From gnupg at holzke.net Wed Apr 1 10:58:59 2009 From: gnupg at holzke.net (Wilfried Holzke) Date: Wed, 01 Apr 2009 10:58:59 +0200 Subject: gpg: AES-128 test encryption failed Message-ID: <49D32CD3.8070207@holzke.net> Hi, I use thunderbird and enigmail to decrypt messages. I tried to decrypt one message, but gpg says: ------------------------------------------------------------------------ OpenPGP-Sicherheitsinfo: (OpenPGP-Securityinfo) Fehler - geheimer Schl?ssel wird zur Entschl?sselung ben?tigt (error: secret key needed for decryption) gpg Kommandozeile und Ausgabe: (gpg commandline and output) /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent gpg: .... (key info deleted) gpg: .... (key info deleted) AES-128 test encryption failed. gpg: key setup failed: Selbstpr?fung fehlgeschlagen (selftest failed) gpg: Entschl?sselung fehlgeschlagen: Selbstpr?fung fehlgeschlagen (decryption failed: selftest failed) ------------------------------------------------------------------------ If I tried to enrypt something (while sending an email) I get: ----------------- AES-128 test encryption failed. gpg: Ohhhh jeeee: ... this is a bug (seskey.c:60:make_session_key) ----------------- I use gnupg-2.0.11 on Gentoo Linux (AMD Ahtlon 64 X2, Kernel 2.6.28.5). I don't know how to proceed, any ideas? regards W. Holzke From petr.uzel at suse.cz Wed Apr 1 12:15:43 2009 From: petr.uzel at suse.cz (Petr Uzel) Date: Wed, 1 Apr 2009 12:15:43 +0200 Subject: gpg: AES-128 test encryption failed In-Reply-To: <49D32CD3.8070207@holzke.net> References: <49D32CD3.8070207@holzke.net> Message-ID: <20090401101543.GC28891@localhost> On Wed, Apr 01, 2009 at 10:58:59AM +0200, Wilfried Holzke wrote: > Hi, > > If I tried to enrypt something (while sending an email) I get: > ----------------- > AES-128 test encryption failed. > gpg: Ohhhh jeeee: ... this is a bug (seskey.c:60:make_session_key) > ----------------- > > I use gnupg-2.0.11 on Gentoo Linux (AMD Ahtlon 64 X2, Kernel 2.6.28.5). > > I don't know how to proceed, any ideas? > http://lists.gnupg.org/mailman/listinfo/gnupg-users Hi, I'm not sure if it is relevant, but you could take a look at https://bugzilla.novell.com/show_bug.cgi?id=443693 -- Best regards / s pozdravem Petr Uzel, Packages maintainer --------------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: puzel at suse.cz Lihovarsk? 1060/12 tel: +420 284 028 964 190 00 Prague 9 fax: +420 284 028 951 Czech Republic http://www.suse.cz From dshaw at jabberwocky.com Wed Apr 1 14:49:54 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 1 Apr 2009 08:49:54 -0400 Subject: default symmetric algorithm used for private key In-Reply-To: <3f58ee9b0903291237y3e9af9cbg2855a0ed0b0e18b9@mail.gmail.com> References: <3f58ee9b0903291237y3e9af9cbg2855a0ed0b0e18b9@mail.gmail.com> Message-ID: <0AC4B673-2D31-4926-8E77-6CCBEC9E73E1@jabberwocky.com> On Mar 29, 2009, at 3:37 PM, Chrys M wrote: > Hello, > > I am trying to find out which is the default algorithm that GPG uses > to encrypt my private key with the passphrase provided. > Is there a command that I can use? It's CAST5, unless: a) You don't have CAST5 compiled in b) You run with --rfc24480, --rfc4880 or --openpgp In any of those cases, it's 3DES. (Basically, unless you're doing something fairly unusual, it's CAST5) David From gnupg at holzke.net Wed Apr 1 16:00:48 2009 From: gnupg at holzke.net (Wilfried Holzke) Date: Wed, 01 Apr 2009 16:00:48 +0200 Subject: gpg: AES-128 test encryption failed In-Reply-To: <20090401101543.GC28891@localhost> References: <49D32CD3.8070207@holzke.net> <20090401101543.GC28891@localhost> Message-ID: <49D37390.7030607@holzke.net> Hi, >> If I tried to enrypt something (while sending an email) I get: >> ----------------- >> AES-128 test encryption failed. >> gpg: Ohhhh jeeee: ... this is a bug (seskey.c:60:make_session_key) >> ----------------- >> >> I use gnupg-2.0.11 on Gentoo Linux (AMD Ahtlon 64 X2, Kernel 2.6.28.5). >> >> I don't know how to proceed, any ideas? >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Hi, > > I'm not sure if it is relevant, but you could take a look at > > https://bugzilla.novell.com/show_bug.cgi?id=443693 Thanks, after reading the comments I had a look on bugs.gentoo.org for "libgcrypt" and found a solution. Its an optimisation problem, "gcc -O2 ..." works... "gcc -03 ..." works not. regards W. Holzke From foad0128 at gmail.com Wed Apr 1 15:44:19 2009 From: foad0128 at gmail.com (Nix) Date: Wed, 1 Apr 2009 15:44:19 +0200 Subject: crontab + openbsd Message-ID: Hi I got a problem with a crypt file. When i execute my script no problem everything work, but when i schedule it in a crontab there is a problem with the passphrase "gpg: decryption failed: secret key not available" #!/bin/sh gpgdir=/appli/ for i in `find $gpgdir -name '*.TOTO'`; do echo ma_passphrase| /usr/local/bin/gpg --batch --no-tty --passphrase-fd 0 -o "${i}"_decrypt -d $i done Can you help me please. -------------- next part -------------- An HTML attachment was scrubbed... URL: From foad0128 at gmail.com Wed Apr 1 15:46:50 2009 From: foad0128 at gmail.com (Nix) Date: Wed, 1 Apr 2009 15:46:50 +0200 Subject: crontab + openbsd In-Reply-To: References: Message-ID: Hi I got a problem with a crypt file. When i execute my script no problem everything work, but when i schedule it in a crontab there is a problem with the passphrase "gpg: decryption failed: secret key not available" #!/bin/sh gpgdir=/appli/ for i in `find $gpgdir -name '*.TOTO'`; do echo ma_passphrase| /usr/local/bin/gpg --batch --no-tty --passphrase-fd 0 -o "${i}"_decrypt -d $i done Can you help me please. -------------- next part -------------- An HTML attachment was scrubbed... URL: From John at Mozilla-Enigmail.org Wed Apr 1 21:33:37 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 01 Apr 2009 14:33:37 -0500 Subject: Using GPG exported key In-Reply-To: <1a27245d0904011211s79b6ec23va71036b23906c57d@mail.gmail.com> References: <1a27245d0904011211s79b6ec23va71036b23906c57d@mail.gmail.com> Message-ID: <49D3C191.20809@Mozilla-Enigmail.org> Joao Paulo Fernandes wrote: > Hi everyboby, > > Im exporting my gpg key from my unix server > gpg --armor --output "key.txt" --export myserver > > i import the key.txt in other computer > gpg --import key.txt > > i trust ultimately the myserver key with --edit-key > but i still get the error when i try to encrypt files with the key: > gpg -r myserver --output "test.gpg" -e mytext.txt > > gpg: myserver: skipped: public key not found > gpg: mytext.txt: encryption failed: public key not found > > I saw this is a common error people have but no solution. > Somebody could help me ? gpg --export-secret-keys 0xdecafbad > secret.asc gpg --export 0xdecafbad > public.asc On other machine: gpg --import secret.asc gpg --import public.asc FWIW, the GnuPG keyring files {pubring,secring,trustdb}.gpg are binary compatible. I find it's just as convenient to copy or import entire keyrings. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From reynt0 at cs.albany.edu Thu Apr 2 03:34:40 2009 From: reynt0 at cs.albany.edu (reynt0) Date: Wed, 1 Apr 2009 21:34:40 -0400 (EDT) Subject: crypto conference In-Reply-To: <49D277C7.5030600@ist-schlau.de> References: <49CFC4A0.6040500@ist-schlau.de> <87y6unufft.fsf@wheatstone.g10code.de> <49D277C7.5030600@ist-schlau.de> Message-ID: This might not be the right place to post this, but gnupg-users is the only crypto-related list I follow so I'll mention this here since possibly of interest, and people can repost elsewhere if they feel it appropriate. DIMACS (Center for Discrete Mathematics and Theoretical Computer Science) at Rutgers Univ in New Jersey in USA has many very good workshops, conferences, etc, with excellent signal:noise ratio, held at Rutgers and offsite. Almost all are open to anyone interested, and they--at least the ones held on-campus at Rutgers--are not expensive. On June 3 - 5 2009 there will be held a DIMACS Workshop at nearby Princeton Univ in New Jersey in USA which some subscribers to gnupg-users might be interested to know about. It is titled "Workshop on Complexity and Cryptography: Status of Impagliazzo's Worlds". Ful details are not yet available, but basic url is: http://dimacs.rutgers.edu/Workshops/Cryptography/index.html Following links from that page you can see what else they do at DIMACS, if interested. From foad0128 at gmail.com Thu Apr 2 10:18:31 2009 From: foad0128 at gmail.com (Nix) Date: Thu, 2 Apr 2009 10:18:31 +0200 Subject: crontab + openbsd In-Reply-To: References: Message-ID: Hi I got a problem with a crypt file. When i execute my script no problem everything work, but when i schedule it in a crontab there is a problem with the passphrase "gpg: decryption failed: secret key not available" #!/bin/sh gpgdir=/appli/ for i in `find $gpgdir -name '*.TOTO'`; do echo ma_passphrase| /usr/local/bin/gpg --batch --no-tty --passphrase-fd 0 -o "${i}"_decrypt -d $i done Can you help me please. -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at ruderich.org Thu Apr 2 14:06:43 2009 From: simon at ruderich.org (Simon Ruderich) Date: Thu, 2 Apr 2009 14:06:43 +0200 Subject: crontab + openbsd In-Reply-To: References: Message-ID: <20090402120643.GA5450@ruderich.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 01, 2009 at 03:44:19PM +0200, Nix wrote: > Hi > > I got a problem with a crypt file. > When i execute my script no problem everything work, but when i schedule it > in a crontab there is a problem with the passphrase "gpg: decryption failed: > secret key not available" > > #!/bin/sh > > gpgdir=/appli/ > > for i in `find $gpgdir -name '*.TOTO'`; do > echo ma_passphrase| /usr/local/bin/gpg --batch --no-tty --passphrase-fd 0 -o > "${i}"_decrypt -d $i > done > > Can you help me please. Hi, GnuPG can't find the keyrings, point --homedir to your .gnupg directory (it may differ when running as cronjob). See man gnupg. Hope this helps, Simon PS: Please don't post the same message again after two days, please wait a bit longer. Thanks. - -- + privacy is necessary + using http://gnupg.org + public key id: 0x6115F804EFB33229 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAknUqlMACgkQYRX4BO+zMin8pgCeL7Wu5cmm7WZubgp/TM03jNUs NvcAnREdf6rfL4F8J9jhCp43IO32EkyO =FmQC -----END PGP SIGNATURE----- From jpaulo.melo at gmail.com Thu Apr 2 00:47:38 2009 From: jpaulo.melo at gmail.com (Joao Paulo Fernandes) Date: Wed, 1 Apr 2009 19:47:38 -0300 Subject: Using GPG exported key In-Reply-To: <49D3C191.20809@Mozilla-Enigmail.org> References: <1a27245d0904011211s79b6ec23va71036b23906c57d@mail.gmail.com> <49D3C191.20809@Mozilla-Enigmail.org> Message-ID: <1a27245d0904011547u7bbf3558s1e95dfb1829df368@mail.gmail.com> Thanks, that worked fine. 2009/4/1 John Clizbe > Joao Paulo Fernandes wrote: > > Hi everyboby, > > > > Im exporting my gpg key from my unix server > > gpg --armor --output "key.txt" --export myserver > > > > i import the key.txt in other computer > > gpg --import key.txt > > > > i trust ultimately the myserver key with --edit-key > > but i still get the error when i try to encrypt files with the key: > > gpg -r myserver --output "test.gpg" -e mytext.txt > > > > gpg: myserver: skipped: public key not found > > gpg: mytext.txt: encryption failed: public key not found > > > > I saw this is a common error people have but no solution. > > Somebody could help me ? > > gpg --export-secret-keys 0xdecafbad > secret.asc > gpg --export 0xdecafbad > public.asc > > On other machine: > gpg --import secret.asc > gpg --import public.asc > > FWIW, the GnuPG keyring files {pubring,secring,trustdb}.gpg are binary > compatible. I find it's just as convenient to copy or import entire > keyrings. > > -- > John P. Clizbe Inet:John (a) Mozilla-Enigmail.org > You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or > mailto:pgp-public-keys at gingerbear.net?subject=HELP > > Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" > A:"An odd melody / island voices on the winds / surplus of vowels" > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jtickyp at hotmail.com Thu Apr 2 11:27:27 2009 From: jtickyp at hotmail.com (jeerawan pinturong) Date: Thu, 2 Apr 2009 16:27:27 +0700 Subject: Auto Encrypted with public key from PGP not work Message-ID: Dear sir / Madam I test batch file in my computer (Windows XP) to auto encrypt word document with the public key that create by PGP program but it always show message usage: gpg [options] --encrypt [filename] I used this batch C:\>gpg --output "Encrypted File" --encrypt --recipient User "C:\Test\GPG.doc" However when I used same batch which the key was created from my machine + gpg program. It works Thank you in advance for your help. Best Regards JtickyP ************************************************ Jack Welch: Before you are a leader, Success is all about growing yourself. When you become a leader, Success is all about growing other ************************************************ _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx -------------- next part -------------- An HTML attachment was scrubbed... URL: From robster3323 at yahoo.com Thu Apr 2 19:41:00 2009 From: robster3323 at yahoo.com (Rob Desjarlais) Date: Thu, 2 Apr 2009 10:41:00 -0700 (PDT) Subject: GPG decrypt error ctb=4c Message-ID: <377876.72174.qm@web110408.mail.gq1.yahoo.com> When I decypt a file I am getting the following errors when I decrypt a file. I can't for the life of me figure out why. I am running GPG 1.4.9. The file is encrypted with a standard asymetric encryption, and not ascii armored. gpg: [don't know]: invalid packet (ctb=4c) -------------- next part -------------- An HTML attachment was scrubbed... URL: From faramir.cl at gmail.com Thu Apr 2 21:11:06 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 02 Apr 2009 15:11:06 -0400 Subject: Auto Encrypted with public key from PGP not work In-Reply-To: References: Message-ID: <49D50DCA.2040806@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 jeerawan pinturong escribi?: > Dear sir / Madam > I test batch file in my computer (Windows XP) to > auto encrypt word document with the public key that create by PGP > program but it always show message > *usage: gpg [options] --encrypt [filename]* I don't know much about using batch files, but, did you import the public key from PGP to GPG? You would need to import it and sign it (to make GPG 'trust' that key) before being able to encrypt things to that key... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ1Q3KAAoJEMV4f6PvczxACaQH/A5G+06UTfxeYIYCJAOmoPjX YktTF1y+JXELEy1UgvLnYod8TnLJEHk7Uoa7mm/Pk22knTm12pTz1msWXYp0zxmO LNh3cTAH+TvTT74kYR86jOcQIbkRM+e9vByfVa5i0ptlaB9OiZFw8MfhEwBR7pdg DDXmVEby/BBs7jlqjhD6G3Fd+jblmXMYgUZleWTSZqNXxUY54fMVYsKbksAGZtf7 eLc4yWOnyuc6uxN4lPVsOnmGPkPWgrWaxHpfYsgq29vxkr9YTLicpF6MvzEb6z7o 9aeuK6DtiLIBMZpztc/F5NeksGb7zYxI0WXkZHD/JnF9dI0dE/OlzDBN9+jai9o= =JL/w -----END PGP SIGNATURE----- From wk at gnupg.org Fri Apr 3 10:44:30 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 03 Apr 2009 10:44:30 +0200 Subject: GnuPG with pcsc-lite, scdaemon segfaults In-Reply-To: <49D277C7.5030600@ist-schlau.de> (Simon Ferber's message of "Tue, 31 Mar 2009 22:06:31 +0200") References: <49CFC4A0.6040500@ist-schlau.de> <87y6unufft.fsf@wheatstone.g10code.de> <49D277C7.5030600@ist-schlau.de> Message-ID: <87eiwaf7o1.fsf@wheatstone.g10code.de> On Tue, 31 Mar 2009 22:06, simon at ist-schlau.de said: > warning: core file may not match specified executable file. > Core was generated by `/usr/libexec/gnupg-pcsc-wrapper --verbose 1'. > Program terminated with signal 11, Segmentation fault. Are you sure that pcsc-wrapper loads the correct shared library? Are you onh a mixed 32/64 bit systems and both versions of libpcsclite.so are installed? The error seems to be right at the dlopen which is done pretty early. Check with strace libpcsclite.so gets loaded. If you know the full name of the 64 bit libpcsclite, you may run the wrapper this way: gnupg-pcsc-wrapper --verbose 1 /path/to/libcsclite.so Better? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From simon at ist-schlau.de Fri Apr 3 14:11:59 2009 From: simon at ist-schlau.de (Simon Ferber) Date: Fri, 03 Apr 2009 14:11:59 +0200 Subject: GnuPG with pcsc-lite, scdaemon segfaults In-Reply-To: <87d4budkes.fsf@wheatstone.g10code.de> References: <49CFC4A0.6040500@ist-schlau.de> <87y6unufft.fsf@wheatstone.g10code.de> <49D277C7.5030600@ist-schlau.de> <87eiwaf7o1.fsf@wheatstone.g10code.de> <49D5EDF0.7010407@ist-schlau.de> <87d4budkes.fsf@wheatstone.g10code.de> Message-ID: <49D5FD0F.5060108@ist-schlau.de> I have to say, it segfaults when using the static build of GnuPG. If I > > What do you mean by a static build? No shared libraries? That makes > dlopen a bit questionable. I have never tried to build gnupg2 > statically, at some points we use weak binding semantics and all kind of > problems may happen with a static link. > > What OS are you using? > Right, no shared libs. It's gentoo 2008.0: Linux ray 2.6.28-gentoo-r4 #2 SMP Sun Mar 29 15:51:52 CEST 2009 x86_64 AMD Phenom(tm) 9600 Quad-Core Processor AuthenticAMD GNU/Linux >> use the dynamic linked program, I get no segfault, but the same error >> in the logs _plus_ neither scdaemon nor pcscd can be stoped (kill >> -9). I have to reboot to start the next try. >> > > There is a problem with your OS. > Well, I don't really have an idea, where to look for an OS-problem. It is a fresh install and everything else works fine so far. The most obviously would be to switch to a differnt kernel, wich I already tried with two versions. What else could be the cause? Maybe the gcc version 4.1.2? Simon From rfransix at comcast.net Sat Apr 4 00:44:53 2009 From: rfransix at comcast.net (Richard Francis) Date: Fri, 3 Apr 2009 17:44:53 -0500 Subject: help with libgcrypt 1.4.4 on aix 4.3.2.0 Message-ID: <84C7A1B14A8442CDA55502C504941805@fortgolf58> Hi, I've followed the docs/help/install without any help. 1. the libgpg-error configured, compiled and installed okay on aix 4.3.2.0, as did libassuan, tls, and other libraries 2. the libgcrypt configures with ./configure --disable-asm or CFLAGS="-g -O2 -mcpu=powerpc" ./configure yet, it will not make (using aix' make and gnu's gcc++/gcc) 3. the make always returns errors 4. i don't have or access to an ibm c compiler, so that's out The goal is to compile gnupg. Thanks a lot for you clues. Richard -------------- next part -------------- An HTML attachment was scrubbed... URL: From s0x7c0 at netspace.net.au Sat Apr 4 11:15:15 2009 From: s0x7c0 at netspace.net.au (caleb) Date: Sat, 04 Apr 2009 20:15:15 +1100 Subject: unable to send key to keyserver Message-ID: <49D72523.7090406@netspace.net.au> Hi, I have been reading a book about openPGP and have installed GnuPG. I have successfully created a keypair and have created a revocation certificate. But when I try and send my key to a keyserver with the command: gpg --keyserver subkeys.pgp.net --send-keys myemail at mydomain.com.au i get an error: gpg: "myemail at mydomain.com.au" not a key ID: skipping I dont know why this happens as this is the email address I used when creating the keypair and gpg printed that this address was part of my User ID. I tried another command: gpg --output pubkey.myemail at mydomain.com.au.gpg.asc --armor --export myemail at mydomain.com.au this worked and printed my public key to a text file. I have no idea why it is not accepting my email as part of my user id when I try and send keys to the keyserver. caleb. From shavital at mac.com Sat Apr 4 12:10:33 2009 From: shavital at mac.com (Charly Avital) Date: Sat, 04 Apr 2009 06:10:33 -0400 Subject: unable to send key to keyserver In-Reply-To: <49D72523.7090406@netspace.net.au> References: <49D72523.7090406@netspace.net.au> Message-ID: <49D73219.1090405@mac.com> caleb wrote the following on 4/4/09 5:15 AM: > Hi, > > I have been reading a book about openPGP and have installed GnuPG. I > have successfully created a keypair and have created a revocation > certificate. But when I try and send my key to a keyserver with the command: > > gpg --keyserver subkeys.pgp.net --send-keys myemail at mydomain.com.au > > i get an error: > > gpg: "myemail at mydomain.com.au" not a key ID: skipping >From man gpg: --send-keys key IDs Fingerprints may be used instead of key IDs. Option --keyserver must be used to give the name of this keyserver. Don't send your com- plete keyring to a keyserver --- select only those keys which are new or changed by you. > > I don't know why this happens as this is the email address I used when > creating the keypair and gpg printed that this address was part of my > User ID. I tried another command: This happens because your command line indicated as argument your e-mail address, that is your User ID, instead of the key ID, that is composed by the last eight digits of the key's fingerprint. As indicated above, you can use also the whole fingerprint. > > gpg --output pubkey.myemail at mydomain.com.au.gpg.asc --armor --export > myemail at mydomain.com.au > > this worked and printed my public key to a text file. I have no idea why > it is not accepting my email as part of my user id when I try and send > keys to the keyserver. As indicated above, because when sending to a keyserver, you have to include the Key(s) ID, not your User ID (UID) Best regards, Charly From s0x7c0 at netspace.net.au Sat Apr 4 13:12:06 2009 From: s0x7c0 at netspace.net.au (caleb) Date: Sat, 04 Apr 2009 22:12:06 +1100 Subject: unable to send key to keyserver In-Reply-To: <49D73219.1090405@mac.com> References: <49D72523.7090406@netspace.net.au> <49D73219.1090405@mac.com> Message-ID: <49D74086.3000705@netspace.net.au> Charly Avital wrote: > caleb wrote the following on 4/4/09 5:15 AM: > >> Hi, >> >> I have been reading a book about openPGP and have installed GnuPG. I >> have successfully created a keypair and have created a revocation >> certificate. But when I try and send my key to a keyserver with the command: >> >> gpg --keyserver subkeys.pgp.net --send-keys myemail at mydomain.com.au >> >> i get an error: >> >> gpg: "myemail at mydomain.com.au" not a key ID: skipping >> > > >From man gpg: > > --send-keys key IDs > Fingerprints may be used instead of key IDs. Option --keyserver must > be used to give the name of this keyserver. Don't send your com- > plete keyring to a keyserver --- select only those keys which > are new or changed by you. > >> I don't know why this happens as this is the email address I used when >> creating the keypair and gpg printed that this address was part of my >> User ID. I tried another command: >> > > This happens because your command line indicated as argument your e-mail > address, that is your User ID, instead of the key ID, that is composed > by the last eight digits of the key's fingerprint. > > As indicated above, you can use also the whole fingerprint. > > >> gpg --output pubkey.myemail at mydomain.com.au.gpg.asc --armor --export >> myemail at mydomain.com.au >> >> this worked and printed my public key to a text file. I have no idea why >> it is not accepting my email as part of my user id when I try and send >> keys to the keyserver. >> > > As indicated above, because when sending to a keyserver, you have to > include the Key(s) ID, not your User ID (UID) > > Best regards, > Charly Hi Charly, Thanks for the help, I found the fingerprint and the keyid and successfully sent the key to the keyserver. thanks again caleb. From jmoore3rd at bellsouth.net Sat Apr 4 13:23:35 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat, 04 Apr 2009 07:23:35 -0400 Subject: unable to send key to keyserver In-Reply-To: <49D72523.7090406@netspace.net.au> References: <49D72523.7090406@netspace.net.au> Message-ID: <49D74337.4000807@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 caleb wrote: > gpg --keyserver subkeys.pgp.net --send-keys myemail at mydomain.com.au > this worked and printed my public key to a text file. I have no idea why > it is not accepting my email as part of my user id when I try and send > keys to the keyserver. Try using the Key ID [0xDeadMeat] instead of the Email Address. JOHN ;) Timestamp: Saturday 04 Apr 2009, 07:23 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ10M2AAoJEBCGy9eAtCsPaEgH/3qmKCnFX6ciBfqaOJKu0IyV JCZL/U+z42Oeq2scqLejbRwFHB6FFVUcsg8wmS0VUe5MBKfdlZxTcTynjwpcxt9f pG7harvQU/wZQeE5ObZda9aG6CWmCHSM3Ms0cVcj60nUOtbnpb7mFdJ5UEeqJi73 UPKSb04SNE7nh6ZKRw9KzhEpzrXBC5qdT5B5b+Z3jKdy8SFHED95xIpMoyGcyiSq WbTY5efkUbjp67kCqTdX+kGsUEzmJc0sHCmKMDV/TsSuMKMtzdlD50Vim+07EwqQ Wjwtq+9YYdb68Cq4LGZbm+OhQhqspBF6TGtAsyJLyJXg3eijMmoIKUw5bU5OLfQ= =wBun -----END PGP SIGNATURE----- From shavital at mac.com Sat Apr 4 14:03:22 2009 From: shavital at mac.com (Charly Avital) Date: Sat, 04 Apr 2009 08:03:22 -0400 Subject: unable to send key to keyserver In-Reply-To: <49D74086.3000705@netspace.net.au> References: <49D72523.7090406@netspace.net.au> <49D73219.1090405@mac.com> <49D74086.3000705@netspace.net.au> Message-ID: <49D74C8A.8040001@mac.com> caleb wrote the following on 4/4/09 7:12 AM: [...] > Hi Charly, > > Thanks for the help, I found the fingerprint and the keyid and > successfully sent the key to the keyserver. > > thanks again > caleb. Couldn't find yet on the keyservers, but give it some time, it will show up. By the way, Caleb, please edit your answers, it is not necessary to quote the whole message or the whole thread. No harm done. Take care, Charly From benjamin at py-soft.co.uk Sat Apr 4 15:49:17 2009 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 4 Apr 2009 14:49:17 +0100 Subject: Fwd: MacGPG2 v2.0.11 released! In-Reply-To: <732076a80903290628x320eca9bw195d1d45fac7fd47@mail.gmail.com> References: <732076a80903290628x320eca9bw195d1d45fac7fd47@mail.gmail.com> Message-ID: <732076a80904040649t30742195v59ff506b233d4627@mail.gmail.com> ---------- Forwarded message ---------- From: Benjamin Donnachie Date: 2009/3/29 Subject: MacGPG2 v2.0.11 released! To: macgpg2-users at lists.sourceforge.net MacGPG2 v2.0.11 is now available from http://sourceforge.net/project/showfiles.php?group_id=248469&package_id=303406&release_id=671824 Please use the accompanying signature to verify your download before extracting. A very rare bug has been reported whereby the pinentry package is not properly installed. ?If this occurs on your system please notify me and then download the separate pinentry package from https://sourceforge.net/project/showfiles.php?group_id=248469&package_id=304467 Report any problems to the macgpg2 team - http://macgpg2.sourceforge.net/ Changes to MacGPG2 since previous release: * Universal binary ie single download for Intel and PPC Macs. * Fully internationalised and will now messages correctly if LANG environment variable is set. * start-gpg-agent helper script now installed for all users * Executables now include MacGPG2 in banner to assist debugging. * Core upgraded to GnuPG v2.0.11 and gcrypt 1.4.4 Noteworthy changes in version GnuPG 2.0.11 (2009-03-03) ------------------------------------------------------- ?* Fixed a problem in SCDAEMON which caused unexpected card resets. ?* SCDAEMON is now aware of the Geldkarte. ?* The SCDAEMON option --allow-admin is now used by default. ?* GPGCONF now restarts SCdaemon if necessary. ?* The default cipher algorithm in GPGSM is now again 3DES. ?This is due to interoperability problems with Outlook 2003 which still can't cope with AES. Noteworthy changes in version Libgcrypt 1.4.4 (2009-01-22) ---------------------------------------------------------- ?* Publish GCRY_MODULE_ID_USER and GCRY_MODULE_ID_USER_LAST constants. This functionality has been in Libgcrypt since 1.3.0. ?* MD5 may now be used in non-enforced fips mode. ?* Fixed HMAC for SHA-384 and SHA-512 with keys longer than 64 bytes. ?* In fips mode, RSA keys are now generated using the X9.31 algorithm and DSA keys using the FIPS 186-2 algorithm. ?* The transient-key flag is now also supported for DSA key ? generation. ?DSA domain parameters may be given as well. From faramir.cl at gmail.com Mon Apr 6 21:43:56 2009 From: faramir.cl at gmail.com (Faramir) Date: Mon, 06 Apr 2009 15:43:56 -0400 Subject: [Gpg4win-users-en] gpg4win, pgp-interaction and DSA2 support In-Reply-To: <200904061212.35575.bernhard@intevation.de> References: <200904061212.35575.bernhard@intevation.de> Message-ID: <49DA5B7C.1030206@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Bernhard Reiter escribi?: > Hi Matthias, ... >> After hours on the net I've realised that everything bigger than 1024 >> is DSA2, and this exists in the "real" gpg (with '--enable-dsa2') >> under linux, but not in the windows version? Did you create a gpg.conf file in the home folder for gpg? If you do that, and add that line to enable dsa2, you will be able to work with dsa keys size 1024, 2048 and 3072. Please note I tried it with gpg4win with just gpg 1.4.9 installed (I told the installer to don't install gpgp2). