg: decryption failed: No secret key
In-Reply-To: <482DB911.2080807@mac.com>
References: <200805161135.37006.jd1987@borozo.com> <482DB911.2080807@mac.com>
Message-ID: <482DBF18.4020909@gmail.com>

Charly Avital wrote:
> Joe Demeny wrote the following on 5/16/08 11:35 AM:
>> I'm trying to decrypt a message using KMail and gpg and it fails. I then tried
>> to manually decrypt the encrypted part and this is what I got:
...
>> I'm wondering what the error "No secret key" means? Am I trying to decrypt the
>> message with the wrong key? Or have I broken my gpg setup?
>
>
> Key ID CF8503BE that was used to encrypt that message is the encryption
> subkey of:
.....
> That key belongs, therefore, to Janos Dohanics, who
> is the only person who can decrypt that message, *if* he has in keyring
> the above key, and *if* he knows the required passphrase.

Joe Demeny, do you know how does private/public key encryption work? I mean, the general idea, not the "magic" involved in it. If you don't, we can explain it to you, so you can avoid these problems.

But if you already know about it, then maybe you will require some troubleshooting with the specifics of your installed software setup, and I am not sure if this is the best place to ask for it (if the problem is GNUpg setup, clearly this IS the right place to ask for help. But if the problem is the KMail setup, I am not so sure... anyway, I wouldn't complain if somebody gives you support for KMail. But I am just a new user here, so I can just speak for myself).

Regards

From ihtraum18 at gmail.com Fri May 16 21:58:14 2008
From: ihtraum18 at gmail.com (Eduardo Júnior)
Date: Fri, 16 May 2008 16:58:14 -0300
Subject: Encrypt a file
Message-ID:

Hi,

when I encrypt a file using gpg as default it is made with the figure CAST5 and with only 1 passphrase.

How do I file that is encrypted with more than 1 passphrase?
Or I can encrypts it using my RSA key or more than one?

[]'s

--
Eduardo Júnior
GNU/Linux user #423272

:wq

From jmoore3rd at bellsouth.net Sat May 17 00:32:35 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 16 May 2008 18:32:35 -0400
Subject: gpg: decryption failed: No secret key
In-Reply-To: <200805161135.37006.jd1987@borozo.com>
References: <200805161135.37006.jd1987@borozo.com>
Message-ID: <482E0B83.7050803@bellsouth.net>

Joe Demeny wrote:
> gpg: decryption failed: No secret key
>
> I'm wondering what the error "No secret key" means? Am I trying to decrypt the
> message with the wrong key? Or have I broken my gpg setup?
>

Nothing is 'broken' but what GPG is telling You is that it wasn't encrypted to You. [or, at least to Your Key] Unless Your Key was specified to be encrypted to then You do not have the Secret Key necessary to decrypt.

That's all.
JOHN ;) Timestamp: Friday 16 May 2008, 18:32 --400 (Eastern Daylight Time) From eddrobinson at gmail.com Mon May 19 13:52:29 2008 From: eddrobinson at gmail.com (Edward Robinson) Date: Mon, 19 May 2008 12:52:29 +0100 Subject: OpenPGP card +Lock screen -- possible??? Message-ID: <483169FD.8080502@gmail.com> Hello all, Does anyone know if it is possible to use my openpgp smart card as a way of locking my screen on my gnome / debian lenny distro? I was thinking it would be nice if on removal of my smart card the gnome-screensaver kicked in. I am not fussed about using it to unlock again (I have a fingerprint reader for that). I guess really the simplest way would be if it was possible to run scripts on removal of the card, that way I could just write a script to launch the screensaver. Cheers, Edd From rudolf.deilmann at gmail.com Mon May 19 16:39:41 2008 From: rudolf.deilmann at gmail.com (Rudolf Deilmann) Date: Mon, 19 May 2008 16:39:41 +0200 Subject: OpenPGP card +Lock screen -- possible???
In-Reply-To: <483169FD.8080502@gmail.com> References: <483169FD.8080502@gmail.com> Message-ID: <483190df.05a0660a.32e5.ffffaefa@mx.google.com> On Mon, 19 May 2008 12:52:29 +0100, Edward Robinson wrote: Hi Edward, > Does anyone know if it is possible to use my openpgp smart card as a > way of locking my screen on my gnome / debian lenny distro? I was > thinking it would be nice if on removal of my smart card the > gnome-screensaver kicked in. I am not fussed about using it to > unlock again (I have a fingerprint reader for that). > > I guess really the simplest way would be if it was possible to run > scripts on removal of the card, that way I could just write a script > to launch the screensaver. It should be possible with ivman. Just compare the output of 'lshal' before and after you plugged in your smart card; and then add according entries to IvmConfigActions.xml: Btw, there is http://www.pamusb.org/ - but it works with usb sticks. And it's a little bit offtopic here. From wk at gnupg.org Tue May 20 10:58:27 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 20 May 2008 10:58:27 +0200 Subject: SVN version not correctly displaying In-Reply-To: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> (Kevin Hilton's message of "Mon, 12 May 2008 08:10:20 -0500") References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> Message-ID: <87mymljqrw.fsf@wheatstone.g10code.de> On Mon, 12 May 2008 15:10, kevhilton at gmail.com said: > svn up > ./autogen.sh && ./configure --enable-maintainer-mode --enable-camellia To get the svn version into the version string you need to ./autogen.sh --force this is so that the autotools cache is not used and M4 can properly extract the svn revision. And pretty please do not use --enable-camellia; that is developer only and will lead to problems because Camellia is not yet defined in OpenPGP and algorithm ids may still change. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
From eddrobinson at gmail.com Tue May 20 12:12:24 2008 From: eddrobinson at gmail.com (Edward Robinson) Date: Tue, 20 May 2008 11:12:24 +0100 Subject: OpenPGP card +Lock screen -- possible??? In-Reply-To: <483190df.05a0660a.32e5.ffffaefa@mx.google.com> References: <483169FD.8080502@gmail.com> <483190df.05a0660a.32e5.ffffaefa@mx.google.com> Message-ID: <4832A408.50307@gmail.com> Hi Rudolf, Unfortunately lshal is the same when I plug the card in or take it out, nothing changes. I did a diff on the outputs to be sure. Any other thoughts?? Cheers, Edd Rudolf Deilmann wrote: > On Mon, 19 May 2008 12:52:29 +0100, > Edward Robinson wrote: > > Hi Edward, > >> Does anyone know if it is possible to use my openpgp smart card as a >> way of locking my screen on my gnome / debian lenny distro? I was >> thinking it would be nice if on removal of my smart card the >> gnome-screensaver kicked in. I am not fussed about using it to >> unlock again (I have a fingerprint reader for that). >> >> I guess really the simplest way would be if it was possible to run >> scripts on removal of the card, that way I could just write a script >> to launch the screensaver. > > It should be possible with ivman. > Just compare the output of 'lshal' before and after you plugged in > your smart card; and then add according entries to IvmConfigActions.xml: > > > > > > > > Btw, there is http://www.pamusb.org/ - but it works with usb sticks. > And it's a little bit offtopic here. From mo at g10code.com Tue May 20 12:43:29 2008 From: mo at g10code.com (Moritz Schulte) Date: Tue, 20 May 2008 12:43:29 +0200 Subject: OpenPGP card +Lock screen -- possible??? In-Reply-To: <4832A408.50307@gmail.com> References: <483169FD.8080502@gmail.com> <483190df.05a0660a.32e5.ffffaefa@mx.google.com> <4832A408.50307@gmail.com> Message-ID: <4832AB51.8040803@g10code.com> > Any other thoughts?? More or less. But it requires some hacking. SCDaemon allows for signalling in case of certain events, including card removal.
One approach would be: write a small daemon, which connects to SCDaemon and waits for the card-removal event. Let that daemon execute a user-defined script when the card is removed and make sure the daemon is started on session start. When I think about it... I guess that daemon could be implemented as a GNOME panel applet. Sitting in the panel and displaying certain card information on request and From tgagne at wideopenwest.com Tue May 20 19:02:50 2008 From: tgagne at wideopenwest.com (Thomas Gagné) Date: Tue, 20 May 2008 13:02:50 -0400 Subject: Automating, passwd command replies, "Need the secret key to do this." In-Reply-To: <482A145F.2000705@bellsouth.net> References: <4829F471.2050907@wideopenwest.com> <482A145F.2000705@bellsouth.net> Message-ID: <4833043A.8070905@wideopenwest.com> John W. Moore III wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Thomas Gagné wrote: > > >> Command> passwd >> Need the secret key to do this. >> > > the Command passwd is for changing the passphrase. Of course, it is > possible to change the passphrase to nothing but first the Secret Key > needs to be unlocked. Otherwise, anyone could change Your passphrase to > anything or nothing. > > The "Need Secret Key to do this" is the prompt to enter the passphrase > in order to unlock the Secret Key. > I tried it again. The problem is the response to "passwd" doesn't appear to be a prompt. It's only a complaint, and the "passwd" command doesn't seem to take an argument. -- Visit for more great reading. From ramon.loureiro at upf.edu Tue May 20 23:21:57 2008 From: ramon.loureiro at upf.edu (Ramon Loureiro) Date: Tue, 20 May 2008 23:21:57 +0200 Subject: playing with cryptography... In-Reply-To: <481BA23F.10700@bellsouth.net> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> Message-ID: <483340F5.40506@upf.edu> John W.
Moore III wrote: > Bill Royds wrote: > >> Your Thawte certificate reads Signed (ramon.loureiro at upf.edu) > > This also doesn't mean that You really are Ramon Loureiro, since the > Certificate doesn't carry Your _Name_ indicating that Other People have > eyeballed You + Government Issued Documentation affirming that You > actually are who You say You are. To accomplish this You will need to > accomplish several Face-to-Face meetings with other Thawte Assurers who > 'vouch' [by granting points through Thawte] that they have confirmed > Your Identity. > > I only know that I have an x.509 Key that may be used to Send an S/MIME > Encrypted to the Email Address on the Certificate. :( Basically, I > still have to 'trust' You at face value. All that is certain is that > Thawte has confirmed Somebody controls this particular email Address. :-\ > I've got a personal THAWTE Certificate! It carries my name. I wonder if it will be enough to trust me on the GPG model... ___ ramon loureiro -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3046 bytes Desc: S/MIME Cryptographic Signature URL: From jmoore3rd at bellsouth.net Wed May 21 00:34:51 2008 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 20 May 2008 18:34:51 -0400 Subject: playing with cryptography... In-Reply-To: <483340F5.40506@upf.edu> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> Message-ID: <4833520B.3080307@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Ramon Loureiro wrote: > I've got a personal THAWTE Certificate! > It carries my name. I wonder if it will be enough to trust me on the > GPG model... I would personally recommend You look into www.gswot.org; but I admit to bias there.
:-D JOHN ;) Timestamp: Tuesday 20 May 2008, 18:34 --400 (Eastern Daylight Time) From kevhilton at gmail.com Thu May 22 05:29:31 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Wed, 21 May 2008 22:29:31 -0500 Subject: SVN version not correctly displaying In-Reply-To: <87mymljqrw.fsf@wheatstone.g10code.de> References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <87mymljqrw.fsf@wheatstone.g10code.de> Message-ID: <96c450350805212029m32ac4020n37e084abac486d96@mail.gmail.com> I tried the autogen.sh --force flag and during the configure statement it still stated the old version was being used. I have svn version 4765 downloaded, however ./autogen.sh --force && --configure --enable-maintainer-mode --enable-idea still list 4759 as the version. Any other ideas? From Yasuhiro.Funaki at safenet-inc.com Thu May 22 14:00:58 2008 From: Yasuhiro.Funaki at safenet-inc.com (Funaki, Yasuhiro) Date: Thu, 22 May 2008 20:00:58 +0800 Subject: not supported algo Message-ID: <8919D897E400EC4A85E30E35FFBF70201D894C@pok1exch002.sfnt.local> PGP9.6 use SHA256 for selfsign for sub keys but GnuPG1.4.8 does not support SHA-256 and cause abort. Could you share any idea how to import such keys which use not supoorted algo ?
Regards YF From mwood at IUPUI.Edu Thu May 22 20:37:28 2008 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Thu, 22 May 2008 14:37:28 -0400 Subject: playing with cryptography... In-Reply-To: <481CCE70.8020901@bellsouth.net> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <481CCE70.8020901@bellsouth.net> Message-ID: <20080522183728.GA22773@IUPUI.Edu> On Sat, May 03, 2008 at 04:43:28PM -0400, John W. Moore III wrote: > reynt0 wrote: > > A few minor, picky points, FWIW: > > 2. Is it "certain" that "Thawte has confirmed", or is it > > *claimed* that Thawte has confirmed? > > They 'Ping' the Email Address to confirm control of it. Aw, how hard is it to go to www.thawte.com, look for the seal, and see that an independent auditor (apparently KPMG) has examined their practices and given an opinion on whether they follow their own policies and procedures (which should be published, so you can inspect them)? If you think the seal is faked, ask the auditors. > > 3. Of course, Thawte's confirmation process is however > > trustworthy or not as it may be, which has to be evaluated. > > Which is why the level of Trust in any Certificate may be Edited by the > End User. Which evaluation is what Certification Practice Statements are for. The CA's CPS should be one of the inputs to the audit. This stuff all works. It just works differently. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Typically when a software vendor says that a product is "intuitive" he means the exact opposite. -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From mwood at IUPUI.Edu Thu May 22 21:00:40 2008 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Thu, 22 May 2008 15:00:40 -0400 Subject: how long should a password be? In-Reply-To: <481EBFB3.4070107@sven-radde.de> References: <481EB4BB.8030209@calpoly.edu> <481EBFB3.4070107@sven-radde.de> Message-ID: <20080522190040.GB22773@IUPUI.Edu> FWIW I usually use a gadget called 'apg' to generate random passwords. It has a mode in which it will only produce strings that are pronounceable (sometimes just barely so), which I find a great aid to memorability. For example, I can recall my home WEP key easily even though I almost never see it. Usually setting a minimum of 8 characters produces a satisfactory result. If I want something much longer than that, I make up a phrase or sentence using one or two random strings from apg as "words". I have not tested the strength of these choices, but I'm satisfied that they produce something better than I would without mechanical aid. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Typically when a software vendor says that a product is "intuitive" he means the exact opposite. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From vedaal at hush.com Thu May 22 21:21:30 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 22 May 2008 15:21:30 -0400 Subject: not supported algo Message-ID: <20080522192130.C959C15803E@mailserver6.hushmail.com> >Message: 7 >Date: Thu, 22 May 2008 20:00:58 +0800 >From: "Funaki, Yasuhiro" >Subject: not supported algo >To: >PGP9.6 use SHA256 for selfsign for sub keys but GnuPG1.4.8 does >not >support SHA-256 and cause abort. >Could you share any idea how to import such keys which use not >supoorted >algo ? 
could you generate a test key in PGP 9.6 , and post the keypair here together with the passphrase, and maybe someone will be able to come up with a workaround vedaal From JPClizbe at tx.rr.com Wed May 21 10:28:49 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 21 May 2008 03:28:49 -0500 Subject: playing with cryptography... In-Reply-To: <483340F5.40506@upf.edu> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> Message-ID: <4833DD41.40809@tx.rr.com> Ramon Loureiro wrote: > I've got a personal THAWTE Certificate! > It carries my name. I wonder if it will be enough to trust me on the GPG > model...
That depends on the person granting trust, the trust model they have adopted, and whether or not (and to what degree) they trust Thawte's certification (signature). The OpenPGP trust model is a proper superset of the centralized hierarchical trust model most often seen in the X.509 world. Several years ago Matt Blaze made the observation that commercial CAs will protect you against anyone who that CA refuses to accept money from. Most Class I Certificates only prove you have control of the email address. Not that you actually are who the name and email purport to be. There's a fairly simple explanation of the difference in the two architectures by Phil Zimmermann at http://www.openpgp.org/technical/whybetter.shtml -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 677 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Fri May 23 07:34:35 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 23 May 2008 07:34:35 +0200 Subject: SVN version not correctly displaying In-Reply-To: <96c450350805212029m32ac4020n37e084abac486d96@mail.gmail.com> (Kevin Hilton's message of "Wed, 21 May 2008 22:29:31 -0500") References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <87mymljqrw.fsf@wheatstone.g10code.de> <96c450350805212029m32ac4020n37e084abac486d96@mail.gmail.com> Message-ID: <878wy137o4.fsf@wheatstone.g10code.de> On Thu, 22 May 2008 05:29, kevhilton at gmail.com said: > I tried the autogen.sh --force flag and during the configure statement > it still stated the old version was being used. 
I have svn version > 4765 downloaded, however ./autogen.sh --force && --configure > --enable-maintainer-mode --enable-idea still list 4759 as the version. What does "svn info configure.ac" say? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From hs2412 at gmail.com Fri May 23 09:24:57 2008 From: hs2412 at gmail.com (Hardeep Singh) Date: Fri, 23 May 2008 12:54:57 +0530 Subject: playing with cryptography... In-Reply-To: <4833DD41.40809@tx.rr.com> References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com> Message-ID: Hi > The OpenPGP trust model is a proper superset of the centralized hierarchical > trust model most often seen in the X.509 world. Several years ago Matt Blaze > made the observation that commercial CAs will protect you against anyone who > that CA refuses to accept money from. > Well, that may be true, but there are currently no options that are significantly better. The WOT model used by GPG is better? Maybe, but not significantly. > Most Class I Certificates only prove you have control of the email address. Not > that you actually are who the name and email purport to be. There is nothing that can prove who you say you are. State provided ID cards only prove that you were able to convince the system that you have a specific name. Let me know if you feel differently. 
Regards Hardeep From kevhilton at gmail.com Fri May 23 14:31:17 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Fri, 23 May 2008 07:31:17 -0500 Subject: SVN version not correctly displaying In-Reply-To: <878wy137o4.fsf@wheatstone.g10code.de> References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <87mymljqrw.fsf@wheatstone.g10code.de> <96c450350805212029m32ac4020n37e084abac486d96@mail.gmail.com> <878wy137o4.fsf@wheatstone.g10code.de> Message-ID: <96c450350805230531r775ff626t23d3929cf4aa30f0@mail.gmail.com> $ svn info configure.ac Path: configure.ac Name: configure.ac URL: svn://cvs.gnupg.org/gnupg/branches/STABLE-BRANCH-1-4/configure.a Repository Root: svn://cvs.gnupg.org/gnupg Repository UUID: 8a63c251-dffc-0310-8ec6-d64dca2275b1 Revision: 4765 Node Kind: file Schedule: normal Last Changed Author: wk Last Changed Rev: 4753 Last Changed Date: 2008-04-30 06:46:35 -0500 (Wed, 30 Apr 2008) Text Last Updated: 2008-05-08 00:28:46 -0500 (Thu, 08 May 2008) Checksum: 1c05726d57e4533f00678401269d3603 The version part is discovered here (as you know): m4_define([svn_revision], m4_esyscmd([echo $((svn info 2>/dev/null \ || echo 'Revision: 0')|sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)| \ tr -d '\n'])) Im not certain about the m4 declarations, but the script logic: echo $((svn info 2>/dev/null || echo 'Revision: 0')|sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)| tr -d '\n'] Works OK on the command line and produces the desired svn number. From graham at gmurray.org.uk Fri May 23 14:20:55 2008 From: graham at gmurray.org.uk (Graham Murray) Date: Fri, 23 May 2008 13:20:55 +0100 Subject: playing with cryptography... 
In-Reply-To: (Hardeep Singh's message of "Fri, 23 May 2008 12:54:57 +0530") References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com> Message-ID: <87k5hl6wk8.fsf@newton.gmurray.org.uk> "Hardeep Singh" writes: > There is nothing that can prove who you say you are. State provided ID > cards only prove that you were able to convince the system that you > have a specific name. For individuals I think that too much importance is placed on identity based on name. For companies it is different, it is useful to know that the email/web site etc that purports to be from example.com is actually from the company Example Ltd. For individuals, it is much more useful to treat the certificate/gpg key as identity so that it can be said (as long as the sender is careful with not allowing others access to the private key) that the email signed by John Doe's key/certificate is from the same person calling himself John Doe that you have previously received email. From rjh at sixdemonbag.org Fri May 23 19:06:15 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 23 May 2008 12:06:15 -0500 Subject: playing with cryptography... In-Reply-To: References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com> Message-ID: <1211562375.27484.4.camel@job.localdomain> On Fri, 2008-05-23 at 12:54 +0530, Hardeep Singh wrote: > Well, that may be true, but there are currently no options that are > significantly better. The WOT model used by GPG is better? Maybe, but > not significantly. WoT gives you more options about how to determine trust levels. This, to me, is significant. > There is nothing that can prove who you say you are. State provided ID > cards only prove that you were able to convince the system that you > have a specific name. 
This is Philosophy 101 sort of stuff. There is nothing that can prove _anything_ in the world. After all, the cosmos may have been created just last Thursday, and all of our memories are just what we were created with, etc., etc. It's not about proof, either. It's about probabilities. We're not looking for a 100% assurance the person involved really is who they say. A confidence in the high nineties is practically just as good, and can be achieved fairly easily by asking to see a few different forms of government ID. From trichotecene at yahoo.es Thu May 22 19:27:41 2008 From: trichotecene at yahoo.es (Dimitri) Date: Thu, 22 May 2008 17:27:41 +0000 (GMT) Subject: import sec key problem In-Reply-To: <20080421092508.xa77n8or6s80og0c@69.89.31.199> Message-ID: <837349.96013.qm@web27206.mail.ukl.yahoo.com> Hello all. I am treat import my key-sec from other PC, It key was generated in OpenBSD and I need import this in winXP too. The problem is no import this successfully, ajust a screenshot. What is the problem? Dimitri.- http://es.geocities.com/trichotecene OpenBSD - Free, Functional & Secure --- On Mon, 21/4/08, Walter Torres wrote: > From: Walter Torres > Subject: Re: changing the default keyring location in windows > To: gnupg-users at gnupg.org > Date: Monday, 21 April, 2008 12:25 > Quoting Matt Kinni : > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Hello, I want to move my keyring files from > %appdata%/gnupg to R:/ > > > > I know you can do this somehow, I just can't > figure out how. Is there > > something I can add to ggp.conf? Or is there an > environment variable I > > can set? > > Matt, > > First, take a look at my wiki, it describes how I install > GnuGP and > moved the files to where I think they should belong... > > http://walters-way.com/doku.php/wamp:security:gpg > > Second, it seems that my description is a bit old since a > non-installer ZIP is no longer offer. I hope my method of > moving the > keys still works, but...
> > > Gnu Gurus at large, > > I would love to have a non-installer ZIP version available > again. I > don't like installers. I don't know where files are > being put. I don't > know what keys are being created. > > Take a look at my install method. (Above URL) My > methodology has a > linux-type setup on my windows. Files "live" > where they are supposed > to live (as if it was a linux box). > > Yes, I know, "if you want linux Walter, why not just > use linux ". Long > story. But that doesn't change the fact that too many > Gnu apps > developers for Windows think they have to change the way > the Gnu app > works (or at least where the files reside) because they are > on > Windows. Registry keys are not mandatory! You can develop > an app > without them, for the most part. > > I don't have a single file in my Windows System > directory. > > I have only 4 or 5 registry keys (and 2 of them are for > GnuGP!). > > When my Windows machine needs to be rebuilt (and as you > know, Windows > does far too often!) I don't have to spend days > rebuilding my linux > side. All my "linux apps" are on their own > volume, so they are not > effected when I wipe C: drive. Then all I do is re-enter > the ENV VARS > (and the 4 or 5 keys) and I'm back in business. 10 > minutes and I done! > > And BTW: GnuGP and the USERS directory path directive in > Apache are > the only two items that I *have* to use a volume letter. > > I don't know if the "left click and encrpyt" > feature (I like that > one!) can be moved from the registry, but I do know that > the KEYS > location can be removed from the registry. If GnuGP used > the HOME ENV > VAR (or at least looked for it) than that key could be > removed. > > Hope someone understands all this. > > Walter
-------------- next part -------------- A non-text attachment was scrubbed... Name: winpt.JPG Type: image/pjpeg Size: 12568 bytes Desc: not available URL: From ale at pcartwright.com Fri May 23 20:55:28 2008 From: ale at pcartwright.com (Paul Cartwright) Date: Fri, 23 May 2008 14:55:28 -0400 Subject: gpg & kmail Message-ID: <200805231455.28636.ale@pcartwright.com> I have gnupg 1.4.9 installed and kmail 1.9.9 on KDE 3.5.9 when I try to go to SETTINGS-Configure kmail-Security the GpgME section is greyed out. When I hit rescan it tells me: While scanning for OpenPGP support backend GpgME: Engine /usr/bin/pgp is not installed properly While scanning for SMIME support backend GpgME: Engine /usr/bin/pgpsm is not installed properly # which gpg /usr/local/bin/gpg what am I doing wrong? This is a Debian Lenny box using KDE. packages installed: 1# dpkg --list|grep gpg ii gnome-gpg 0.4.0-1 GPG passphrase agent based on GNOME Keyring ii gpgkeys 0.3.1-4.1 GPG Keymanagement frontend ii gpgme 1.1.4-1 Package created with checkinstall 1.6.1 ii gpgv 1.4.6-2.2 GNU privacy guard - signature verification tool ii kgpg 4:3.5.9-1 GnuPG frontend for KDE ii libgpg-error-dev 1.4-2 library for common error values and messages in GnuPG components ii libgpg-error0 1.4-2 library for common error values and messages in GnuPG components ii libgpgme11 1.1.6-2 GPGME - GnuPG Made Easy ii libgpgme6 0.3.16-2 GPGME - GnuPG Made Easy -- Paul Cartwright Registered Linux user # 367800 Registered Ubuntu User #12459 From rjh at sixdemonbag.org Fri May 23 21:16:48 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 23 May 2008 14:16:48 -0500 Subject: import sec key problem In-Reply-To: <837349.96013.qm@web27206.mail.ukl.yahoo.com> References: <837349.96013.qm@web27206.mail.ukl.yahoo.com> Message-ID: <48371820.6030701@sixdemonbag.org> Dimitri wrote: > The problem is no import this successfully, ajust a screenshot. > > What is the problem? There is no problem.
The key was imported successfully. Type "gpg --edit-key " and set the key to the appropriate trust level. That's all. From faramir.cl at gmail.com Fri May 23 21:25:00 2008 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 May 2008 15:25:00 -0400 Subject: playing with cryptography... In-Reply-To: References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com> Message-ID: <48371A0C.7080506@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardeep Singh wrote: > There is nothing that can prove who you say you are. State provided ID > cards only prove that you were able to convince the system that you > have a specific name. > > Let me know if you feel differently. > > Regards > Hardeep Well, I feel different... soon after I was born, a nurse put ink on my foot, and made a "footprint". That was archived, with my name, and my parents names. Later, when I was about 8 years old, I got my ID card, and an ID code was assigned to me (now they are making those ID codes when a baby is born), and they took all my fingerprints (both hands). I admit they didn't check if my feet was the same as in my birth certificate, but if somebody says she is my real mother, it can be verified (without DNA test). So I feel here, in Chile, state provided ID cards are reasonably safe. Or at least, if there is any claim of wrong identity, it can be tracked to the moment a new born is registered in the system. Sure, maybe there can be a mistake in the hospital, and 2 babies can be exchanged... but that is one of these "what if...?" that we shouldn't be worried about, unless something forces us to consider that case. My point is, when I had the age to be able to think "I am going to fake my identity", it was already too late to be able to fake the system. All I can do is forge my ID card, and that is a complex thing to do, they have many security measures. Just my 2 cents...

From faramir.cl at gmail.com Fri May 23 21:45:30 2008
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 23 May 2008 15:45:30 -0400
Subject: playing with cryptography...
In-Reply-To: <87k5hl6wk8.fsf@newton.gmurray.org.uk>
References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com> <87k5hl6wk8.fsf@newton.gmurray.org.uk>
Message-ID: <48371EDA.9040708@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Graham Murray wrote:
> For individuals I think that too much importance is placed on identity
> based on name. For companies it is different, it is useful to know that
> the email/web site etc that purports to be from example.com is actually
> from the company Example Ltd. For individuals, it is much more useful to
> treat the certificate/gpg key as identity so that it can be said (as
> long as the sender is careful with not allowing others access to the
> private key) that the email signed by John Doe's key/certificate is from
> the same person calling himself John Doe that you have previously
> received email.

Right, with many people using nicknames instead of real names, on Internet, I don't really care about their true identity, unless I am buying something from them...

From reynt0 at cs.albany.edu Fri May 23 23:54:25 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Fri, 23 May 2008 17:54:25 -0400 (EDT)
Subject: playing with cryptography...
In-Reply-To: <4833DD41.40809@tx.rr.com>
References: <481AC854.8060507@upf.edu> <481AD087.3020908@mac.com> <481AD5DD.4020308@upf.edu> <481BA23F.10700@bellsouth.net> <483340F5.40506@upf.edu> <4833DD41.40809@tx.rr.com>
Message-ID:

(replying to John Clizbe's post, but his full message is an attachment as read by my nice simple email software so "Reply" gives only a blank message, so I had to fiddle to get it to show like a usual quoted reply)

. . .
> Most Class I Certificates only prove you have control of the
> email address. Not that you actually are who the name and
> email purport to be.

Of course, the issue is, who "you" refers to and how do you know? I believe many assumptions are made by many people about this, just following natural human social behaviors, and the tricksters are often good at sifting through the assumptions to see where they can sneak in. That is, maybe the way people often talk about this is "Philosophy 101 stuff" (as RJH said), but the subject is serious and important, IMHO, and the more people can be aware of this on like a Philosophy 401 basis the less at-risk they will be.
As GM indicated, the base reality is "to treat the certificate/gpg key as identity", then add anything, like email, signed by the key as part of the identity, and maybe sometime form a judicious belief about some particular human person being associated with the key. To be picky, anything else is assumptions; and eg in a world full of *bots, long-established natural human assumptions will have to be reevaluated.

> There's a fairly simple explanation of the difference
> in the two architectures by Phil Zimmermann at
> http://www.openpgp.org/technical/whybetter.shtml

Nice reference; lucid explanation.

From jw at raven.inka.de Sat May 24 02:13:17 2008
From: jw at raven.inka.de (Josef Wolf)
Date: Sat, 24 May 2008 02:13:17 +0200
Subject: WARNING: unsafe ownership on homedir `/m/a/etc/naclient/ppcbackup
Message-ID: <20080524001317.GA4830@raven.wolf.lan>

Hello,

I am wondering what this error message

  WARNING: unsafe ownership on homedir `/usr/local/etc/backup'

is trying to tell me. This directory is owned by root:myself and has mode 750. So it is writable only by root and readable only by myself and by root. AFAICS, it is as safe as it can get. Do I really have to remove access for _root_? How do I do that?

I can see the necessity of such a warning if the directory is writable by some arbitrary user. But isn't root somewhat special?

Just wondering...

From nsushkin at sushkins.net Sat May 24 02:33:07 2008
From: nsushkin at sushkins.net (Nicholas Sushkin)
Date: Fri, 23 May 2008 20:33:07 -0400
Subject: gpg & kmail
In-Reply-To: <200805231908.00369.ale@pcartwright.com>
References: <200805231534.46221.nsushkin@openfinance.com> <200805231908.00369.ale@pcartwright.com>
Message-ID: <200805232033.13682.nsushkin@sushkins.net>

On Friday 23 May 2008 19:08, Paul Cartwright wrote:
> On Fri May 23 2008, Nicholas Sushkin wrote:
> > > From: Paul Cartwright
> > > I have gnupg 1.4.9 installed and kmail 1.9.9 on KDE 3.5.9
> >
> > You need gnupg2 package for KMail to support S/MIME.
>
> # apt-get install gnupg2
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> gnupg2 is already the newest version.
>
> kmail seems to want to find these programs under /usr/bin when they seem
> to be installed under /usr/local/bin

I'd be suspicious. Make sure you don't have a self-compiled version of gnupg2 in addition to the one installed from a package. AFAIK, an official package would install into /usr/bin. See http://packages.debian.org/etch/i386/gnupg2/filelist for an example.

--
Nick

From nsushkin at sushkins.net Sat May 24 02:25:58 2008
From: nsushkin at sushkins.net (Nicholas Sushkin)
Date: Fri, 23 May 2008 20:25:58 -0400
Subject: gpg & kmail
Message-ID: <200805232025.58188.nsushkin@sushkins.net>

On Friday 23 May 2008 14:55, Paul Cartwright wrote:
> From: Paul Cartwright
> I have gnupg 1.4.9 installed and kmail 1.9.9 on KDE 3.5.9

You need gnupg2 package for KMail to support S/MIME.

--
Nick

From ale at pcartwright.com Sat May 24 04:19:11 2008
From: ale at pcartwright.com (Paul Cartwright)
Date: Fri, 23 May 2008 22:19:11 -0400
Subject: gpg & kmail
In-Reply-To: <200805232025.58188.nsushkin@sushkins.net>
References: <200805232025.58188.nsushkin@sushkins.net>
Message-ID: <200805232219.15208.ale@pcartwright.com>

On Fri May 23 2008, Nicholas Sushkin wrote:
> You need gnupg2 package for KMail to support S/MIME.

well, I found that you can change the path for gpg 1.4.9 using the ./configure --prefix=PATH. so I recompiled it with /usr/bin instead of the default /usr/local/bin. SO, gnupg installs by default to /usr/local/bin, per the INSTALL file:

Installation Names
==================

By default, `make install' will install the package's files in `/usr/local/bin', `/usr/local/man', etc.
You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'.

yet, kmail was looking specifically for /usr/bin/gpg.

--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459

From caleb.marcus at gmail.com Sat May 24 05:56:30 2008
From: caleb.marcus at gmail.com (Caleb Marcus)
Date: Fri, 23 May 2008 23:56:30 -0400
Subject: Disabling compression when encrypting
Message-ID: <1211601390.6167.0.camel@caleb-laptop>

I prefer to use external compression tools before encrypting my data with GnuPG. Is there any way to disable compression in GnuPG to avoid the CPU overhead of the unnecessary additional layer of compression while encrypting?

From rjh at sixdemonbag.org Sat May 24 07:58:20 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 24 May 2008 00:58:20 -0500
Subject: Disabling compression when encrypting
In-Reply-To: <1211601390.6167.0.camel@caleb-laptop>
References: <1211601390.6167.0.camel@caleb-laptop>
Message-ID: <1211608700.5156.2.camel@job.localdomain>

On Fri, 2008-05-23 at 23:56 -0400, Caleb Marcus wrote:
> I prefer to use external compression tools before encrypting my data
> with GnuPG. Is there any way to disable compression in GnuPG to avoid
> the CPU overhead of the unnecessary additional layer of compression
> while encrypting?

  --compress-algo none

Alternately, you can add "compress-algo none" to the end of your gpg.conf file.
From laurent.jumet at skynet.be Sat May 24 07:49:12 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Sat, 24 May 2008 07:49:12 +0200
Subject: Disabling compression when encrypting
In-Reply-To: <1211601390.6167.0.camel@caleb-laptop>
Message-ID:

Hello Caleb !

Caleb Marcus wrote:
> I prefer to use external compression tools before encrypting my data
> with GnuPG. Is there any way to disable compression in GnuPG to avoid
> the CPU overhead of the unnecessary additional layer of compression
> while encrypting?

There are several ways to disable compression: "-z 0" or "--compress-level 0" on the command line, or the latter in the options file.

--
Laurent Jumet
KeyID: 0xCFAF704C

From kloecker at kde.org Sat May 24 15:55:15 2008
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 24 May 2008 15:55:15 +0200
Subject: gpg & kmail
In-Reply-To: <200805232219.15208.ale@pcartwright.com>
References: <200805232025.58188.nsushkin@sushkins.net> <200805232219.15208.ale@pcartwright.com>
Message-ID: <200805241555.16221@erwin.ingo-kloecker.de>

On Saturday 24 May 2008, Paul Cartwright wrote:
> On Fri May 23 2008, Nicholas Sushkin wrote:
> > You need gnupg2 package for KMail to support S/MIME.
>
> well, I found that you can change the path for gpg 1.4.9 using
> the ./configure --prefix=PATH. so I recompiled it with /usr/bin
> instead of the default /usr/local/bin. SO, gnupg installs by default
> to /usr/local/bin, per the INSTALL file:

Almost anything that you compile yourself is installed to /usr/local by default. /usr is reserved for installed packages. Installing self-compiled packages to /usr isn't the best idea because those self-compiled packages will be overwritten as soon as you install a pre-compiled version of the same package. OTOH, pre-compiled packages are never installed to /usr/local.

> yet, kmail was looking specifically for /usr/bin/gpg.
To be precise: gpgme was looking for /usr/bin/gpg (probably because that's where gpg was to be found when gpgme was built).

Regards,
Ingo

From dshaw at jabberwocky.com Sat May 24 16:57:33 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 24 May 2008 10:57:33 -0400
Subject: Disabling compression when encrypting
In-Reply-To: <1211608700.5156.2.camel@job.localdomain>
References: <1211601390.6167.0.camel@caleb-laptop> <1211608700.5156.2.camel@job.localdomain>
Message-ID: <200C444F-A4C8-4DAF-B65E-05941E85EDFF@jabberwocky.com>

On May 24, 2008, at 1:58 AM, Robert J. Hansen wrote:
> On Fri, 2008-05-23 at 23:56 -0400, Caleb Marcus wrote:
>> I prefer to use external compression tools before encrypting my data
>> with GnuPG. Is there any way to disable compression in GnuPG to avoid
>> the CPU overhead of the unnecessary additional layer of compression
>> while encrypting?
>
> --compress-algo none
>
> Alternately, you can add "compress-algo none" to the end of your
> gpg.conf file.

Note that GPG also checks the input file to see if it is compressed. If it sees a compressed input file, it automatically disables compression.

David

From ihtraum18 at gmail.com Sat May 24 17:13:49 2008
From: ihtraum18 at gmail.com (Eduardo Júnior)
Date: Sat, 24 May 2008 12:13:49 -0300
Subject: Encrypt a file
Message-ID:

Hello,

It is possible to encrypt a file, using gpg, and then, I can decrypt using more than one RSA key? Or if I can encrypt the file with the figure CAST5 using more than one passphrase?

[]'s

--
Eduardo Júnior
GNU/Linux user #423272
:wq

From nsushkin at sushkins.net Sat May 24 19:47:17 2008
From: nsushkin at sushkins.net (Nicholas Sushkin)
Date: Sat, 24 May 2008 13:47:17 -0400
Subject: gpg & kmail
In-Reply-To: <200805232144.05628.ale@pcartwright.com>
References: <200805232033.13682.nsushkin@sushkins.net> <200805232144.05628.ale@pcartwright.com>
Message-ID: <200805241347.25608.nsushkin@sushkins.net>

On Friday 23 May 2008 21:44, Paul Cartwright wrote:
> On Fri May 23 2008, Nicholas Sushkin wrote:
> > > kmail seems to want to find these programs under /usr/bin when they
> > > seem to be installed under /usr/local/bin
> >
> > I'd be suspicious. Make sure you don't have a self-compiled version of
> > gnupg2 in addition to the one installed from a package. AFAIK, an
> > official package would install into /usr/bin. See
> > http://packages.debian.org/etch/i386/gnupg2/filelist for an example.
> > --
>
> no, gnupg2 installs /usr/bin/gpg2 which IS there.
> gnupg2 doesn't install gpg. Kmail is complaining about /usr/bin/gpg ,
> so... what package installs that?

Looks like your Debian gnupg2 package does not install gpgsm. I'd ask on some Debian mailing list.
Here is what I have with Slackware:

[1345][nsushkin at metro:~]$ grep -E '(bin|exec)' /var/log/packages/gnupg2-2.0.9-i486-1
usr/bin/
usr/bin/gpgsm-gencert.sh
usr/bin/scdaemon
usr/bin/gpgkey2ssh
usr/bin/gpgparsemail
usr/bin/gpgsm
usr/bin/kbxutil
usr/bin/gpgconf
usr/bin/gpg-agent
usr/bin/gpgv2
usr/bin/gpg2
usr/bin/watchgnupg
usr/bin/gpg-connect-agent
usr/sbin/
usr/sbin/applygnupgdefaults
usr/sbin/addgnupghome
usr/libexec/
usr/libexec/gpg2keys_curl
usr/libexec/gpg-check-pattern
usr/libexec/gpg2keys_ldap
usr/libexec/gpg2keys_hkp
usr/libexec/gpg-protect-tool
usr/libexec/gpg-preset-passphrase
usr/libexec/gpg2keys_finger
usr/libexec/gnupg-pcsc-wrapper

[1346][nsushkin at metro:~]$ grep -E '(bin|exec)' /var/log/packages/gnupg-1.4.9-i486-1
usr/bin/
usr/bin/gpgsplit
usr/bin/gpg-zip
usr/bin/gpg
usr/bin/gpgv
usr/libexec/
usr/libexec/gnupg/
usr/libexec/gnupg/gpgkeys_hkp
usr/libexec/gnupg/gpgkeys_ldap
usr/libexec/gnupg/gpgkeys_curl
usr/libexec/gnupg/gpgkeys_finger

--
Nick

From rjh at sixdemonbag.org Sat May 24 20:12:43 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 24 May 2008 13:12:43 -0500
Subject: Disabling compression when encrypting
In-Reply-To: <200C444F-A4C8-4DAF-B65E-05941E85EDFF@jabberwocky.com>
References: <1211601390.6167.0.camel@caleb-laptop> <1211608700.5156.2.camel@job.localdomain> <200C444F-A4C8-4DAF-B65E-05941E85EDFF@jabberwocky.com>
Message-ID: <48385A9B.6090609@sixdemonbag.org>

David Shaw wrote:
> Note that GPG also checks the input file to see if it is compressed. If
> it sees a compressed input file, it automatically disables compression.

How does it do this? Does it look for known headers, or does it check the entropy of the source text? If the former, then what headers does GnuPG know about?
zip, bz2 and gz, I'm assuming, but what about more exotic formats like 7z and the like?

From reynt0 at cs.albany.edu Sat May 24 22:36:27 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Sat, 24 May 2008 16:36:27 -0400 (EDT)
Subject: playing with cryptography...
Message-ID:

On Fri, 23 May 2008, Faramir wrote:
> reynt0 wrote [format slightly neatened by reynt0]:
>
>> is "Philosophy 101 stuff" (as RJH said), but the subject
>> is serious and important, IMHO, and the more people can
>> be aware of this on like a Philosophy 401 basis the less
>> at-risk they will be.
>
> Wow... not even wikipedia knows what Philosophy 101 and 401 are....

I apologize. College course numbering in the USA often follows a standard scheme, where the 1xx series is for first year courses, 2xx is for second year, and so on; x0x would be the most basic courses at a level, x1x would be more advanced at the level, and so on; so 101 is the lowest level, least advanced introduction to some topic. RJH's "101" in this context was a common way to criticize that something was superficial (if I understand RJH's post correctly). 401 would be a fourth year course, and is a way of asserting the topic can be significant. I actually spent a little bit of time deciding whether to say "401" or "501" (where 501 would be first year graduate level course, 601 would be second year graduate, and so on), but decided that at a good university a competence should be taught by the 4xx level (and not worrying about whether it should be 401 or 425 or 446 or whatever ;-) ).

HTH. Sorry if you or anyone else wasted much time searching for the clarification.

From jmoore3rd at bellsouth.net Sat May 24 22:50:18 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 24 May 2008 16:50:18 -0400
Subject: playing with cryptography...
In-Reply-To:
References:
Message-ID: <48387F8A.70202@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

reynt0 wrote:
> competence should be taught by the 4xx level

Apparently You haven't Interviewed a U.S. College Graduate recently. :-\

A Bachelor's Degree is usually 'proof of competence' only in Course/Instructor selection and One's tolerance level with mind altering substances. :(

This varies by School, of course, and I am certain that the Univ. of Iowa surpasses most in the Skill Set of its Graduates. :-D

JOHN ;)
Timestamp: Saturday 24 May 2008, 16:49 --400 (Eastern Daylight Time)

From rjh at sixdemonbag.org Sun May 25 00:55:48 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 24 May 2008 17:55:48 -0500
Subject: playing with cryptography...
In-Reply-To: <48387F8A.70202@bellsouth.net>
References: <48387F8A.70202@bellsouth.net>
Message-ID: <48389CF4.8000603@sixdemonbag.org>

John W. Moore III wrote:
> Apparently You haven't Interviewed a U.S. College Graduate recently.
> :-\

Or, for that matter, some people with graduate degrees. As I told a friend of mine a couple of days ago, "I used to be a lot more impressed by Master's degrees until they gave me one."
An undergraduate degree in CS is basically a certificate that says you've learned the basics, you've been exposed to some advanced concepts, and you're ready to begin learning. There are some undergrads who know this and are chomping at the bit for more. They're some of the most useful and energetic people I know. There are, unfortunately, an awful lot who seem to think it means they're done with learning. These people tend to be the sort you hear horror stories about.

> This varies by School, of course, and I am certain that the Univ. of
> Iowa surpasses most in the Skill Set of its Graduates. :-D

UI has a surprisingly good program, but we're hardly immune to human nature. :)

From dshaw at jabberwocky.com Sun May 25 03:22:30 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 24 May 2008 21:22:30 -0400
Subject: Disabling compression when encrypting
In-Reply-To: <48385A9B.6090609@sixdemonbag.org>
References: <1211601390.6167.0.camel@caleb-laptop> <1211608700.5156.2.camel@job.localdomain> <200C444F-A4C8-4DAF-B65E-05941E85EDFF@jabberwocky.com> <48385A9B.6090609@sixdemonbag.org>
Message-ID: <34A3BCF0-C4EB-47CC-B076-371B240811CA@jabberwocky.com>

On May 24, 2008, at 2:12 PM, Robert J. Hansen wrote:
> David Shaw wrote:
>> Note that GPG also checks the input file to see if it is
>> compressed. If it sees a compressed input file, it automatically
>> disables compression.
>
> How does it do this? Does it look for known headers, or does it
> check the entropy of the source text? If the former, then what
> headers does GnuPG know about? zip, bz2 and gz, I'm assuming, but
> what about more exotic formats like 7z and the like?

Known headers. It's basically the same thing that file(1) does. You're correct in that it only catches zip, gzip, and bz2.

David

From kusti at iki.fi Sun May 25 10:19:46 2008
From: kusti at iki.fi (Kimmo Surakka)
Date: Sun, 25 May 2008 11:19:46 +0300
Subject: gpg & kmail
In-Reply-To: <200805241347.25608.nsushkin@sushkins.net>
References: <200805232033.13682.nsushkin@sushkins.net> <200805232144.05628.ale@pcartwright.com> <200805241347.25608.nsushkin@sushkins.net>
Message-ID:

On 5/24/08, Nicholas Sushkin wrote:
> Looks like your Debian gnupg2 package does not install gpgsm. I'd ask on
> some Debian mailing list. Here is what I have with Slackware:

Another possibility is to use packages.debian.org to search for package contents. That way you'll find that gpgsm can be found in the package "gpgsm".

--
Kimmo Surakka
http://www.iki.fi/kusti

From jzatulove at thirdave.com Fri May 23 21:08:58 2008
From: jzatulove at thirdave.com (YetAnotherGUser)
Date: Fri, 23 May 2008 12:08:58 -0700 (PDT)
Subject: Erroneous/Varied encryption results
Message-ID: <17433345.post@talk.nabble.com>

I'm having an interesting problem where encrypting directly through a command line process and through a wrapped cmd line call from a C# program produce different encrypted files. I was playing around w/ how I was defining the command line arguments and saw that if I use the UID, quoted name, and unquoted name the file encrypts differently. Is there any documentation referring to this and is what I'm seeing accurate?

Ultimately what I'm doing is forking a process from my program which makes a psexec (remote process) call to the gpg box and executes the gpg command arguments.

psexec -i \\[machine] -u [domain\user] -p [pwd] -n 4 -high "C:\GnuPG\gpg.exe" --recipient "x at x.com" --yes --output [out_path\file].pgp --encrypt [inpath\file]

In all instances the encryption succeeds, but the file contents vary.

Regards.

--
View this message in context: http://www.nabble.com/Erroneous-Varied-encryption-results-tp17433345p17433345.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
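
David Shaw's replies in the "Disabling compression when encrypting" thread above say that GnuPG spots already-compressed input by known headers, as file(1) does, and only catches zip, gzip and bz2. The sketch below is an added example, not GnuPG's code and not posted by anyone in the thread: it checks those three formats' standard signatures and contrasts that with the byte-entropy test Robert J. Hansen asked about. The function names, the 7.5 bits/byte threshold and every sample are assumptions constructed for the illustration.

```python
import bz2
import gzip
import hashlib
import io
import math
import zipfile
from collections import Counter

# Standard leading signatures of the three formats named in the thread.
# These come from the formats themselves; this is not GnuPG's own table.
MAGIC = (
    ("gzip", b"\x1f\x8b"),
    ("bzip2", b"BZh"),
    ("zip", b"PK\x03\x04"),
)


def detect_by_header(data):
    """Return the format whose signature starts the data, or None."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data):
    """Byte entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def should_compress(data, entropy_threshold=None):
    """Decide whether adding a compression layer is worth the CPU time.

    With entropy_threshold=None only the header check is used, which is
    the behaviour described in the thread. A threshold adds the entropy
    test as a hypothetical second opinion on the first 64 KiB.
    """
    if detect_by_header(data) is not None:
        return False
    if entropy_threshold is not None:
        if shannon_entropy(data[:65536]) >= entropy_threshold:
            return False
    return True


def build_samples():
    """Constructed inputs: real gzip/bzip2/zip streams plus edge cases."""
    plain = "\n".join(
        f"2008-05-24 constructed log entry {i}: status={i * 7919 % 1000}"
        for i in range(2000)
    ).encode()
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", plain)
    # Deterministic high-entropy filler behind a 7z signature. This is
    # not a valid archive, it only looks like one to both checks.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(128))
    return {
        "plain text": plain,
        "gzip": gzip.compress(plain),
        "bzip2": bz2.compress(plain),
        "zip": zbuf.getvalue(),
        "7z-like": b"7z\xbc\xaf\x27\x1c" + noise,
        # Ordinary text that happens to begin with the bzip2 signature.
        "text starting BZh": b"BZh is how this constructed note begins.\n" * 40,
        # Shorter than every signature: must not match anything.
        "one byte": b"\x1f",
    }


def report(samples, threshold=7.5):
    """Rows of (name, header hit, entropy, header-only, header+entropy)."""
    rows = []
    for name, data in samples.items():
        rows.append((
            name,
            detect_by_header(data),
            round(shannon_entropy(data[:65536]), 2),
            should_compress(data),
            should_compress(data, threshold),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'sample':<20}{'header':<8}{'bits/B':<8}{'hdr-only':<10}hdr+entropy")
    for name, hit, ent, by_hdr, by_both in report(build_samples()):
        print(f"{name:<20}{str(hit):<8}{ent:<8}{str(by_hdr):<10}{by_both}")
```

A missed format such as the 7z-like sample, or a false hit such as the text beginning with "BZh", only changes whether a compression pass runs; the encryption step is the same either way.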
From nsushkin at openfinance.com Fri May 23 21:34:38 2008
From: nsushkin at openfinance.com (Nicholas Sushkin)
Date: Fri, 23 May 2008 15:34:38 -0400
Subject: gpg & kmail
In-Reply-To:
References:
Message-ID: <200805231534.46221.nsushkin@openfinance.com>

On Friday 23 May 2008 14:55, Paul Cartwright wrote:
> From: Paul Cartwright
> I have gnupg 1.4.9 installed and kmail 1.9.9 on KDE 3.5.9

You need gnupg2 package for KMail to support S/MIME.

--
Nicholas Sushkin, Senior Software Engineer
http://www.openfinance.com
http://www.wealthinformationexchange.com

From trichotecene at yahoo.es Sat May 24 04:11:17 2008
From: trichotecene at yahoo.es (deoxy)
Date: Fri, 23 May 2008 22:11:17 -0400
Subject: import sec key problem
In-Reply-To: <48371820.6030701@sixdemonbag.org>
References: <837349.96013.qm@web27206.mail.ukl.yahoo.com> <48371820.6030701@sixdemonbag.org>
Message-ID: <20080524021117.GA18488@babylon.my.domain>

oooouh ok, I am a dummy!!!. Thanks.

Dmitri

On Fri, May 23, 2008 at 02:16:48PM -0500, Robert J. Hansen wrote:
> Dimitri wrote:
> > The problem is no import this successfully, ajust a screenshot.
> >
> > What is the problem?
>
> There is no problem.
>
> The key was imported successfully.
>
> Type "gpg --edit-key " and set the key to the appropriate trust
> level. That's all.
From wk at gnupg.org Mon May 26 12:56:55 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 May 2008 12:56:55 +0200
Subject: SVN version not correctly displaying
In-Reply-To: <96c450350805230531r775ff626t23d3929cf4aa30f0@mail.gmail.com> (Kevin Hilton's message of "Fri, 23 May 2008 07:31:17 -0500")
References: <96c450350805120610r56f06984m1a3007f36a665643@mail.gmail.com> <87mymljqrw.fsf@wheatstone.g10code.de> <96c450350805212029m32ac4020n37e084abac486d96@mail.gmail.com> <878wy137o4.fsf@wheatstone.g10code.de> <96c450350805230531r775ff626t23d3929cf4aa30f0@mail.gmail.com>
Message-ID: <87od6tqqo8.fsf@wheatstone.g10code.de>

On Fri, 23 May 2008 14:31, kevhilton at gmail.com said:
> Works OK on the command line and produces the desired svn number.

Okay, then you just need to recreate configure. And take care that autoconf does not cache anything. In case there is a problem with --force, you may want to remove the entire directory autom4te.cache and then rerun ./autogen.sh and finally ./configure --enable-maintainer-mode.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From email at sven-radde.de Mon May 26 13:38:30 2008
From: email at sven-radde.de (Sven Radde)
Date: Mon, 26 May 2008 13:38:30 +0200
Subject: Erroneous/Varied encryption results
In-Reply-To: <17433345.post@talk.nabble.com>
References: <17433345.post@talk.nabble.com>
Message-ID: <483AA136.1070002@sven-radde.de>

Hi!

YetAnotherGUser wrote:
> psexec -i \\[machine] -u [domain\user] -p [pwd] -n 4 -high
> "C:\GnuPG\gpg.exe" --recipient "x at x.com" --yes --output [out_path\file].pgp
> --encrypt [inpath\file]
>
> In all instances the encryption succeeds, but the file contents vary.
> Regards.

This is the intended behaviour, if I understand correctly what you are doing. When encrypting, GnuPG generates a random session key with which the data is encrypted. That key is then encrypted using the recipient's public key.
Therefore, if the same file is encrypted twice, the outputs will be totally different (apart from some parts of the metadata). Check Google/Wikipedia for "hybrid cryptosystem".

HTH, Sven

From giangios at gmail.com Mon May 26 23:26:34 2008
From: giangios at gmail.com (giangios)
Date: Mon, 26 May 2008 14:26:34 -0700 (PDT)
Subject: Removing all installed versions of GNUPG
Message-ID: <17464099.post@talk.nabble.com>

Hi to everybody,

I am not very familiar with linux and I have found out that GNUPG was installed more than once on the server. There was already a preinstalled one and trying to install and configure the last version I have realized that I have now 3 installations of GNUPG.

How can I remove all the installations? Shall I go to the build directory and type 'make uninstall'? This would work in the 2 I have installed (maybe), but what concerning the preinstalled version.

Could somebody explain me how to remove all the installations?

Thanks

--
View this message in context: http://www.nabble.com/Removing-all-installed-versions-of-GNUPG-tp17464099p17464099.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From rjh at sixdemonbag.org Tue May 27 01:25:41 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 26 May 2008 18:25:41 -0500
Subject: Removing all installed versions of GNUPG
In-Reply-To: <17464099.post@talk.nabble.com>
References: <17464099.post@talk.nabble.com>
Message-ID: <483B46F5.2030409@sixdemonbag.org>

giangios wrote:
> How can I remove all the installations?

Depends a lot on your distribution of Linux.

> Shall I go to the build directory and type 'make uninstall'?

That'll work for at least one of them.

It would be more helpful if you were to let us know which distribution you're using, and where the gpg executables are located on your system.

Removing GnuPG entirely from a Linux system is not recommended and is probably a bad idea. Many distributions use GnuPG to digitally sign their packages.
Without GnuPG, you have no way of knowing if your packages are authentic.

From giangios at gmail.com Tue May 27 10:03:47 2008
From: giangios at gmail.com (giangios)
Date: Tue, 27 May 2008 01:03:47 -0700 (PDT)
Subject: Removing all installed versions of GNUPG
In-Reply-To: <483B46F5.2030409@sixdemonbag.org>
References: <17464099.post@talk.nabble.com> <483B46F5.2030409@sixdemonbag.org>
Message-ID: <17485108.post@talk.nabble.com>

Robert J. Hansen-3 wrote:
>
> giangios wrote:
>> How can I remove all the installations?
>
> Depends a lot on your distribution of Linux.
>
>> Shall I go to the build directory and type 'make uninstall'?
>
> That'll work for at least one of them.
>
> It would be more helpful if you were to let us know which distribution
> you're using, and where the gpg executables are located on your system.
>
> Removing GnuPG entirely from a Linux system is not recommended and is
> probably a bad idea. Many distributions use GnuPG to digitally sign
> their packages. Without GnuPG, you have no way of knowing if your
> packages are authentic.
>
>

I have found out in the documentation this:

6.22) I just compiled GnuPG from source on my GNU/Linux RPM-based system and it's not working. Why?

Many GNU/Linux distributions that are RPM-based will install a version of GnuPG as part of its standard installation, placing the binaries in the /usr/bin directory. Later, compiling and installing GnuPG from source other than from a source RPM won't normally overwrite these files, as the default location for placement of GnuPG binaries is in /usr/local/bin unless the '--prefix' switch is used during compile to specify an alternate location. Since the /usr/bin directory more than likely appears in your path before /usr/local/bin, the older RPM-version binaries will continue to be used when called since they were not replaced.

To resolve this, uninstall the RPM-based version with 'rpm -e gnupg' before installing the binaries compiled from source.
If dependency errors are displayed when attempting to uninstall the RPM (such as when Red Hat's up2date is also installed, which uses GnuPG), uninstall the RPM with 'rpm -e gnupg --nodeps' to force the uninstall. Any dependent files should be automatically replaced during the install of the compiled version. If the default /usr/local/bin directory is used, some packages such as SuSE's Yast Online Update may need to be configured to look for GnuPG binaries in the /usr/local/bin directory, or symlinks can be created in /usr/bin that point to the binaries located in /usr/local/bin.

I have uninstalled the 'preinstalled' gnupg and reinstalled the last version. When I run the command: rpm -q gnupg, now doesn't show any gnupg installation, but I can use it.

Now I need to point the distribution packages (CENTOS 4.2) to use the last (and unique) installed GNUPG.

If the default /usr/local/bin directory is used, some packages such as SuSE's Yast Online Update may need to be configured to look for GnuPG binaries in the /usr/local/bin directory, or symlinks can be created in /usr/bin that point to the binaries located in /usr/local/bin.

What shall I do? I am not very familiar to configure servers. :-/

--
View this message in context: http://www.nabble.com/Removing-all-installed-versions-of-GNUPG-tp17464099p17485108.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From tmz at pobox.com Tue May 27 10:37:23 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Tue, 27 May 2008 04:37:23 -0400
Subject: Removing all installed versions of GNUPG
In-Reply-To: <17485108.post@talk.nabble.com>
References: <17464099.post@talk.nabble.com> <483B46F5.2030409@sixdemonbag.org> <17485108.post@talk.nabble.com>
Message-ID: <20080527083722.GA18974@inocybe.teonanacatl.org>

giangios wrote:
> When I run the command: rpm -q gnupg, now doesn't show any gnupg
> installation, but I can use it.
Right -- rpm only knows about packages you add via rpm packages, not about random things you compile from source.

> Now I need to point the distribution packages (CENTOS 4.2) to use
> the last (and unique) installed GNUPG.

You should be building a gnupg rpm.

> What shall I do? I am not very familiar to configure servers. :-/

The only sane advice would be to undo what you have done and not attempt to replace core system components until you better understand the system you are working with.

I would recommend reading up on building packages with rpm, if you really feel that you must have a newer gnupg version installed in your server(s). A few places to start might be:

http://fedoraproject.org/wiki/Docs/Drafts/BuildingPackagesGuide
http://docs.fedoraproject.org/drafts/rpm-guide-en/
http://www.rpm.org/max-rpm-snapshot/

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Whenever you find yourself on the side of the majority, it is time to pause and reflect.
    -- Mark Twain

From bnsmith001 at gmail.com Tue May 27 23:36:12 2008
From: bnsmith001 at gmail.com (Barry Smith)
Date: Tue, 27 May 2008 17:36:12 -0400
Subject: Removing all installed versions of GNUPG
In-Reply-To: <17464099.post@talk.nabble.com>
References: <17464099.post@talk.nabble.com>
Message-ID: <483C7ECC.3000305@gmail.com>

Hello, Giangios.

| 3 installations of GNUPG.

I would follow the following procedure --
1) I would carefully and politely (aka, politically)
   research why there are three gpg's installed on
   the server.

2) Then I would update the "correctly" "standardly"
   installed version of gpg.

3) Then I would politely send out an email/memo to all
   parties involved in the non-standard copies of gpg,
   and inform them that
     "The latest version of gpg has been installed
     on the server in [the standard library].
     Please contact [someone] about using the
     latest version of gpg. This change will
     happen on end of day Friday [2008/05/23]."
   Please, use all of the politeness that you can in
   this email/memo, because you want the users to
   contact you voluntarily to make sure that they
   are using the correct gpg.

4) Cron a script to run on [2008/08/23] to delete
   the two wrong gpg directories.

Optionally --
5) In the cron'd script, create symbolic links from
   the old directories to the new directories.

Sidebar tech ref guidance --
   Copied from a web page --
   > ln -s [TARGET DIRECTORY OR FILE] ./[SHORTCUT]
   >
   > For example:
   >
   > ln -s /usr/local/apache/logs ./logs
   >
   > This points a symbolic link "./logs" to "/usr/local/apache/logs"

   Symbolic links in some of the "Unices" can have their own overhead
   (OS is picky about doing "rm -r" when a Symbolic link is
   encountered). On the "Unices", Symbolic Links work super effectively
   for program execution, and data access.

As everyone is probably aware (probably), on the "Unices," all individual keyrings are stored in a ".gpg" directory under each user's "/home/[user]/" directory. I point that out so that I can point out the central point... that updating a central version of gpg should be invisibly impactless to any and all users, once they correct the use of the different/alternate/deleted versions of gpg.

Further comment --
I ran across a similar problem in Windows.
1) One was needed by Cygwin (Linux under Windows),
2) one was needed by my email program (Thunderbird), and
3) one was needed by a GPG file toolpack (GPG4Win)
   that I use regularly.

I determined that it would be easier to
-- do the installation into the default location (which is
   where the GPG4Windows looks), and then
-- Do the installation again into the location that my email
   program looked for GPG, and lastly
-- build the gpg for Cygwin from source.

Technical
Yes, during my efforts, I found out that there is a Windows Environment variable (as well as a cygwin/"Unices" alias) that can be set for GPG to look in one location for the executables... not PATH, but another one, something like gpgpath... the gpg docs are really written from a Unix/Linux perspective, and should cover this in perfect detail for your Linux-viewpoint.

Best of Luck.

Let me know off-list if there is anything else that you want to ask me directly about this task.

Peace,

Barry Smith

giangios wrote:
| Hi to everybody,
|
| I am not very familiar with linux and I have found out that GNUPG was
| installed more than once on the server. There was already a preinstalled one
| and trying to install and configure the last version I have realized that I
| have now 3 installations of GNUPG.
|
| How can I remove all the installations?
|
| Shall I go to the build directory and type 'make uninstall'?
|
| This would work in the 2 I have installed (maybe), but what concerning the
| preinstalled version.
|
| Could somebody explain me how to remove all the installations?
|
| Thanks

--
Barry Smith (2008-01-21 2048 no expire)

Public Key ID : 0xBA649960
Key fingerprint : BAF9 A3F3 DF31 5038 1D72 442C 80E9 FF84 BA64 9960
If you can't find my key, tell me what keyserver to upload it to, or ask me to send it to you directly.

Outgoing mail is certified Virus Free.
Checked by Norton 360 All-In-One (http://www.symantec.com).

Peace and Love!

From giangios at gmail.com Wed May 28 10:06:25 2008
From: giangios at gmail.com (giangios)
Date: Wed, 28 May 2008 01:06:25 -0700 (PDT)
Subject: Removing all installed versions of GNUPG
In-Reply-To: <483C7ECC.3000305@gmail.com>
References: <17464099.post@talk.nabble.com> <483C7ECC.3000305@gmail.com>
Message-ID: <17507257.post@talk.nabble.com>

Thanks to everybody for help and suggestions.

At the end I have installed checkinstall, removed all the previous installations of GNUPG and used checkinstall for making the last version available in the system.

The server where I had this problem is used just by me, so I had no critical points to handle with other users.

Giangios

From wk at gnupg.org Wed May 28 18:52:31 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 28 May 2008 18:52:31 +0200
Subject: FYI: GnuPG Server maintenance next Monday
Message-ID: <87wsle9xrk.fsf@wheatstone.g10code.de>

Hi!

This is to let you know that the GnuPG servers are taken down on Monday, June 2 at about 6:00 UTC to be moved to OpenIT's new data processing center. The new location is in the same city and in physical vicinity to a huge IP exchange point. They should be up again by midnight.

All services are affected including email, thus you may get mail delivery *warnings*. All should be well again by Tuesday.

Should a real damage happen, I will leave a message at http://www.gpg4win.org.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From carloswill at gmail.com Wed May 28 19:21:11 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Wed, 28 May 2008 13:21:11 -0400
Subject: First Time Setup Confusion
Message-ID:

I am the email administrator for my small company and have never dealt with any kind of cryptographic software. I have several internal users on my email server (Postfix) who have the need to send encrypted email to trusted vendors so there will be some kind of public key exchange however I don't understand where GPG fits in the puzzle and maybe someone can explain this to me. I was told on a tech forum that PGP and / or GPG both are client side applications and don't need to run on my email (Postfix) server. I contacted PGP and they explained they have a client application that runs on the users desktop that handles the key encryption and exchange however I would like to use GPG and don't understand what the steps are that need to be done.

I read their mini_howto guide:

http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html

However this basically runs over the entire process and everything I need to install this.
I am just not clear on if I need to install GPG on my email server or a stand alone server (or does it matter) and how this all works with my current system.

Please pardon my ignorance and thanks for any help and or info!

From Thomas.Wolf at wfhc.org Wed May 28 00:51:54 2008
From: Thomas.Wolf at wfhc.org (Wolf, Tom)
Date: Tue, 27 May 2008 17:51:54 -0500
Subject: GNU privacy guard on AIX
Message-ID:

Hello,

I need to install GNU Privacy Guard (gnupg) 2.0.9 on several AIX 5.2 systems. Before I can install gnupg, the following dependent packages need to be installed.

* libgpg-error
* libgcrypt
* libksba
* libassuan

I'm having problems installing the first package, libgpg-error (1.5). I'm able to successfully configure it using the following command:

  #configure AWK=/usr/bin/awk CC=/opt/freeware/bin/gcc GREP=/opt/freeware/bin/grep LD=/opt/freeware/bin/gld

However, I keep getting the following error when make is executed:

  ....
  ....
  if /opt/freeware/bin/gcc -DHAVE_CONFIG_H -I. -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -g -O2 -MT gpg_error-gpg-error.o -MD -MP -MF ".deps/gpg_error-gpg-error.Tpo" -c -o gpg_error-gpg-error.o `test -f 'gpg-error.c' || echo './'`gpg-error.c; then mv -f ".deps/gpg_error-gpg-error.Tpo" ".deps/gpg_error-gpg-error.Po"; else rm -f ".deps/gpg_error-gpg-error.Tpo"; exit 1; fi
  /bin/sh ../libtool --tag=CC --mode=link /opt/freeware/bin/gcc -g -O2 -o gpg-error gpg_error-strsource-sym.o gpg_error-strerror-sym.o gpg_error-gpg-error.o ./libgpg-error.la
  /opt/freeware/bin/gcc -g -O2 -o .libs/gpg-error gpg_error-strsource-sym.o gpg_error-strerror-sym.o gpg_error-gpg-error.o -L./.libs -lgpg-error -Wl,-blibpath:/usr/local/lib:/opt/freeware/lib/gcc/powerpc-ibm-aix5.2.0.0/4.0.0:/opt/freeware/lib/gcc/powerpc-ibm-aix5.2.0.0/4.0.0/../../..:/usr/lib:/lib
  collect2: library libgpg-error not found
  make: 1254-004 The error code from the last command is 1.
  Stop.
  make: 1254-004 The error code from the last command is 2.
  Stop.
  make: 1254-004 The error code from the last command is 1.

Since I'm trying to install the libgpg-error package, I don't understand how one of its libraries, which I assume would be generated as part of the install, is causing the make process to fail.

Any suggestions for clearing this error would be greatly appreciated.

Thank you.

Tom Wolf
Thomas.Wolf at wfhc.org
414-465-4544

From jw at raven.inka.de Wed May 28 21:27:49 2008
From: jw at raven.inka.de (Josef Wolf)
Date: Wed, 28 May 2008 21:27:49 +0200
Subject: WARNING: unsafe ownership on homedir `/m/a/etc/naclient/ppcbackup
In-Reply-To: <20080524001317.GA4830@raven.wolf.lan>
References: <20080524001317.GA4830@raven.wolf.lan>
Message-ID: <20080528192749.GB4830@raven.wolf.lan>

On Sat, May 24, 2008 at 02:13:17AM +0200, Josef Wolf wrote:
> I am wondering what this error message
>
> WARNING: unsafe ownership on homedir `/usr/local/etc/backup'
>
> is trying to tell me.
>
> This directory is owned by root:myself and has mode 750. So it is
> writable only by root and readable only by myself and by root.
> AFAICS, it is as safe as it can get. Do I really have to remove
> access for _root_? How do I do that?
>
> I can see the necessity of such a warning if the directory is writable
> by some arbitrary user. But isn't root somewhat special?
>
> Just wondering...

No opinions? Here is one more example:

  myself at raven:~> LANG= gpg -e \
      --homedir /m/a/etc/naclient/ppcbackup \
      -r "myself" \
      test
  gpg: WARNING: unsafe permissions on homedir `/m/a/etc/naclient/ppcbackup'
  myself at raven:~> ls -l -d /m \
      /m/a \
      /m/a/etc \
      /m/a/etc/naclient \
      /m/a/etc/naclient/ppcbackup
  drwxr-x--x  9 myself myself 4096 2008-05-21 00:08 /m
  drwxr-x--x 10 myself myself 4096 2006-07-18 15:00 /m/a
  drwxr-x--x  7 myself myself 4096 2007-06-23 01:36 /m/a/etc
  drwxr-x---  3 myself myself 4096 2008-05-24 01:49 /m/a/etc/naclient/
  drwxr-x---  2 myself myself 4096 2008-05-28 21:17 /m/a/etc/naclient/ppcbackup/
  myself at raven:~> LANG= id
  uid=1006(myself) gid=1006(myself) groups=1006(myself)
  myself at raven:~>

The homedir and all the directories above it are owned by myself:myself. None of them is modifiable by anyone else but myself:myself. And the homedir is readable only by myself:myself.

Why is this directory considered to have unsafe permissions? How do I get rid of this warning?
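
Added example (not part of the original thread and not GnuPG's own code): a small Python model of a homedir check that reproduces the two warnings quoted in the message above. It assumes the owner is compared with the calling user first and that, for a matching owner, any group or other permission bit counts as unsafe, which is consistent with both reported cases; it looks only at the homedir itself, uid 1006 and mode 750 come from the thread, and the function names are made up here.

```python
import os
import stat
import tempfile

# Any access at all for group or others (rwx for each).
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO


def classify(st_uid, st_mode, uid):
    """Classify a GnuPG homedir from its stat fields.

    Assumed model (not GnuPG source): the owner is compared with the
    calling user first; only when they match are the group/other
    permission bits examined.
    """
    if not stat.S_ISDIR(st_mode):
        return "not a directory"
    if st_uid != uid:
        return "unsafe ownership"
    if st_mode & UNSAFE_BITS:
        return "unsafe permissions"
    return "ok"


def check_homedir(path, uid=None):
    """Stat a real directory; return (verdict, ls-style mode string)."""
    st = os.stat(path)
    if uid is None:
        uid = os.getuid()
    return classify(st.st_uid, st.st_mode, uid), stat.filemode(st.st_mode)


def harden(path):
    """Equivalent of `chmod go-rwx PATH`: drop group/other bits only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~UNSAFE_BITS)


def demo():
    results = {}
    me, root = 1006, 0  # uid 1006 is the `id` output quoted in the thread
    d750 = stat.S_IFDIR | 0o750
    # Constructed stat values for the two situations reported above.
    results["root:myself 750"] = classify(root, d750, me)
    results["myself:myself 750"] = classify(me, d750, me)
    results["myself:myself 700"] = classify(me, stat.S_IFDIR | 0o700, me)
    # The same check against a real scratch directory, before and after
    # removing the group/other bits.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        results["tempdir before harden"] = check_homedir(d)
        harden(d)
        results["tempdir after harden"] = check_homedir(d)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

Under this model a root-owned directory is flagged for ownership however tight its mode is, and a self-owned mode 750 directory is flagged because of the group r-x bits; mode 700 owned by the calling user passes.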

From aongenae at gmail.com Wed May 28 21:36:43 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Wed, 28 May 2008 21:36:43 +0200
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID: <83713a650805281236m13561c1el95a42a84896a17d@mail.gmail.com>

OpenPGP is a protocol that is used on the end user machine, BY the end user. It allows them to encrypt the message so that only some selected persons are allowed to read the mail, and it permits the sender to sign the mail so the receiver can be sure that the content of the mail was not altered and is really from the sender.

So, as the administrator, you don't have to install anything on the mail server. But if you're also in charge of the end user machines, you have to install GPG on these machines (it is already installed on most Linux distributions).

I won't go into the details, but you really should understand the concept of public key encryption to explain it to the end users.

--
_-Arnaud-_

From faramir.cl at gmail.com Wed May 28 21:36:13 2008
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 28 May 2008 15:36:13 -0400
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID: <483DB42D.8040303@gmail.com>

Carlos Williams wrote:
> I am the email administrator for my small company and have never dealt
> with any kind of cryptographic software. I have several internal users
> on my email server (Postfix) who have the need to send encrypted email
> to trusted vendors so there will be some kind of public key exchange
> however I don't understand where GPG fits in the puzzle and maybe
> someone can explain this to me. I was told on a tech forum that PGP and
> / or GPG both are client side applications and don't need to run on my
> email (Postfix) server. I contacted PGP and they explained they have a
> client application that runs on the users desktop that handles the key
> encryption and exchange however I would like to use GPG and don't
> understand what the steps are that need to be done.
>
> I read their mini_howto guide:
>
> http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-1.html
>
> However this basically runs over the entire process and everything I
> need to install this. I am just not clear on if I need to install GPG on
> my email server or a stand alone server (or does it matter) and how this
> all works with my current system.
>
> Please pardon my ignorance and thanks for any help and or info!

Hello Carlos Williams. GNUpg is the opensource (and free) software for PGP encryption, so it is a very good choice. It doesn't need to be installed in a server, but in each end user computer. It can even be carried in a USB flash stick.

What you need to send a signed, or encrypted message with gpg, is: gpg, an email client with support for gpg (I use mozilla thunderbird, with Enigmail add-on for that), and your key pair (you generate it with gpg, there is not an external provider for that). Then both sides exchange their public keys, they need to import the public keys to their public keyring, and start using them. How to export and import the public keys varies depending if you are using command line commands, or if you are using a GUI.

But also, you must make sure you really got the right key from your vendor, and not the key from somebody impersonating him. About how to do that, I am sure other people here can explain it a lot better than I could do that...

From laurent.jumet at skynet.be Thu May 29 08:10:34 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu, 29 May 2008 08:10:34 +0200
Subject: Bad signature...
Message-ID:

Hello !

Is there an explanation for this:

When I sometimes check signature inside my mailer for a clearSign, I get the message "Bad signature".
If I copy the whole message in the clipboard (I'm using XP) and test the signature in the clipboard using GPGShell, signature is good.

--
Laurent Jumet
KeyID: 0xCFAF704C

From laurent.jumet at skynet.be Thu May 29 10:59:52 2008
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu, 29 May 2008 10:59:52 +0200
Subject: Enigmail...
Message-ID:

Hello !

I just tried the plug-in Enigmail on Thunderbird, and it seems very good.

--
Laurent Jumet
KeyID: 0xCFAF704C

From ramon.loureiro at upf.edu Thu May 29 11:47:59 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Thu, 29 May 2008 11:47:59 +0200
Subject: what if they have my sec key?
Message-ID: <483E7BCF.4050302@upf.edu>

Hi!

I'm using different PCs at work for sending email (and other things, of course...)
They are shared with 3 more users.

Is it possible for these users to hack my secret key?
If they have got it, can they use some kind of brute force system to guess my pass phrase?

What will be the best option in this scenario?
Having the secret key on my USB drive?

Thanks!

From email at sven-radde.de Thu May 29 12:50:40 2008
From: email at sven-radde.de (Sven Radde)
Date: Thu, 29 May 2008 12:50:40 +0200
Subject: what if they have my sec key?
In-Reply-To: <483E7BCF.4050302@upf.edu>
References: <483E7BCF.4050302@upf.edu>
Message-ID: <483E8A80.5040509@sven-radde.de>

Hi!

Ramon Loureiro wrote:
> Is it possible for these users to hack my secret key?
> If they have got it, can they use some kind of brute force system to
> guess my pass phrase?

Yes. If they can read your private keyring, they can start to brute-force your passphrase.
You should make sure that 1) they cannot read the private key - separate user accounts with limited privileges is the key here and 2) your passphrase is secure enough to frustrate anybody trying to crack it.

However, be aware that those other users might also be able to exploit security holes in the system in order to install keyloggers or similar, eliminating the protection that your passphrase offers.

> What will be the best option in this scenario?
> Having the secret key on my USB drive?

Having the key on a USB drive is probably secure enough if you do not take into account malicious software on the system you want to use it on.
If you must assume that there could be keyloggers/etc. installed on the system (by other users or remote attackers), your best bet is probably the OpenPGP smartcard, which will keep your key safe.

NB that there are some "probably"s in my answer -- it all really depends on your threat model (i.e. how far are people willing to go to grab hold of your private key). It also depends on how you want to balance usability and security against each other.
In many cases, having the key in one's home directory unreadable by others could be good enough already. In other cases, even having a smartcard-reader with autonomous PIN-pad won't be secure.

HTH, Sven

From BruderB at cation.de Thu May 29 11:49:51 2008
From: BruderB at cation.de (B)
Date: Thu, 29 May 2008 11:49:51 +0200
Subject: Enigmail...
In-Reply-To:
References:
Message-ID: <483E7C3F.5080606@cation.de>

Laurent Jumet wrote:
> Hello !
>
> I just tried the plug-in Enigmail on Thunderbird, and it seems very good.
>

Yes, it is! It's my choice No. 1!
I really like the per-recipient-rules!

Boris

From faramir.cl at gmail.com Thu May 29 14:02:20 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 29 May 2008 08:02:20 -0400
Subject: what if they have my sec key?
In-Reply-To: <483E7BCF.4050302@upf.edu>
References: <483E7BCF.4050302@upf.edu>
Message-ID: <483E9B4C.3010708@gmail.com>

Ramon Loureiro wrote:
> Hi!
>
> I'm using different PCs at work for sending email (and other things, of
> course...)
> They are shared with 3 more users.
>
> Is it possible for these users to hack my secret key?
> If they have got it, can they use some kind of brute force system to
> guess my pass phrase?
>
> What will be the best option in this scenario?
> Having the secret key on my USB drive?

There is a tutorial somewhere, "keeping your private key safe", that says you can carry just a couple of subkeys, and use them to sign/encrypt/decrypt messages... and if something bad happens, you just need to revocat... to apply revocation to the subkeys, and to generate other subkeys using your primary secret key (which you would keep at a safe place, like your home computer, or in a USB stick hidden under your dog's feeding bowl (use a titanium covered USB Stick, in case the dog is hungry)).

The good part is you would never lose your primary key, so you don't have to gather signatures again. But you won't be able to sign other people's keys at work, just at home. Also, if your subkeys are stolen -or you think they could have been compromised- on a daily basis... you would be collecting a pair of revocated subkeys each and every day... so maybe a combination would be good... carry the subkeys in the USB stick, so if you lose it, you just lose the subkeys, and the files wouldn't be available at your office when you are not there... so it should be harder to steal them...

And of course, use a passphrase that is not in any dictionary... bruteforce takes a lot of time, but dictionary attacks are pretty fast... think about something that would make the thief curse aloud and in several languages (lol). The passphrase in your home computer doesn't need to be the same as the one in the USB stick...

From jeandavid8 at verizon.net Thu May 29 13:10:02 2008
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Thu, 29 May 2008 07:10:02 -0400
Subject: what if they have my sec key?
In-Reply-To: <483E7BCF.4050302@upf.edu>
References: <483E7BCF.4050302@upf.edu>
Message-ID: <483E8F0A.5040904@verizon.net>

Ramon Loureiro wrote:
> Hi!
>
> I'm using different PCs at work for sending email (and other things, of
> course...)
>
Are just the PCs at work shared, or are the secret keys at work shared too?
>
> Is it possible for these users to hack my secret key?

It depends, partly, on the security features of the OS you are running. Can the other users see your key ring? If you run Linux or Unix, for example, and have the permissions of the directory containing your key ring set to drwx------ , and the permissions of your secret key ring set to -rw------- you should be pretty safe except from the super-user. If you do not trust the super user, you are in big trouble in any case.

It is my understanding that the security features of at least some versions of Windows are much less and that anyone can get at those files.

> If they have got it, can they use some kind of brute force system to
> guess my pass phrase?

In theory, yes, especially if it is too simple.
If you pick a complicated one such as NICqW$Yu1Fg.ZSLawenaP5ZCiDy (now that that one has been displayed on the Internet, it is no longer considered a good one), they are much less likely to guess it even with a dictionary attack. The main trouble with a passphrase like that is that it may take a month or so before you can remember it, and writing it down is not considered a good idea.

>
> What will be the best option in this scenario?
> Having the secret key on my USB drive?
> ?
>
That is safe as long as the other users of your machine are not running programs on it while you are using it.

- --
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 06:55:01 up 6 days, 20:52, 4 users, load average: 4.64, 4.25, 4.11
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From carloswill at gmail.com Thu May 29 14:51:27 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Thu, 29 May 2008 08:51:27 -0400
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID:

On Thu, May 29, 2008 at 4:36 AM, Hardeep Singh wrote:

> Hi Carlos
>
> Step 1 is to read this:
> http://en.wikipedia.org/wiki/Public-key_cryptography
>
> Regards
> Hardeep

Thanks all. It appears I have a better understanding of how this works in general based on the online documentation I read which is vendor neutral. Now my only question is that GPG seems to function natively on most common Linux systems but my question is what if I have a Linux email server that has 50 Outlook / Windows XP clients who connect to it via IMAP4. In this case I see that there are some options but I don't know how supported or buggy they are.
What does this list recommend for Windows / Outlook clients sending encrypted email using GNUPG?

From carloswill at gmail.com Thu May 29 16:21:48 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Thu, 29 May 2008 10:21:48 -0400
Subject: Am I Missing Something?
Message-ID:

I am trying to generate a key and start using it with Mozilla Thunderbird / Enigmail & I am obviously missing something. I generated a key on my system using the following command:

cwilliams at tunafish:~$ gpg --gen-key

You can see below exactly what I did and I am now unclear once I created this key how to start using it with my email client. Am I missing something?

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

Real name: Carlos Williams
Email address: cwilliams at example.org
Comment:
You selected this USER-ID:
"Carlos Williams "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++.++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++++++++++++....+++++..+++++++++++++++.++++++++++++++++++++++++++++++...+++++..+++++++++++++++>....+++++.+++++>+++++....+++++^^^
gpg: key XXXXXXX marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/XXXXXX 2008-05-29
Key fingerprint = 5646 E345 DE00 5E55 555C 5555 E5AD 5F0C C5B5 55CB
uid Carlos Williams
sub 2048g/XXXXXXX 2008-05-29

Now I can see the following when I list the keys:

cwilliams at tunafish:~$ gpg --list-keys
/home/carl/.gnupg/pubring.gpg
----------------------------------
pub 1024D/XXXXXXX 2008-05-29
uid Carlos Williams
sub 2048g/XXXXXXX 2008-05-29

Thanks for any help!

From email at sven-radde.de Thu May 29 16:35:53 2008
From: email at sven-radde.de (Sven Radde)
Date: Thu, 29 May 2008 16:35:53 +0200
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID: <483EBF49.4080402@sven-radde.de>

Carlos Williams wrote:
> What does this list recommend for Windows / Outlook clients sending
> encrypted email using GNUPG?

Cannot speak for the list as a whole, but I would recommend gpg4win (www.gpg4win.org) which comes with a plugin for Outlook - and some other useful GUIs. Unfortunately, it does not work with Outlook 2007 (or does it, meanwhile?).

HTH, Sven

From aongenae at gmail.com Thu May 29 16:41:24 2008
From: aongenae at gmail.com (Arnaud Ongenae)
Date: Thu, 29 May 2008 16:41:24 +0200
Subject: Am I Missing Something?
In-Reply-To:
References:
Message-ID: <83713a650805290741w4861ad30yd9d733baedb38375@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First of all, I don't think it's a good thing to have a key that never expires, especially for the first one (when we don't really understand every aspect of OpenPGP).

Secondly, it seems good, you now have a public private key. You can export your public key to give it to other people so they would be able to crypt mail they want to send to you.

Enigmail allows the generation of the key; it's maybe easier than the terminal for new users. You can therefore use enigmail to export and send your public key to other people.

You can have a try with me if you want and send me your public key (it's useless to do those tests on the list).

_-Arnaud-_

ps: In thunderbird, when you look at this mail, you can click on the little pen in the down right of the screen and import my public key from any keyserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: http://getfiregpg.org

-----END PGP SIGNATURE-----

2008/5/29 Carlos Williams :
> I am trying to generate a key and start using it with Mozilla Thunderbird /
> Enigmail & I am obviously missing something. I generated a key on my system
> using the following command:
>
> cwilliams at tunafish:~$ gpg --gen-key
>
> You can see below exactly what I did and I am now unclear once I created
> this key how to start using it with my email client. Am I missing something?
>
> Please select what kind of key you want:
> (1) DSA and Elgamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
> Your selection? 1
> DSA keypair will have 1024 bits.
> ELG-E keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048)
> Requested keysize is 2048 bits
> Please specify how long the key should be valid.
> 0 = key does not expire
> = key expires in n days
> w = key expires in n weeks
> m = key expires in n months
> y = key expires in n years
> Key is valid for? (0)
> Key does not expire at all
> Is this correct? (y/N) y
>
> Real name: Carlos Williams
> Email address: cwilliams at example.org
> Comment:
> You selected this USER-ID:
> "Carlos Williams "
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
> You need a Passphrase to protect your secret key.
>
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> ..+++++.++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++++++++++++....+++++..+++++++++++++++.++++++++++++++++++++++++++++++...+++++..+++++++++++++++>....+++++.+++++>+++++....+++++^^^
> gpg: key XXXXXXX marked as ultimately trusted
> public and secret key created and signed.
>
> gpg: checking the trustdb
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
> pub 1024D/XXXXXX 2008-05-29
> Key fingerprint = 5646 E345 DE00 5E55 555C 5555 E5AD 5F0C C5B5 55CB
> uid Carlos Williams
> sub 2048g/XXXXXXX 2008-05-29
>
> Now I can see the following when I list the keys:
>
> cwilliams at tunafish:~$ gpg --list-keys
> /home/carl/.gnupg/pubring.gpg
> ----------------------------------
> pub 1024D/XXXXXXX 2008-05-29
> uid Carlos Williams
> sub 2048g/XXXXXXX 2008-05-29
>
> Thanks for any help!
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

From faramir.cl at gmail.com Thu May 29 16:41:50 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 29 May 2008 10:41:50 -0400
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID: <483EC0AE.20808@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carlos Williams wrote:
> On Thu, May 29, 2008 at 4:36 AM, Hardeep Singh
> wrote:
>
> Hi Carlos
>
> Step 1 is to read this:
> http://en.wikipedia.org/wiki/Public-key_cryptography
>
> Regards
> Hardeep
>
>
> Thanks all. It appears I have a better understanding of how this works
> in general based on the online documentation I read which is vendor neutral.
> Now my only question is that GPG seems to function natively on most
> common Linux systems but my question is what if I have a Linux email
> server that has 50 Outlook / Windows XP clients who connect to it via
> IMAP4. In this case I see that there are some options but I don't know
> how supported or buggy they are. What does this list recommend for
> Windows / Outlook clients sending encrypted email using GNUPG?

I don't know if outlook supports gpg, but if not, I would install gpgshell, a GUI for gpg, I would write the messages in outlook or notepad, copy the text to the clipboard, use gpgtray (a tool from gpgshell) to encrypt the clipboard content, and paste it into the message I am writing. You can encrypt files too, using gpgtools, before attaching them to the email message.

But probably there is a better way to do it... If the client was outlook express, I would recommend to replace it with mozilla thunderbird with enigmail addon, but it is not the case...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From email at sven-radde.de Thu May 29 16:42:45 2008
From: email at sven-radde.de (Sven Radde)
Date: Thu, 29 May 2008 16:42:45 +0200
Subject: Am I Missing Something?
In-Reply-To:
References:
Message-ID: <483EC0E5.70901@sven-radde.de>

Carlos Williams wrote:
> You can see below exactly what I did and I am now unclear once I
> created this key how to start using it with my email client. Am I
> missing something?

Everything is fine. The key was generated and is ready for use.

You do not seem to have generated a revocation certificate. It is *highly* recommended that you do that before you put your key into active use (i.e. publish it to keyservers etc).

You can now use the key to send out signed email. The method how to do this depends on which client you are using.

To encrypt mail, you need to gather GnuPG public keys of the people you want to encrypt to. At the moment, with only your key in the keyring, you can only encrypt to yourself.

HTH, Sven

From shavital at mac.com Thu May 29 17:11:13 2008
From: shavital at mac.com (Charly Avital)
Date: Thu, 29 May 2008 11:11:13 -0400
Subject: Am I Missing Something?
In-Reply-To:
References:
Message-ID: <483EC791.7050100@mac.com>

Carlos Williams wrote the following on 5/29/08 10:21 AM:
> I am trying to generate a key and start using it with Mozilla Thunderbird /
> Enigmail & I am obviously missing something.
> I generated a key on my system
> using the following command:
>
> cwilliams at tunafish:~$ gpg --gen-key
>
> You can see below exactly what I did and I am now unclear once I created
> this key how to start using it with my email client. Am I missing something?

[...]

I don't know which Thunderbird and Enigmail versions you are using, but this should help (I am using the Macintosh version, but there shouldn't be significant differences if you are using another platform):

If you want to use the key you have generated to sign outgoing messages, and to self-encrypt, please select 'Account Settings' from your Menu options.

This will display a page where your account(s) are listed.

Select "OpenPGP Security", and input the options you want to use, first of all 'Enable OpenPGP support (Enigmail) for this identity'

Select 'Use specific OpenPGP key ID (0x1234ABCD)':
Click the button 'Select Key...' located at the right end of the empty field. This will launch a window 'Select OpenPGP Key for Encryption'.
Select (highlight) the row where your key is listed, go to the bottom of the window, and click OK.

This will bring you back to the previous window, where your account(s) is listed, but now the previously empty field will show the key ID of your selected key, beginning with 0x (that's zero x).

Select other options you want to save, e.g.:
'Sign non-encrypted messages by Default' IF you want to sign ALL your outgoing messages.
'Sign encrypted messages by default', that's a good idea...
'Encrypt messages by default', NOT a good idea, since you will be posting messages to lists, and you don't post encrypted messages to a list (unless it is a special list where all postings are encrypted with a shared public key). gnupg-users is NOT such a list.
'Use PGP/MIME by default', not a good idea, keep the choice to yourself.
Click 'Advanced', this will display another window where you can select options for 'Send OpenPGP Header'
'Send OpenPGP Key ID' if you want your Key ID to be included in the headers of the messages you send.
'Send URL for key retrieval': an empty field where you can enter the URL where from your public key can be downloaded.
'Attach public key to signed or encrypted messages'. If you select that option, *every time* you send a signed message to a list, your public key will be attached, and that's a little too much, you can choose to attach your public key manually in OpenPGP Preferences.

Click the OK button, you will be brought back to the previous window, click the OK button, and you are set.

By the way, you choose to erase, in your message, the Key ID of your public key, and that's your privilege. But if you are going to send signed messages to people, you might want your recipients to be able to verify your signature, and they need your public key. You can choose to upload your public key (it is a *public* key) to a key server, where from it will propagate to other keyservers, allowing your correspondents to download your key when needed.

Last, but not least, since you are going to use Thunderbird+Enigmail, I suggest that you subscribe to the Enigmail mailing list, visit Enigmail's site and

Best of luck,
Charly

From faramir.cl at gmail.com Thu May 29 16:57:27 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 29 May 2008 10:57:27 -0400
Subject: Am I Missing Something?
In-Reply-To:
References:
Message-ID: <483EC457.2090607@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carlos Williams wrote:
> I am trying to generate a key and start using it with Mozilla
> Thunderbird / Enigmail & I am obviously missing something. I generated a
> key on my system using the following command:

I "think" you need to associate the key to your email account in thunderbird/enigmail.
Under accounts configuration, you need to enable PGP for the email account, and select the key you want to use with that account (enigmail is supposed to choose the right key, comparing the email addresses, but I have not tried it).

> Now I can see the following when I list the keys:
>
> cwilliams at tunafish:~$ gpg --list-keys
> /home/carl/.gnupg/pubring.gpg
> ----------------------------------
> pub 1024D/XXXXXXX 2008-05-29
> uid Carlos Williams
>
> sub 2048g/XXXXXXX 2008-05-29
>
> Thanks for any help!

Well, I did:

C:\Documents and Settings\Javier>gpg --list-keys

and a huge amount of keys appeared... my own keys, and all the keys I have got reading this list... but here is one of my keys, as the output showed it:

pub 2048R/862D895B 2008-05-27
uid Fishkiloide
sub 2048R/A0588420 2008-05-27
sub 2048R/E09751CD 2008-05-27

I have 2 subkeys because I added 1 extra subkey... but other than that, it is the same kind of output... so I don't think you are doing anything wrong. Probably, you still have to enable pgp support for your email account, in thunderbird...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From John at Mozilla-Enigmail.org Thu May 29 17:56:24 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 29 May 2008 10:56:24 -0500
Subject: Enigmail...
In-Reply-To:
References:
Message-ID: <483ED228.3050407@Mozilla-Enigmail.org>

Laurent Jumet wrote:
> Hello !
>
> I just tried the plug-in Enigmail on Thunderbird, and it seems very good.

Thank you.
Patrick and everyone else have done a lot of work to bring it along. It helps to have a tool like GnuPG to build on top.

Most of the Enigmail folks follow this list. There's even an Enigmail list if you'd like to refer questions, compliments, or complaints ( 8-{ ) there: enigmail at mozdev.org. Non-subscribed posters are moderated to reduce SPAM and improve the signal/noise ratio.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From John at Mozilla-Enigmail.org Thu May 29 18:29:43 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 29 May 2008 11:29:43 -0500
Subject: First Time Setup Confusion
In-Reply-To:
References:
Message-ID: <483ED9F7.3030106@Mozilla-Enigmail.org>

Carlos Williams wrote:
> Thanks all. It appears I have a better understanding of how this works
> in general based on the online documentation I read which is vendor neutral.
> Now my only question is that GPG seems to function natively on most
> common Linux systems but my question is what if I have a Linux email
> server that has 50 Outlook / Windows XP clients who connect to it via
> IMAP4. In this case I see that there are some options but I don't know
> how supported or buggy they are. What does this list recommend for
> Windows / Outlook clients sending encrypted email using GNUPG?

For many Windows users, Thunderbird (or Seamonkey) with Enigmail is a very good solution and works well with IMAP servers.

For Outlook there is a plug-in, GpgOL, for Outlook distributed as part of GPG4Win.
I can't speak about how well it operates as I [dw]on't use Outlook. Outlook has traditionally had severe problems with handling the OpenPGP extensions for MIME, PGP/MIME. The GpgOL folks can comment about that better than I can, and luckily, they usually follow this list.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From carloswill at gmail.com Thu May 29 17:59:06 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Thu, 29 May 2008 11:59:06 -0400
Subject: Am I Missing Something?
In-Reply-To: <483EC791.7050100@mac.com>
References: <483EC791.7050100@mac.com>
Message-ID:

On Thu, May 29, 2008 at 11:11 AM, Charly Avital wrote:

> I don't know which Thunderbird and Enigmail versions you are using, but
> this should help (I am using the Macintosh version, but there shouldn't
> be significant differences if you are using another platform):

I am using Thunderbird 2.0.0.14 & Enigmail 0.95.6.

>
>
> If you want to use the key you have generated to sign outgoing messages,
> and to self-encrypt, please select 'Account Settings" from your Menu
> options.
>
> This will display a page where your account(s) are listed.
>
> Select "OpenPGP Security", and input the options you want to use, first
> of all 'Enable OpenPGP support (Enigmail) for this identity'

OK.

>
>
> Select 'Use specific OpenPGP key ID (0x1234ABCD):
> Click the button 'Select Key...' located at the right end of the empty
> field. This will launch a window 'Select OpenPGP Key for Encryption.
> Select (highlight) the row where your key is listed, go to the bottom of
> the window, and click OK.

When I select the "Select Key" option, I get the "Select OpenPGP key" window however there are no keys listed in the box for me to choose from. Why do I not see the key I generated?

From jmoore3rd at bellsouth.net Thu May 29 20:51:31 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 29 May 2008 14:51:31 -0400
Subject: Am I Missing Something?
In-Reply-To:
References: <483EC791.7050100@mac.com>
Message-ID: <483EFB33.1080607@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Carlos Williams wrote:
> When I select the "Select Key" option, I get the "Select OpenPGP key"
> window however there are no keys listed in the box for me to choose from.
> Why do I not see the key I generated?

Make certain that on the 'OpenPGP' > 'Preferences' > 1st Tab that the Path to gpg.exe is correct.

HTH

JOHN ;)
Timestamp: Thursday 29 May 2008, 14:50 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----

From tobias.weisserth at gmail.com Sat May 31 19:39:18 2008
From: tobias.weisserth at gmail.com (Tobias Weisserth)
Date: Sat, 31 May 2008 19:39:18 +0200
Subject: SCM SPR532 & Ubuntu 8.04 & GnuPG 1.4.6 versus GnuPG 2.0.7
Message-ID: <43cee7130805311039h738c4ea3x3b6e814ed2095ca7@mail.gmail.com>

Hi there GnuPG users,

Recently I bought a SmartCard along with a SCM SPR532 from kernelconcepts. The SPR532 has a pinpad I want to use instead of entering the pin with the keyboard. I read in one of the GNU howtos that only GnuPG 2 supports this.

I followed all the tutorials and howto documents I could and I managed to figure out that I had to tweak the USB driver bundle installation of the SCM driver to copy the bundle into the right directory for Ubuntu 8.04. After restarting pcscd I could use GnuPG 1.4.6 with the card.

So, after trying different things I managed to initialize my card and generate a new key using GnuPG 1.4.6 (current Ubuntu stable package). However, GnuPG 2.0.7 (Ubuntu 8.04 package) will not read the card like GnuPG 1.4.6. When I do a

gpg2 --card-status

I get:

gpg: OpenPGP card not available: Unknown IPC command

This is the output of gpg (1.4.6) for the same command:

gpg: detected reader `SPR532 USB Smart Card Reader (21250709203507) 00 00'
Application ID ...: D276000124010101000100000FEA0000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000FEA
Name of cardholder: Tobias Weisserth
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 5
...

The card reader has the latest vendor firmware.

I would also like to know how the whole setup is integrated with graphical clients in Ubuntu 8.04, for example Evolution, Seahorse and such.

Any help is welcome! Thanks!

Tobias W.
From sven at radde.name Thu May 29 00:15:54 2008
From: sven at radde.name (Sven Radde)
Date: Thu, 29 May 2008 00:15:54 +0200
Subject: WARNING: unsafe ownership on homedir `/m/a/etc/naclient/ppcbackup
In-Reply-To: <20080528192749.GB4830@raven.wolf.lan>
References: <20080524001317.GA4830@raven.wolf.lan> <20080528192749.GB4830@raven.wolf.lan>
Message-ID: <1212012954.6677.13.camel@carbon>

Hi!

On Wednesday, 28.05.2008, at 21:27 +0200, Josef Wolf wrote:
> homedir is readable only by myself:myself. Why is this directory
> considered to have unsafe permissions? How do I get rid of this warning?

I would suggest to remove any access rights except for the *user* "myself". In other words, make sure that the permissions read "drwx------".

GnuPG cannot know that you are probably the only user of the group "myself". Therefore, other people could have read access to your private keyring, which is probably the issue that GnuPG complains about.

HTH, Sven

From mixmaster at remailer.privacy.at Thu May 29 15:00:22 2008
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria))
Date: Thu, 29 May 2008 15:00:22 +0200 (CEST)
Subject: what if they have my sec key?
References: <483E8A80.5040509__35204.1183542044$1212058366$gmane$org@sven-radde.de>
Message-ID: <52702feefa69a46b1ef3608b0a82011c@remailer.privacy.at>

>> Having the secret key on my USB drive?

> Having the key on a USB drive is probably secure enough if you do not
> take into account malicious software on the system you want to use it
> on. If you must assume that there could be keyloggers/etc. be
> installed on the system (by other users or remote attackers), your
> best bet is probably the OpenPGP smartcard, which will keep your key safe.

Isn't the smartcard limited to 1024 bit keys? Does anyone know when a key with enough storage for any practical key size will be ready?
From nonscrivetemi at pboxmix.winstonsmith.info Thu May 29 15:04:31 2008
From: nonscrivetemi at pboxmix.winstonsmith.info (Non scrivetemi)
Date: Thu, 29 May 2008 15:04:31 +0200 (CEST)
Subject: Enigmail...
References:
Message-ID: <7ac5b3134e215b5a7f7c60d5b2866462@pboxmix.winstonsmith.info>

> I just tried the plug-in Enigmail on Thunderbird, and it seems very
> good.

Enigmail is indeed quite brilliant. It's so good that once you've installed it you quickly yearn for a better mail client than Thunderbird, which is as bug-ridden a piece of rubbish as I've seen.

From zgabor at gmail.com Fri May 30 08:07:30 2008
From: zgabor at gmail.com (Gábor Zahemszky)
Date: Fri, 30 May 2008 08:07:30 +0200
Subject: pocket gnupg anywhere?
Message-ID:

Hello!

On GPG's homepage, there is a link to a PocketConsole based version, which can run on Windows Mobile platform-based PDA's. ( http://www.symbolictools.de/public/pocketconsole/applications/gnupg/ ) By the way, this page doesn't exist anymore. Is there anybody who can help me, and post a link to a working WinMobile version (or mail me directly that software) ?

Thanks,
Gábor

From t.tovmasyan at yahoo.com Fri May 30 13:48:38 2008
From: t.tovmasyan at yahoo.com (Tigran Tovmasyan)
Date: Fri, 30 May 2008 04:48:38 -0700 (PDT)
Subject: about GnuPG
Message-ID: <285591.78150.qm@web45503.mail.sp1.yahoo.com>

Hi There !!!

My name is Tigran and I have some issue ... On my system (Linux RH9 2.4.29) I'm using gpg (GnuPG) 1.2.1 with zlib-1.1.4-8. But when I'm trying to decrypt files which were encrypted with public and private keys it gives me this error message:

---------------------------------------------------------------------------
gpg --decrypt-files /root/Test.xls.gpg
gpg: encrypted with 2048-bit ELG-E key, ID 80224B85, created 2005-02-11
"test1 "
File `/root/Test.xls' exists. Overwrite (y/N)?
y
gpg: fatal: zlib inflate problem: invalid stored block lengths
secmem usage: 2048/3104 bytes in 4/7 blocks of pool 4544/16384
---------------------------------------------------------------------------------------

After this it creates a file Test.xls, but it has very small size and I can't open it 'cause it's damaged. I tried to change my zlib with zlib 1.2.3 but it did not help. Then I changed version of GPG with GPG 1.4.9. But still I haven't fixed my issue. If you have any ideas please write me back ASAP.

With Best Regards
Tigran Tovmasyan

From jmoore3rd at bellsouth.net Sat May 31 23:12:36 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 31 May 2008 17:12:36 -0400
Subject: Enigmail...
In-Reply-To: <7ac5b3134e215b5a7f7c60d5b2866462@pboxmix.winstonsmith.info>
References: <7ac5b3134e215b5a7f7c60d5b2866462@pboxmix.winstonsmith.info>
Message-ID: <4841BF44.90105@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Non scrivetemi wrote:
> Enigmail is indeed quite brilliant. It's so good that once you've
> installed it you quickly yearn for a better mail client than
> Thunderbird, which is as bug-ridden a piece of rubbish as I've
> seen.

Without a succinct explanation of what You consider Bugs the comment is useless. FWIW, Enigmail does work with other MUA's. True, many are available from the Mozilla Site/Servers but the code is different.

Which version of Thunderbird are You using? 2.0.x? 3.0pre?

JOHN ;)
Timestamp: Saturday 31 May 2008, 17:12 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Sat May 31 23:20:06 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 31 May 2008 16:20:06 -0500
Subject: what if they have my sec key?
In-Reply-To: <52702feefa69a46b1ef3608b0a82011c@remailer.privacy.at>
References: <483E8A80.5040509__35204.1183542044$1212058366$gmane$org@sven-radde.de> <52702feefa69a46b1ef3608b0a82011c@remailer.privacy.at>
Message-ID: <4841C106.9060309@sixdemonbag.org>

Anonymous Remailer (austria) wrote:
> Isn't the smartcard limited to 1024 bit keys? Do anyone know when a
> key with enough storage for any practical key size will be ready?

1kbit is a practical key size for most people and purposes.

A kilobit key may be attackable via a phenomenally well-equipped and well-funded adversary within the next decade, but if you're concerned more about rogue sysadmins than rogue governments, a kilobit is plenty fine.

From wk at gnupg.org Sat May 31 13:10:31 2008
From: wk at gnupg.org (Werner Koch)
Date: Sat, 31 May 2008 13:10:31 +0200
Subject: First Time Setup Confusion
In-Reply-To: <83713a650805281236m13561c1el95a42a84896a17d@mail.gmail.com> (Arnaud Ongenae's message of "Wed, 28 May 2008 21:36:43 +0200")
References: <83713a650805281236m13561c1el95a42a84896a17d@mail.gmail.com>
Message-ID: <87lk1qhgpk.fsf@wheatstone.g10code.de>

On Wed, 28 May 2008 21:36, aongenae at gmail.com said:

> I don't enter the detail but you really should understand the concept
> of public key encryption to explain it to the end users.

Put no-permission-warning into gpg.conf.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
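
Added example, not part of any message in this archive and not GnuPG's own code: several replies above come down to who can read the key ring, with drwx------ on the GnuPG home directory and -rw------- on the secret key ring as the target. The script below audits a directory against that target and then tightens it; the function names are this example's own, and the demo directory with its empty secring.gpg is constructed.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory against the permissions
# recommended in the thread ("drwx------" on the directory, "-rw-------"
# on the key ring files). Function names are hypothetical, not GnuPG's.

# Print "<symbolic mode> <numeric owner uid>" for a path, e.g. "drwx------ 1000".
mode_and_owner() {
    # -d: describe the directory itself; -n: numeric uid, so the check also
    # works where the account has no passwd entry.
    ls -ldn -- "$1" | awk '{ print $1, $3 }'
}

# Succeed only if group and others have no permission bits at all.
private_to_owner() {
    mode=$(mode_and_owner "$1" | cut -d' ' -f1)
    # Characters 5-10 of the mode string are the group and other triplets.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# Succeed only if the path belongs to the user running the check.
owned_by_me() {
    owner=$(mode_and_owner "$1" | cut -d' ' -f2)
    [ "$owner" = "$(id -u)" ]
}

# audit_gnupg_home DIR
# Reports each finding on stdout. Returns 0 when clean, 1 when there are
# findings, 2 when DIR is not a directory. The count is left in $findings.
audit_gnupg_home() {
    gnupg_home=$1
    findings=0
    [ -d "$gnupg_home" ] || { echo "not a directory: $gnupg_home"; return 2; }
    for entry in "$gnupg_home" "$gnupg_home"/*; do
        [ -e "$entry" ] || continue     # the glob matched nothing
        if ! owned_by_me "$entry"; then
            echo "not owned by uid $(id -u): $entry"
            findings=$((findings + 1))
        fi
        if ! private_to_owner "$entry"; then
            echo "group/other access ($(mode_and_owner "$entry" | cut -d' ' -f1)): $entry"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# tighten_gnupg_home DIR
# Sets the directory to 700 and every regular file directly inside it to 600.
# Subdirectories are reported by the audit but left unchanged here.
tighten_gnupg_home() {
    chmod 700 "$1" || return 1
    for entry in "$1"/*; do
        if [ -f "$entry" ]; then
            chmod 600 "$entry" || return 1
        fi
    done
    return 0
}

# Demonstration on a constructed directory (no real keys involved).
demo() {
    demo_dir=$(mktemp -d) || return 1
    : > "$demo_dir/secring.gpg"
    chmod 750 "$demo_dir"
    chmod 644 "$demo_dir/secring.gpg"
    echo "before tightening:"
    audit_gnupg_home "$demo_dir"
    tighten_gnupg_home "$demo_dir"
    echo "after tightening:"
    audit_gnupg_home "$demo_dir" && echo "no findings"
    rm -rf "$demo_dir"
}
demo
```

The no-permission-warning option only silences GnuPG's warning; it does not change who can read the files, which is what the audit reports.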