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ2lt8AAoJEMV4f6PvczxAc9gH/1Tj2ef0nOcitQAFJEojDnZC YlDthHWb1m5EGPEV4z+0z4SasuYKAP8SsobPhBbviahhVRO5fy2rSz2TTNcGPnbk DZIvq2l2K38WVuqKeDnaBzQcwAFyyV7lkXHk4UGE+cyOM1DvJ3L9uhP9ruDhnpu3 /jRrQldeMdK71IGUHT4+6GHst7AEHfnQpm8ffpm3BV4O+PIXhvT5Nz6X3uHVq866 IvyXOptQS6Kp27n4SyMx6FL7G1t/LxDFyRq+RbtT7H0K3iWvLvAUmr/f7TaMFj9z AiuvrHBOyEzTZhiRutxubOcF8KLtE/KLY8Lq5iR2sFAkT2UZTwBbi9L7rs318qs= =TuU1 -----END PGP SIGNATURE----- From holtzm at cox.net Tue Apr 7 00:25:40 2009 From: holtzm at cox.net (Robert Holtzman) Date: Mon, 6 Apr 2009 15:25:40 -0700 (MST) Subject: .gnupg/gpg.conf permissions Message-ID: Just tried to d/l a key and was greeted with [holtzm at localhost]~$ sudo gpg --recv --keyserver pgp.mit.edu A373FB480EC4FE05 [sudo] password for holtzm: gpg: WARNING: unsafe ownership on configuration file `/home/holtzm/.gnupg/gpg.conf' gpg: external program calls are disabled due to unsafe options file permissions gpg: keyserver communications error: general error gpg: keyserver receive failed: general error I have downloaded keys from this server before with no problems. The ownership on the file in question is -rw------- 1 holtzm holtzm 9419 2008-10-04 21:58 ./.gnupg/gpg.conf If this is not correct what should I use? Tried making it root and got gpg: WARNING: unsafe enclosing directory ownership on configuration file `/home/holtzm/.gnupg/gpg.conf' gpg: external program calls are disabled due to unsafe options file permissions gpg: keyserver communications error: general error gpg: keyserver receive failed: general error Does "enclosing directory" refer to /home/holtzm? What ownership and permissions should be used? Again, I recently downloaded a key from this server with no problem. I'm at a loss. Thanks -- Bob Holtzman "If you think you're getting free lunch, check the price of the beer" From dshaw at jabberwocky.com Tue Apr 7 01:14:05 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 6 Apr 2009 19:14:05 -0400 Subject: .gnupg/gpg.conf permissions In-Reply-To: References: Message-ID: <5C8AAB3C-E2F9-4EC9-BF22-0F158532C118@jabberwocky.com> On Apr 6, 2009, at 6:25 PM, Robert Holtzman wrote: > Just tried to d/l a key and was greeted with > > [holtzm at localhost]~$ sudo gpg --recv --keyserver pgp.mit.edu > A373FB480EC4FE05 > [sudo] password for holtzm: > gpg: WARNING: unsafe ownership on configuration file `/home/ > holtzm/.gnupg/gpg.conf' > gpg: external program calls are disabled due to unsafe options file > permissions > gpg: keyserver communications error: general error > gpg: keyserver receive failed: general error > > I have downloaded keys from this server before with no problems. The > ownership on the file in question is > -rw------- 1 holtzm holtzm 9419 2008-10-04 21:58 ./.gnupg/gpg.conf Why are you downloading keys as root (i.e. using sudo)? David From holtzm at cox.net Tue Apr 7 03:10:35 2009 From: holtzm at cox.net (Robert Holtzman) Date: Mon, 6 Apr 2009 18:10:35 -0700 (MST) Subject: .gnupg/gpg.conf permissions In-Reply-To: <5C8AAB3C-E2F9-4EC9-BF22-0F158532C118@jabberwocky.com> References: <5C8AAB3C-E2F9-4EC9-BF22-0F158532C118@jabberwocky.com> Message-ID: On Mon, 6 Apr 2009, David Shaw wrote: > On Apr 6, 2009, at 6:25 PM, Robert Holtzman wrote: > >> Just tried to d/l a key and was greeted with >> >> [holtzm at localhost]~$ sudo gpg --recv --keyserver pgp.mit.edu >> A373FB480EC4FE05 >> [sudo] password for holtzm: >> gpg: WARNING: unsafe ownership on configuration file >> `/home/holtzm/.gnupg/gpg.conf' >> gpg: external program calls are disabled due to unsafe options file >> permissions >> gpg: keyserver communications error: general error >> gpg: keyserver receive failed: general error >> >> I have downloaded keys from this server before with no problems. The >> ownership on the file in question is >> -rw------- 1 holtzm holtzm 9419 2008-10-04 21:58 ./.gnupg/gpg.conf > > Why are you downloading keys as root (i.e. using sudo)? It's a bad habit I got into when I started using ubuntu. Running the command from my user account worked. I may have to stick with debian. Thanks for pointing out my problem. -- Bob Holtzman To enjoy life take big bites. Moderation is for monks. Lazarus Long From bmearns at ieee.org Tue Apr 7 16:54:04 2009 From: bmearns at ieee.org (Brian Mearns) Date: Tue, 7 Apr 2009 10:54:04 -0400 Subject: Singing a key with a subkey Message-ID: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> I've exported a crippled version of my private keyset for use at work...I did not include the primary/master key in the export, only a signing subkey and an encryption subkey. Now I've imported them on a different system and want to sign a co-workers key with the subkey, but gpg complains that: gpg: secret key parts are not available gpg: signing failed: general error I'm able to sign files using the subkey (on the same system), so I'm not clear why I wouldn't be able to sign a key with it as well. Is there something I'm missing, is there a way around this, or is there something fundamental about this limitation? I'm using gpg 1.4.9 on Windows XP. Thanks for any help -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://pgp.mit.edu/ From bdmeyer at cio.sc.gov Fri Apr 3 22:17:51 2009 From: bdmeyer at cio.sc.gov (Meyer, Bruce) Date: Fri, 3 Apr 2009 16:17:51 -0400 Subject: Requesting help with Changing expiry date of expired corporate key Message-ID: We have a corporate key pair that expired a few weeks ago. I believe that the proper way to change the expiry date is to follow the instructions on page 18 (--edit-key) and then selecting the appropriate sub key (key 1, key 2) and then entering 'expire' I tested this on my keyring and it works fine. Where I am having a hard time finding documentation is for this: We have a corporate key, that our policy says, all items that are encrypted whether file, emails etc, will ALSO always be encrypted against the corporate key. Since this key doesn't actually belong to a single person, I am wondering how to approach this. Do I use some sort of 'file' option, and point to the keypair, or do I temporarily move my keyring to a safe location, and replace it with one containing the corporate keypair and follow my own instructions above? Thanks for any help. --Bruce D. Meyer -------------- next part -------------- An HTML attachment was scrubbed... URL: From c.whoami at gmail.com Fri Apr 3 17:01:05 2009 From: c.whoami at gmail.com (Chrys M) Date: Fri, 3 Apr 2009 17:01:05 +0200 Subject: default symmetric algorithm used for private key In-Reply-To: <0AC4B673-2D31-4926-8E77-6CCBEC9E73E1@jabberwocky.com> References: <3f58ee9b0903291237y3e9af9cbg2855a0ed0b0e18b9@mail.gmail.com> <0AC4B673-2D31-4926-8E77-6CCBEC9E73E1@jabberwocky.com> Message-ID: <3f58ee9b0904030801s5d2df2dcy29abe2c1573045b7@mail.gmail.com> Thank you very much for your answer! :) Chrys On Wed, Apr 1, 2009 at 2:49 PM, David Shaw wrote: > On Mar 29, 2009, at 3:37 PM, Chrys M wrote: > > Hello, >> >> I am trying to find out which is the default algorithm that GPG uses to >> encrypt my private key with the passphrase provided. >> Is there a command that I can use? >> > > It's CAST5, unless: > > a) You don't have CAST5 compiled in > b) You run with --rfc24480, --rfc4880 or --openpgp > > In any of those cases, it's 3DES. > > (Basically, unless you're doing something fairly unusual, it's CAST5) > > David > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mukta_agarwal at readersdigest.com Mon Apr 6 18:35:11 2009 From: mukta_agarwal at readersdigest.com (mukta_agarwal at readersdigest.com) Date: Mon, 6 Apr 2009 12:35:11 -0400 Subject: GNUPG install help Message-ID: Hello, I want to install GNUPG on my machine, I am not able to locate which one to install. Please help. I use a windows machine. Regards, Mukta -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmoore3rd at bellsouth.net Tue Apr 7 18:37:27 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 07 Apr 2009 12:37:27 -0400 Subject: GNUPG install help In-Reply-To: References: Message-ID: <49DB8147.6060104@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 mukta_agarwal at readersdigest.com wrote: > I want to install GNUPG on my machine, I am not able to locate which one > to install. Please help. I use a windows machine. Without any further information as to what/how You intend to use GnuPG I suggest 1.4.9 available here: http://www.gnupg.org/download/ Go ~ a third of the way down the Screen and look for: ? GnuPG 1.4.9 compiled for Microsoft Windows. B FTP Left click on 'FTP' and choose 'Save' then click on the downloaded File after downloading. HTH JOHN 8-) Timestamp: Tuesday 07 Apr 2009, 12:36 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ24FFAAoJEBCGy9eAtCsPzX0H/2ZYN7OrKAMYGRvtWxcU/nIX 07723MPx5RvvzRITTUjkLWdW0H987jRTPHepGr87ZwfayV4sJkauUbI2GzN3Bx9C Qdk9cY6wZS4xas4NTYJ2jMRqc4rBZza2OGrkgGXGv1dcR9aYMzM7PtgCj2hI8OjO Tn60Xy7XZfWF83Qc1DHrPs6/CPQJZz/nR2yNWIIspwGSrU7GA8iETg2RGhYFcqkx yscPR1Z1ocZ36Nazvg1c08NH503laov2NF2pG/gb7GBMOrGiYiLdxFc0HvAuP8hW 851UfLTpu//oLTPjjULdS0PjspnKy21H4le+ZtQ8pNPxrlSky6FM5ShuJ53xsxA= =hcdc -----END PGP SIGNATURE----- From faramir.cl at gmail.com Tue Apr 7 19:50:46 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 07 Apr 2009 13:50:46 -0400 Subject: GNUPG install help In-Reply-To: References: Message-ID: <49DB9276.90002@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 mukta_agarwal at readersdigest.com escribi?: > > Hello, > > I want to install GNUPG on my machine, I am not able to locate which one > to install. Please help. I use a windows machine. http://www.gnupg.org/download/ Go to Binaries section of the page, and download the file GnuPG 1.4.9 compiled for Microsoft Windows. (click on the FTP link). Probably you will want a GUI to use gpg, I recommend GPGShell. In order to be able to run GPGShell, you will need to manually add the folder of gpg to Windows PATH environment variable... if you don't know how to do it, can tell you. However, that is needed ONLY if you want to use GPGShell or to use gpg from command line in any folder, otherwise that change it's not needed. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ25J2AAoJEMV4f6PvczxA9+gH/jFMDHuzVpTfv+N1cYXqSO+r xxAB7emFBqZnKuTt5v6yubqiiJ7qWXcq6XBHyL3j8LA4/j8k2Cm06zUHCKgFQAjo BN6JcWw8HtzPDSPyzqetKs2Nkaz5K8jdYANu6yp4EXZGqbdeNRQuRp+MVZSsc2vC sZwv8tZc8gRV45cXGtFU+LF+hkuoRIrLNw8M9NeFTVXuEiurctZV8Uzz71s1Q8kS Fn26ugFmMUWsBeUZoL4Oa+laampQrNPe+GrCsEfeckfLBeDTNCBky+gVpdlvloue MJyWv2Fu4nhG7CSxWv8EkHFXK9A++T1nUCqq2shbjpul95/v8/Bk0kZ/UePnW58= =gDju -----END PGP SIGNATURE----- From email at sven-radde.de Tue Apr 7 20:09:55 2009 From: email at sven-radde.de (Sven Radde) Date: Tue, 07 Apr 2009 20:09:55 +0200 Subject: GNUPG install help In-Reply-To: References: Message-ID: <49DB96F3.30306@sven-radde.de> Hi! mukta_agarwal at readersdigest.com schrieb: > I want to install GNUPG on my machine, I am not able to locate which one > to install. Please help. I use a windows machine. I'd suggest to check out www.gpg4win.org and use the most recent non-beta from there. Apart from GnuPG itself (which is "only" a console application), it gives you GUIs/plugins to integrate GnuPG into Windows Explorer and Outlook. If you use Thunderbird as your mail program, you will want to have a look at the "Enigmail" plugin after installing GnuPG. HTH, Sven From protektor.blog at gmail.com Tue Apr 7 20:22:30 2009 From: protektor.blog at gmail.com (Protektor Blog) Date: Tue, 7 Apr 2009 14:22:30 -0400 Subject: GNUPG install help In-Reply-To: References: Message-ID: <5eb331970904071122t2ea68897l577b8a31b6c6fe00@mail.gmail.com> and to make live even easier: http://www.gpg4win.org/ If you need help with it let me know... Cheerz, Tom On Mon, Apr 6, 2009 at 12:35 PM, wrote: > > Hello, > > I want to install GNUPG on my machine, I am not able to locate which one to > install. Please help. I use a windows machine. > > Regards, > Mukta > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmoore3rd at bellsouth.net Tue Apr 7 23:01:41 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 07 Apr 2009 17:01:41 -0400 Subject: GNUPG install help In-Reply-To: <49DB96F3.30306@sven-radde.de> References: <49DB96F3.30306@sven-radde.de> Message-ID: <49DBBF35.4050304@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Sven Radde wrote: > I'd suggest to check out www.gpg4win.org and use the most recent > non-beta from there. And I strongly suggest that You _avoid_ gpg4win and simply install GnuPG 1.4.9 which proves nothing more than 2 folks have strong opinions regarding which package You decide to use. I do know that far less Questions arise once someone downloads/installs the Current GnuPG 1.4.x version from ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe than "We" receive from folks who grab gpg4win since it 'sounds' like the Windows favorite and then they discover it is like far too many 'kitchen sink' M$ Apps. :( You should _only_ need to Answer 2 Questions: This directory OK? & Create Start Menu location? Apply 'YES' to both and You are good2go! You will also probably desire a 'Frontend' for GnuPG and I heartily recommend Enigmail if You use Thunderbird or SeaMonkey. If not I then would like to 'push' You toward GPGshell: http://www.jumaros.de/rsoft/index.html But this is Me and others always 'suggest' differently. :-D JOHN 8-) Timestamp: Tuesday 07 Apr 2009, 17:01 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ278yAAoJEBCGy9eAtCsPMQwH/19wffrU7GNauFxYNesm4iyy lDsvXANaeYmrRZYHqCA9VC4w+HSUAi//NpLDAk2uPoKFz5YJhojUDl5wdW04fES/ GRorwls2tIWXSXhBZYTJBEfnzwHmwbjtfhEDYpIlJBWEWdI+LtZEQNIT08jYOCXp B/HA1L2cCMxzGTgLtJOkOA+afLN8n9O8hOTGPMCrbg7QM7rewJ1qcWLw2lUM/si3 mWhhvTkhY0wJzmV0lKJIMytWQzAyeN620WuzYJjls2MZpMWBvlBNzANJlWXM7RIG Wfo4weAORB/uIco++ffcuD9BA0Jh+L7xEfnypXc8Ro1QFh4S9NXdvh2MGOuHXjg= =f7gc -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Tue Apr 7 23:04:13 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 07 Apr 2009 17:04:13 -0400 Subject: GNUPG install help In-Reply-To: <5eb331970904071122t2ea68897l577b8a31b6c6fe00@mail.gmail.com> References: <5eb331970904071122t2ea68897l577b8a31b6c6fe00@mail.gmail.com> Message-ID: <49DBBFCD.2030203@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Protektor Blog wrote: > and to make live even easier: > http://www.gpg4win.org/ > > If you need help with it let me know... I am silently screaming No, No, No and praying that You will 1st try ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe. But this is just Me and I always push the easier, softer way. :) JOHN 8-) Timestamp: Tuesday 07 Apr 2009, 17:03 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ27/MAAoJEBCGy9eAtCsPOPUH/iYL6wIcWj7Fl8z3SZJxyLgR AXHe2SaxrZZsoF1WMCsknJo++elS6VmcY1ey6QB/9ZsYAGeK02eaeRsdycJ5lzP+ SrpnH82HK3iOkvWuvS4wvdcFRy1tzHzGbBtYtQLZWEhMYCNR/F0Xvn6gdxBgPIOH dZ30E8WXmQSFWQA7bq29eNIlM3684JTFjwK55m+/MYr1epQPWULWdGhnmeVjBk9v PuPLQHkSsEtgmlh4MmzPpYoaLX70VT5U5IbLcwu0IzJniCZhR5BPVa2T+gTL0Hhi J1JxkLdvZ6hLEYVa0RPuZZlCW5BdrMTuxDKzIkslaMb+6oHqF8s1M0RoK09q82w= =JHU3 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Apr 8 05:02:31 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 7 Apr 2009 23:02:31 -0400 Subject: Singing a key with a subkey In-Reply-To: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> Message-ID: <83E61BF6-4B27-4930-9122-78D8614E2B80@jabberwocky.com> On Apr 7, 2009, at 10:54 AM, Brian Mearns wrote: > I've exported a crippled version of my private keyset for use at > work...I did not include the primary/master key in the export, only a > signing subkey and an encryption subkey. Now I've imported them on a > different system and want to sign a co-workers key with the subkey, > but gpg complains that: > > gpg: secret key parts are not available > gpg: signing failed: general error > > I'm able to sign files using the subkey (on the same system), so I'm > not clear why I wouldn't be able to sign a key with it as well. Is > there something I'm missing, is there a way around this, or is there > something fundamental about this limitation? Fundamental. The OpenPGP web of trust is built from signatures from primary keys. Signing a key with a subkey (which can belong to more than one primary) does not make sense in this context. David From faramir.cl at gmail.com Wed Apr 8 06:45:19 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 08 Apr 2009 00:45:19 -0400 Subject: Singing a key with a subkey In-Reply-To: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> Message-ID: <49DC2BDF.3020804@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Brian Mearns escribi?: > I've exported a crippled version of my private keyset for use at > work...I did not include the primary/master key in the export, only a > signing subkey and an encryption subkey. Now I've imported them on a > different system and want to sign a co-workers key with the subkey, > but gpg complains that: ... > I'm able to sign files using the subkey (on the same system), so I'm > not clear why I wouldn't be able to sign a key with it as well. Is > there something I'm missing, is there a way around this, or is there > something fundamental about this limitation? Because signing another key is known as "certification" and the subkeys don't have that capabily. It is one of the reasons to keep the primary key safely at home, because with it, somebody can sign keys as if you had signed them... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ3CveAAoJEMV4f6PvczxAhXoH/R3K7IytW9YZzPCQII5MXWtV n6ZWyg4nfXGwqW8x9ADYA0MsxgtNVLicqLXci+MrgkClGD+Ji27E+r/9kPkStV5u tNfzNLkkORSch6tWcpinZeTzOmj6eaVsGBUdK/tq7cdvJp6Mw2IgYKVpuL6fBQr+ GhFAHfQlukw3BSTpZkOd/CWrzMJcOJuuIm1FzU317lzpSnEipSTTg/igd37N/8vH laogkMxKtR5Mo5O7vfuBnXURCKWb5VhoREJZV+uN0X8QiZwDlLWA0+SpGqnYzkC5 ooaMT1E0djCZII/KKeNPdYOGpXOp2ZI1AqeKrdy3fAMEsqT/dledk9dHGXjH5jU= =sXSi -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Wed Apr 8 08:54:57 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 08 Apr 2009 02:54:57 -0400 Subject: Singing a key with a subkey In-Reply-To: <49DC2BDF.3020804@gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> <49DC2BDF.3020804@gmail.com> Message-ID: <49DC4A41.3040506@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Faramir wrote: > Because signing another key is known as "certification" and the > subkeys don't have that capabily. It is one of the reasons to keep the > primary key safely at home, because with it, somebody can sign keys as > if you had signed them... At the risk of exposing Myself to ridicule; whether or not One chooses to utilize a Signing-subkey or not; during construction of /any/ Key the choice is made available to assign attributes to said Key. {Sign, Certification, etc.] therefore, without knowing which Key it is difficult to fully diagnose the issue in Question. Could You possibly provide the Key ID? [0xWTFxxxxx] This will allow other folks a chance to examine possible causes. [this assumes the Key is retrievable via ID from Key Servers] If the Key is unavailable from Keyservers, could You kindly provide the Key Block for Import/Examination? HTH JOHN 8-) Timestamp: Wednesday 08 Apr 2009, 02:54 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ3Eo+AAoJEBCGy9eAtCsPbuUH/1n+H61Eju3wguAPHZGK/Za7 5GLKhcZXjni8yIi87GkaCQx8QEo9Qqtvk0vvzJG0uZnaenewX6CIGLgA/CVTPlxm bGxmge2hZMKltohsgL+VPbWD/2uuJw6Apl02Y7aR5tiWsP2K7rav6zvLIIc7BvwP M/we1aoMyXDXm/VwOPOChwodhenYwqIHXxJppOG+vG7w7mKNR4/gajH81Wo/1RrV evlCLCW+SFDJxPCr1TD6tlMidwOFQS/5PgDhfF0sTbFB0KliUbTk4f/djbXQ6id4 n3fBfLfiFOZBMASOKamHeHecJWk3k472ELVfW3RDe9yaXLYRpLq31yGOe4oV3LQ= =XuRP -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Wed Apr 8 08:59:17 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 08 Apr 2009 02:59:17 -0400 Subject: Singing a key with a subkey In-Reply-To: <49DC2BDF.3020804@gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> <49DC2BDF.3020804@gmail.com> Message-ID: <49DC4B45.4030600@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Faramir wrote: > Brian Mearns escribi??: >> I've exported a crippled version of my private keyset for use at >> work...I did not include the primary/master key in the export Closer reading of the above begs the Question; define 'crippled' and is it possible that without the Master/Base Key presence on the 'other' system is this affecting anything? i.e. More Info needed on My end. :-\ JOHN ;) Timestamp: Wednesday 08 Apr 2009, 02:59 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ3EtEAAoJEBCGy9eAtCsP7lAH/R6+I+LhN5o+q1zyCOekc5j1 YvsuCl/fccL7+5szSMkJEYjiRPyrrqPVbD0kgfzp2m0DqQzqwDDuescCaZlnCDrR xkcqKRzRfUN0A6wFpgl2l0hIXcphJNMKnUJur2xSRwdEbc+lG98XA7toe3iZ+j16 K3dhug0Ip7t44x6wnyMwAuN4YUAOe/hXZ0Qu3k8OaOPB08esA9CQtT2iavEK5X2T ZJ6Mt1bVc28Xah/eVZQw8eyIJRo6UmzOLXUPNndjlP/q92e4py2NyWm4wy/VJnWa c9pcT5bi3qn2Lvqrsx6I3ooqxvpE6auQT/Z+ngUlsET8T9pczFXolLPN4rVzLK0= =OkMD -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Apr 8 09:38:36 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 08 Apr 2009 03:38:36 -0400 Subject: Singing a key with a subkey In-Reply-To: <49DC4B45.4030600@bellsouth.net> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> <49DC2BDF.3020804@gmail.com> <49DC4B45.4030600@bellsouth.net> Message-ID: <49DC547C.3040103@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 John W. Moore III escribi?: > Faramir wrote: >> Brian Mearns escribi??: >>> I've exported a crippled version of my private keyset for use at >>> work...I did not include the primary/master key in the export > > Closer reading of the above begs the Question; define 'crippled' and is > it possible that without the Master/Base Key presence on the 'other' > system is this affecting anything? i.e. More Info needed on My end. :-\ Probably he followed that tutorial about protecting the primary key by using only the subkeys on daily basis... First you create a primary key with encryting subkey, then add a signing subkey, and export the subkeys and bring them to the less secure environment... (aka his workplace). My advice is to just take the key he wants to sign to home, and bring it signed the next day... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ3FR8AAoJEMV4f6PvczxARXoH/39Rnm1UnYAtFmyvV2sRP6Jy M+8T9+tlqsmCGQ5sq30Zbw6WA8aYohjlXnUDTciw9/60mUWN3y5eepw4Kfqgh2Q9 z0wmf9plRJ3rLTbnDjA+W4aow2AB3jVRkvIe+Gr2SpIb7EBrqTFVnjQ9JiffUz2P e9pinYQH2h+P+z77XyZy+huZMNpmOuUQ1eSZAMyAyshfObhRF/YekQXbQ94rtXpm qWj9pq+gVNy88iFTMGYv1cbjhkD3xTb+GDYue1ndic8s2vVkC9uWZyLeANfoA2m0 fjZYK3bJ24rojpKUSHM7SX244AbcYRgKOhh5Ro4PDLIhpf37RuJFUdLXAtiY1ZM= =lKtQ -----END PGP SIGNATURE----- From er.rahulkausik at gmail.com Wed Apr 8 11:36:14 2009 From: er.rahulkausik at gmail.com (rahul kaushik) Date: Wed, 8 Apr 2009 02:36:14 -0700 (PDT) Subject: Help Solicited to implement a new pgp key server Message-ID: <22946814.post@talk.nabble.com> I have been asked to support PGP for a application. the most likely scenario would be to implement a key server that would allow customers to manage their keys. This will of course come with some complications, in terms of interface, provisioning and management. Could anybody please help me out in knowing how can i write a server using unix c/C++. If there is any document available on internet which can be helpful. It would be great if you could please let me know. Thanks in advance -- View this message in context: http://www.nabble.com/Help-Solicited-to-implement-a-new-pgp-key-server-tp22946814p22946814.html Sent from the GnuPG - User mailing list archive at Nabble.com. From dshaw at jabberwocky.com Wed Apr 8 14:41:17 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 8 Apr 2009 08:41:17 -0400 Subject: Help Solicited to implement a new pgp key server In-Reply-To: <22946814.post@talk.nabble.com> References: <22946814.post@talk.nabble.com> Message-ID: <48ED0A9B-09F3-4CE8-B00B-456ECE727D9E@jabberwocky.com> On Apr 8, 2009, at 5:36 AM, rahul kaushik wrote: > > I have been asked to support PGP for a application. the most likely > scenario would be to implement a key server that would allow > customers to > manage their keys. This will of course come with some complications, > in > terms of interface, provisioning and management. > > Could anybody please help me out in knowing how can i write a server > using > unix c/C++. > > If there is any document available on internet which can be helpful. > It > would be great if you could > please let me know. My advice is to not reinvent the wheel unless you need something substantially different from the two standard keyservers on the net: 1) SKS: http://www.nongnu.org/sks/ Main pro: Syncing with other keyservers Main con: Client cannot manage keys beyond adding to them (i.e. no deletes or replacements - you can only add new signatures/subkeys). 2) LDAP: (any LDAP server you have handy) Main pro: Allows client to completely manage keys (i.e. deletes, replacements work) Main con: No syncing with other keyservers David From roam at ringlet.net Wed Apr 8 15:10:35 2009 From: roam at ringlet.net (Peter Pentchev) Date: Wed, 8 Apr 2009 16:10:35 +0300 Subject: Help Solicited to implement a new pgp key server In-Reply-To: <22946814.post@talk.nabble.com> References: <22946814.post@talk.nabble.com> Message-ID: <20090408131035.GB877@straylight.m.ringlet.net> On Wed, Apr 08, 2009 at 02:36:14AM -0700, rahul kaushik wrote: > > I have been asked to support PGP for a application. the most likely > scenario would be to implement a key server that would allow customers to > manage their keys. This will of course come with some complications, in > terms of interface, provisioning and management. > > Could anybody please help me out in knowing how can i write a server using > unix c/C++. > > If there is any document available on internet which can be helpful. It > would be great if you could > please let me know. Is there a reason why you can't use any of the existing keyserver software? Avoided: http://www.mit.edu/people/marc/pks/ Preferred: http://minskyprimus.net/sks/ If you need it in C/C++ for better integration with your application, that's another thing. Still, even in that case, you might want to take a look at the SKS source to see how things are done. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I had to translate this sentence into English because I could not read the original Sanskrit. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From faramir.cl at gmail.com Wed Apr 8 20:06:26 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 08 Apr 2009 14:06:26 -0400 Subject: Singing a key with a subkey In-Reply-To: <4df3a1330904080406p39909d32g9fd7e702a5e1228b@mail.gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> <49DC2BDF.3020804@gmail.com> <49DC4B45.4030600@bellsouth.net> <49DC547C.3040103@gmail.com> <4df3a1330904080406p39909d32g9fd7e702a5e1228b@mail.gmail.com> Message-ID: <49DCE7A2.20203@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Brian Mearns escribi?: ... > As a possible "work around", is there any way I can keep my private > key on a flash drive, for instance, and just point GPG to it when I > want to sign something with it, without having to actually import it > into the keyring? I'm probably not going to do this anyway, because I > don't have a good record with flash drives, but I'm just curious if > it's even possible. Yes, I do that by making a change to gpg.conf file, each time I need to sign another key... well, GPGShell does it for me (I can chose between 2 saved config files), let me check what would be the line to add to gpg.conf file. Please note probably it is possible to do this without changing the gpg.conf file, by using gpg from CMD prompt instead of using a GUI, but I am not sure how to do that... The line it adds to the config file is: secret-keyring p:\gpgfolder\secring.gpg no-default-keyring where p is the letter assigned to the pendrive, and gpgfolder is the folder where your secret ring is. I am not sure why I need the no-default-keyring line, but I tried without that line and things didn't work so fine... Best Regards P.S: if you are going to carry your whole private key in a pendrive, make very sure it is protected with a good passphrase... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ3OeiAAoJEMV4f6PvczxA7HAH/0zu7O+AvrH+WOOkzBcGdVmf R9q9kAMfbG74AFLoYwK2yIF729hvdT01cPm7w2xrV0czjQcyT/4s4Fcy0o1w1IMH LycSsrM+hmb4BRY/9D1KKjDDE5X+MknbSfmhQJZGrrwzQKU5G8PyTI+NfYQ3aAO0 JryHEwKc4hJVvgFRN3KFdddDjsQhYTgUnU1jApSXP9PyHYUJIDFaEgKAkeSziPqT paH4MUO54tyObHQA4TqOzwj6K0NMjOUOlIm/sfdqDh/AWpK2Z9vxJsulOf4PUF6d 3is1tsez8PK2ALo1x5X+U5ZAn9GixfDemBHogYnjVghsFufi2kSu3JYpBkUuhls= =ve9c -----END PGP SIGNATURE----- From bmearns at ieee.org Wed Apr 8 20:21:54 2009 From: bmearns at ieee.org (Brian Mearns) Date: Wed, 8 Apr 2009 14:21:54 -0400 Subject: Etiquette for other people's signatures in responses Message-ID: <4df3a1330904081121x3d403d20g16b485aa6e6a63d8@mail.gmail.com> Hey, I'm relatively new to PGP and I just wanted to get some feedback on the proper etiquette for quoting signed messages in responses. Clearly, it's inappropriate to edit a person's response if they're signed it, but is it considered rude to remove their signature from the message in the response? For instance, if I did just want to include part of their message in the response, could I clip that part out and delete the signature? Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://pgp.mit.edu/ From faramir.cl at gmail.com Wed Apr 8 21:01:33 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 08 Apr 2009 15:01:33 -0400 Subject: Singing a key with a subkey In-Reply-To: <4df3a1330904081118n34579a44k8204add46240e8d2@mail.gmail.com> References: <4df3a1330904070754v224a5ceu1c71d90544bb6c40@mail.gmail.com> <49DC2BDF.3020804@gmail.com> <49DC4B45.4030600@bellsouth.net> <49DC547C.3040103@gmail.com> <4df3a1330904080406p39909d32g9fd7e702a5e1228b@mail.gmail.com> <49DCE7A2.20203@gmail.com> <4df3a1330904081118n34579a44k8204add46240e8d2@mail.gmail.com> Message-ID: <49DCF48D.8050202@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Brian Mearns escribi?: ... > secret-keyring p:\gpgfolder\secring.gpg > no-default-keyring > > where p is the letter assigned to the pendrive, and gpgfolder is the > folder where your secret ring is. I am not sure why I need the > no-default-keyring line, but I tried without that line and things didn't > work so fine... ... > Thanks for the follow up, and the advice. Is the > p:\gpgfolder\secring.gpg file just your secret key (e.g., > --export-secret-key)? In my case, it is a secret ring containing all my secret keys... I have many keys (maybe more than I should have). But you can export your key, backup your secring.gpg file (maybe by adding a .bak extension to it) and then import the secret key, a new secring.gpg will be created, and you can use it in the pendrive. Don't forget to restore your original secring... By the way, it would be a good idea to make a backup of your pubring.gpg and trustdb.gpg too, since removing the private keys can mess the trust calculated... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ3PSNAAoJEMV4f6PvczxA9+MH/0VFIY2chzsTpmHymBsBkThJ jNLzhysiMxTeJgyitXFTpnGB2yJHVVr5aRe3VA5Yla8CnXBwEvYMxLVAqQV7xcyz LGiAMPFdBsDrRCUjyE6FN9iSmi8b9ugP2PuIeWt1xvD7AgOIs5chAc4r7WBF0NhO aSeTqahByMrftL68w6RKbwtGotWnDi1xYQ+wRf/BSVx5umuM4Hmih5WLElcXfPEz 0ZuJaBCGY5JeXDqlR3R5GebirF1DfKdrXbhN9FwedBEwmVmCWDI23mRVkxYbpt4g +UvECLufyvYhfeFvmb6lYcbSYNWwAnnp/tQTc/9GRpgmrQaxx/lGm37P0iIkwuk= =nZ4Z -----END PGP SIGNATURE----- From JPClizbe at tx.rr.com Wed Apr 8 21:14:44 2009 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 08 Apr 2009 14:14:44 -0500 Subject: Etiquette for other people's signatures in responses In-Reply-To: <4df3a1330904081121x3d403d20g16b485aa6e6a63d8@mail.gmail.com> References: <4df3a1330904081121x3d403d20g16b485aa6e6a63d8@mail.gmail.com> Message-ID: <49DCF7A4.8090206@tx.rr.com> Brian Mearns wrote: > Hey, I'm relatively new to PGP and I just wanted to get some feedback > on the proper etiquette for quoting signed messages in responses. > Clearly, it's inappropriate to edit a person's response if they're > signed it, but is it considered rude to remove their signature from > the message in the response? For instance, if I did just want to > include part of their message in the response, could I clip that part > out and delete the signature? Edit away. The signature only applies to the original message. Usually replying will break the signature. If not, the the custom on interleaved responses certainly will. It is not rude to remove the original signature. I think it's preferred. Most MUAs remove both the Usenet sig ('-- ') as well as the OpenPGP sig, though some webmail apps are broken in this respect. But those broken ones tend not to handle quoting very well either. The original message context may usually be found unless one is using a webmail app with broken threading. > Feel free to contact me using PGP Encryption: > Key Id: 0x3AA70848 > Available from: http://pgp.mit.edu/ That's a very old and unmaintained server. Please use and direct others to a modern keyserver. Round-robin DNS pools such as keys.gnupg.net, pool.sks-keyservers, and subkeys.pgp.net are useful. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Wed Apr 8 21:26:00 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 08 Apr 2009 15:26:00 -0400 Subject: Etiquette for other people's signatures in responses In-Reply-To: <4df3a1330904081121x3d403d20g16b485aa6e6a63d8@mail.gmail.com> References: <4df3a1330904081121x3d403d20g16b485aa6e6a63d8@mail.gmail.com> Message-ID: <49DCFA48.20201@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Brian Mearns escribi?: > Hey, I'm relatively new to PGP and I just wanted to get some feedback > on the proper etiquette for quoting signed messages in responses. I just remove the parts unneeded, and just like in this message. If I have to insert replies between different text portions, I add 3 dots (...) where there was text that was deleted, in order to don't put the original message out of context (I mean, at least people would know the original message had more text on it, and that trimming it could change the context). And if the email client didn't removed the signature, I remove it manually, since it can cause problems to my own signature, or be interpreted as a bad signature... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ3PpIAAoJEMV4f6PvczxAdcwH/0ZxqwbxWjJB6VXWKDWKXuDB t8oEX2woZbVCkSLhB7mmRkZbud1IKFCgqRsvUSbgvG4sTfroVDVz8drahmzPaJBG 9A+udA43d7ItTBNmRDri2i9i7BFiAqq/xafIhRkZgp2sehaBwRFXqMP1I2bwmLzp FTW9yCZX++iOIyHtdjfQMT4jCQ5g3H2Q60DjugIvtQaUubvV+elfERixJRj6MvaF sZ74mdOglhKTnvwy1GqOw0itGBbCzJkqhASfRRfWUOXVOIm4eOzu8z4FUXvEuRmb yhurrquhMUuWxWIVjk9877gsGZQxypOdBLZOPvGPcy8ymSkn4kTEqRD2eNWLKnw= =GPUu -----END PGP SIGNATURE----- From tuskentower at gmail.com Wed Apr 8 23:21:28 2009 From: tuskentower at gmail.com (TuskenTower) Date: Wed, 8 Apr 2009 17:21:28 -0400 Subject: EGD vs /dev/*random as a source of entropy Message-ID: <741eae780904081421p101d9792pd2ab66dca6a9a78a@mail.gmail.com> We have a bit of a quandary on our Debian 5 (aka Lenny) test servers. We run an automated test system that frequently bogs down with "Not enough random bytes available" when a test generates a key to test some encryption feature. Since each test is meant to run in a standalone fashion, we end up generating keys a lot. When I "cat /proc/sys/kernel/random/entropy_avail", it consistently shows a small amount of entropy.? Does anyone know if EGD will help on what is essentially a test server on which people don't do much interactive work? thanks, Amul From kaustubh.gadkari at gmail.com Fri Apr 10 20:00:20 2009 From: kaustubh.gadkari at gmail.com (Kaustubh Gadkari) Date: Fri, 10 Apr 2009 12:00:20 -0600 Subject: libgpgme error Message-ID: Hi, I've got an error with libgpgme that I haven't been able to figure out. I wrote a simple program to check if libgpgme works, and I get an error on line 136 of my code (attached to the email); the error code returned is 2. My platform is Ubuntu 6.06 LTS i686, with libgpgme v1.1.8 and libgpgerror v1.7. libgpgme is in /usr/local/lib and that path is in LD_LIBRARY_PATH. The program was compiled as follows: g++ -L/usr/local/lib -I/usr/local/include simple-signer.cc -lgpgme-pthread -lgpg-error -o simple-signer Can anyone point me to figuring out what's wrong? -- Kaustubh Gadkari kaustubh [dot] gadkari [at] gmail [dot] com -------------- next part -------------- A non-text attachment was scrubbed... Name: simple-signer.cc Type: text/x-c++src Size: 5419 bytes Desc: not available URL: From m_d_berger_1900 at yahoo.com Sat Apr 11 16:57:45 2009 From: m_d_berger_1900 at yahoo.com (Mike -- EMAIL IGNORED) Date: Sat, 11 Apr 2009 14:57:45 +0000 (UTC) Subject: Files to Backup Message-ID: To protect all my gpg keys against disk failure, what files or directories should I back up? Thanks, Mike. From jmoore3rd at bellsouth.net Sat Apr 11 17:46:53 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat, 11 Apr 2009 11:46:53 -0400 Subject: Files to Backup In-Reply-To: References: Message-ID: <49E0BB6D.6080506@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Mike -- EMAIL IGNORED wrote: > To protect all my gpg keys against disk failure, > what files or directories should I back up? secring.gpg, pubring.gpg & trustdb.gpg These 3 Files _are_ Your Keyring with Trust Settings. Remember to back them up fairly regularly as auto-key retrieval will cause the Keyring to change regularly. JOHN ;) Timestamp: Saturday 11 Apr 2009, 11:46 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ4LtpAAoJEBCGy9eAtCsPphwH/0Y1C1Lb8DGa969fY75at05r d7WyqS/3Av9KnYIFTKCFscABOfFiLjcYA/e4cm1iI8jVLur15uqYtDIhnD52Tu/m h8Ya01Ro4ZclQfWUAZ1LnCb6oiMSLgoMO7Ytj+cPDiROJfYZ8fAb0snzBdUYNT4N +ms4bk/FXxhE/dBxvlGvekOMWBai9mZOtL+LKiW5/F7hhQc1YuoQ3JTMMNaiYnA2 q06H8HJDykWs+yRrVUXAtWar1okeW2NMVjQHrHO5lbHAj6eltlBcSnm+IBgYJvmX kYz4yrYsk9kK61X5rLq68XyU2TuhytAINi5RnlntG/rBIeKidkJz/tsdslbT7iw= =Wywm -----END PGP SIGNATURE----- From m_d_berger_1900 at yahoo.com Sat Apr 11 19:58:21 2009 From: m_d_berger_1900 at yahoo.com (Mike -- EMAIL IGNORED) Date: Sat, 11 Apr 2009 17:58:21 +0000 (UTC) Subject: Files to Backup References: <49E0BB6D.6080506@bellsouth.net> Message-ID: On Sat, 11 Apr 2009 11:46:53 -0400, John W. Moore III wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Mike -- EMAIL IGNORED wrote: >> To protect all my gpg keys against disk failure, what files or >> directories should I back up? > > secring.gpg, pubring.gpg & trustdb.gpg > > These 3 Files _are_ Your Keyring with Trust Settings. Remember to back > them up fairly regularly as auto-key retrieval will cause the Keyring to > change regularly. > > JOHN ;) [...] Thanks for this. This auto-key retrieval sounds like something I would like to disable. Is there a way to do that? Thanks, Mike. From John at Mozilla-Enigmail.org Sat Apr 11 20:37:40 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sat, 11 Apr 2009 13:37:40 -0500 Subject: Files to Backup In-Reply-To: References: <49E0BB6D.6080506@bellsouth.net> Message-ID: <49E0E374.1040707@Mozilla-Enigmail.org> Mike -- EMAIL IGNORED wrote: > > Thanks for this. This auto-key retrieval sounds like something > I would like to disable. Is there a way to do that? Not turning it on would seem like an obvious solution. It's not on by default. It allows GnuPG to automatically search and fetch keys needed to verify a signature. If you prefer to do that manually, fine. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Sat Apr 11 20:40:50 2009 From: faramir.cl at gmail.com (Faramir) Date: Sat, 11 Apr 2009 14:40:50 -0400 Subject: Files to Backup In-Reply-To: References: Message-ID: <49E0E432.9040307@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mike -- EMAIL IGNORED escribi?: > To protect all my gpg keys against disk failure, > what files or directories should I back up? secring.gpg, pubring.gpg, trustdb.gpg and gpg.conf (if the last one exists). The most important ones are secring.gpg and pubring.gpg, trustdb.gpg is important, but not critical, and gpg.conf (if exists) is very convenient. If you don't know where to locate them, open a CMD prompt window, and run the command gpg --version, and you will get, among other info, the location of the Home folder where gpg stores the files. I'd backup the whole folder. If you use windows, I'd recommend Comodo Backup, it's free, and allows you to automate your backups. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ4OQxAAoJEMV4f6PvczxAAHcIAIGoSDFiMDtMC3nDrQsUoAoy OqqJo2yXIICwAR457bh8n69I2lg8tFxbrinGXGgaDDTfGdlIFwyMbNYttXgbvhn0 Lc3a/drS34VXNN9X2+8zkNVFZsaYK23TAS7QdX/989YI3eH+tMh5dy6Y7TNqACkm ga1zUmNVmNidUOLABfSB1X6qYpE0ofzBBWIzsJGYiCG56blEVrIvjUXf+IHIljL5 iSDf0KMn4vfSLDntGtkoVcbPQdy5i6/kzyJvJKTjchnxgYwc7EmdFSKJGIwz98Ga xZjjLyqdb9WXHSNS6KmjLROJymPOE58aIzoCr03AKmPrDLQXlw+JMo4YKOxFIcU= =Aa/x -----END PGP SIGNATURE----- From faramir.cl at gmail.com Sat Apr 11 21:07:15 2009 From: faramir.cl at gmail.com (Faramir) Date: Sat, 11 Apr 2009 15:07:15 -0400 Subject: Files to Backup In-Reply-To: References: <49E0BB6D.6080506@bellsouth.net> Message-ID: <49E0EA63.4020804@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mike -- EMAIL IGNORED escribi?: > On Sat, 11 Apr 2009 11:46:53 -0400, John W. Moore III wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Mike -- EMAIL IGNORED wrote: >>> To protect all my gpg keys against disk failure, what files or >>> directories should I back up? >> secring.gpg, pubring.gpg & trustdb.gpg Also, provided your public keys have been uploaded to keyservers, you can use Paperkey program to make printed backups of the most important thing: your secret keys. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ4OpjAAoJEMV4f6PvczxAai0IAKXtC3aRWIPw9dbx7z2Bni33 b6B3n6Rer0EI7LzB5NMfeQ0Sc5aMNS/oKRegfZbedQs4iOaBGCMdV6o/oSjHiRM/ NNbZGbAkfzvX/K8IbNdKd7UEsC4wmyONZY3AaExENcHDucu37uJ57CQFSQX39MGR pyZg6/7TWiGOHRWjo19AxUSMwDE4lm0oVSlxG4D4sjMciHECFmuR0CBI/tlQ1A71 LICvXjaJx2yumoM2ZAYS560jCXBInR3rsQY6oShY5DuVl5ofleWmie1CoQ5Yhado 1TfoujYFKJMD9/JrLW5PFvv+G3KueF30fTxGPGFdine7gzcDpLPRp6T/DC/H33E= =Xzpr -----END PGP SIGNATURE----- From nik at naturalnet.de Sun Apr 12 12:09:38 2009 From: nik at naturalnet.de (Dominik George) Date: Sun, 12 Apr 2009 12:09:38 +0200 Subject: Keyserver doesn't honour signature removal Message-ID: <49E1BDE2.1070003@naturalnet.de> == I think my last post went wild because the subscription process wasn't completed yet ... Hi list, due to dome issues, I have pretty many signatures on my key that I don't want (or need) anymore. I can remove them locally, but when sending the key to the keyserver afterwards, the changes are just ignored. Is it even possible to remove signatures from a key and distribute this change? Or am I doing something wrong? Regards, Nik -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From jmoore3rd at bellsouth.net Sun Apr 12 14:01:22 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sun, 12 Apr 2009 08:01:22 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E1BDE2.1070003@naturalnet.de> References: <49E1BDE2.1070003@naturalnet.de> Message-ID: <49E1D812.40400@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dominik George wrote: > Is it even possible to remove signatures from a key and distribute this > change? Or am I doing something wrong? What lands on the Keyservers stays on the Keyservers, forever. :( This is due to the sharing/gossip nature of most Keyservers. There are 2 Keyservers I am aware of which do not share/gossip; Big Lumber & PGP Global Directory. Of these 2 _only_ BL prevents anyone but the Key/Account Owner from 'changing' the listed Key. Listing Your Key at www.biglumber.com will allow You to display Your Key exactly as You desire it to appear and folks may be directed to retrieve it from there via a Comment line or a signature tagline. I am not aware of the ability to specify the Big Lumber listing in a 'Preferred Keyserver' flag. IMO, the benefits of having One's Key available via auto-retrieval outweighs the hassle of undesired Signatures and the 'baggage' of old/revoked UID's. YMMV JOHN ;) Timestamp: Sunday 12 Apr 2009, 08:00 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ4dgNAAoJEBCGy9eAtCsPzH4H/3Xnt6nJw60DBZB0TU2L85s5 dBP5mjLYaUzLL0CXj4dtoWgHdfUcJRTuGyeQKNHuXEnjA9ksMjGGwozSLEk1cZTd +zxzLEK8RYEB6M0Fk8h4RrDpXTIDHLZen33JDfVIfDeWNTbHXcwaS6YAHSb7YACR /nAwYPyYryYoaTuuBz0zB+SZHpu3N71tnGciIzbBh5CvlutHOwxTQcv55Yg3daDa Yf/OCnzSWjN8H6VFBMKtRIBsBt89uzBe2V3RjKH1kh/CSkba3tVB0JBwoXc32eo3 VHeqPLoijghAz9PBXX36dJ9JKmsILKJzQ7aILAtePagFwE8k2uauG48/YRFQnYA= =KhC/ -----END PGP SIGNATURE----- From nik at naturalnet.de Sun Apr 12 14:35:34 2009 From: nik at naturalnet.de (Dominik George) Date: Sun, 12 Apr 2009 14:35:34 +0200 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E1D812.40400@bellsouth.net> References: <49E1BDE2.1070003@naturalnet.de> <49E1D812.40400@bellsouth.net> Message-ID: <49E1E016.8030701@naturalnet.de> Hi John, that is, I can add anything I want to my key, but never remove it? Not even signatures? I understand that I cannot remove keys, but I think any changes that require my secret key would be ok :( ... -nik John W. Moore III schrieb: > Dominik George wrote: > > > Is it even possible to remove signatures from a key and distribute this > > change? Or am I doing something wrong? > > What lands on the Keyservers stays on the Keyservers, forever. :( > > This is due to the sharing/gossip nature of most Keyservers. There are > 2 Keyservers I am aware of which do not share/gossip; Big Lumber & PGP > Global Directory. Of these 2 _only_ BL prevents anyone but the > Key/Account Owner from 'changing' the listed Key. > > Listing Your Key at www.biglumber.com will allow You to display Your Key > exactly as You desire it to appear and folks may be directed to retrieve > it from there via a Comment line or a signature tagline. I am not aware > of the ability to specify the Big Lumber listing in a 'Preferred > Keyserver' flag. > > IMO, the benefits of having One's Key available via auto-retrieval > outweighs the hassle of undesired Signatures and the 'baggage' of > old/revoked UID's. YMMV > > JOHN ;) > Timestamp: Sunday 12 Apr 2009, 08:00 --400 (Eastern Daylight Time) _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From jmoore3rd at bellsouth.net Sun Apr 12 18:25:11 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sun, 12 Apr 2009 12:25:11 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E1E016.8030701@naturalnet.de> References: <49E1BDE2.1070003@naturalnet.de> <49E1D812.40400@bellsouth.net> <49E1E016.8030701@naturalnet.de> Message-ID: <49E215E7.3080907@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dominik George wrote: > that is, I can add anything I want to my key, but never remove it? Not > even signatures? This is Correct! Upload a Key with signatures removed and as soon as that Keyserver 'refreshes' during the next round of updating from all other Keyservers it is linked to the removed signatures are restored. End of story! > I understand that I cannot remove keys, but I think any changes that > require my secret key would be ok :( ... Err.... How? The only time Your passphrase is required is when You are a revoking a Signature You, yourself, made. Your Secret Key isn't, or shouldn't be, on the Keyservers. Anybody can Sign Your Key and upload it to the Keyservers whenever they desire. Your Public Key is in the public domain. This is why some folks maintain a listing of their clean, desired Key on Big Lumber or the PGP GD. With Big Lumber only You may access Your listed Key to make 'changes' and with PGP GD any uploaded Key requires verification of each UID email address via a Ping/Pong challenge before it is listed for dissemination. JOHN 8-) Timestamp: Sunday 12 Apr 2009, 12:25 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ4hXkAAoJEBCGy9eAtCsPB8YIAINKj7JjbwEasf7tL6KXpKwJ y4cfIAqUlA6AtIjvI9lkLIAYtAvMZnAGRNpesUI9T9LBD4M2WzK3lEl93sBzQnPs 99FhCrs8POySWkx6hLuY5zJMzvon1C/xz9JMTWbgdyVct+d+ZMsMTPuRNbJuqhTz ufn4ynlKCApP+UGCD4wi/aWb7u1+8lt6sjmet/zP04GN0e6EtB5Gu+jdTnbEMu6w cYhGWQB5AyCU+3j/dhRAmovx2ekyoRMk6tFsJT+OVGYZMbZMYJ7IzZAMZ5/q/NBx +6I5CMm75opKlmCILMwAYEwb1UFPXQsqhcGfgvrwFwWvxFLOFWjO9bCSZ19qOgA= =TVRF -----END PGP SIGNATURE----- From John at Mozilla-Enigmail.org Sun Apr 12 22:42:34 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sun, 12 Apr 2009 15:42:34 -0500 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E1BDE2.1070003@naturalnet.de> References: <49E1BDE2.1070003@naturalnet.de> Message-ID: <49E2523A.8010405@Mozilla-Enigmail.org> Dominik George wrote: > due to dome issues, I have pretty many signatures on my key that I don't > want (or need) anymore. I can remove them locally, but when sending the > key to the keyserver afterwards, the changes are just ignored. That is correct, by design keyservers are merge only. It prevents attacks on the keys stored on keyservers such as removing revocations. > Is it even possible to remove signatures from a key and distribute this > change? Or am I doing something wrong? You can remove any cruft you wish and distribute that key yourself. You just can't use the keyserver networks to do it. Also anyone who refreshes that key from a keyserver will pick up all the pieces you decided needed deleting. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From email at sven-radde.de Mon Apr 13 11:23:36 2009 From: email at sven-radde.de (Sven Radde) Date: Mon, 13 Apr 2009 11:23:36 +0200 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E2523A.8010405@Mozilla-Enigmail.org> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> Message-ID: <49E30498.5040109@sven-radde.de> Hi! John Clizbe schrieb: > You can remove any cruft you wish and distribute that key yourself. You > just can't use the keyserver networks to do it. Also anyone who > refreshes that key from a keyserver will pick up all the pieces you > decided needed deleting. If you distribute the key yourself, you can set a preferred keyserver flag on your key. You can have that point to, e.g., http://yoursite.com/yourkey.asc and refreshes should be done from there (unless the other user changes "keyserver-options honor-keyserver-url"). With PKA, you can even get automatic key retrieval without a keyserver. cu, Sven From ravi.darira at gmail.com Thu Apr 9 16:37:27 2009 From: ravi.darira at gmail.com (ravi darira) Date: Thu, 9 Apr 2009 10:37:27 -0400 Subject: Decrypting ZIP files Message-ID: <6dedae200904090737m6b672fd6pae0ac25f83fa2ebe@mail.gmail.com> Hello, I am trying to decrypt ZIP Files which have been encrypted using the PGP. I am usign the following command: "echo" + "passphrase" + "| gpg.exe --passphrase-fd 0 -o \"" + outputFileNameFullPath + "\" --decrypt \"" + encryptedFile.FullName + "\""; It works fine for encrypted text files. But I cannot get it to work for Zip files. Any help will be greatly appreciated Thanks Ravi -------------- next part -------------- An HTML attachment was scrubbed... URL: From legal at puc.bz Thu Apr 9 18:49:58 2009 From: legal at puc.bz (legal) Date: Thu, 09 Apr 2009 10:49:58 -0600 Subject: hi Message-ID: <49DE2736.3030300@puc.bz> hi, Iam having trouble uploading the my public key to the keyserver. thnaks elias From brian.kumfer at ggp.com Fri Apr 10 21:56:45 2009 From: brian.kumfer at ggp.com (bkumfer) Date: Fri, 10 Apr 2009 12:56:45 -0700 (PDT) Subject: Help with encrypting using my PGP Public key Message-ID: <22993706.post@talk.nabble.com> I have implemented GnuPG on a server and created a public and private key. In working with a partner, they were able to use the public key to encrypt a file while using the gnupg tool. However, in working with the banks (the reason for the need), they tell me the key is causing the issue below - they will not necessarily use gnupg. Wed Apr 1 12:30:11 EDT 2009 Encrypt - complete failure during an encode. : encrypt (3063:key unable to encrypt) : command /usr/bin/pgpce3.sh -e ack.252268.testfile.2482414 252268 Any help would be great? -- View this message in context: http://www.nabble.com/Help-with-encrypting-using-my-PGP-Public-key-tp22993706p22993706.html Sent from the GnuPG - User mailing list archive at Nabble.com. From nik at naturalnet.de Sun Apr 12 01:27:40 2009 From: nik at naturalnet.de (Dominik George) Date: Sun, 12 Apr 2009 01:27:40 +0200 Subject: Keyserver doesn't honour removed signatures Message-ID: <49E1276C.5090703@naturalnet.de> Hi list, due to dome issues, I have pretty many signatures on my key that I don't want (or need) anymore. I can remove them locally, but when sending the key to the keyserver afterwards, the changes are just ignored. Is it even possible to remove signatures from a key and distribute this change? Or am I doing something wrong? Regards, Nik -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From er.rahulkausik at gmail.com Tue Apr 14 05:04:33 2009 From: er.rahulkausik at gmail.com (rahul kaushik) Date: Mon, 13 Apr 2009 20:04:33 -0700 (PDT) Subject: Help Solicited to implement a new pgp key server In-Reply-To: <20090408131035.GB877@straylight.m.ringlet.net> References: <22946814.post@talk.nabble.com> <20090408131035.GB877@straylight.m.ringlet.net> Message-ID: <23032448.post@talk.nabble.com> Hi Peter, Thanks for your pains taking attention towards my problem. I am still in dilemma . I would like to know what are the steps to be taken to write a pgp key server in C++ using. Recently i have used GNUPG for my application so have limited knowledge for that. I went through the sks source code ( whatever available in link give by you. ). I tried understand that but it did not make sense to me.So please guide me in accomplishing this task. It would be great if you could help me out. Please reply me ASAP. Regards, Rahul Kaushik Peter Pentchev wrote: > > On Wed, Apr 08, 2009 at 02:36:14AM -0700, rahul kaushik wrote: >> >> I have been asked to support PGP for a application. the most likely >> scenario would be to implement a key server that would allow customers to >> manage their keys. This will of course come with some complications, in >> terms of interface, provisioning and management. >> >> Could anybody please help me out in knowing how can i write a server >> using >> unix c/C++. >> >> If there is any document available on internet which can be helpful. It >> would be great if you could >> please let me know. > > Is there a reason why you can't use any of the existing keyserver > software? > > Avoided: http://www.mit.edu/people/marc/pks/ > Preferred: http://minskyprimus.net/sks/ > > If you need it in C/C++ for better integration with your application, > that's another thing. Still, even in that case, you might want to > take a look at the SKS source to see how things are done. > > G'luck, > Peter > > -- > Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org > PGP key: http://people.FreeBSD.org/~roam/roam.key.asc > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 > I had to translate this sentence into English because I could not read the > original Sanskrit. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/Help-Solicited-to-implement-a-new-pgp-key-server-tp22946814p23032448.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rjh at sixdemonbag.org Tue Apr 14 14:01:39 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 14 Apr 2009 08:01:39 -0400 Subject: Help Solicited to implement a new pgp key server In-Reply-To: <23032448.post@talk.nabble.com> References: <22946814.post@talk.nabble.com> <20090408131035.GB877@straylight.m.ringlet.net> <23032448.post@talk.nabble.com> Message-ID: <49E47B23.8030005@sixdemonbag.org> rahul kaushik wrote: > I am still in dilemma . I would like to know what are the steps to be > taken to write a pgp key server in C++ using. Peter asked an excellent question: "Is there a reason why you can't use any of the existing keyserver software?" You may find it useful to try answering it. You may learn that you don't need to write one in the first place. From John at Mozilla-Enigmail.org Tue Apr 14 14:01:30 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 14 Apr 2009 07:01:30 -0500 Subject: hi In-Reply-To: <49DE2736.3030300@puc.bz> References: <49DE2736.3030300@puc.bz> Message-ID: <49E47B1A.50109@Mozilla-Enigmail.org> legal wrote: > hi, > > I am having trouble uploading the my public key to the keyserver. > > thanks > elias You'll need to be a bit more specific for anyone to offer meaningful assistance. At this point, all anyone could do is speculate. Is this an Enigmail issue or a GnuPG issue? No way for us to know at this point. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Tue Apr 14 14:27:26 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Apr 2009 14:27:26 +0200 Subject: libgpgme error In-Reply-To: (Kaustubh Gadkari's message of "Fri, 10 Apr 2009 12:00:20 -0600") References: Message-ID: <8763h7v2s1.fsf@wheatstone.g10code.de> On Fri, 10 Apr 2009 20:00, kaustubh.gadkari at gmail.com said: > out. I wrote a simple program to check if libgpgme works, and I get an > error on line 136 of my code (attached to the email); the error code > returned is 2. My platform is Ubuntu 6.06 LTS i686, with libgpgme size_t uDataSize = sData.size(); [...] else if (-1 == (lRet = gpgme_data_write(tData, sData.c_str(), uDataSize)) || uDataSize != (size_t) lRet || 0 != (lRet = gpgme_data_seek(tData, 0, SEEK_SET))) What is the size of your off_t? Did you really follow the instructions in the "Largefile Support (LFS)" section of the manual? Shalom-Salam, Werner p.s. For better readability I strongly suggest not to use long else-if chains but return or goto statements. Given that the English language is written left to right, it is also better to follow this practise and avoid the ill advised method of always writing constants in a comparison on the left. -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Tue Apr 14 14:32:06 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Apr 2009 14:32:06 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <49E1276C.5090703@naturalnet.de> (Dominik George's message of "Sun, 12 Apr 2009 01:27:40 +0200") References: <49E1276C.5090703@naturalnet.de> Message-ID: <871vrvv2k9.fsf@wheatstone.g10code.de> On Sun, 12 Apr 2009 01:27, nik at naturalnet.de said: > Is it even possible to remove signatures from a key and distribute this > change? Or am I doing something wrong? No. The Net never forgets. A keyservers will never remove signatures because signatures go into the key validation computation and thus removing signatures would change the validity of your key. Signatures are also used for revocations. What you can do is to revoke a signature, which is technically yet another signature. But that is in general not helpful in any way. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Tue Apr 14 14:44:51 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Apr 2009 14:44:51 +0200 Subject: Help with encrypting using my PGP Public key In-Reply-To: <22993706.post@talk.nabble.com> (brian.kumfer@ggp.com's message of "Fri, 10 Apr 2009 12:56:45 -0700 (PDT)") References: <22993706.post@talk.nabble.com> Message-ID: <87skkbtnek.fsf@wheatstone.g10code.de> On Fri, 10 Apr 2009 21:56, brian.kumfer at ggp.com said: > file while using the gnupg tool. However, in working with the banks (the > reason for the need), they tell me the key is causing the issue below - they > will not necessarily use gnupg. > > Wed Apr 1 12:30:11 EDT 2009 Encrypt - complete failure during an encode. : > encrypt (3063:key unable to encrypt) : command /usr/bin/pgpce3.sh -e You need to check with them to see why there software does not work or whether you provided a key which is not supported by their software. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Tue Apr 14 14:42:29 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Apr 2009 14:42:29 +0200 Subject: Help Solicited to implement a new pgp key server In-Reply-To: <23032448.post@talk.nabble.com> (rahul kaushik's message of "Mon, 13 Apr 2009 20:04:33 -0700 (PDT)") References: <22946814.post@talk.nabble.com> <20090408131035.GB877@straylight.m.ringlet.net> <23032448.post@talk.nabble.com> Message-ID: <87ws9ntnii.fsf@wheatstone.g10code.de> On Tue, 14 Apr 2009 05:04, er.rahulkausik at gmail.com said: > I went through the sks source code ( whatever available in link give by you. > ). I tried understand that but it did not make sense to me.So please guide > me in accomplishing this task. If you don't know the OCalm language and don't want to look into it, I suggest to look at the ONAK keyserver[1] which is written in plain C. Shalom-Salam, Werner [1] http://www.earth.li/projectpurple/progs/onak.html -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From kaustubh.gadkari at gmail.com Tue Apr 14 16:51:40 2009 From: kaustubh.gadkari at gmail.com (Kaustubh Gadkari) Date: Tue, 14 Apr 2009 08:51:40 -0600 Subject: libgpgme error In-Reply-To: <8763h7v2s1.fsf@wheatstone.g10code.de> References: <8763h7v2s1.fsf@wheatstone.g10code.de> Message-ID: Hi, > ? ?size_t uDataSize = sData.size(); > [...] > ? ?else if (-1 == (lRet = gpgme_data_write(tData, sData.c_str(), uDataSize)) > ? ? ? ? ? ? || uDataSize != (size_t) lRet > ? ? ? ? ? ? || 0 != (lRet = gpgme_data_seek(tData, 0, SEEK_SET))) > > What is the size of your off_t? ?Did you really follow the instructions > in the "Largefile Support (LFS)" section of the manual? > off_t is 4 bytes, although I am not sure how that could be a problem, since the error I get does not occur on the line where off_t is used. I've tried this program out on other Ubuntu, FreeBSD and MacOS X boxes, and it runs correctly on all of them, if that helps narrow down the problem. Thanks, Kaustubh > Shalom-Salam, > > ? Werner > > > p.s. > For better readability I strongly suggest not to use long else-if chains > but return or goto statements. ?Given that the English language is > written left to right, it is also better to follow this practise and > avoid the ill advised method of always writing constants in a comparison > on the left. > > -- > Die Gedanken sind frei. ?Auschnahme regelt ein Bundeschgesetz. > > -- Kaustubh Gadkari kaustubh [dot] gadkari [at] gmail [dot] com From faramir.cl at gmail.com Tue Apr 14 18:26:29 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 14 Apr 2009 12:26:29 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <871vrvv2k9.fsf@wheatstone.g10code.de> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf@wheatstone.g10code.de> Message-ID: <49E4B935.5070303@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch escribi?: > On Sun, 12 Apr 2009 01:27, nik at naturalnet.de said: > >> Is it even possible to remove signatures from a key and distribute this >> change? Or am I doing something wrong? ... > What you can do is to revoke a signature, which is technically yet > another signature. But that is in general not helpful in any way. By the way, you can also revoke UIDs, but not delete them. So if you have a key with a nickname, and you add your real name, there is no way to go back to anonymity anymore, once you have uploaded your key to a keyserver. That means you need to be careful, but other than that, is not a big problem. My advice is you should not care about having too many signatures, just focus in no losing the ones you want to have, and keyservers are perfect for that. Each person is free to "clean" their copy of your public key, including you. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ5Lk1AAoJEMV4f6PvczxA2E8H/3FGlG6kxQ/ouh0pIfnmMkbh g0KgqT7vseQB+qht5ZIXbI4ZbDbhkFS0O3BFINzRWNyvO54lgFmD4maD9bHOkzzN 34poRhzqDOmnK3lde/Ijkm5ERGP+PrO2GZy3iLzRrrW71DzN4HBbGWZspI+g2mcI DTDyByFhrW3zglQQj0xjAd3BUOlTgXeNqLKyCkU02xWY8Z2voKzQXL+n+0zuCBWY KtIQVGCW4FUiGF2RL/IhZC4e3pWxUQtnntOFhIn7/cA5TMLGNt5rjs8qjDHOzWYu 1Pq2HJ6umaqHJMWrpPJ92g/DqszqyU3D3N7Vp2I365+nmAGlUINEtRVS7jFGLm8= =DiD6 -----END PGP SIGNATURE----- From n1zhi at mac.com Wed Apr 15 03:10:19 2009 From: n1zhi at mac.com (Ronald Cook) Date: Tue, 14 Apr 2009 21:10:19 -0400 Subject: Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP Message-ID: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> Hi. I've been scouring the gnupg-users mail archives but haven't yet seen a solution to this. One of our clients recently upgraded their production installation of GnuPG 1.4.5 to version 1.4.9. They send encrypted / signed files to us almost daily for real-time financial processing. Prior to their upgrade, files received from them passed signature verification and decrypted successfully in our production installation of PGP 6.x, circa 1999-2000. Since the upgrade, signature verification fails. They've not changed their key and manual decryption / verification works correctly through a stand-alone GnuPG 1.4.9. It took a while for us to get them to admit to the upgrade; now they can't recall if they had any specific command line options in place that might not have been replicated to the new version. Might anyone have any ideas as to anything we can suggest to them, or any comments as to what might have changed in their process? Feel free to request more information. If I can provide it without violating my employer's NPI regulations, I'll be glad to do so. Thank you. Ron Cook n1zhi at mac.com From faramir.cl at gmail.com Wed Apr 15 04:37:09 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 14 Apr 2009 22:37:09 -0400 Subject: Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP In-Reply-To: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> References: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> Message-ID: <49E54855.2030300@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Ronald Cook escribi?: ... > One of our clients recently upgraded their production installation of > GnuPG 1.4.5 to version 1.4.9. They send encrypted / signed files to > us almost daily for real-time financial processing. > > Prior to their upgrade, files received from them passed signature > verification and decrypted successfully in our production installation > of PGP 6.x, circa 1999-2000. Since the upgrade, signature > verification fails. Maybe they need to force compatibility with PGP 6.x... I recall recently there was some talk about the length of supported hash algorithms in PGP 6.x, but it was in another list (PGP-Basics list maybe?). > They've not changed their key and manual decryption / verification > works correctly through a stand-alone GnuPG 1.4.9. I _think_ what has changed is the standard with which GnuPG 1.4.9 operates, when they upgraded, they moved to RFC 4880, and you are still using an older way to do things... > It took a while for us to get them to admit to the upgrade; now they > can't recall if they had any specific command line options in place > that might not have been replicated to the new version. Maybe you should consider upgrading too... I don't know how complex would that be for you. PGP 6.x is too old currently, and the standard advice is to upgrade to something that supports the current standards, but that advice is mostly for end users, maybe migrating would not be trivial for your system > Might anyone have any ideas as to anything we can suggest to them, or > any comments as to what might have changed in their process? Tell them to force PGP 6.x compatibility, it's done by adding the line: pgp6 to gpg.conf file in the home folder of GnuPG (the folder where the keyrings are placed). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ5UhVAAoJEMV4f6PvczxABFkIAJ2JkcFmrfRDFz/FDzAu7rbO Ef0LvivXzOPCfs6UJhMYd6lneAuUo6uJNDtT3D4B4YpU76UpthxhVMywxJbtaah2 AUJegkmaCC71SefIZ8u8Kka2oMxICB0/RsZqVqzbPfl01xJ6ZrEgTJiu0zy0KgBX xQaEgVFTpgo2kkOrSYG4ZhefRWSelDOAqAv011zByhba6x4C5RglaCjhspjTmiAA RAHP0x6Bj84vOdC+2UyQMoFGvVn8l/vdM+vcvlf3JK+1eFAiLwsSr1sMJhGwl4MK +reE8jkDjLpZbqsVCQ25MiWXGTWRAktybp6hfC/Luw5TPBlAUkdgiaY9OpuFJvY= =84EX -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Apr 15 05:03:31 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 14 Apr 2009 23:03:31 -0400 Subject: Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP In-Reply-To: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> References: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> Message-ID: <755AF8E1-2283-4A83-99F5-7681B468A582@jabberwocky.com> On Apr 14, 2009, at 9:10 PM, Ronald Cook wrote: > Hi. > > I've been scouring the gnupg-users mail archives but haven't yet seen > a solution to this. > > One of our clients recently upgraded their production installation of > GnuPG 1.4.5 to version 1.4.9. They send encrypted / signed files to > us almost daily for real-time financial processing. > > Prior to their upgrade, files received from them passed signature > verification and decrypted successfully in our production installation > of PGP 6.x, circa 1999-2000. Since the upgrade, signature > verification fails. > > They've not changed their key and manual decryption / verification > works correctly through a stand-alone GnuPG 1.4.9. > > It took a while for us to get them to admit to the upgrade; now they > can't recall if they had any specific command line options in place > that might not have been replicated to the new version. > > Might anyone have any ideas as to anything we can suggest to them, or > any comments as to what might have changed in their process? > > Feel free to request more information. If I can provide it without > violating my employer's NPI regulations, I'll be glad to do so. So, the decryption and verification works with GPG 1.4.9, but not with a PGP 6.x. It might be an algorithm conflict, or possibly a hashing problem. Can you tell me about what error is returned when PGP 6.x tries to process the file? Other questions: - are the files encrypted and signed in one piece, or are the signatures detached signatures? - is this a DSA or RSA signature? (when you did the test with 1.4.9, it would say "using DSA key" or "using RSA key" when it verified). - Can you repeat the test decrypt/verify that you did with the standalone 1.4.9, except add a "-v" to the command line. This will make GPG print out some extra information. The pieces that are most relevant to the problem are the lines that read "gpg: XXXXXX encrypted data" and "gpg: YYYYYY signature, digest algorithm ZZZZZZ". Can you send me XXXXXX, YYYYYY, and ZZZZZZ? You might try asking your client to add "--pgp6" to their GPG command line. PGP 6 is not really completely up to the modern PGP spec (it's a good few years out of date), and --pgp6 tells GPG to try and be compatible with the older version. David From jmoore3rd at bellsouth.net Wed Apr 15 05:40:50 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 14 Apr 2009 23:40:50 -0400 Subject: Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP In-Reply-To: <755AF8E1-2283-4A83-99F5-7681B468A582@jabberwocky.com> References: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> <755AF8E1-2283-4A83-99F5-7681B468A582@jabberwocky.com> Message-ID: <49E55742.8030202@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 David Shaw wrote: > You might try asking your client to add "--pgp6" to their GPG command > line. PGP 6 is not really completely up to the modern PGP spec (it's a > good few years out of date), and --pgp6 tells GPG to try and be > compatible with the older version. Succinctly understated. I admire Your self control. :-D JOHN ;) Timestamp: Tuesday 14 Apr 2009, 23:40 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ5Vc/AAoJEBCGy9eAtCsP9lQH/3J7V2MCgxutGJDXyVIPeUWF VQI5bU6XnpsssMRNiEV634SvzBE0P+Hw7W/T3GbOmnzPU3SP3I/L72Qlr3bkr/h/ EeawAvvDPNcRr05SMbyMH2sThm90KQWQMsdqWfuhL/6rf3oaI2PmLIHiYdltIghS W5qvervBnI40raep0vq4vdaUIb7C1e3C+5LKar9AIThoIO0AGsF4GvJQ1MgcPFcO hO8gO9Q6AcuXCur72E/o5DUcXCu3BSza2K0zSbRhk+iBosxR15mB7eNI0pJEeqJD mfGIYtemWS6Xr/79gYGgRn6Y+fJSOCUVSw5w+hHQVHcL8fp6F+IlyDobOxWNcaI= =h1qV -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Apr 15 05:45:52 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 14 Apr 2009 23:45:52 -0400 Subject: Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP In-Reply-To: <49E54855.2030300@gmail.com> References: <97154806-5E5F-4023-9522-0B95323B43AB@mac.com> <49E54855.2030300@gmail.com> Message-ID: <49E55870.2080400@sixdemonbag.org> Faramir wrote: > Maybe they need to force compatibility with PGP 6.x... I recall > recently there was some talk about the length of supported hash > algorithms in PGP 6.x, but it was in another list (PGP-Basics list maybe?). IIRC, it was regarding John Moore's signatures failing to verify under PGP 8.x. This was due to John using SHA512 as a signature algorithm, and PGP 8.x not supporting that algorithm. As David says, PGP 6.x is long in the tooth. It's a decade old at this point -- more; I think it came out in '98. IMO, it ought be abandoned for security reasons. It was written in '97-'98. That means it predates even Windows 98. Windows has changed /enormously/ since then. Neither Network Associates nor PGP Corporation ever certified PGP 6.x for use on Windows 2000 machines, and now that we've seen XP come and go, are seeing Vista get deployed, and have Windows 7 on the way... ... well. You have to ask some questions. What are the odds that something PGP 6.x depends upon will have changed in some subtle way over the last ten years? And do you really want to take that risk? From wk at gnupg.org Wed Apr 15 11:12:02 2009 From: wk at gnupg.org (Werner Koch) Date: Wed, 15 Apr 2009 11:12:02 +0200 Subject: libgpgme error In-Reply-To: (Kaustubh Gadkari's message of "Tue, 14 Apr 2009 08:51:40 -0600") References: <8763h7v2s1.fsf@wheatstone.g10code.de> Message-ID: <87zleis2l9.fsf@wheatstone.g10code.de> On Tue, 14 Apr 2009 16:51, kaustubh.gadkari at gmail.com said: > off_t is 4 bytes, although I am not sure how that could be a problem, > since the error I get does not occur on the line where off_t is used. The manual explains that. libgpgme is compiled with large file system support and thus requires that you do the same. You will mess up the stack if you don't. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From chaz at chaz6.com Wed Apr 15 14:35:42 2009 From: chaz at chaz6.com (Chris Hills) Date: Wed, 15 Apr 2009 14:35:42 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> Message-ID: On 14/04/09 14:32, Werner Koch wrote: > No. The Net never forgets. A keyservers will never remove signatures > because signatures go into the key validation computation and thus > removing signatures would change the validity of your key. Signatures > are also used for revocations. Hypothetically, if a key is signed using another key which contains a jpg image of something illegal in the keyserver's location, what then? It would seem to me that the only option would be to remove the keyserver from the keyserver network. From rjh at sixdemonbag.org Wed Apr 15 17:43:20 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 15 Apr 2009 08:43:20 -0700 Subject: Keyserver doesn't honour removed signatures In-Reply-To: References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> Message-ID: <20090415084320.82023e360tvctmsk@mail.monkeyblade.net> > Hypothetically, if a key is signed using another key which contains > a jpg image of something illegal in the keyserver's location, what > then? It would seem to me that the only option would be to remove > the keyserver from the keyserver network. ... that's a truly /ghastly/ little attack against the keyserver network, and I'm ashamed that I didn't think of it first. The keyserver network is principally guided by this design goal: do not ever lose key material. New data may be entered, but old data must persist. Now, if a photo is attached to a key and the photo must be removed for legal reasons, one of three things will occur: (a) the keyserver network gets taken down (b) the keyserver network gets taken over by people trafficking in illegal images (c) a way to remove UIDs without the owner's permission is added to the keyserver network I don't really like those prospects. Any of them. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From faramir.cl at gmail.com Wed Apr 15 18:25:05 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 15 Apr 2009 12:25:05 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> Message-ID: <49E60A61.8010200@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Chris Hills escribi?: > Hypothetically, if a key is signed using another key which contains a > jpg image of something illegal in the keyserver's location, what then? > It would seem to me that the only option would be to remove the > keyserver from the keyserver network. Even worst, because the servers usually (there are exceptions) "talk" to each other, and propagate the new keys, so every server in that network will have that illegal jpg image. Anyway, I think the owner of the key signed by another key which containst an illegal picture, would be safe, because he/she can't prevent people from signing his/her key. The ones in problems would be the keyservers themselves, and the admins and owners of these keyservers, and the owner of the key with the illegal picture (who probably lives in a place where he is safe). I suppose that could lead to litigation, but I don't know anything about legal stuff. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEbBAEBCAAGBQJJ5gphAAoJEMV4f6PvczxA+NAH9R9sSYlxAl4Ot7pLBkasY9eq Kx484lhuCblAdxK3tKIOsZMnC8hnoy7Kfo0DCcSO1Jp1+DOwVFQn/yZMgLtb/srC /yAFFoDZP4FACiek4yEQXhUbI5anyZFWXLv6Ne2W1Sw7e7Pl+YuFoISwSiG7zjjG p+n5Y61Gxy81AHLU+/X7Ki0jkAVy9TnhclljceW9B7Wopx7EHtCEvIY/k0nNqf/M a7iGV2SPgHfx6/ocgBy2UYuiSb7IPOaM/g0ov6GJPm650aS2hmYxaLT5/gwxedjc t5LJDqHYWwfnN46ClMGNa2DWCc1dAaF6Rxp/9PwRpscptvrN4Yf9XCbwNZaYhg== =VdaO -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Apr 15 19:00:19 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 15 Apr 2009 13:00:19 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> Message-ID: <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> On Apr 15, 2009, at 8:35 AM, Chris Hills wrote: > On 14/04/09 14:32, Werner Koch wrote: >> No. The Net never forgets. A keyservers will never remove >> signatures >> because signatures go into the key validation computation and thus >> removing signatures would change the validity of your key. >> Signatures >> are also used for revocations. > > Hypothetically, if a key is signed using another key which contains > a jpg image of something illegal in the keyserver's location, what > then? It would seem to me that the only option would be to remove > the keyserver from the keyserver network. Yes, this has been pointed out in the past. The attack that I came up with was a bit different - use the keyserver net as your porn/warez/ kiddie porn/etc distribution point. Just upload keys with whatever you like embedded in them. The keyserver net takes care of distribution for you, and your "customers" can download your material from whichever keyserver they like (or run their own keyserver and get content synced to them on a regular basis). David From wk at gnupg.org Wed Apr 15 19:16:50 2009 From: wk at gnupg.org (Werner Koch) Date: Wed, 15 Apr 2009 19:16:50 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> (David Shaw's message of "Wed, 15 Apr 2009 13:00:19 -0400") References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> Message-ID: <877i1lsupp.fsf@wheatstone.g10code.de> > from whichever keyserver they like (or run their own keyserver and get > content synced to them on a regular basis). An easy countermeasure would be to limit the size of the meta data (user IDs, attribute id, notations and so). Well, until people start to chop this data up into several signatures. Anyway, I don't think that the keyserver network has the capacity to work as a content delivery services. P2P is a far easier system for that. Of course, the keyservers could than act as a directory service ... Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Wed Apr 15 19:47:40 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 15 Apr 2009 13:47:40 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <877i1lsupp.fsf@wheatstone.g10code.de> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> Message-ID: On Apr 15, 2009, at 1:16 PM, Werner Koch wrote: > >> from whichever keyserver they like (or run their own keyserver and >> get >> content synced to them on a regular basis). > > An easy countermeasure would be to limit the size of the meta data > (user > IDs, attribute id, notations and so). Well, until people start to > chop > this data up into several signatures. Anyway, I don't think that the > keyserver network has the capacity to work as a content delivery > services. P2P is a far easier system for that. Of course, the > keyservers could than act as a directory service ... The difference is that the keyserver network allows anyone to submit data, and the keyserver net will then serve it on their behalf. It's like a publicly writable web site with multiple replicas and with no ability to delete. In the P2P case, only those people who choose to participate in a given shared item are involved in the distribution of that item (legal and illegal content can be processed at the same time, and each participant gets to pick what they want to do). The keyserver net, as currently implemented, carries everything regardless of the desires of the operator of the server. David From m.mansfeld at mansfeld-elektronik.de Wed Apr 15 18:55:44 2009 From: m.mansfeld at mansfeld-elektronik.de (Matthias Mansfeld) Date: Wed, 15 Apr 2009 18:55:44 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <49E60A61.8010200@gmail.com> References: <49E1276C.5090703@naturalnet.de>, , <49E60A61.8010200@gmail.com> Message-ID: <49E62DB0.17307.A1312DB@m.mansfeld.mansfeld-elektronik.de> On 15 Apr 2009 at 12:25, Faramir wrote: > Chris Hills escribi?: > > > Hypothetically, if a key is signed using another key which contains > > a jpg image of something illegal in the keyserver's location, what > > then? It would seem to me that the only option would be to remove > > the keyserver from the keyserver network. > > Even worst, because the servers usually (there are exceptions) > "talk" > to each other, and propagate the new keys, so every server in that > network will have that illegal jpg image. > > Anyway, I think the owner of the key signed by another key which > containst an illegal picture, would be safe, because he/she can't > prevent people from signing his/her key. Outch. I'm not convinced at all that lawyers and judges are always willing to understand that. See some decisions concerning liability for links to links to links. And we have here politicians who don't know what a browser is and who say "Oh, internet, yes, I know, I let my staff print out the internet for me everyday". :-\ > The ones in problems would be the keyservers themselves, and the > admins and owners of these keyservers, and the owner of the key > with the illegal picture (who probably lives in a place where he is > safe). I suppose that could lead to litigation, but I don't know > anything about legal stuff. Best regards Matthias From wk at gnupg.org Thu Apr 16 09:18:15 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 16 Apr 2009 09:18:15 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: (David Shaw's message of "Wed, 15 Apr 2009 13:47:40 -0400") References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> Message-ID: <871vrtrrrc.fsf@wheatstone.g10code.de> On Wed, 15 Apr 2009 19:47, dshaw at jabberwocky.com said: > The difference is that the keyserver network allows anyone to submit > data, and the keyserver net will then serve it on their behalf. It's Like Usenet. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Thu Apr 16 15:13:35 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 16 Apr 2009 09:13:35 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <871vrtrrrc.fsf@wheatstone.g10code.de> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> <871vrtrrrc.fsf@wheatstone.g10code.de> Message-ID: On Apr 16, 2009, at 3:18 AM, Werner Koch wrote: > On Wed, 15 Apr 2009 19:47, dshaw at jabberwocky.com said: > >> The difference is that the keyserver network allows anyone to submit >> data, and the keyserver net will then serve it on their behalf. It's > > Like Usenet. Not exactly. Usenet has delete :) Even so, Usenet is a good example. Note that even with delete, Usenet is full of random junk dumped into it. Publicly writable resources on the net, be they Usenet, Wikipedia, blog comments, or some random ftp server that isn't set up as a blind drop-box, tend to be written in ways not necessarily desired by their operators. All of these resources have some means (of varying effectiveness, but they do at least exist) to "clean up" the abuse (cmsg cancel, wiki editors, kicking the admin who set the permissions that way), that the keyserver net lacks. Another way the current keyserver net differs from the earlier examples is that many servers don't keep logs for very long (or at all). That's a good feature when we're talking about keys, but it's also a good feature for someone who wants to throw some illegal material on there for later download. Of course, massive dumping of junk into a keyserver would eventually be noticed, but a few items, here and there, would easily fly below the radar. I do like Usenet though. I once thought (before Yaron Minsky came up with the gossip protocol) that if we ever needed a good keyserver protocol that could scale to massive sizes, that a slightly modified NNTP would be ideal for it. Use the key fingerprint as the NNTP message-id field for IHAVE, and NNTP takes care of the distribution. (You'd still need a keyserver front-end on top of the "article" database, of course). I think we're pretty far off from needing to scale to that level, though. David From wk at gnupg.org Thu Apr 16 15:31:10 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 16 Apr 2009 15:31:10 +0200 Subject: Keyserver doesn't honour removed signatures In-Reply-To: (David Shaw's message of "Thu, 16 Apr 2009 09:13:35 -0400") References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> <871vrtrrrc.fsf@wheatstone.g10code.de> Message-ID: <8763h4raht.fsf@wheatstone.g10code.de> On Thu, 16 Apr 2009 15:13, dshaw at jabberwocky.com said: > Not exactly. Usenet has delete :) I bet not right away from the start; control messages were likely introduced somewaht later. We would need to ask a graybeard to be sure or look at the B-news sources. For the average user keyservers are pretty young if at all existent. Thus we are in the same state as the old Usenet. > NNTP would be ideal for it. Use the key fingerprint as the NNTP > message-id field for IHAVE, and NNTP takes care of the distribution. Which would also help to distribute revocations. A client running on a server (e.g. your mail smarthost) could filter out revocation messages for your keyring from a Usenet group and forward them to you. In fact the client could do that automagically by looking on your mail traffic to collect keyids. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From rjh at sixdemonbag.org Thu Apr 16 19:12:39 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 16 Apr 2009 10:12:39 -0700 Subject: Keyserver doesn't honour removed signatures In-Reply-To: References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> <871vrtrrrc.fsf@wheatstone.g10code.de> Message-ID: <20090416101239.63886x991j5nmgco@mail.monkeyblade.net> Quoting David Shaw : > Not exactly. Usenet has delete :) I think it's also worth considering just how rare USENET is nowadays. A lot of places that used to host full USENET feeds are gone. I suspect that most people's access to USENET is done through Google Groups or similar services. From what I understand, the two major concerns which led to USENET being dropped in a lot of places are (a) bandwidth concerns and (b) the possibility of lawsuits. (Not just child porn, either: some things that are clearly legal in one jurisdiction are grossly illegal in another. E.g., in the United States the First Amendment protects your right to deny the Holocaust, but in Germany it's a serious crime.) Add it all together and USENET was at best a network-choking bandwidth hog, and at worst was a lawsuit waiting to happen. And thus, many full USENET feeds fell off the face of the net. It might be worth wondering whether the same could happen to the keyserver network. It seems less likely, due to how difficult it would be to share large files that way -- but the possibility should be considered. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From bhushan1988 at gmail.com Thu Apr 16 21:59:14 2009 From: bhushan1988 at gmail.com (Bhushan Jain) Date: Fri, 17 Apr 2009 01:29:14 +0530 Subject: OpenPGP offering - easy way to secure files for storage. Message-ID: <62fd3c0a0904161259y52a98bf5ofe9ad6ab4672e4eb@mail.gmail.com> Hi, Here is a technology titled "Policy-Driven File Encryption Explorer Based on OpenPGP for Secure Storage Solutions" release recently on IBM alphaWorks , dowloadable for anyone and everyone. All it requires is a simple user register. http://www.alphaworks.ibm.com/tech/fileencryption It makes use of bouncycastel and SWT libraries and is very user friendly and consumable. Worth a try to easily secure your files over desktops/laptops or filebased storage. One of the most effctive way to use bouncycastel open libraries PS : Read the Readme file first to have a kick and quick start to it. -- Thanks, -------------- Bhushan -------------- next part -------------- An HTML attachment was scrubbed... URL: From incomex at hotmail.com Thu Apr 16 09:38:52 2009 From: incomex at hotmail.com (Incomex) Date: Thu, 16 Apr 2009 00:38:52 -0700 (PDT) Subject: syntax for encrypting only the string passed in an argument Message-ID: <23072963.post@talk.nabble.com> I want to be able to call a shell from within a development environment and pass a string of data to it to be de/en/crypted. The idea would look like this: read from file "data.txt" line z and put it into variableY variablex = call shell(gpg -e -r Joe variableY) print variablex rem: variableY is the plaintext, variablex is the returned cyphertext you can email me directly at incomex at hotmail.com thanks -- View this message in context: http://www.nabble.com/syntax-for-encrypting-only-the-string-passed-in-an-argument-tp23072963p23072963.html Sent from the GnuPG - User mailing list archive at Nabble.com. From viceversasport at gmail.com Fri Apr 17 12:02:29 2009 From: viceversasport at gmail.com (Jan Banan) Date: Fri, 17 Apr 2009 12:02:29 +0200 Subject: GPG executable for Unix/Apache ? Message-ID: Hi, I am completely new to encryption as well as Unix-server programs etc. I am trying to set up a form on a webpage that should be encrypted when the data is sent to me. I have found a freeware package from VerySimple which is called simplesecure 3.33 (http://www.verysimple.com/products.page) and it looks excactly what I need it to be. I have installed it on my hosting server and started configuring it, but when it comes to the part of specifying the path to the GPG executable I realize that I have no such file. I quote from the installation instructions: > *"**Step Three: Configure GPG/PGP Path:** > * * * *(This step is only necessary if you plan to use the encryption features of SimpleSecure)** * * * *The "Encrypting Settings" tab of the System Settings page contains fields for PGP and GPG (see screenshot).** * * * *GPG & PGP Executable paths should be something like "/usr/bin/pgp" or "/usr/bin/gpg". If your site is hosted on a Windows server, The path may be something like "C:/Program Files/PGP/pgp.exe" (In the case of Windows servers, leave the quotes around the path).** * * * *The Keyring path can be configured in two ways.** * * * *A. (recommended). Specify the full path to th e ~/cgi-bin/ssecure/keys directory. (for example "/usr/www/public_html/myaccount/cgi-bin/ssecure/keys") Use the same value for both GPG and PGP keyring path.** * * * *B. (advanced). If you already have a location where you store GPG/PGP keyrings, you may specify the full path here. (for example "/usr/home/myaccount/.pgp"). If you decide to configure the path this way, you must also allow world-read access to your keyring folder.** * * * *SimpleSecure is now configured and ready to test...** * *"* I presume I have to download it from GnuPG. But since I have no experience with Unix software I have no clue what to download and how to tell if it is an executable. Can someone help me and give me a few pointers, please. If I know I am on the right road I can usually find my way by myself, but here I am a bit lost in the forest. The server is running Apache version 2.2.11 (Unix). Thanks! /peter -------------- next part -------------- An HTML attachment was scrubbed... URL: From mearns.b at gmail.com Fri Apr 17 13:18:59 2009 From: mearns.b at gmail.com (Brian Mearns) Date: Fri, 17 Apr 2009 07:18:59 -0400 Subject: syntax for encrypting only the string passed in an argument In-Reply-To: <23072963.post@talk.nabble.com> References: <23072963.post@talk.nabble.com> Message-ID: <4df3a1330904170418y6c4959fbvb34f82f586fb14b4@mail.gmail.com> On Thu, Apr 16, 2009 at 3:38 AM, Incomex wrote: > > I want to be able to call a shell from within a development environment > and pass a string of data to it to be de/en/crypted. ?The idea would look > like > this: > > read from file "data.txt" line z and put it into variableY > variablex = call shell(gpg -e -r Joe variableY) > print variablex > > rem: ?variableY is the plaintext, variablex is the returned cyphertext > > you can email me directly at incomex at hotmail.com > thanks > -- > View this message in context: http://www.nabble.com/syntax-for-encrypting-only-the-string-passed-in-an-argument-tp23072963p23072963.html > Sent from the GnuPG - User mailing list archive at Nabble.com. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Does you "development environment" allow you to feed things to stdin? Because that's how gpg would normally expect to receive the text, if an input file is not specified. I don't know whether or not there's a way to specify the text directly in an argument (seems very unlikely, most plaintext would be difficult to escape for use on a command line). Depending on how the shell function commands, you might be able to do it directly from there, e.g., `cat myfile | gpg -e -r joe`. -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From viceversasport at gmail.com Fri Apr 17 14:23:15 2009 From: viceversasport at gmail.com (Jan Banan) Date: Fri, 17 Apr 2009 14:23:15 +0200 Subject: GPG executable for Unix/Apache ? In-Reply-To: <4df3a1330904170412v46e761f8ve0e5626185c84a12@mail.gmail.com> References: <4df3a1330904170412v46e761f8ve0e5626185c84a12@mail.gmail.com> Message-ID: 2009/4/17 Brian Mearns > On Fri, Apr 17, 2009 at 6:02 AM, Jan Banan > wrote: > > Hi, > > > > I am completely new to encryption as well as Unix-server programs etc. I > am > > trying to set up a form on a webpage that should be encrypted when the > data > > is sent to me. I have found a freeware package from VerySimple which is > > called simplesecure 3.33 (http://www.verysimple.com/products.page) and > it > > looks excactly what I need it to be. I have installed it on my hosting > > server and started configuring it, but when it comes to the part of > > specifying the path to the GPG executable I realize that I have no such > > file. > > > > I quote from the installation instructions: > >> > >> "Step Three: Configure GPG/PGP Path: > > > > (This step is only necessary if you plan to use the encryption features > of > > SimpleSecure) > > > > The "Encrypting Settings" tab of the System Settings page contains fields > > for PGP and GPG (see screenshot). > > > > GPG & PGP Executable paths should be something like "/usr/bin/pgp" or > > "/usr/bin/gpg". If your site is hosted on a Windows server, The path may > be > > something like "C:/Program Files/PGP/pgp.exe" (In the case of Windows > > servers, leave the quotes around the path). > > > > The Keyring path can be configured in two ways. > > > > A. (recommended). Specify the full path to th e ~/cgi-bin/ssecure/keys > > directory. (for example > > "/usr/www/public_html/myaccount/cgi-bin/ssecure/keys") Use the same value > > for both GPG and PGP keyring path. > > > > B. (advanced). If you already have a location where you store GPG/PGP > > keyrings, you may specify the full path here. (for example > > "/usr/home/myaccount/.pgp"). If you decide to configure the path this > way, > > you must also allow world-read access to your keyring folder. > > > > SimpleSecure is now configured and ready to test... > > > > " > > > > I presume I have to download it from GnuPG. But since I have no > experience > > with Unix software I have no clue what to download and how to tell if it > is > > an executable. > > > > Can someone help me and give me a few pointers, please. If I know I am on > > the right road I can usually find my way by myself, but here I am a bit > lost > > in the forest. > > > > The server is running Apache version 2.2.11 (Unix). > > > > Thanks! > > > > /peter > > > > Are you using actual Unix or a Linux distro? (Or BSD?) If you're using > Linux, most distros have some sort of package manager, e.g., Fedora > uses rpm packages (an yum to manage rpms), some others use apt-get, > etc. I think BSD has some sort of package manager, too, but I'm not > sure what it is. I have know idea about Unix. These should allow to > install the binaries pretty easily. The alternative is to build from > source, which is generally easier than it may sound to a new *nix > user. Especially with GNU software, the build routine is usually very > straight forward. In any event, you can download the source and find > links to binaries for different package managers from > http://www.gnupg.org/download/index.en.html. > > I can't help but wonder, though, why you're encrypting something > /after/ it's sent to you over the Internet...once it's been out on the > net, you can't be sure who has a copy (unless of course you're using > secure HTTP). > > -Brian > > Hi, and thanks for answering! Well, just to avoid misunderstandings, I have a form on a secure HTTP page on a third-party server. The form data is sent secured from the browser to the server. When it reaches the server it is to get encrypted before it is sent to me via email. Once arrived at my local email-inbox it is decrypted. (And anyway, I am not dealing with credit card numbers or any really sensitive information, I just want to be able to offer a more or less secure processing of the form data). I am actually on a Windows machine myself so when it comes to my end I guess I should install one of the win-versions to be able to decrypt the incoming emails. But it is getting the GPG executable onto the Unix/Apache server that is confusing to me at this point. I have already uploaded and configured a perl script that will encrypt the form data and send it to me, but for the encryption bit it needs to work together with a "GPG executable". And that's the piece of the puzzle I am currently missing. Are you saying that I could download the source code for e.g. gnupg-1.4.9.tar.gz and then extract it to my Windows harddrive and get a compiler to compile the code to a single file, which I then upload to my hosting server? If so, what kind of compiler should I look for? Do I need it to support special features or a special programming language? /peter -------------- next part -------------- An HTML attachment was scrubbed... URL: From webmaster at felipe1982.com Fri Apr 17 14:09:46 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Fri, 17 Apr 2009 22:09:46 +1000 Subject: GPG executable for Unix/Apache ? In-Reply-To: References: Message-ID: <200904172209.58234.webmaster@felipe1982.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 17 Apr 2009 20:02:29 Jan Banan wrote: > Hi, > > I am completely new to encryption as well as Unix-server programs etc. I am > trying to set up a form on a webpage that should be encrypted when the data > is sent to me. I have found a freeware package from VerySimple which is > called simplesecure 3.33 (http://www.verysimple.com/products.page) and it > looks excactly what I need it to be. I have installed it on my hosting > server and started configuring it, but when it comes to the part of > specifying the path to the GPG executable I realize that I have no such > file. > > I quote from the installation instructions: > > *"**Step Three: Configure GPG/PGP Path:** > > * > > * > * > > *(This step is only necessary if you plan to use the encryption features of > SimpleSecure)** > * > > * > * > > *The "Encrypting Settings" tab of the System Settings page contains fields > for PGP and GPG (see screenshot).** > * > > * > * > > *GPG & PGP Executable paths should be something like "/usr/bin/pgp" or > "/usr/bin/gpg". If your site is hosted on a Windows server, The path may be > something like "C:/Program Files/PGP/pgp.exe" (In the case of Windows > servers, leave the quotes around the path).** > * > > * > * > > *The Keyring path can be configured in two ways.** > * > > * > * > > *A. (recommended). Specify the full path to th e ~/cgi- bin/ssecure/keys > directory. (for example > "/usr/www/public_html/myaccount/cgi-bin/ssecure/keys") Use the same value > for both GPG and PGP keyring path.** > * > > * > * > > *B. (advanced). If you already have a location where you store GPG/PGP > keyrings, you may specify the full path here. (for example > "/usr/home/myaccount/.pgp"). If you decide to configure the path this way, > you must also allow world-read access to your keyring folder.** > * > > * > * > > *SimpleSecure is now configured and ready to test...** > * > > *"* > > I presume I have to download it from GnuPG. But since I have no experience > with Unix software I have no clue what to download and how to tell if it is > an executable. > > Can someone help me and give me a few pointers, please. If I know I am on > the right road I can usually find my way by myself, but here I am a bit > lost in the forest. > > The server is running Apache version 2.2.11 (Unix). > > Thanks! > > /peter Who is your hosting provider? Do they have gpg already installed on their systems for you to use? I don't think you will be allowed to install software onto their computers ... Do you have SSH access to your account on your hosting provider? If so, you can try "which gpg" and see what you get back. Felipe -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAknocZYACgkQRBFtri/y/Nda2ACfYYg1K5OKuJbMD+TyYa+t0FnX GrYAn3uVTK1Kysi4OCu3r2Jhjm7oICwO =nR5R -----END PGP SIGNATURE----- From mearns.b at gmail.com Fri Apr 17 14:51:38 2009 From: mearns.b at gmail.com (Brian Mearns) Date: Fri, 17 Apr 2009 08:51:38 -0400 Subject: GPG executable for Unix/Apache ? In-Reply-To: References: <4df3a1330904170412v46e761f8ve0e5626185c84a12@mail.gmail.com> Message-ID: <4df3a1330904170551r68e8da98wd93c9a8d311f0503@mail.gmail.com> On Fri, Apr 17, 2009 at 8:23 AM, Jan Banan wrote: > Hi, and thanks for answering! > Well, just to avoid misunderstandings, I have a form on a secure HTTP page > on a third-party server. The form data is sent secured from the browser to > the server. When it reaches the server it is to get encrypted before it is > sent to me via email. Once arrived at my local email-inbox it is decrypted. > (And anyway, I am not dealing with credit card numbers or any really > sensitive information, I just want to be able to offer a more or less secure > processing of the form data). > I am actually on a Windows machine myself so when it comes to my end I guess > I should install one of the win-versions to be able to decrypt the incoming > emails. But it is getting the GPG executable onto the Unix/Apache server > that is confusing to me at this point. I have already uploaded and > configured a perl script that will encrypt the form data and send it to me, > but for the encryption bit it needs to work together with a "GPG > executable". And that's the piece of the puzzle I am currently missing. > Are you saying that I could download the source code for e.g. > gnupg-1.4.9.tar.gz and then extract it to my Windows harddrive and get a > compiler to compile the code to a single file, which I then upload to my > hosting server? If so, what kind of compiler should I look for? Do I need it > to support special features or a special programming language? > /peter No you can't build it on Windows...well, you might be able to build it on windows if you have the proper tools (most likely GNU make, gcc and possibly others), but that will only build a Windows executable, which cannot be executed natively on a Unix-like system. What I meant by source is to download and extract the tar.gz on your web server, and build it there. The usual sequence is './configure; make; make install', but you will likely need super-user (root) permission to install it. You could try configuring it to install to a directory you have permissions to write to, and then you shouldn't need special permissions to install it: if you decide to go this route, I can try to help you configure it. But this is all assuming that you have some sort of shell access to the server, so that you can issue the commands. The same is true for the alternative of installing a binary using a package manager. Basically, it comes down to that fact that gnupg is software that needs to be installed on your server, and you need to have permission and the ability to do this, or you're pretty much out of luck, unless you talk your host into installing it for you. You are correct about decrypting; you will need to install a Windows version in order to decrypt the message, and you will need to have your secret key on your windows machine. There are easy to use installers for Windows available on that same link I sent you before, should be straightforward. Let us know if you can get shell access to the server and, if possible, what distribution of Linux (if it is Linux) the server is running, and we can go from there. -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From roam at ringlet.net Fri Apr 17 15:01:45 2009 From: roam at ringlet.net (Peter Pentchev) Date: Fri, 17 Apr 2009 16:01:45 +0300 Subject: syntax for encrypting only the string passed in an argument In-Reply-To: <23072963.post@talk.nabble.com> References: <23072963.post@talk.nabble.com> Message-ID: <20090417130145.GA953@straylight.m.ringlet.net> On Thu, Apr 16, 2009 at 12:38:52AM -0700, Incomex wrote: > > I want to be able to call a shell from within a development environment > and pass a string of data to it to be de/en/crypted. The idea would look > like > this: > > read from file "data.txt" line z and put it into variableY > variablex = call shell(gpg -e -r Joe variableY) > print variablex > > rem: variableY is the plaintext, variablex is the returned cyphertext I don't think GnuPG supports this syntax; however, you can do it somewhat indirectly by: echo $variableY | gpg -e -r Joe -o var_y.txt.gpg You could even write a simple program (or shell script, or Perl script, or something) that uses the mktemp() or mkstemp() standard C library functions, or the mktemp(1) command-line utility, creates a temporary file, has GnuPG output to it, displays it, and removes it. Actually, come to think of it, here's a shell script and a Perl script that do that - down there, right after the signature. Hope you can at least read the code to see the ideas if you can't use them directly :) Caveat emptor: the shell script does not deal very well with recipient names containing whitespace or special characters! Also, the use of "echo ... | gpg" makes it susceptible to a "ps awwfux" attack whereby somebody who runs a "ps" command on the right server at the right time might see the arguments to the "echo" command in the process list and learn what you want to encrypt. Hope that helps! G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Nostalgia ain't what it used to be. #!/usr/bin/perl -w # # Copyright (c) 2009 Peter Pentchev # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $Ringlet: security/gpgenv/trunk/gpgenv/gpgenv.pl 3525 2009-04-17 12:58:10Z roam $ use strict; use File::Temp; MAIN: { my ($var, $value, $f, $p, $pid, $buf); my (@recip); if ($#ARGV < 1) { die("Usage: gpgenv varname recipient...\n"); } ($var, @recip) = @ARGV; $value = $ENV{$var} || ''; $f = new File::Temp or die("Creating a temp file: $!\n"); chmod(0600, $f) or die("Setting a mode on ".$f->filename().": $!\n"); $pid = open($p, '|-'); if (!defined($pid)) { die("Forking for GnuPG: $!\n"); } elsif ($pid == 0) { $ENV{'PATH'} = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/X11R6/bin'; delete @ENV{qw/IFS CDPATH ENV BASH_ENV/}; exec('gpg', '--batch', '--yes', '-e', '-o', $f->filename(), map { ('-r', $_) } @recip); die("Executing GnuPG: $!\n"); } print $p "$value\n" or die("Sending the value of the $var variable to the child: $!\n"); close($p) or die("The child process exited with an error\n"); seek($f, 0, SEEK_SET) or die("Rewinding the output file: $!\n"); while (read($f, $buf, 4096) > 0) { print $buf; } } #!/bin/sh # # Copyright (c) 2009 Peter Pentchev # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $Ringlet: security/gpgenv/trunk/gpgenv/gpgenv.sh 3525 2009-04-17 12:58:10Z roam $ set -e if [ "$#" -lt 2 ]; then echo 'Usage: gpgenv varname recipient...' 1>&2 exit 1 fi varname="$1" shift recip=`echo "$@" | sed -e 's/ / -r /g'` tmpd='/tmp' empty='' d="$TMPDIR" for i in TEMPDIR TMP TEMP tmpd empty; do if [ -z "$d" ] || [ ! -d "$d" ] || [ ! -w "$d" ]; then eval "d=\$$i" fi done if [ -z "$d" ]; then echo 'Could not find a temporary directory' 1>&2 exit 1 fi f=`mktemp "$d/gpgenv.XXXXXX"` trap "rm -f $f" EXIT HUP INT QUIT TERM chmod 600 "$f" eval "echo \$$varname" | gpg --batch --yes -e -r $recip -o "$f" cat "$f" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From BruderB at cation.de Fri Apr 17 14:19:36 2009 From: BruderB at cation.de (B) Date: Fri, 17 Apr 2009 14:19:36 +0200 Subject: GPG executable for Unix/Apache ? In-Reply-To: References: Message-ID: <49E873D8.8060804@cation.de> Jan Banan schrieb: > Hi, > > I am completely new to encryption as well as Unix-server programs etc. I > am trying to set up a form on a webpage that should be encrypted when > the data is sent to me. I have found a freeware package from VerySimple > which is called simplesecure 3.33 > (http://www.verysimple.com/products.page) and it looks excactly what I > need it to be. I have installed it on my hosting server and started > configuring it, but when it comes to the part of specifying the path to > the GPG executable I realize that I have no such file. > Hej Peter, you should tell about what Unix you ar using! On Debian Linux try apt-get install gnupg Boris From BruderB at cation.de Fri Apr 17 16:37:35 2009 From: BruderB at cation.de (B) Date: Fri, 17 Apr 2009 16:37:35 +0200 Subject: GPG executable for Unix/Apache ? In-Reply-To: References: <4df3a1330904170412v46e761f8ve0e5626185c84a12@mail.gmail.com> Message-ID: <49E8942F.6070601@cation.de> Jan Banan schrieb: > 2009/4/17 Brian Mearns > > > On Fri, Apr 17, 2009 at 6:02 AM, Jan Banan > wrote: > > Hi, > > > > I am completely new to encryption as well as Unix-server programs > etc. I am [snip] ". And that's the piece of the puzzle I am > currently missing. The peace of the puzzle that makes it possible for someone to help aout is answering the question: What kind of Unix/Linux?? > Are you saying that I could download the source code for e.g. > gnupg-1.4.9.tar.gz and then extract it to my Windows harddrive and get a > compiler to compile the code to a single file, which I then upload to my > hosting server? If so, what kind of compiler should I look for? Do I > need it to support special features or a special programming language? > /peter > No,no,no,no,no - to answer each question! ;-) On typical distribution there are binaries avaliable - no need to compile the sources. So: Which Distribution?? Boris From rayven at organicengineer.com Fri Apr 17 16:58:04 2009 From: rayven at organicengineer.com (rayven) Date: Fri, 17 Apr 2009 07:58:04 -0700 (PDT) Subject: trouble with gnu-agent and etoken Message-ID: <23099347.post@talk.nabble.com> I have been trying to get gpg working with my etoken. I'm thinking is something to do with pinenrty or gpg-agent. any and all help will be greatly appreciated. so far here is where i am: Let me know which systems you'd like info about and I'll post the version numbers and such. I've used the slackbuild scripts for gnupg, openct 0.6.15, opensc 0.11.7, pinentry 0.7.5 built from source : gnupg-pkcs11-scd-0.06 I'm not sure i have the card setup properly i've initilized it a few times on my windows box. I've added pgp keys to it. I've used the pkcs-init tool to generate a keypair on it and ad a cert.pem certificate to it. but.... when i go to gpg2 --card-edit and run a generate command if get this (after answering the questions): Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: DBG: got status line `KEY-FPR 8FDA0003BA061700DFF01B1C87EC43DF61D323FD' gpg: DBG: got status line `KEY-CREATED-AT 1239979297' gpg: DBG: got status line `SERIALNO D2760001240111111111111111111111 0' gpg: DBG: got status line `KEY-DATA n 0097E205092E2C3ED8574CC33F10A08FC160CB50ADAC83A85E50EB71589CC3FB6311B319E3C7CE3F0A818D642C26D28B7B47483480BCBE88C1AE90907F06B6D6BA9AED5987C03FDE2BB0220A6FA0D9DC2C4ACA03313E7F80D34FA8CB7E3646A2CBE89C58880462D00891504996350D9A17180EAC4AD4332A745D67D28D7629A073' gpg: DBG: got status line `KEY-DATA e 010001' gpg: checking created signature failed: Bad signature gpg: signing failed: Bad signature gpg: make_keysig_packet failed: Bad signature Key generation failed: Bad signature Sometimes i get a pinentry box and i get a different error messge (sorry coudn't reproduce this one anymore): Basically is said something about and improperly formated ICP line. ---------------------------------------------------------------------------------------------------------- Some other debug stuff root at bertha:~# gpg-connect-agent > scd learn S SERIALNO D2760001240111111111111111111111 0 S APPTYPE PKCS11 S KEY-FRIEDNLY 8FDA0003BA061700DFF01B1C87EC43DF61D323FD /C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Alex Pennington on OpenSC Card S KEY-FPR 3 8FDA0003BA061700DFF01B1C87EC43DF61D323FD S KEYPAIRINFO 8FDA0003BA061700DFF01B1C87EC43DF61D323FD OpenSC\x20Project/PKCS\x2315/2556CE181507/OpenSC\x20Card/45 OK > ---------------------------------------------------------------------------------------------------------------------- root at bertha:~# pkcs11-tool -t --login [opensc-pkcs11] reader-pcsc.c:887:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d [opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found [opensc-pkcs11] reader-pcsc.c:887:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d [opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found C_SeedRandom() and C_GenerateRandom(): seeding (C_SeedRandom) not supported seems to be OK Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OK Signatures (currently only RSA signatures) testing key 0 (Private Key) all 4 signature functions seem to work testing signature mechanisms: RSA-X-509: ERR: verification failed RSA-PKCS: ERR: verification failed SHA1-RSA-PKCS: ERR: verification failed MD5-RSA-PKCS: ERR: verification failed RIPEMD160-RSA-PKCS: ERR: verification failed Verify (currently only for RSA): testing key 0 (Private Key) RSA-X-509: ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5) Key unwrap (RSA) testing key 0 (Private Key) -- can't be used to unwrap, skipping Decryption (RSA) testing key 0 (Private Key) -- can't be used to decrypt, skipping Testing card detection Please press return to continue, x to exit: Available slots: Slot 0 Aladdin eToken PRO 64k token label: OpenSC Card token manuf: OpenSC Project token model: PKCS#15 token flags: token initialized serial num : 2556CE181507 Slot 1 (empty) Slot 2 (empty) Slot 3 (empty) Slot 4 (empty) Slot 5 (empty) Slot 6 (empty) Slot 7 (empty) Slot 8 (empty) Slot 9 (empty) Slot 10 (empty) Slot 11 (empty) Slot 12 (empty) Slot 13 (empty) Slot 14 (empty) Slot 15 (empty) Please press return to continue, x to exit: ----------------------------------------------------------------------------------------------------------------------------------------- # ./.gnupg/gnupg-pkcs11-scd.conf # Log file. #log-file log1 # Default is not verbose. verbose # Default is no debugging. debug-all # Pin cache period in seconds; default is infinite. #pin-cache 20 # Comma-separated list of available provider names. Then set # attributes for each provider using the provider-[name]-attribute # syntax. providers opensc # Provider attributes (see below for detailed description) provider-opensc-library /usr/lib/opensc-pkcs11.so # Example gnupg-pkcs11-scd.conf file #providers p1 #provider-p1-library /usr/lib/libetpkcs11.so.3-60.14 #provider-p1-library /usr/lib/libetpkcs11.so emulate-openpgp openpgp-sign 8FDA0003BA061700DFF01B1C87EC43DF61D323FD openpgp-encr 8FDA0003BA061700DFF01B1C87EC43DF61D323FD openpgp-auth 8FDA0003BA061700DFF01B1C87EC43DF61D323FD -------------------------------------------------------------------------------------------------------------------- #./gnupg/gpg-agent.conf scdaemon-program /usr/bin/gnupg-pkcs11-scd pinentry-program /usr/bin/pinentry -------------------------------------------------------------------------------------------------------------------- -- View this message in context: http://www.nabble.com/trouble-with-gnu-agent-and-etoken-tp23099347p23099347.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rayven at organicengineer.com Fri Apr 17 16:51:36 2009 From: rayven at organicengineer.com (Alex Pennington) Date: Fri, 17 Apr 2009 10:51:36 -0400 Subject: subscribe Message-ID: <000e01c9bf6c$02e69990$08b3ccb0$@com> subscribe -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerry.lowry at abilitybusinesscomputerservices.com Fri Apr 17 17:47:02 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Fri, 17 Apr 2009 11:47:02 -0400 Subject: subscribe References: <000e01c9bf6c$02e69990$08b3ccb0$@com> Message-ID: Alex, you are likely already subscribed or your message would likely not have been posted. [ http://lists.gnupg.org/mailman/listinfo/gnupg-users ] ----- Original Message ----- From: Alex Pennington To: gnupg-users at gnupg.org Sent: Friday, April 17, 2009 10:51 AM Subject: subscribe subscribe _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From reynt0 at cs.albany.edu Fri Apr 17 23:28:55 2009 From: reynt0 at cs.albany.edu (reynt0) Date: Fri, 17 Apr 2009 17:28:55 -0400 (EDT) Subject: Keyserver doesn't honour removed signatures In-Reply-To: <20090416101239.63886x991j5nmgco@mail.monkeyblade.net> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> <871vrtrrrc.fsf@wheatstone.g10code.de> <20090416101239.63886x991j5nmgco@mail.monkeyblade.net> Message-ID: On Thu, 16 Apr 2009, Robert J. Hansen wrote: . . . > Add it all together and USENET was at best a network-choking bandwidth hog, > and at worst was a lawsuit waiting to happen. And thus, many full USENET . . . Hmmmm :), when I was starting to learn about computers, I thought USENET was a candy store I could actually go into and get candy from instead of being out in the street wistfully looking through the window. And the RFCs were an ice cream store. From xano.tte at gmail.com Sat Apr 18 14:04:24 2009 From: xano.tte at gmail.com (Hashimoto) Date: Sat, 18 Apr 2009 09:04:24 -0300 Subject: keyservers Message-ID: <1240056264.10964.19.camel@debian-lap> Hi guys, The key posted in one keyserver will be synchronized with all of the other ? And how to find a keyserver to store my publickey ? And my last question is how to find for a specific key ? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerry.lowry at abilitybusinesscomputerservices.com Sat Apr 18 17:26:38 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Sat, 18 Apr 2009 11:26:38 -0400 Subject: keyservers References: <1240056264.10964.19.camel@debian-lap> Message-ID: <346B77831E6E4F0EB94C9ADFBBC83892@zentrumvegan> AFAIK you can publish your key to https://keyserver.pgp.com/vkd/GetWelcomeScreen.event; it will be synchronized AFAIK; you will need to confirm every so often that your key is valid so PGP do not drop it. You can publish to other keyservers and your public key will not find its way to the PGP Global Directory (https://keyserver.pgp.com/vkd/GetWelcomeScreen.event) AFAIK. I've been advised to avoid MIT's keyserver because apparently it's not well maintained. (I think it was MIT, could be some other server). Other members of this mailing list can give you much better advice. Also check Google for sources like http://en.wikipedia.org/wiki/Key_server_(cryptographic); remember that anybody can contribute to wikipedia articles. Your question about finding keys: GnuPG has a find option ... point it at a keyserver to retrieve. You can use ID, e-mail address, and possibly other data to retrieve the key(s) you require. Again, other members of this mailing list can give you much better advice. g, From rjh at sixdemonbag.org Sat Apr 18 17:33:36 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 18 Apr 2009 11:33:36 -0400 Subject: keyservers In-Reply-To: <346B77831E6E4F0EB94C9ADFBBC83892@zentrumvegan> References: <1240056264.10964.19.camel@debian-lap> <346B77831E6E4F0EB94C9ADFBBC83892@zentrumvegan> Message-ID: <49E9F2D0.9040203@sixdemonbag.org> gerry_lowry (alliston ontario canada) wrote: > AFAIK you can publish your key to https://keyserver.pgp.com... > it will be synchronized AFAIK PGP's server doesn't sync. > I've been advised to avoid MIT's keyserver because apparently > it's not well maintained. And broken. It doesn't play nice with modern keys. From jmoore3rd at bellsouth.net Sat Apr 18 17:42:03 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat, 18 Apr 2009 11:42:03 -0400 Subject: keyservers In-Reply-To: <346B77831E6E4F0EB94C9ADFBBC83892@zentrumvegan> References: <1240056264.10964.19.camel@debian-lap> <346B77831E6E4F0EB94C9ADFBBC83892@zentrumvegan> Message-ID: <49E9F4CB.4060003@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 gerry_lowry (alliston ontario canada) wrote: > AFAIK you can publish your key to https://keyserver.pgp.com/vkd/GetWelcomeScreen.event; > it will be synchronized AFAIK; you will need to confirm every so often > that your key is valid so PGP do not drop it. PGP GD doesn't gossip/share. I prefer hkp://pool.sks-keyservers.net After Uploading to this Server it'll take no more than 24-48 hours to have Your Key very well propagated. Earlier You asked "how" to accomplish this. Are You using a Frontend for GnuPG or doing everything from the Command line? JOHN ;) Timestamp: Saturday 18 Apr 2009, 11:41 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4979: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ6fTKAAoJEBCGy9eAtCsPxAgIAKW/Nl5M3q0yzC9YpySG54QY b9pB4gsfNs7biLgQyrwHlLWnZ0tAiv1llGXhcB5ylBTCAwXNByfxcdi5BEATm6Q0 dDOV0RbMTv9kEE2xes2G4EWC2SsywnDO67ntLvnHS3iOms/bVuZKUq4JiGsfyeSG gd3WLA4Dm9rLYzGcVAX1rN/f51smN/5eHT0r2HaJtBiPmXU1WnYgMIGDFJCfEoOM PkwIGI+9fHoQfO+bMl8yKDiHyEdNvKpbwrm9pWuUuSiojQ5QQNXtBT8yRdVaJ9wP 0DRKNwuq6H2+YA91tNXGWHiB9wJe7tB4cSP+q9f6N9Bp1ZXxSJpBmvtZitwWNMQ= =NMXg -----END PGP SIGNATURE----- From faramir.cl at gmail.com Sat Apr 18 21:28:43 2009 From: faramir.cl at gmail.com (Faramir) Date: Sat, 18 Apr 2009 15:28:43 -0400 Subject: keyservers In-Reply-To: <1240056264.10964.19.camel@debian-lap> References: <1240056264.10964.19.camel@debian-lap> Message-ID: <49EA29EB.8080803@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hashimoto escribi?: > Hi guys, > > The key posted in one keyserver will be synchronized with all of the > other ? And how to find a keyserver to store my publickey ? Most of the will synchronize with others, but there are a few that doesn't do that. I suggest using pool.sks-keyservers.net both to store you public key, and to retrieve specific keys. Sometimes you'll need to take a look at some of the servers that doesn't synchronize, but that is unusual. You can use biglumber.com to store your public key right as you like it to be, it doesn't synchronize, so you can edit your public key, remove unused UIDs, revoked signatures, and so on, and then upload it to biglumber. > And my last question is how to find for a specific key ? I am not sure, the GUIs I use do that for me. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ6inrAAoJEMV4f6PvczxAuJwH/0r+nlGZL6zgUYZinX9RGDL2 ZVOkYJVEwj9Wei4+Hef7Sf4W3JSLsXnQNoYcjAdaMJ4ts0fUQI0mgESpf5+9Tcwa ovBc+jSSD0v9DjVAqBS2uk0b6utlVAKMvwRsMJAF/tafMnuIuCDgFNAJm2ja1D5o BcnudfBOrskpoIritGyK/3ABGjimd8T1/9Y5TtF6fHvwTPkwNk/mwLSoDdrJusJA zXR0q8S2j/XL28f/ZB6YQd3pYj3aUMu+5XIbR11R/cXzCMjFTp+FR9uFCyBpazmd hFE/GT93zz7tGvqtpAhDCFgAZ4RkXx27Ggzeh9m+82XKSTB0oijLxAJwdgxwNiU= =SPyy -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Apr 18 18:03:27 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 18 Apr 2009 12:03:27 -0400 Subject: keyservers In-Reply-To: <49EA29EB.8080803@gmail.com> References: <1240056264.10964.19.camel@debian-lap> <49EA29EB.8080803@gmail.com> Message-ID: <49E9F9CF.1050609@sixdemonbag.org> Faramir wrote: >> And my last question is how to find for a specific key ? > > I am not sure, the GUIs I use do that for me. gpg --keyserver x-hkp://pool.sks.keyservers.net --recv-key [keyID] From kloecker at kde.org Sat Apr 18 22:42:46 2009 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sat, 18 Apr 2009 22:42:46 +0200 Subject: keyservers In-Reply-To: <49E9F9CF.1050609@sixdemonbag.org> References: <1240056264.10964.19.camel@debian-lap> <49EA29EB.8080803@gmail.com> <49E9F9CF.1050609@sixdemonbag.org> Message-ID: <200904182242.52806@thufir.ingo-kloecker.de> On Saturday 18 April 2009, Robert J. Hansen wrote: > Faramir wrote: > >> And my last question is how to find for a specific key ? > > > > I am not sure, the GUIs I use do that for me. > > gpg --keyserver x-hkp://pool.sks.keyservers.net --recv-key [keyID] Or, if you do not know the key ID: gpg --keyserver x-hkp://pool.sks.keyservers.net --search-key [names] From gpg's man page: Search the keyserver for the given names. Multiple names given here will be joined together to create the search string for the keyserver. Option --keyserver must be used to give the name of this keyserver. Keyservers that support different search methods allow using the syntax specified in "How to specify a user ID" below. Note that different keyserver types support different search methods. Currently only LDAP supports them all. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From darshan.jain.1212 at gmail.com Mon Apr 20 17:05:22 2009 From: darshan.jain.1212 at gmail.com (Darshan Jain) Date: Mon, 20 Apr 2009 20:35:22 +0530 Subject: OpenPGP digital signature query Message-ID: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> Hi, Can OpenPGP digital signature be used to comply to FDA's 21 CFR Part 11 , or does it mandatorily require X.509 or PKI based signatures http://en.wikipedia.org/wiki/Title_21_CFR_Part_11 Thanks, Darshan. -------------- next part -------------- An HTML attachment was scrubbed... URL: From barry at fantasymail.de Mon Apr 20 17:30:43 2009 From: barry at fantasymail.de (Barry) Date: Mon, 20 Apr 2009 17:30:43 +0200 Subject: New GnuPT-Version Message-ID: <49EC9523.6080103@fantasymail.de> Hello, yesterday a new GnuPT-Version has been released. Changelog for WinPT: The swapped hotkey situation was not 100% solved. This version also adjust the code to associate the keys for each hot key. Updated the libgpg-error component to 1.6.0.2. The passphrase control does now *allow* to paste text into the field. Swapped hotkey for the clipboard (encrypt, decrypt). The issue is now fixed. Fix a problem that keyserver which are marked as deleted are still displayed in the Key Manager context menu. Fix wrong prefix for added keyserver entries. Now it is hkp:// by default. The only exception is a port 80 entry which means http://. The new data transport format is UTF-8. This step is important for people who exchange encrypted message but they do not use the same charset. WinPT handles the case automatically, which means all clipboard data send to GPG is encoded in UTF-8 and all data we get back from GPG is decoded from UTF-8 into the locale charset. If external software is used, and the text contains 8-bit characters, no US-ASCII, the software is responsible for decoding the UTF-8 data into the locale setting. This should be the default case today. TRANSLATIONS: New Russian translation. Download at: http://www.gnupt.de -- Barry From ulricha at informatik.uni-tuebingen.de Sat Apr 18 14:24:06 2009 From: ulricha at informatik.uni-tuebingen.de (Alexander Ulrich) Date: Sat, 18 Apr 2009 14:24:06 +0200 Subject: keyservers In-Reply-To: <1240056264.10964.19.camel@debian-lap> (sfid-20090418_141040_365865_38985DDB) (Hashimoto's message of "Sat\, 18 Apr 2009 09\:04\:24 -0300") References: <1240056264.10964.19.camel@debian-lap> Message-ID: <871vrqno9l.fsf@roadw.wilhelma> Hashimoto writes: > The key posted in one keyserver will be synchronized with all of the > other Yes. > ? And how to find a keyserver to store my publickey ? See for example http://www.sks-keyservers.net for a list of synchronizing keyservers or use the pool x-hkp://pool.sks-keyservers.net. > And my last question is how to find for a specific key ? You can (a) point your web browser to one of the keyserver addresses, because (almost) all keyservers feature a web search form, (b) use the GnuPG command line client with "gpg --search-keys" or (c) use the search functionality provided by MUA plugins such as Enigmail (Mozilla Thunderbird). Alex -- PGP/GnuPG encrypted e-mail preferred. OpenPGP key ID: 0x6EE2F714 jabber: nop at jabber.ccc.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From John at Mozilla-Enigmail.org Mon Apr 20 22:04:53 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Mon, 20 Apr 2009 15:04:53 -0500 Subject: keyservers In-Reply-To: <871vrqno9l.fsf@roadw.wilhelma> References: <1240056264.10964.19.camel@debian-lap> <871vrqno9l.fsf@roadw.wilhelma> Message-ID: <49ECD565.2040908@Mozilla-Enigmail.org> Alexander Ulrich wrote: > Hashimoto writes: >> The key posted in one keyserver will be synchronized with all of the >> other > > Yes. Normally within a hour or two. The SKS keyservers use a very fast and efficient protocol to exchange updates. Updates are emailed to other keyservers running different software packages as well as the older PKS servers to try and keep them updated. >> ? And how to find a keyserver to store my publickey ? > > See for example http://www.sks-keyservers.net for a list of > synchronizing keyservers or use the pool > x-hkp://pool.sks-keyservers.net. The pool is best, hkp://pool.sks-keyservers.net Good SKS status pages are: http://www.pramberger.at/peter/services/keyserver/network/ and http://sks-keyservers.net/status/ >> And my last question is how to find for a specific key ? > > You can (a) point your web browser to one of the keyserver addresses, > because (almost) all keyservers feature a web search form, (b) use the > GnuPG command line client with "gpg --search-keys" or (c) use the search > functionality provided by MUA plugins such as Enigmail (Mozilla > Thunderbird). Keyserver web pages listen on port 11371, so one needs to add the port to the browser URL: http://keyserver.gingerbear.net:11371/ About 1/2 of the SKS servers also listen on port 80, the default http port, for users behind restrictive firewalls. There's even an email protocol for user behind REALLY restrictive firewalls. Peter Pramberger's status page indicates which servers have these capabilities. There are presently eight or so servers supporting IPv6. That should improve with time. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From John at Mozilla-Enigmail.org Mon Apr 20 22:50:01 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Mon, 20 Apr 2009 15:50:01 -0500 Subject: OpenPGP digital signature query In-Reply-To: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> Message-ID: <49ECDFF9.2040506@Mozilla-Enigmail.org> Darshan Jain wrote: > Can OpenPGP digital signature be used to comply to FDA's 21 CFR Part 11 > , or does it mandatorally require X.509 or PKI based signatures > > http://en.wikipedia.org/wiki/Title_21_CFR_Part_11 You check the DHHS HIPAA page, http://www.hhs.gov/ocr/hipaa/ ? Might be a bit more authoritative that Wikipedia. Best answer, maybe. Depends on the circumstances (HIPPA/HIPAA[0] provide different sets of protections. Encryption/Digital signatures may or may not be applicable.) OpenPGP can be used for HIPAA compliance - I've implemented it for several medical practices. Your interests would be best served by a) hiring the services of a security consultant knowledgeable in the dealings of HIPAA specifically as it relates to the FDA; b) consulting an attorney knowledgeable in technology, c) both of the above. [0] way back in the dark ages of the mid-90s, before HIPAA: the Health Insurance Portability & Accountability Act, there was HIPPA: Health Information Privacy Protection Act. Google "health information privacy protection act" in quotes to get references to HIPPA, without quotes you'll get HIPAA. EPIC has a good Bibliography[1] on the Confidentiality of Health Information. [1] http://www.epic.org/privacy/medical/gellman.html -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Tue Apr 21 01:08:11 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 20 Apr 2009 19:08:11 -0400 Subject: OpenPGP digital signature query In-Reply-To: <49ECDFF9.2040506@Mozilla-Enigmail.org> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> Message-ID: <49ED005B.8090900@sixdemonbag.org> John Clizbe wrote: > Your interests would be best served by a) hiring the services of a > security consultant knowledgeable in the dealings of HIPAA specifically > as it relates to the FDA; b) consulting an attorney knowledgeable in > technology, c) both of the above. I'll go one step further: asking this query on an internet mailing list could itself be seen as failure to exercise due care. You don't know any of us here and cannot vouch for anyone's legal or technological acumen. As far as due diligence is concerned, asking here -- instead of asking lawyers and security consultants -- is pretty much reckless disregard. From dshaw at jabberwocky.com Tue Apr 21 03:26:19 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 20 Apr 2009 21:26:19 -0400 Subject: OpenPGP digital signature query In-Reply-To: <49ED005B.8090900@sixdemonbag.org> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> <49ED005B.8090900@sixdemonbag.org> Message-ID: <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> On Apr 20, 2009, at 7:08 PM, Robert J. Hansen wrote: > John Clizbe wrote: >> Your interests would be best served by a) hiring the services of a >> security consultant knowledgeable in the dealings of HIPAA >> specifically >> as it relates to the FDA; b) consulting an attorney knowledgeable in >> technology, c) both of the above. > > I'll go one step further: asking this query on an internet mailing > list > could itself be seen as failure to exercise due care. You don't know > any of us here and cannot vouch for anyone's legal or technological > acumen. As far as due diligence is concerned, asking here -- > instead of > asking lawyers and security consultants -- is pretty much reckless > disregard. That's a pretty big step there. Asking a user community of GnuPG a question about OpenPGP is not reckless disregard. What you do with the *answer* might be reckless disregard, so John's advice to consult an attorney familiar with the issue is wise. Asking questions is good. Doing the right thing with the answers is, as always, the responsibility of the questioner. David From dshaw at jabberwocky.com Tue Apr 21 03:43:06 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 20 Apr 2009 21:43:06 -0400 Subject: Keyserver doesn't honour removed signatures In-Reply-To: <20090416101239.63886x991j5nmgco@mail.monkeyblade.net> References: <49E1276C.5090703@naturalnet.de> <871vrvv2k9.fsf__29007.7380989262$1239713093$gmane$org@wheatstone.g10code.de> <4B6ED883-3071-48A1-BD86-84F57EBA1C00@jabberwocky.com> <877i1lsupp.fsf@wheatstone.g10code.de> <871vrtrrrc.fsf@wheatstone.g10code.de> <20090416101239.63886x991j5nmgco@mail.monkeyblade.net> Message-ID: On Apr 16, 2009, at 1:12 PM, Robert J. Hansen wrote: > Add it all together and USENET was at best a network-choking > bandwidth hog, and at worst was a lawsuit waiting to happen. And > thus, many full USENET feeds fell off the face of the net. > > It might be worth wondering whether the same could happen to the > keyserver network. It seems less likely, due to how difficult it > would be to share large files that way -- but the possibility should > be considered. I suspect that many keyservers are run at sites that are happy enough to leave them running as long as they don't cause trouble of one sort or another. A concerted effort by someone to annoy and inconvenience those sites (via uploading porn? via something else?) would rather quickly reduce the number of keyservers. Not to zero, but we could lose a good number of them. David From rjh at sixdemonbag.org Tue Apr 21 04:07:42 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 20 Apr 2009 22:07:42 -0400 Subject: OpenPGP digital signature query In-Reply-To: <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> <49ED005B.8090900@sixdemonbag.org> <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> Message-ID: <49ED2A6E.40309@sixdemonbag.org> David Shaw wrote: > That's a pretty big step there. "Is it true that you chose as a first source of information a mailing list where you did not know the people who were responding, nor their credentials, nor their professional expertise, and none of whom bore any responsibility for the accuracy of their answers?" I have a lot of respect for the abilities of attorneys to spin things all around. From dshaw at jabberwocky.com Tue Apr 21 04:12:35 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 20 Apr 2009 22:12:35 -0400 Subject: OpenPGP digital signature query In-Reply-To: <49ED2A6E.40309@sixdemonbag.org> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> <49ED005B.8090900@sixdemonbag.org> <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> <49ED2A6E.40309@sixdemonbag.org> Message-ID: <6748712E-3F46-4AA7-9197-6ACDCF1E86C5@jabberwocky.com> On Apr 20, 2009, at 10:07 PM, Robert J. Hansen wrote: > David Shaw wrote: >> That's a pretty big step there. > > "Is it true that you chose as a first source of information a mailing > list where you did not know the people who were responding, nor their > credentials, nor their professional expertise, and none of whom bore > any > responsibility for the accuracy of their answers?" "Sure. They told me some stuff, and I treated it as anecdote until I got confirmation from an attorney." There is nothing wrong with asking questions. It's what you do with the answers that matters. David From dshaw at jabberwocky.com Tue Apr 21 06:19:48 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Apr 2009 00:19:48 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E1D812.40400@bellsouth.net> References: <49E1BDE2.1070003@naturalnet.de> <49E1D812.40400@bellsouth.net> Message-ID: <2BDD3469-4228-4885-A48E-7F65940063D6@jabberwocky.com> On Apr 12, 2009, at 8:01 AM, John W. Moore III wrote: > Listing Your Key at www.biglumber.com will allow You to display Your > Key > exactly as You desire it to appear and folks may be directed to > retrieve > it from there via a Comment line or a signature tagline. I am not > aware > of the ability to specify the Big Lumber listing in a 'Preferred > Keyserver' flag. You can. Just list the Biglumber URL to your key as your preferred keyserver (i.e. "http://biglumber.com/Keys/......"). David From dshaw at jabberwocky.com Tue Apr 21 06:39:01 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Apr 2009 00:39:01 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49E30498.5040109@sven-radde.de> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> <49E30498.5040109@sven-radde.de> Message-ID: <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> On Apr 13, 2009, at 5:23 AM, Sven Radde wrote: > Hi! > > John Clizbe schrieb: >> You can remove any cruft you wish and distribute that key yourself. >> You >> just can't use the keyserver networks to do it. Also anyone who >> refreshes that key from a keyserver will pick up all the pieces you >> decided needed deleting. > > If you distribute the key yourself, you can set a preferred keyserver > flag on your key. You can have that point to, e.g., > http://yoursite.com/yourkey.asc and refreshes should be done from > there > (unless the other user changes "keyserver-options honor-keyserver- > url"). > > With PKA, you can even get automatic key retrieval without a > keyserver. That's not quite right. PKA records in DNS can point to a keyserver, but you still need the keyserver in the mix somewhere (though, like the "preferred keyserver" feature, that "keyserver" might be a key stored on a web server). You might be thinking of CERT. The CERT DNS record can store either a URL like PKA does, or can store the whole key so you don't need a keyserver. Of course, that can make for a pretty big DNS record... CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS. PKA is a different sort of thing - it's a pretty neat way to leverage the ubiquity of DNS into a different trust model. It just happens that both CERT and PKA can do the "DNS lookup to find a key" trick. David From email at sven-radde.de Tue Apr 21 07:31:21 2009 From: email at sven-radde.de (Sven Radde) Date: Tue, 21 Apr 2009 07:31:21 +0200 Subject: Keyserver doesn't honour signature removal In-Reply-To: <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> <49E30498.5040109@sven-radde.de> <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> Message-ID: <49ED5A29.80406@sven-radde.de> Hi! David Shaw schrieb: >> With PKA, you can even get automatic key retrieval without a keyserver. > > That's not quite right. PKA records in DNS can point to a keyserver, > but you still need the keyserver in the mix somewhere (though, like the > "preferred keyserver" feature, that "keyserver" might be a key stored on > a web server). True, you still need some kind of server (one might argue that even using CERT, you have a 'keyserver' - the DNS server itself). The notable difference, however, is that a web server presents my key exactly as *I* desire, allowing for removed signatures, replacing the key by a new one etc. PKA is the way to get somebody to use my web server already for initial key retrieval (although this might not be the primary purpose of PKA) so that the (synchronizing merge-only) keyserver network is avoided. > CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS. Unfortunately, my provider does not allow me to set CERT type DNS records. TXT is possible (for, e.g., SPF and PKA). I will ask whether they can do it (since it appears to be natively supported in BIND 9, right?) cu, Sven From faramir.cl at gmail.com Tue Apr 21 07:44:05 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 21 Apr 2009 01:44:05 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49ED5A29.80406@sven-radde.de> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> <49E30498.5040109@sven-radde.de> <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> <49ED5A29.80406@sven-radde.de> Message-ID: <49ED5D25.4070206@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Sven Radde escribi?: > PKA is the way to get somebody to use my web server already for initial > key retrieval (although this might not be the primary purpose of PKA) so > that the (synchronizing merge-only) keyserver network is avoided. But if somebody, by mistake or on purpose uploads your key to a "normal" keyserver... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ7V0kAAoJEMV4f6PvczxAmNsH/R3NIptcocD+vxWylVIem2sR 7BRNMO7JsaGy1DWFVJ3dV9GGNZTLsLEpFJzu0vhlEfyq1dHoyHf5tMRKXnygur4P Aq1xHTDjM9BdiwSJ/uN4O09dMPI6o+fj4KH0fxZquw3/aDTQDmLYnvX9JzI+T3p9 2En3mqLlQX9fQzMqUIODrYXHA8nKxo0MJZbZRWdLWjEjuYZwKG8goE7C/5gY7/V0 lXAaVSi3XrxHXnVGYuJ+lUdf3pbyd2rpGbrS40YgWjyKwyW3N2TdSGtBFBT4ubvO VDqXcpjQwZPnVpfhtXQEz2qHp3PeUbZgWUPykJEewZv8Afx+jiAcCz4Kwx4bMZU= =ws64 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Apr 21 13:38:39 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 21 Apr 2009 07:38:39 -0400 Subject: OpenPGP digital signature query In-Reply-To: <6748712E-3F46-4AA7-9197-6ACDCF1E86C5@jabberwocky.com> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> <49ED005B.8090900@sixdemonbag.org> <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> <49ED2A6E.40309@sixdemonbag.org> <6748712E-3F46-4AA7-9197-6ACDCF1E86C5@jabberwocky.com> Message-ID: <49EDB03F.70104@sixdemonbag.org> David Shaw wrote: > "Sure. They told me some stuff, and I treated it as anecdote until I > got confirmation from an attorney." The correct answer is "yes". On cross-examination you're not allowed to give exposition. So now you've just admitted that your first resource, the group you went to first rather than talking to an attorney, is a group that would fail to meet the standards of the law -- and from that, the lawyer argues your pattern of behavior has been similarly slipshod, etc., etc. > There is nothing wrong with asking questions. It's what you do with the > answers that matters. This is a statement about we wish was true about the world, not what is actually true about the world. Walking up to one's boss and asking, "so why did you screw up this project so badly, and why did you ignore all of our warnings of impending doom, and when are you going to turn around your managerial style?" is the sort of thing that tends to lead to conversations about unemployment benefits. I agree with you that questions can and should be answered in a dispassionate manner. I just disagree about that being the way the world actually _is_. From dshaw at jabberwocky.com Tue Apr 21 14:24:39 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Apr 2009 08:24:39 -0400 Subject: OpenPGP digital signature query In-Reply-To: <49EDB03F.70104@sixdemonbag.org> References: <325f3cee0904200805s7c838e77s78d24e1b5e53e95b@mail.gmail.com> <49ECDFF9.2040506@Mozilla-Enigmail.org> <49ED005B.8090900@sixdemonbag.org> <07288203-603A-4EE1-8B23-9599949B3AB2@jabberwocky.com> <49ED2A6E.40309@sixdemonbag.org> <6748712E-3F46-4AA7-9197-6ACDCF1E86C5@jabberwocky.com> <49EDB03F.70104@sixdemonbag.org> Message-ID: On Apr 21, 2009, at 7:38 AM, Robert J. Hansen wrote: > David Shaw wrote: >> "Sure. They told me some stuff, and I treated it as anecdote until I >> got confirmation from an attorney." > > The correct answer is "yes". On cross-examination you're not > allowed to > give exposition. "Your Honor, I object. Assuming facts almost comically not in evidence." The original poster says nothing about using this list as a "first source of information" (your words), or even any words to that effect. In fact, allow me to repost the entire post: > Can OpenPGP digital signature be used to comply to FDA's 21 CFR Part 11 , or does it mandatorily require X.509 or PKI based signatures That's it. One line. You seem to be concluding from this that he has somehow done something wrong by merely asking the question, but I see no actual facts to base that on: merely a guess as to the situation underlying the question, and then scolding the questioner based on your guess. Maybe it would be better let the questioner be responsible for the questioner? I'm happy to continue this discussion offline if you like, but as this no longer has any bearing on GPG or OpenPGP, it seems inappropriate for this list. David From dshaw at jabberwocky.com Tue Apr 21 15:14:53 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Apr 2009 09:14:53 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49ED5A29.80406@sven-radde.de> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> <49E30498.5040109@sven-radde.de> <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> <49ED5A29.80406@sven-radde.de> Message-ID: On Apr 21, 2009, at 1:31 AM, Sven Radde wrote: > Hi! > > David Shaw schrieb: >>> With PKA, you can even get automatic key retrieval without a >>> keyserver. >> >> That's not quite right. PKA records in DNS can point to a keyserver, >> but you still need the keyserver in the mix somewhere (though, like >> the >> "preferred keyserver" feature, that "keyserver" might be a key >> stored on >> a web server). > > True, you still need some kind of server (one might argue that even > using CERT, you have a 'keyserver' - the DNS server itself). > The notable difference, however, is that a web server presents my key > exactly as *I* desire, allowing for removed signatures, replacing the > key by a new one etc. > PKA is the way to get somebody to use my web server already for > initial > key retrieval (although this might not be the primary purpose of > PKA) so > that the (synchronizing merge-only) keyserver network is avoided. Absolutely. I do the same thing, just using CERT. CERT has two modes: "PGP" (where the whole key lives in DNS), and "IPGP" for Indirect PGP, where you give a URL as in PKA. IPGP and PKA are basically the same thing from the find-a-key perspective. It's sort of questionable how practical PGP mode is, with the whole key stuffed in to DNS. You'd get into DNS over TCP fairly quickly, and then (poor) firewalls can start being cranky. GnuPG does support getting keys this way, and I suppose it could be useful with a stripped down key (no 3rd party signatures, or even the output of "minimize") and expect that people will eventually learn the rest of the key info from a full keyserver. I suspect the basic idea is more useful for distributing other OpenPGP objects like revocations, as they are quite small and the DNS check for a revocation is quite cheap. IPGP, though, is very handy. >> CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS. > > Unfortunately, my provider does not allow me to set CERT type DNS > records. TXT is possible (for, e.g., SPF and PKA). > I will ask whether they can do it (since it appears to be natively > supported in BIND 9, right?) Ugh, that's a problem. CERT has been supported since mid BIND 8 (and arguably longer since you can do stuff like "TYPE37" and raw encoding), but if your provider doesn't let you set arbitrary records, then you're stuck. I've seen providers that do DNS through a web GUI with a drop-down menu that allows you to choose A, CNAME, or TXT. I suppose we should be grateful they at least allow TXT! David From bhushan1988 at gmail.com Tue Apr 21 15:40:48 2009 From: bhushan1988 at gmail.com (Bhushan Jain) Date: Tue, 21 Apr 2009 19:10:48 +0530 Subject: OpenPGP digital signature query Message-ID: <62fd3c0a0904210640j3f13c76el4ea3ad818e72e10a@mail.gmail.com> Hi, Thanks all for your wise advice. I am basically an engineering student and I wanted the information for my studies. Affording a lawyer for it is beyond my pocket :-), but I highly appreciate your valued advice. Most of the references I read kind of state PKI based digital signatures , but since OpenPGP is so popular, i was wondering if even that can be deployed. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dshaw at jabberwocky.com Tue Apr 21 17:22:51 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 21 Apr 2009 11:22:51 -0400 Subject: Keyserver doesn't honour signature removal In-Reply-To: <49ED5D25.4070206@gmail.com> References: <49E1BDE2.1070003@naturalnet.de> <49E2523A.8010405@Mozilla-Enigmail.org> <49E30498.5040109@sven-radde.de> <7AA85112-F4B4-4A8E-8B3A-ECC630782E98@jabberwocky.com> <49ED5A29.80406@sven-radde.de> <49ED5D25.4070206@gmail.com> Message-ID: <39E48A33-9152-49CF-8617-44B9074A9427@jabberwocky.com> On Apr 21, 2009, at 1:44 AM, Faramir wrote: > Sven Radde escribi?: > >> PKA is the way to get somebody to use my web server already for >> initial >> key retrieval (although this might not be the primary purpose of >> PKA) so >> that the (synchronizing merge-only) keyserver network is avoided. > > But if somebody, by mistake or on purpose uploads your key to a > "normal" keyserver... If your preferred keyserver field points to the web server, that would tend to (eventually) remove the normal keyserver from the equation. That way, if they find your key via the keyserver, then they'll still (assuming they haven't changed the default configuration) end up at your web site at refresh time. Personally, I don't worry too much about it. Given the client-centric design of OpenPGP, there will always be ways to get the key from the wrong place. When I update my key, I send it to the keyservers, and stick it on my web site. Whichever the person hits is fine with me (or put another way, it's not as if I have a choice in the matter, so I may as well be fine with it). What does worry me about the keyserver situation is that it is confusing for the newcomer to OpenPGP: there are several different round-robin keyserver setups (with different semantics between them!), there are some servers that still can't cope with subkeys, there is confusion on whether a syncing server is necessary or not, etc. This is visible every time someone asks a keyserver question on this list: each response gives a different recommended server. David From harakiri_23 at yahoo.com Tue Apr 21 17:25:41 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Tue, 21 Apr 2009 08:25:41 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file Message-ID: <580320.18996.qm@web52208.mail.re2.yahoo.com> When automatically processing files, i found that gnupg has an endless loop from stdin expecting something but no matter what you enter, it will never quit. 1. using -verify gpg --no-options --batch --status-fd 2 --yes --output out.out --verify in.in.asc gpg: no signed data gpg: can't hash datafile: file open error this is fine, gpg exits, and returns an error (i need to supply the signed data file) 2. using -decrypt without batch on detached signature file gpg --no-options --status-fd 2 --yes --output out.out --decrypt in.in.asc Detached signature. Please enter name of data file: No such file, try again or hit enter to quit. OK i should enter something and can quit with . 3. now using -decrypt with batch on detached signature file gpg --no-options --status-fd 2 --batch --yes --output out.out --decrypt in.in.asc i can enter what i want - gnupg will never quit - adding --debug-all or -v doesnt reveal anything, only control c will quit - but this doesnt help in a batch processing cronjob or similar. I know that --decrypt is not suited for detached signature files but im talking about batch processing here and i dont have control what files are were - at the very least GPG should quit with an error because of --status-fd 2. According to DETAILS.txt this would be the best case for UNEXPECTED Unexpected data has been encountered 0 - not further specified 1 From wk at gnupg.org Tue Apr 21 19:27:51 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Apr 2009 19:27:51 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <580320.18996.qm@web52208.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Tue, 21 Apr 2009 08:25:41 -0700 (PDT)") References: <580320.18996.qm@web52208.mail.re2.yahoo.com> Message-ID: <871vrl6hns.fsf@wheatstone.g10code.de> On Tue, 21 Apr 2009 17:25, Harakiri said: > 2. using -decrypt without batch on detached signature file > i can enter what i want - gnupg will never quit - adding --debug-all or -v doesnt reveal anything, only control c will quit - but this doesnt help in a batch processing cronjob or similar. You must use --batch in unattended mode unless you write the necessary code to control gpg via --command-fd. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From harakiri_23 at yahoo.com Tue Apr 21 20:29:20 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Tue, 21 Apr 2009 11:29:20 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <871vrl6hns.fsf@wheatstone.g10code.de> Message-ID: <127190.99746.qm@web52211.mail.re2.yahoo.com> --- On Tue, 4/21/09, Werner Koch wrote: > From: Werner Koch > Subject: Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file > To: harakiri_23 at yahoo.com > Cc: gnupg-users at gnupg.org > Date: Tuesday, April 21, 2009, 1:27 PM > On Tue, 21 Apr 2009 17:25, Harakiri said: > > > 2. using -decrypt without batch on detached signature > file > > > > i can enter what i want - gnupg will never quit - > adding --debug-all or -v doesnt reveal anything, only > control c will quit - but this doesnt help in a batch > processing cronjob or similar. > > You must use --batch in unattended mode unless you write > the necessary > code to control gpg via --command-fd. > could you please be a bit more specific? Im using --batch in unattended mode but when i use --decrypt on a detached signature file there is no way to quit the program except control + c - what am i supposed to do? status-fd does not indicate that this is a signature file (not encrypted) - so i cant do anything From david at gbenet.com Tue Apr 21 21:05:29 2009 From: david at gbenet.com (david) Date: Tue, 21 Apr 2009 22:05:29 +0300 Subject: New to list - though lurking for a bit :) Message-ID: <49EE18F9.1010700@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I don't have any issues running gnupg - at least not on suse 11 with gpa and kde. I do have some issues. Normally, when I deliver boats I have two laptops - - one for navigation systems Professional 2000 and this linux dell latitude - but my other laptop (ibm a21e) died sea water spray not too good on repeated atlantic crossings. Lasted 10 years! Anyway I can take hard disk out of the dell - leave linux at home (cyprus) I've installed thunderbird on pro 2000 but not gnupg yet. Are there any issues I should be aware of prior to or installing gnupg? I want to add enigmail to thunderbird. Is it all plain sailing under Microsoft O/S? recommended frontends would be helpful. Regards, David - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknuGPgACgkQYvuE3Ov+SsB9ygCeOJeXREcMYuzAl0xYKVGiz1kv uMEAnjZPj2yyL2Q2w2YLilcUO1TOR9I4 =7qnp -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Tue Apr 21 22:03:43 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 21 Apr 2009 16:03:43 -0400 Subject: New to list - though lurking for a bit :) In-Reply-To: <49EE18F9.1010700@gbenet.com> References: <49EE18F9.1010700@gbenet.com> Message-ID: <49EE269F.7030009@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 david wrote: > Are there any issues I should be aware of prior to or installing gnupg? > I want to add enigmail to thunderbird. You should have no problems under W2K Pro. > > Is it all plain sailing under Microsoft O/S? recommended frontends would > be helpful. My personal favorite is GPGshell [http://www.jumaros.de/rsoft/index.html] but Others will surely differ. :) I also recommend that You acquire GnuPG from ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe and then follow the defaults. HTH JOHN ;) Timestamp: Tuesday 21 Apr 2009, 16:03 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ7iadAAoJEBCGy9eAtCsP9ToIAIutxlYvQ0EZ8wGtqi//j6Bw zP6N5TN1C74PxZiHubb3XDrRSn8FDeoSnrolC7HMRnzaRwtpRsPvR8f2rBz+5SjZ AP3TgFbpflpjWZaARTY+fse6iXw52XgI/D7iynyIoOst0HnronzR7Ae6cMpS+J8j 8ExrLpcCZDVu7qT+WzIt+gZECu3AM+3XEvKTUu6G6DFkhbAQ2Kyx5NEFfwnkci2f gbnHfQKOSdC/1rsgTW42OTrWSEfU9SsnbyCHyk5P987ZB1LgDl559iUOh4A3lLHJ T22SpQZxBvJ9aM45vxH9hN9ojZLK/kfqhR5gp2HIDabDAUgwPF4Hbaaw4EcyKRk= =51ap -----END PGP SIGNATURE----- From wk at gnupg.org Tue Apr 21 22:29:30 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Apr 2009 22:29:30 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <127190.99746.qm@web52211.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Tue, 21 Apr 2009 11:29:20 -0700 (PDT)") References: <127190.99746.qm@web52211.mail.re2.yahoo.com> Message-ID: <87ocup4uol.fsf@wheatstone.g10code.de> On Tue, 21 Apr 2009 20:29, Harakiri said: > Im using --batch in unattended mode but when i use --decrypt on a detached signature file there is no way to quit the program except control + c - what am i supposed to do? status-fd does not indicate that this is a signature file (not encrypted) - so i cant do anything According to your problem description you are not using --batch: 2. using -decrypt without batch on detached signature file gpg --no-options --status-fd 2 --yes --output out.out --decrypt in.in.asc If there is a tty available gpg will ask the user. This is a consequence of the option to use gpg in a pipeline - then you need to ask the user for additional data (e.g. the passphrase) without getting into conflicts with the pipeline. Because it is not easy to decide whether a tty is available or not, unattended usage requires the use of the --batch option. Controlling gpg using --status-fd / --command-fd is an advanced method and I can't give an introduction to this right now. Check GPA to see how to write such code (gpa/src/gpgmeedit.c). However, I am pretty sure that you don't want to do this - this is intended for user frontends. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From david at gbenet.com Wed Apr 22 06:57:00 2009 From: david at gbenet.com (david) Date: Wed, 22 Apr 2009 07:57:00 +0300 Subject: Further thoughts on Windows Install Message-ID: <49EEA39C.3010505@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi All, installing gnupg enigma on pro 2000 I have to import files from this linux laptop - are file conventions the same? (a) put linux hard drive on usb and scan for keys public and private via enigmail or gui for gnupg b) copy just the folder of gnupg to usb and scan that (c) can I just copy directory to win 2000 hard drive? Any advice copying/importing between microsoft o/s and linux would be helpful :) Regards, David - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknuo5wACgkQYvuE3Ov+SsAQQQCeJUad7SDuYp/JPRPiYVbQzxJB GYAAn3LTLvQ0u0QduUaV0d+c3iMa8r4K =fcW9 -----END PGP SIGNATURE----- From John at Mozilla-Enigmail.org Wed Apr 22 07:17:49 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 22 Apr 2009 00:17:49 -0500 Subject: Further thoughts on Windows Install In-Reply-To: <49EEA39C.3010505@gbenet.com> References: <49EEA39C.3010505@gbenet.com> Message-ID: <49EEA87D.6030903@Mozilla-Enigmail.org> david wrote: > Hi All, > > installing GnuPG Enigmail on pro 2000 I have to import files from this > linux laptop - are file conventions the same? At present. This may change in some future version of GnuPG > (a) put linux hard drive on usb and scan for keys public and private via > enigmail or gui for gnupg > > b) copy just the folder of gnupg to usb and scan that > > (c) can I just copy directory to win 2000 hard drive? > > Any advice copying/importing between microsoft o/s and linux would be > helpful :) Copy the files from ~/.gnupg on your linux box to USB. You should have at minimum, pubring.gpg, secring.gpg, trustdb.gpg, and optionally gpg.conf. On Windows machine, copy all of the above files to %APPDATA%\GnuPG. APPDATA is an environment variable you may reference at a command prompt. You may also enter %APPDATA% into Explorer's Address bar and it will handle expanding things. APPDATA mormally expands to C:\Documents and Settings\\Application Data\ -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From harakiri_23 at yahoo.com Wed Apr 22 11:17:46 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Wed, 22 Apr 2009 02:17:46 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <87ocup4uol.fsf@wheatstone.g10code.de> Message-ID: <635213.98964.qm@web52203.mail.re2.yahoo.com> --- On Tue, 4/21/09, Werner Koch wrote: > From: Werner Koch > Subject: Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file > To: harakiri_23 at yahoo.com > Cc: gnupg-users at gnupg.org > Date: Tuesday, April 21, 2009, 4:29 PM > On Tue, 21 Apr 2009 20:29, Harakiri said: > > > Im using --batch in unattended mode but when i use > --decrypt on a detached signature file there is no way to > quit the program except control + c - what am i supposed to > do? status-fd does not indicate that this is a signature > file (not encrypted) - so i cant do anything > > According to your problem description you are not using > --batch: I DO, please reread what i wrote - the problem exists because i USE batch! I simply wanted to show how gnupg acts : a) using -decrypt *without* batch on detached signature file gpg --no-options --status-fd 2 --yes --output out.out --decrypt in.in.asc Detached signature. Please enter name of data file: No such file, try again or hit enter to quit. OK i should enter something and can quit with . *THIS IS FINE* Its not for unattended mode, just showing i could escape as a user with tty. b) now using -decrypt *with* batch on detached signature file gpg --no-options --status-fd 2 --batch --yes --output out.out --decrypt in.in.asc *THIS IS THE ISSUE* Automatic programs cannot escape this process ever. Its an endless loop, im requested to enter something in stdin but neither enter nor a filename will quit this modus, furthermore i believe that if --decrypt and status-fd 2 recognizes a DETACHED signatur it should show some kind of status or error and then QUIT because automatic programs cannot escape this call anymore > ask the user for additional data (e.g. the passphrase) > without getting > into conflicts with the pipeline. Because it is not easy > to decide > whether a tty is available or not, unattended usage > requires the use of > the --batch option. Im perfectly aware of --batch and piping passphrases, im using gnupg for unattended decryption/verification/signing/encryption. > > Controlling gpg using --status-fd / --command-fd is an > advanced method > and I can't give an introduction to this right now. You dont need to, i have been using it since at least 5 years and it works perfectly till i found this case with detached signatures and --batch --decrypt Thanks From wk at gnupg.org Wed Apr 22 14:01:05 2009 From: wk at gnupg.org (Werner Koch) Date: Wed, 22 Apr 2009 14:01:05 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <635213.98964.qm@web52203.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Wed, 22 Apr 2009 02:17:46 -0700 (PDT)") References: <635213.98964.qm@web52203.mail.re2.yahoo.com> Message-ID: <87fxg0524e.fsf@wheatstone.g10code.de> On Wed, 22 Apr 2009 11:17, Harakiri said: > Its an endless loop, im requested to enter something in stdin but neither enter nor a filename will quit this modus, furthermore i believe that if --decrypt and status-fd 2 recognizes a DETACHED signatur it should show some kind of status or error and then QUIT because automatic programs cannot escape this call anymore GPG is expecting the data on stdin. Your controlling process did not connect stdin to /dev/null and seems to deliver data from a TTY to it. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From webmaster at felipe1982.com Wed Apr 22 13:03:05 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Wed, 22 Apr 2009 21:03:05 +1000 Subject: Further thoughts on Windows Install In-Reply-To: <49EEA39C.3010505@gbenet.com> References: <49EEA39C.3010505@gbenet.com> Message-ID: <200904222103.12616.webmaster@felipe1982.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 22 Apr 2009 14:57:00 david wrote: > Hi All, > > installing gnupg enigma on pro 2000 I have to import files from this > linux laptop - are file conventions the same? > > (a) put linux hard drive on usb and scan for keys public and private via > enigmail or gui for gnupg > > b) copy just the folder of gnupg to usb and scan that > > (c) can I just copy directory to win 2000 hard drive? > > Any advice copying/importing between microsoft o/s and linux would be > helpful :) > > Regards, > > David What's wrong with just --export ing the public/private keys, and importing them into win2000? Felipe -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAknu+XAACgkQRBFtri/y/NdJfgCgg2ianJGPkoIldy16PK37OncP h6QAnRj/zim8B6FSdbo8ttfpDI2kvBKL =xMRy -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Apr 22 17:38:55 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 22 Apr 2009 11:38:55 -0400 Subject: Further thoughts on Windows Install In-Reply-To: <200904222103.12616.webmaster@felipe1982.com> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> Message-ID: <49EF3A0F.5050706@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > What's wrong with just --export ing the public/private keys, and > importing them into win2000? Well, if he does it that way, he would have to re-download the keys of his contacts again, and set the trust level for each one again. If he keeps both his pubring and trustdb, he doesn't need to re do all that. And th config file would have to be rewritten, if he has such file (if he doesn't, then he doesn't need it). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ7zoPAAoJEMV4f6PvczxAGtwH/3DM9L81MwEFvjKCnJ8O1zNz 7h2sL9Y8farkrhWS8V8isY6i4aipgVYJ6KLLtuMVRyi2BTs7muNqV+CYqaSy5MRV 0CPDoWayaeZAMp13S6712g23+V6sjsUuNCeI841wV8okIrxbuW5kf9jDdJ6tkDcN Eivi8NsrP63EU9PDG4+TgmHYXkBQjcQG6nh7YuKVd6ylAJmZFRux2+sLC5Tyq6B6 +U09S5tKyOUinx/gPQ5feGVZc1xwd57FNYY4CXPoBb2Iupe7PTHnQVsdTanlqY3t hCNTNeQhOHopa/Z6yedaISiHMexOPhumt8jCFPk0DL9OOvCHSMhixAn5zX9bpgg= =01e8 -----END PGP SIGNATURE----- From harakiri_23 at yahoo.com Wed Apr 22 21:47:13 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Wed, 22 Apr 2009 12:47:13 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <87fxg0524e.fsf@wheatstone.g10code.de> Message-ID: <224284.39325.qm@web52203.mail.re2.yahoo.com> --- On Wed, 4/22/09, Werner Koch wrote: > From: Werner Koch > Subject: Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file > To: harakiri_23 at yahoo.com > Cc: gnupg-users at gnupg.org > Date: Wednesday, April 22, 2009, 8:01 AM > On Wed, 22 Apr 2009 11:17, Harakiri said: > > > > Its an endless loop, im requested to enter something > in stdin but neither enter nor a filename will quit this > modus, furthermore i believe that if --decrypt and status-fd > 2 recognizes a DETACHED signatur it should show some kind of > status or error and then QUIT because automatic programs > cannot escape this call anymore > > GPG is expecting the data on stdin. Your controlling > process did not > connect stdin to /dev/null and seems to deliver data from a > TTY to it. > i thought the option --notty is the same as stdin /dev/null ? I was only demonstrating with --batch --decrypt the issue - even with --notty nothing changes. Could you please try to call --batch --decrypt with a detached signature file - you will immediately see what i mean - even with --notty there is no way to escape this process without control+c From roam at ringlet.net Wed Apr 22 21:27:38 2009 From: roam at ringlet.net (Peter Pentchev) Date: Wed, 22 Apr 2009 22:27:38 +0300 Subject: Further thoughts on Windows Install In-Reply-To: <49EF3A0F.5050706@gmail.com> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> Message-ID: <20090422192738.GA1063@straylight.m.ringlet.net> On Wed, Apr 22, 2009 at 11:38:55AM -0400, Faramir wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > > What's wrong with just --export ing the public/private keys, and > > importing them into win2000? > > Well, if he does it that way, he would have to re-download the keys of > his contacts again... No. That's what --export does by default. He would just have to add --export-secret-keys to *also* get his own secret keys :) > ...and set the trust level for each one again... No. That's what --export-ownertrust does. > If he keeps both his pubring and trustdb, he doesn't need to re do all that. Yes, that's true. However, this could lead to problems if some day the format of GnuPG's keyring files should change, and especially if it should change in some architecture-specific way. > And th config file would have to be rewritten, if he has such file (if > he doesn't, then he doesn't need it). Well, the config file could be copied, it's plain text. The issue here is that the keyring files are not guaranteed to be in any kind of format that is compatible with anything else, including a GnuPG version on any other architecture or even another GnuPG version on the same architecture. Well, of course, it would be a pain if a future GnuPG version would not be able to read the current version's files, but it *could* happen one day. Of course, I'm NOT speaking for the GnuPG developers in any way! It's just what I gather from the glaring lack of any mentioning of the format of the keyring files in any official documentation - IMHO, that's on purpose, and it's completely understandable and a good thing, too :) The only guaranteed, portable way to transfer one's keyrings is by running GnuPG three times: gpg --export --armor > pubkeys.txt gpg --export-secret-keys --armor > seckeys.txt gpg --export-ownertrust > ownertrust.txt ...then copying those files over to the other installation and importing them there with the --import, --import-secret-keys, and --import-ownertrust options. Still, for the present, all keyrings on all versions of GnuPG seem to be compatible, so, *for the present*, it is easier to just copy the files over. The whole point is, that's not guaranteed to work forever :) G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 What would this sentence be like if it weren't self-referential? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From faramir.cl at gmail.com Wed Apr 22 23:21:20 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 22 Apr 2009 17:21:20 -0400 Subject: Further thoughts on Windows Install In-Reply-To: <20090422192738.GA1063@straylight.m.ringlet.net> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> Message-ID: <49EF8A50.7070402@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Peter Pentchev escribi?: ... >> ...and set the trust level for each one again... > > No. That's what --export-ownertrust does. Ah... I was not aware of that option... shame on me. I also thought he would have to export the keys one by one... and again I was wrong. > The only guaranteed, portable way to transfer one's keyrings is > by running GnuPG three times: > > gpg --export --armor > pubkeys.txt > gpg --export-secret-keys --armor > seckeys.txt > gpg --export-ownertrust > ownertrust.txt Ok, I saved those commands in a txt file, just in case I forget about them. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ74pQAAoJEMV4f6PvczxAFV4IAJMTcuW4l8r2GjJfZMYuo+KR j8dYKYI8lgawvW6ndyWOYinXl2eMUR/x3A97xTLAeYzD1MpqdmOx8N9XpHJV4prW G++6bXuEmbqedJPB4zt+BTRqJVaDN7VA4H5/kNLgsmC82Zn38eJn1OB0tC7c9qgt RLgu7yQlgQUTpKe0R4YZ0ZtOgS3rnJtrrWVg1+uLbHoE9piNn+kc28qpEX4RaL67 O7IDHVCHyb1PQhrALOs2s8B1mqDkEZcoCqiT7XAPBtA7WJqFnTDmXFOBDk7jXEyK Ne5aO3gQeOIkzmt/E5gpMX5JZqKlTIBf74VquZLvnPFnIF9+SC1SYmc/ZTvdt+w= =2uj0 -----END PGP SIGNATURE----- From david at gbenet.com Thu Apr 23 00:13:51 2009 From: david at gbenet.com (david) Date: Thu, 23 Apr 2009 01:13:51 +0300 Subject: [Fwd: Re: Further thoughts on Windows Install] Message-ID: <49EF969F.2080506@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknvlpgACgkQYvuE3Ov+SsBdbgCcCxkds/ywCCC50Nl757OamUUM I4kAn2N5na3v3pbtwt2QZMYX8onXoWvF =pJhr -----END PGP SIGNATURE----- -------------- next part -------------- An embedded message was scrubbed... From: david Subject: Re: Further thoughts on Windows Install Date: Thu, 23 Apr 2009 01:10:59 +0300 Size: 4664 URL: From wk at gnupg.org Thu Apr 23 10:05:57 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 10:05:57 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <224284.39325.qm@web52203.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Wed, 22 Apr 2009 12:47:13 -0700 (PDT)") References: <224284.39325.qm@web52203.mail.re2.yahoo.com> Message-ID: <87fxfz3ica.fsf@wheatstone.g10code.de> > i thought the option --notty is the same as stdin /dev/null ? No, it is not the same. Did you connect stdin to /dev/null ? Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 23 10:16:40 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 10:16:40 +0200 Subject: Further thoughts on Windows Install In-Reply-To: <20090422192738.GA1063@straylight.m.ringlet.net> (Peter Pentchev's message of "Wed, 22 Apr 2009 22:27:38 +0300") References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> Message-ID: <87bpqn3huf.fsf@wheatstone.g10code.de> > Yes, that's true. However, this could lead to problems if some day > the format of GnuPG's keyring files should change, and especially > if it should change in some architecture-specific way. The latter won't ever happen. All file formats used by GnuPG are platform neutral; i.e. we use well defined lengths for all integers, utf-8 for string encoding and network byte ordering. > the same architecture. Well, of course, it would be a pain if > a future GnuPG version would not be able to read the current version's > files, but it *could* happen one day. Of course, I'm NOT speaking The time required to write and test the migration code is actually the reason why we are still using the old format ;-). > gpg --export --armor > pubkeys.txt > gpg --export-secret-keys --armor > seckeys.txt > gpg --export-ownertrust > ownertrust.txt You also better backup the config giles, whoever, they might need adjustments if gpg is installed somewhere else. The option --armor is not required but might be helpful in case the files are transported via FTP and and one forgets to use switch to binary mode. > Still, for the present, all keyrings on all versions of GnuPG seem > to be compatible, so, *for the present*, it is easier to just copy > the files over. The whole point is, that's not guaranteed to work > forever :) Exactly. The whole discussion makes me think about a backup and restore tool. This would in particular be useful for GnuPG-2, which requires a couple files more to be backed up. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From david at gbenet.com Thu Apr 23 11:21:05 2009 From: david at gbenet.com (david) Date: Thu, 23 Apr 2009 12:21:05 +0300 Subject: Further thoughts on Windows Install In-Reply-To: <87bpqn3huf.fsf@wheatstone.g10code.de> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> <87bpqn3huf.fsf@wheatstone.g10code.de> Message-ID: <49F03301.6050602@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi All, that a back up export utility would be a good idea - one that selected all the files required. Changing file formats perhaps complicates the issue of export/import between operating systems - microsoft bringing out "new" versions (if that made a difference?) of it's operating system/s. A platform independent set of data files means no matter what o/s you choose one can switch between and share data. Core data formats could change for improved security - whatever as long as o/s independent. I'm not a developer :) just another end user! Regards, David Werner Koch wrote: >> Yes, that's true. However, this could lead to problems if some day >> the format of GnuPG's keyring files should change, and especially >> if it should change in some architecture-specific way. > > The latter won't ever happen. All file formats used by GnuPG are > platform neutral; i.e. we use well defined lengths for all integers, > utf-8 for string encoding and network byte ordering. > >> the same architecture. Well, of course, it would be a pain if >> a future GnuPG version would not be able to read the current version's >> files, but it *could* happen one day. Of course, I'm NOT speaking > > The time required to write and test the migration code is actually the > reason why we are still using the old format ;-). > >> gpg --export --armor > pubkeys.txt >> gpg --export-secret-keys --armor > seckeys.txt >> gpg --export-ownertrust > ownertrust.txt > > You also better backup the config giles, whoever, they might need > adjustments if gpg is installed somewhere else. The option --armor is > not required but might be helpful in case the files are transported via > FTP and and one forgets to use switch to binary mode. > >> Still, for the present, all keyrings on all versions of GnuPG seem >> to be compatible, so, *for the present*, it is easier to just copy >> the files over. The whole point is, that's not guaranteed to work >> forever :) > > Exactly. > > The whole discussion makes me think about a backup and restore tool. > This would in particular be useful for GnuPG-2, which requires a couple > files more to be backed up. > > > Salam-Shalom, > > Werner > - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknwMvkACgkQYvuE3Ov+SsDUaQCeIr3Md3nbdCPeTLuuD+xKdh55 R3IAoKciNBfdenXVyzS9I+/xqAOfeb9b =ofuf -----END PGP SIGNATURE----- From wk at gnupg.org Thu Apr 23 11:47:00 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 11:47:00 +0200 Subject: Further thoughts on Windows Install In-Reply-To: <49F03301.6050602@gbenet.com> (david@gbenet.com's message of "Thu, 23 Apr 2009 12:21:05 +0300") References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> <87bpqn3huf.fsf@wheatstone.g10code.de> <49F03301.6050602@gbenet.com> Message-ID: <87prf31z3f.fsf@wheatstone.g10code.de> > A platform independent set of data files means no matter what o/s you They are already platform independent. However they are bound to a specific gpg version. In practise there was only on minor format change with version 1.0.7, but other changes will eventually come. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From harakiri_23 at yahoo.com Thu Apr 23 12:09:12 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Thu, 23 Apr 2009 03:09:12 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <87fxfz3ica.fsf@wheatstone.g10code.de> Message-ID: <800177.23746.qm@web52203.mail.re2.yahoo.com> --- On Thu, 4/23/09, Werner Koch wrote: > From: Werner Koch > Subject: Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file > To: harakiri_23 at yahoo.com > Cc: gnupg-users at gnupg.org > Date: Thursday, April 23, 2009, 4:05 AM > > i thought the option --notty is the same as stdin > /dev/null ? > > No, it is not the same. Did you connect stdin to /dev/null > ? Ok, i found a similar issue in gnupg here from this user: https://bugs.g10code.com/gnupg/issue940 its exactly as described - adding "< /dev/null" to the end solves the problem. But as the user suggested why does --batch does not take care of it? I saw that it is "expected from unix" programs to behave like this - but what about windows? there is no dev null piping - at least there should be an option because users expect that --batch will work automatically. Furthermore there is still the issue that even with /dev/null status-fd does not tell me its a detached signature file it just asks for a public key first. Thanks From mearns.b at gmail.com Thu Apr 23 14:46:09 2009 From: mearns.b at gmail.com (Brian Mearns) Date: Thu, 23 Apr 2009 08:46:09 -0400 Subject: Further thoughts on Windows Install In-Reply-To: <87prf31z3f.fsf@wheatstone.g10code.de> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> <87bpqn3huf.fsf@wheatstone.g10code.de> <49F03301.6050602@gbenet.com> <87prf31z3f.fsf@wheatstone.g10code.de> Message-ID: <4df3a1330904230546g3006ca2er26a3424977399173@mail.gmail.com> On Thu, Apr 23, 2009 at 5:47 AM, Werner Koch wrote: > >> A platform independent set of data files means no matter what o/s you > > They are already platform independent. ?However they are bound to a > specific gpg version. ?In practise there was only on minor format change > with version 1.0.7, but other changes will eventually come. > > Salam-Shalom, > > ? Werner > > -- > Die Gedanken sind frei. ?Auschnahme regelt ein Bundeschgesetz. > Anyone know if there's a specific reason the OpenPGP standard doesn't cover key ring file formats? -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From wk at gnupg.org Thu Apr 23 16:28:10 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 16:28:10 +0200 Subject: Further thoughts on Windows Install In-Reply-To: <4df3a1330904230546g3006ca2er26a3424977399173@mail.gmail.com> (Brian Mearns's message of "Thu, 23 Apr 2009 08:46:09 -0400") References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> <87bpqn3huf.fsf@wheatstone.g10code.de> <49F03301.6050602@gbenet.com> <87prf31z3f.fsf@wheatstone.g10code.de> <4df3a1330904230546g3006ca2er26a3424977399173@mail.gmail.com> Message-ID: <871vrj1m2t.fsf@wheatstone.g10code.de> > Anyone know if there's a specific reason the OpenPGP standard doesn't > cover key ring file formats? The standard defines cares only about the format on the wire and not about specific implementations. You may want to use an SQL DB in one implementation or get the key material from a punch card. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 23 16:26:07 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 16:26:07 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <800177.23746.qm@web52203.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Thu, 23 Apr 2009 03:09:12 -0700 (PDT)") References: <800177.23746.qm@web52203.mail.re2.yahoo.com> Message-ID: <8763gv1m68.fsf@wheatstone.g10code.de> > But as the user suggested why does --batch does not take care of it? I saw that it is "expected from unix" programs to behave like this - but what about windows? there is no dev null piping - at least there should be an option because users expect that --batch will work automatically. It works as expected, reading data from stdin - even on Windows. Why should that be different. Piping data into programs on Windows is as old as PCDOS 2.0.1a (~1983). There is and has always been a nul device in Windows, it is just named "/dev/nul" and not "/dev/null". However on the windows command line you better use just "nul" as the device - that is a special filename. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From harakiri_23 at yahoo.com Thu Apr 23 16:49:12 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Thu, 23 Apr 2009 07:49:12 -0700 (PDT) Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <8763gv1m68.fsf@wheatstone.g10code.de> Message-ID: <246802.47129.qm@web52209.mail.re2.yahoo.com> --- On Thu, 4/23/09, Werner Koch wrote: > > There is and has always been a nul device in Windows, it is > just named > "/dev/nul" and not "/dev/null". > However on the windows command line you > better use just "nul" as the device - that is a > special filename. > See, and this is exactly the reason why there should be an option to gnupg like --notty with --nostdin to make a generic for every platform - the caller does not really need to know about these OS specifics. He is using "--batch" as the name implies - it should be done automatically always - now i have to make a workaround because a) GNUPG does not inform the caller via status-fd that its a detached signature and halts the processing b) GNUPG needs "--batch" on "some" occasions to be really "batch mode" compatbile (this is undocumented and should be a flag) c) Since i do not know in advance if it is an encrypted or detached signature file (no status output) - i may need to pipe the passphrase too - but with stdin to dev/null - i cant anymore From brian.kumfer at ggp.com Thu Apr 23 17:04:39 2009 From: brian.kumfer at ggp.com (bkumfer) Date: Thu, 23 Apr 2009 08:04:39 -0700 (PDT) Subject: Help with encrypting using my PGP Public key In-Reply-To: <22993706.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> Message-ID: <23197385.post@talk.nabble.com> Thanks for your reply - but that does not give me a solution or answer. Is a key generated by GnuPG equivalent to another source created PGP key? I have multiple banks I need to have a single key created for, so I cannot troubleshoot the issue across different systems they use. -- View this message in context: http://www.nabble.com/Help-with-encrypting-using-my-PGP-Public-key-tp22993706p23197385.html Sent from the GnuPG - User mailing list archive at Nabble.com. From jmoore3rd at bellsouth.net Thu Apr 23 17:15:57 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 23 Apr 2009 11:15:57 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23197385.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> Message-ID: <49F0862D.9060702@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 bkumfer wrote: > Thanks for your reply - but that does not give me a solution or answer. Is a > key generated by GnuPG equivalent to another source created PGP key? I have > multiple banks I need to have a single key created for, so I cannot > troubleshoot the issue across different systems they use. Yes, there is cross-compatibility of Keys across all builds of OpenPGP. JOHN ;) Timestamp: Thursday 23 Apr 2009, 11:15 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8IYsAAoJEBCGy9eAtCsPuYMH/R1Lryi6bvDktrA5HDXVxaoP 97Z/NOa4XFVjdNl/MnjqOSxaH9Yh/hQjmEtVIkm//Tg5KGmPivawl5qA/ek/Cac8 RXuKwo+zNVg9lUIiZN3FIpo/KrG8YgaizLeOTrrkGuBDZ/yJ9y5oPkEa3cjai5uh n7XXSCv3YuZsc2ogoMJjO//4T0dISJNTNSki64dTzRoWonaHQgFx1JLyLsUvWDYL db85wB3oxBqTIxTvxZNZyysCDoBp0FV5MDlBKohoyBiQ3YVFnrxKH87U81Dvi9LR S+naW+05kHRQDHYMqStgEtVqJw8BBzyKMZ60Wl1VIqQzyxU3fvhyK8ccyMsXBpM= =t466 -----END PGP SIGNATURE----- From mearns.b at gmail.com Thu Apr 23 17:40:28 2009 From: mearns.b at gmail.com (Brian Mearns) Date: Thu, 23 Apr 2009 11:40:28 -0400 Subject: Further thoughts on Windows Install In-Reply-To: <871vrj1m2t.fsf@wheatstone.g10code.de> References: <49EEA39C.3010505@gbenet.com> <200904222103.12616.webmaster@felipe1982.com> <49EF3A0F.5050706@gmail.com> <20090422192738.GA1063@straylight.m.ringlet.net> <87bpqn3huf.fsf@wheatstone.g10code.de> <49F03301.6050602@gbenet.com> <87prf31z3f.fsf@wheatstone.g10code.de> <4df3a1330904230546g3006ca2er26a3424977399173@mail.gmail.com> <871vrj1m2t.fsf@wheatstone.g10code.de> Message-ID: <4df3a1330904230840r2089d8a8y1f79bddbe79d0283@mail.gmail.com> On Thu, Apr 23, 2009 at 10:28 AM, Werner Koch wrote: > >> Anyone know if there's a specific reason the OpenPGP standard doesn't >> cover key ring file formats? > > The standard defines cares only about the format on the wire and not > about specific implementations. ?You may want to use an SQL DB in one > implementation or get the key material from a punch card. > > > Shalom-Salam, > > ? Werner > > -- > Die Gedanken sind frei. ?Auschnahme regelt ein Bundeschgesetz. > > Fair enough, I hadn't considered the prospect of keys coming from other sources. -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From faramir.cl at gmail.com Thu Apr 23 18:03:54 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 23 Apr 2009 12:03:54 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23197385.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> Message-ID: <49F0916A.5020706@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 bkumfer escribi?: > Thanks for your reply - but that does not give me a solution or answer. Is a > key generated by GnuPG equivalent to another source created PGP key? I have As long as all the programs are compilant with RFT4880, they should be. What I mean is too old programs maybe won't be compatible, but current versions should be. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ8JFpAAoJEMV4f6PvczxAogcIAKhjaz73grv3qhSG9n5CqahM B86IrAHH4XrF/I6ii8uPajBo7XnEeN18Y3D3U/Nu3+gJ9jW7kk4fEdkBO3MlCCzr pABDIOI5IvYlQF/heFj0CKgnDXYEA6U+x9hI9JWs4b4nhmzWLbfcMZ42l7LFJuzO 5GNi9yBkokgkt0p0sZwpZRgrCQJyzGyCMOhJykNvWzTqP4NOSHbMmj57GwD2mvgq FH8mL/+gOxKITRTkHUh6IdudPY8SlBokxzVj66DxL6i+YJ5qUmWpA2/20QQCOhIl +T5Dx64+Ec3YfcOFXL2eRgWJWL8ub75+Vkei591SWEp2jQmM3VZjaVNg7PBMpbU= =kx1J -----END PGP SIGNATURE----- From bmearns at ieee.org Thu Apr 23 18:12:49 2009 From: bmearns at ieee.org (Brian Mearns) Date: Thu, 23 Apr 2009 12:12:49 -0400 Subject: Bad signatures on Gmail messages In-Reply-To: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> Message-ID: <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just wanted to let people know that I finally woke up and realized that messages I was signing and sending with Gmail are bad because the mail client is inserting linebreaks in order to wrap lines. This is standard behavior for a lot of MUAs so that certain mail readers don't have problems displaying them. From now on, any messages I sign will be written offline with short lines, signed, and then pasted into my mail client, so that the signed message already contains the correct line breaks. - -Brian - -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQEcBAEBAgAGBQJJ8JM+AAoJEHOUulIkSI7cr34H/3xHq3aFC+elUPKSfh5jkASS ZyKSUbcWt9sF9FMJllIQoPKjxQgdhTBzZCGPUm9qTWuF5b73Ds/hvHqCiXZXMQPI t2SkAY4w7rPH11tPdfwZf4AGlZuDSB4KR8v08R1O9X1+k8ycoxvuife3t/l2pNLt er4MqJ9jEffwwHL+SF3xb6CLArmRWfS+6Bd0zACMfKH2FnEUZ+e6Zg/Zb3A72oAQ qburrJC3vf4qsVhCb2rq2Bx0RPwVGdbkWC+hCmx4J9yKaku/UNKWPxIOsGJuyYZ6 mV0FxWi750wnJt1rfC2mb8ZiNEFjEkEtdjH/1n+7NcLi0xgcN+LHspH53Hrewyc= =xIIG -----END PGP SIGNATURE----- From Brian.Kumfer at ggp.com Thu Apr 23 18:23:37 2009 From: Brian.Kumfer at ggp.com (Kumfer, Brian K) Date: Thu, 23 Apr 2009 11:23:37 -0500 Subject: Help with encrypting using my PGP Public key In-Reply-To: <49F0862D.9060702@bellsouth.net> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> <49F0862D.9060702@bellsouth.net> Message-ID: <9EF98E6E3EDA374BBE932EFF876F475A026FD718@PPM1CRP01.generalgrowth.com> John- There must be some command line or option that I am missing when generating the key via GnuPG then? Any thoughts? -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of John W. Moore III Sent: Thursday, April 23, 2009 10:16 AM To: GnuPG Users List Subject: Re: Help with encrypting using my PGP Public key -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 bkumfer wrote: > Thanks for your reply - but that does not give me a solution or answer. Is a > key generated by GnuPG equivalent to another source created PGP key? I have > multiple banks I need to have a single key created for, so I cannot > troubleshoot the issue across different systems they use. Yes, there is cross-compatibility of Keys across all builds of OpenPGP. JOHN ;) Timestamp: Thursday 23 Apr 2009, 11:15 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8IYsAAoJEBCGy9eAtCsPuYMH/R1Lryi6bvDktrA5HDXVxaoP 97Z/NOa4XFVjdNl/MnjqOSxaH9Yh/hQjmEtVIkm//Tg5KGmPivawl5qA/ek/Cac8 RXuKwo+zNVg9lUIiZN3FIpo/KrG8YgaizLeOTrrkGuBDZ/yJ9y5oPkEa3cjai5uh n7XXSCv3YuZsc2ogoMJjO//4T0dISJNTNSki64dTzRoWonaHQgFx1JLyLsUvWDYL db85wB3oxBqTIxTvxZNZyysCDoBp0FV5MDlBKohoyBiQ3YVFnrxKH87U81Dvi9LR S+naW+05kHRQDHYMqStgEtVqJw8BBzyKMZ60Wl1VIqQzyxU3fvhyK8ccyMsXBpM= =t466 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From Brian.Kumfer at ggp.com Thu Apr 23 20:18:40 2009 From: Brian.Kumfer at ggp.com (Kumfer, Brian K) Date: Thu, 23 Apr 2009 13:18:40 -0500 Subject: Help with encrypting using my PGP Public key In-Reply-To: <4df3a1330904230904u37b6161ye434fc879002bdf2@mail.gmail.com> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> <4df3a1330904230904u37b6161ye434fc879002bdf2@mail.gmail.com> Message-ID: <9EF98E6E3EDA374BBE932EFF876F475A026FD866@PPM1CRP01.generalgrowth.com> While I appreciate the response, please note that I am unfamiliar with PGP and encryption, so this is my first attempt to work through an issue surrounding the problem. I never stated troubleshooting is a big burden. Rather, I did what I would expect would be normal troubleshooting activities given my novice status of dealing with PGP encryption: 1. Recreated the keys (this was done several times using command line version of GnuPG 1.4.9 compiled for Microsoft Windows installed on a Windows 2003 server). 2. I exported the key using this command : gpg --export --armor --output C:\tmp\my_public_key.asc 3. Sent the public key to the bank again to have them attempt to encrypt a file 4. The same error message was received back, as I initially included in my first posting 5. I then asked multiple banks if they had encountered this issue with other clients, to which they would not provide any assistance and suggested I use another method if I can get PGP to work. 6. I then googled, trying to find others who had encountered a similar issue, to which there were none. 7. Finally, I found this board and attempted to post my question. I am unaware of the details of this option: If this is not the case, then I would have them do a standard hash on the data you sent them (e.g., md5 or sha-1) and compare the output to your own hash of your copy of the data: if they match, you can pretty confidently elliminate (4). And the banks are not forthcoming on what software they are using. Any additional insight and help would be much appreciated. -----Original Message----- From: Brian Mearns [mailto:mearns.b at gmail.com] Sent: Thursday, April 23, 2009 11:05 AM To: Kumfer, Brian K Subject: Re: Help with encrypting using my PGP Public key On Thu, Apr 23, 2009 at 11:04 AM, bkumfer wrote: > > Thanks for your reply - but that does not give me a solution or answer. ?Is a > key generated by GnuPG equivalent to another source created PGP key? ?I have > multiple banks I need to have a single key created for, so I cannot > troubleshoot the issue across different systems they use. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's not a solution because your problem is far too vague. It's like saying "I created a document in OpenOffice, and when I try to perform some [unspecified] action on it in another [unspecified] program, I get an error". GnuPG is supposed to generate OpenPGP compliant packets, so either: 1) you did something wrong in generating what ever it is you sent to the bank, 2) the banks software is not OpenPGP compliant, 3) the person at the bank did something wrong, 4) the key data you sent got corrupted in transit, or 5) you uncovered a bug in GnuPG. While (5) is entirely possible, it's certainly not the conclusion I would jump to with the information you've provided. Based on the error message, I would guess that you've given the bank a sign-only key, which means the key can be used for signing data, but not for encrypting (i.e., number (1)). If this is not the case, then I would have them do a standard hash on the data you sent them (e.g., md5 or sha-1) and compare the output to your own hash of your copy of the data: if they match, you can pretty confidently elliminate (4). Beyond this, in order to get any help, you're going to need to determine and provide more details, such as: what version of gpg you're using, what software and version the bank is using, and what type of key you sent them. You said that the banks are using a different systems: have you confirmed that your key doesn't work on any of these systems? If troubleshooting is too big of a burden for you, then you'll just have to give up. That's not meant to sound snarky, but if things don't work they way you want them to, the only options are to accept it or fix it, and you can't fix something without troubleshooting it. - -Brian - -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQEcBAEBAgAGBQJJ8JGPAAoJEHOUulIkSI7cl24H/2uY1VTK13PPhDgeJC4t/I9d 7WrEAqqWOA9KrmcuNN4GvVCSzIF5QeGkOIdvtPHFg0BlgMNwmBwIZH7/a2b9b+b5 j7eIehxnA85abeH0dESUqv7u79NqZ3O5dhe1tvKgrP7gj+eVwYIIOzB9L0BtdTbO m3Y+WulMHgbQX2k5p98xtO9z5ZripIb7j5tOcVVKgEpnf3o/JaRlapSBoFcFa93M FLyqEW1iwM4xU/uhiATBOKf85rmY4OpGomNXWthVG8ftwBVA+jI6KKw3cNWNPPCG oZhwIFM+gCdNy7/tu7TRZunHc6c/0zMI7FJlfTRokvnYSd/RN2dC5TdB+XXjAJo= =MV/+ -----END PGP SIGNATURE----- From faramir.cl at gmail.com Thu Apr 23 20:42:15 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 23 Apr 2009 14:42:15 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <9EF98E6E3EDA374BBE932EFF876F475A026FD866@PPM1CRP01.generalgrowth.com> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> <4df3a1330904230904u37b6161ye434fc879002bdf2@mail.gmail.com> <9EF98E6E3EDA374BBE932EFF876F475A026FD866@PPM1CRP01.generalgrowth.com> Message-ID: <49F0B687.7020702@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Kumfer, Brian K escribi?: > While I appreciate the response, please note that I am unfamiliar with PGP and encryption, so this is my first attempt to work through an issue surrounding the problem. Well, maybe the problem is on their side, but it is strange you are the only one with a problematic key... Can you show us your public key? What kind of keys are you making? The default ones? Have you changed the default settings (by creating a gpg.conf file)? If you don't know what I'm talking about, then probably you have not changed the defaults (and most of times, sticking to defaults is a good idea). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ8LaHAAoJEMV4f6PvczxAlvkIAIAfoEjXqHSplkMaz98+KVMt OApHfv1+Ak89lrMSU3iRSuBQqiQpOSjHjASTMmah3sLBypiTYY8VRFEz09o2BfYc 2Won4XOMDp5cbGV6yGHszYhiBTnewLk2YZEZYFyK4v+ym6yx68gKoZ6p2oMh8Ttp Ih3/d1DYKgIh3dhetpiZP7hn1zGHkt1U/F3Y1WWqZYY4HydXiLzR49opQ/NqSt5N d8ML/ealQLUZ37TT4ZZ7pAuiuZogP004ATrJ6qJEHf/VwZOgUkWbHeDTUkMsA+Bz f0wXtXSkkRKK4hIrWZzfQNg1tBW7EfEXAtOoBYu4fq4ZAhmQnqUNKUqZUbW6fM4= =mIZ6 -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Thu Apr 23 22:15:04 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 23 Apr 2009 16:15:04 -0400 Subject: Bad signatures on Gmail messages In-Reply-To: <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> Message-ID: <49F0CC48.2020007@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Brian Mearns wrote: > I just wanted to let people know that I finally woke up and realized that > messages I was signing and sending with Gmail are bad because the mail client > is inserting linebreaks in order to wrap lines. This is standard behavior for > a lot of MUAs so that certain mail readers don't have problems displaying > them. From now on, any messages I sign will be written offline with short > lines, signed, and then pasted into my mail client, so that the signed message > already contains the correct line breaks. The Google Webmail interface allows the setting of word wrap within the Web Compose screen. Look under 'Settings'. JOHN ;) Timestamp: Thursday 23 Apr 2009, 16:14 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8MxBAAoJEBCGy9eAtCsPDTEIAJK9Fv3pUBMcoBy3BIO58Rhp TRhgmag5vg5v5y8abDxrzFIysymJ8e/d1Zv0DHlvz1qD8X+k0LVwlYU60NR/b0YH m29m9SPm464AF2kFp/5/+DkFEoie4KJ1FL+v0GBIKJvn+1PDWBRCMMiJFr6RV+3s 2UWPfO3+tuVN0CFV5s8+adrweHIQojCEI8rESG5KwOsCfLNnjG/ZWyz8dhtp5xse EuGbiNjFVu8V26X0PHEoYdvbdYF/zV+mzDG7LBD8hp35mmGfkxNe/Qx8PNpe/yd2 RkiYoO/tCGZbzi1D8PerxQF8pPU+VDN64FO++kNw7hWq+batBhwFBx6TiqEKssg= =f6Pl -----END PGP SIGNATURE----- From wk at gnupg.org Thu Apr 23 22:24:42 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 22:24:42 +0200 Subject: Bad signatures on Gmail messages In-Reply-To: <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> (Brian Mearns's message of "Thu, 23 Apr 2009 12:12:49 -0400") References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> Message-ID: <87bpqnyv79.fsf@wheatstone.g10code.de> On Thu, 23 Apr 2009 18:12, bmearns at ieee.org said: > I just wanted to let people know that I finally woke up and realized that > messages I was signing and sending with Gmail are bad because the mail client That is why PGP/MIME is the only robust format and higly recommended over of the simple clearsigning mode. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 23 22:22:24 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Apr 2009 22:22:24 +0200 Subject: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file In-Reply-To: <246802.47129.qm@web52209.mail.re2.yahoo.com> (harakiri_23@yahoo.com's message of "Thu, 23 Apr 2009 07:49:12 -0700 (PDT)") References: <246802.47129.qm@web52209.mail.re2.yahoo.com> Message-ID: <87fxfzyvb3.fsf@wheatstone.g10code.de> On Thu, 23 Apr 2009 16:49, harakiri_23 at yahoo.com said: > a) GNUPG does not inform the caller via status-fd that its a detached signature and halts the processing It does not hold the processing but whats for input - this is by design and expected beahaviour for any Unix tool. > b) GNUPG needs "--batch" on "some" occasions to be really "batch mode" > compatbile (this is undocumented and should be a flag) It is already. > c) Since i do not know in advance if it is an encrypted or detached signature file (no status output) - i may need to pipe the passphrase too - but with stdin to dev/null - i cant anymore Use --passphrase-fd 5 or alike. And in fact you should know what you are doing. A detached signature and an encrypted file are very different things. If your question is how to figure out what this OpenPGP messag is about, you can just call it properly and check the output. If it is a detached signature it will says so. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Fri Apr 24 00:27:02 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 23 Apr 2009 18:27:02 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <9EF98E6E3EDA374BBE932EFF876F475A026FD866@PPM1CRP01.generalgrowth.com> References: <22993706.post@talk.nabble.com> <23197385.post@talk.nabble.com> <4df3a1330904230904u37b6161ye434fc879002bdf2@mail.gmail.com> <9EF98E6E3EDA374BBE932EFF876F475A026FD866@PPM1CRP01.generalgrowth.com> Message-ID: <95E49967-2F1C-4F5C-A1DD-2617DD1FFB10@jabberwocky.com> On Apr 23, 2009, at 2:18 PM, Kumfer, Brian K wrote: > While I appreciate the response, please note that I am unfamiliar > with PGP and encryption, so this is my first attempt to work through > an issue surrounding the problem. > > I never stated troubleshooting is a big burden. Rather, I did what > I would expect would be normal troubleshooting activities given my > novice status of dealing with PGP encryption: > > 1. Recreated the keys (this was done several times using command > line version of GnuPG 1.4.9 compiled for Microsoft Windows installed > on a Windows 2003 server). Recreated how? Can you give exactly the steps you followed? Even better, can you generate a key using those steps and send it here so we can examine it? The error message that you got looks like it came from the PGP command line product. I actually have a copy of that here somewhere, and I'm happy to check your GPG-generated key against it. David From kaustubh.gadkari at gmail.com Fri Apr 24 00:52:46 2009 From: kaustubh.gadkari at gmail.com (Kaustubh Gadkari) Date: Thu, 23 Apr 2009 16:52:46 -0600 Subject: Gpgme does not find key after setuid() Message-ID: Hi, I have code that sets uid after I start it as root. I have a user A that owns a key, and I su - to root. Then I do: ./simple-signer '' A In this case, gpgme does not find the key for user A. However, if I run the following as user A: ./simple-signer '' gpgme finds the key for user A. I am attaching my code, for reference. My question is : do I need to do something that will enable gpgme to find the key when I run my code as root? Thanks, Kaustubh -- Kaustubh Gadkari kaustubh [dot] gadkari [at] gmail [dot] com -------------- next part -------------- A non-text attachment was scrubbed... Name: simple-signer.cc Type: text/x-c++src Size: 5921 bytes Desc: not available URL: From bmearns at ieee.org Fri Apr 24 02:54:27 2009 From: bmearns at ieee.org (Brian Mearns) Date: Thu, 23 Apr 2009 20:54:27 -0400 Subject: Bad signatures on Gmail messages In-Reply-To: <87bpqnyv79.fsf@wheatstone.g10code.de> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> Message-ID: <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> On Thu, Apr 23, 2009 at 4:24 PM, Werner Koch wrote: > On Thu, 23 Apr 2009 18:12, bmearns at ieee.org said: >> I just wanted to let people know that I finally woke up and realized that >> messages I was signing and sending with Gmail are bad because the mail client > > That is why PGP/MIME is the only robust format and higly recommended > over of the simple clearsigning mode. > > > Shalom-Salam, > > ? Werner Could you elaborate on this Werner? I'm not familiar with this...does gpg support this? Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From allen.schultz at gmail.com Fri Apr 24 01:21:13 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Thu, 23 Apr 2009 17:21:13 -0600 Subject: Bad signatures on Gmail messages In-Reply-To: <87bpqnyv79.fsf@wheatstone.g10code.de> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> Message-ID: <3f34f8420904231621w55a296f2kf65ec5126810242b@mail.gmail.com> On Thu, Apr 23, 2009 at 2:24 PM, Werner Koch wrote: > That is why PGP/MIME is the only robust format and higly recommended > over of the simple clearsigning mode. That's the format that attaches the .sig file to the email of the same email? -- Allen Schultz From jmoore3rd at bellsouth.net Fri Apr 24 05:15:41 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu, 23 Apr 2009 23:15:41 -0400 Subject: Bad signatures on Gmail messages In-Reply-To: <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> Message-ID: <49F12EDD.1050805@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Brian Mearns wrote: > On Thu, Apr 23, 2009 at 4:24 PM, Werner Koch wrote: >> That is why PGP/MIME is the only robust format and higly recommended >> over of the simple clearsigning mode. > Could you elaborate on this Werner? I'm not familiar with this...does > gpg support this? GPG supports PGP/MIME without any trouble; but not all MUA's can handle PGP/MIME. Most notably, all of the MUA's distributed by M$. :-\ However, when used with a Frontend such as GPGrelay PGP/MIME is easily accomplished using even Outlook, Outlook Express or Windows Mail. JOHN ;) Timestamp: Thursday 23 Apr 2009, 23:15 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8S7aAAoJEBCGy9eAtCsPyDAH/3/bQ8fum/15CT9Nt2RxMhj+ d0izoEFkXBnf8tfNVm3OLPfQVo8tv+fhYhMAUkNWwt1iLmEOGIZCPeEjy0F6bJ7t Qo+ORKrhJjhUc3+IHJWECxNStQlKjzpTJsCY5nNbslnoy50LnitkOV3QC2/Xl8qF U4w0fK9N6tbQfpJD9fLCZC0ED7mbeMqw7LXLnrQQNO9T/ADg+X62Rpu9lYGQ72bT Rh406LCAmDZ/qugY2TtV+Wgn04ycQxxnveqw4sI3+AvdGP9LnlU/qR585BMj3Hqj H8ZnLU0r1qV75nPtjk9NCXpbyZeinIBun1M5yIZMjP9bhd/LvTMPZqV8ESJF6po= =ERy6 -----END PGP SIGNATURE----- From wk at gnupg.org Fri Apr 24 10:07:55 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 24 Apr 2009 10:07:55 +0200 Subject: Bad signatures on Gmail messages In-Reply-To: <49F12EDD.1050805@bellsouth.net> (John W. Moore, III's message of "Thu, 23 Apr 2009 23:15:41 -0400") References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> <49F12EDD.1050805@bellsouth.net> Message-ID: <87y6tqxyn8.fsf@wheatstone.g10code.de> On Fri, 24 Apr 2009 05:15, jmoore3rd at bellsouth.net said: > GPG supports PGP/MIME without any trouble; but not all MUA's can handle > PGP/MIME. Most notably, all of the MUA's distributed by M$. :-\ Well with GpgOL Outlook is able to parse PGP/MIME message. The newer version even shows such mails in a more standard way. Sending PGP/MIME works for a standalone Ooulook; sending via Exchange is in the works. IBM Notes is a bigger problem, there is no support yet for handling PGP/MIME in the client. I have heard about some promising experiments, though. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Fri Apr 24 10:12:48 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 24 Apr 2009 10:12:48 +0200 Subject: Bad signatures on Gmail messages In-Reply-To: <3f34f8420904231621w55a296f2kf65ec5126810242b@mail.gmail.com> (Allen Schultz's message of "Thu, 23 Apr 2009 17:21:13 -0600") References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <3f34f8420904231621w55a296f2kf65ec5126810242b@mail.gmail.com> Message-ID: <87tz4exyf3.fsf@wheatstone.g10code.de> On Fri, 24 Apr 2009 01:21, allen.schultz at gmail.com said: > That's the format that attaches the .sig file to the email of the same email? Right. It is a multipart message: One to contain the actual message, including attachments and one with the detached signature of the first part. I have signed this message along with a simple text attachment as an example. Note that some version of the mailing list manager Mailman unfortunately breaks all kinds of signatures. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: x URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available URL: From allen.schultz at gmail.com Fri Apr 24 10:14:41 2009 From: allen.schultz at gmail.com (allen.schultz at gmail.com) Date: Fri, 24 Apr 2009 02:14:41 -0600 (Mountain Daylight Time) Subject: DH/DSS vs ElGame/DSS? Message-ID: What is the difference between DH/DSS and ElGamel/DSS? I was reading up on S/MIME v3 and PGP/MIME differences when that came up. Just curious, and thanks in advance. -- Allen Schultz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 268 bytes Desc: OpenPGP digital signature URL: From allen.schultz at gmail.com Fri Apr 24 10:24:36 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Fri, 24 Apr 2009 02:24:36 -0600 (Mountain Daylight Time) Subject: Bad signatures on Gmail messages In-Reply-To: <87tz4exyf3.fsf@wheatstone.g10code.de> Message-ID: On Fri, Apr 24, 2009 at 2:12 AM, Werner Koch wrote: > an example. ?Note that some version of the mailing list manager Mailman > unfortunately breaks all kinds of signatures. I never noticed a break in the PGP/MIME styled signing through a mailing list. Yours did come through just fine. -- Allen Schultz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 268 bytes Desc: OpenPGP digital signature URL: From jmoore3rd at bellsouth.net Fri Apr 24 13:42:27 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 24 Apr 2009 07:42:27 -0400 Subject: Bad signatures on Gmail messages In-Reply-To: <87tz4exyf3.fsf@wheatstone.g10code.de> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <3f34f8420904231621w55a296f2kf65ec5126810242b@mail.gmail.com> <87tz4exyf3.fsf@wheatstone.g10code.de> Message-ID: <49F1A5A3.5070903@bellsouth.net> Werner Koch wrote: > I have signed this message along with a simple text attachment as > an example. Note that some version of the mailing list manager Mailman > unfortunately breaks all kinds of signatures. gpg: armor header: Hash: SHA1 gpg: armor header: Version: GnuPG v2.0.12-svn4945 (GNU/Linux) gpg: original file name='' gpg: Signature made 04/24/09 04:12:59 using DSA key ID 3D52C282 gpg: NOTE: signature key 010A57ED expired 12/31/07 13:09:19 gpg: using subkey 3D52C282 instead of primary key 5B0358A2 gpg: NOTE: signature key 010A57ED expired 12/31/07 13:09:19 gpg: BAD signature from "Werner Koch " gpg: textmode signature, digest algorithm SHA1 I have Updated this Key to no avail. :( JOHN ;) Timestamp: Friday 24 Apr 2009, 07:41 --400 (Eastern Daylight Time) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 654 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Fri Apr 24 13:50:23 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 24 Apr 2009 07:50:23 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: References: Message-ID: <49F1A77F.1030608@sixdemonbag.org> allen.schultz at gmail.com wrote: > What is the difference between DH/DSS and ElGamel/DSS? I was reading up > on S/MIME v3 and PGP/MIME differences when that came up. I don't know how it's used in the S/MIME standard. However, the Elgamal encryption algorithm is often misnamed the Diffie-Hellman encryption algorithm. The DH key exchange algorithm (DHKEA) came first, way back in the '70s. Then an Egyptian-American named Taher Elgamal did some groundbreaking work in generalizing DHKEA, discovering the mathematical roots of why it worked as well as it does, and in the process developed a whole family of algorithms. This family is often called the "Elgamal family." He also developed the Elgamal encryption and signing algorithms. It is my understanding that the correct name for what OpenPGP uses is the Elgamal encryption algorithm. I don't know why PGP Corporation calls it Diffie-Hellman encryption; it seems to be an idiosyncratic usage. From dshaw at jabberwocky.com Fri Apr 24 15:04:58 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 24 Apr 2009 09:04:58 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <49F1A77F.1030608@sixdemonbag.org> References: <49F1A77F.1030608@sixdemonbag.org> Message-ID: <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> On Apr 24, 2009, at 7:50 AM, Robert J. Hansen wrote: > allen.schultz at gmail.com wrote: >> What is the difference between DH/DSS and ElGamel/DSS? I was >> reading up >> on S/MIME v3 and PGP/MIME differences when that came up. > > I don't know how it's used in the S/MIME standard. However, the > Elgamal > encryption algorithm is often misnamed the Diffie-Hellman encryption > algorithm. > > The DH key exchange algorithm (DHKEA) came first, way back in the > '70s. > Then an Egyptian-American named Taher Elgamal did some groundbreaking > work in generalizing DHKEA, discovering the mathematical roots of > why it > worked as well as it does, and in the process developed a whole family > of algorithms. This family is often called the "Elgamal family." He > also developed the Elgamal encryption and signing algorithms. > > It is my understanding that the correct name for what OpenPGP uses is > the Elgamal encryption algorithm. I don't know why PGP Corporation > calls it Diffie-Hellman encryption; it seems to be an idiosyncratic > usage. It's historical. Back in the late 1990s, the PGP developers were offered a free patent license if they called it Diffie-Hellman. Now that the patent has expired, though, it's a little hard to change their product without confusing a bunch of customers who would see their "Diffie-Hellman" keys suddenly become "Elgamal" keys. David From webmaster at felipe1982.com Fri Apr 24 16:34:20 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Sat, 25 Apr 2009 00:34:20 +1000 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> Message-ID: <200904250034.26364.webmaster@felipe1982.com> > It's historical. Back in the late 1990s, the PGP developers were > offered a free patent license if they called it Diffie-Hellman. Now > that the patent has expired, though, it's a little hard to change > their product without confusing a bunch of customers who would see > their "Diffie-Hellman" keys suddenly become "Elgamal" keys. > > David [citation needed]?? Felipe -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From gary.galloway at nagrastar.com Fri Apr 24 17:15:14 2009 From: gary.galloway at nagrastar.com (Galloway, Gary) Date: Fri, 24 Apr 2009 09:15:14 -0600 Subject: Encryption failing due to missing(?) or unsigned(?) keys Message-ID: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> [] I'm having an issue on a new server (Debian-Lenny) I'm migrating to. Encryption is failing with the following message: Some keys missing or need signing: usera at host.com userb at host.com To the best I can determine( since I'm new to this encryption stuff), the keys are not missing, they are signed and trusted. What am I missing? Gary AIX/pSeries Systems Engineer -------------- next part -------------- An HTML attachment was scrubbed... URL: From dshaw at jabberwocky.com Fri Apr 24 17:39:56 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 24 Apr 2009 11:39:56 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <200904250034.26364.webmaster@felipe1982.com> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> Message-ID: <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> On Apr 24, 2009, at 10:34 AM, Felipe Alvarez wrote: >> It's historical. Back in the late 1990s, the PGP developers were >> offered a free patent license if they called it Diffie-Hellman. Now >> that the patent has expired, though, it's a little hard to change >> their product without confusing a bunch of customers who would see >> their "Diffie-Hellman" keys suddenly become "Elgamal" keys. >> >> David > [citation needed]?? Jon Callas, CTO of the PGP corporation. I'm afraid I don't have a URL to point you to. Note that this wasn't skullduggery of some sort or another. Whatever the product calls it, it the same algorithm as specified in the OpenPGP standard (that which we call a rose, by any other name would smell as sweet). The patent holders (Cylink) simply wanted to push the name Diffie-Hellman for marketing reasons. Back in the 1990s, crypto was really hampered by patent problems, and I imagine a free license would be a significant gift. David From jbruni at me.com Fri Apr 24 17:55:29 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Fri, 24 Apr 2009 08:55:29 -0700 Subject: Bad signatures on Gmail messages In-Reply-To: <87y6tqxyn8.fsf@wheatstone.g10code.de> References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> <49F12EDD.1050805@bellsouth.net> <87y6tqxyn8.fsf@wheatstone.g10code.de> Message-ID: <145134581957032192913017290068200767930-Webmail@me.com> On Friday, April 24, 2009, at 01:07AM, "Werner Koch" wrote: >On Fri, 24 Apr 2009 05:15, jmoore3rd at bellsouth.net said: > >> GPG supports PGP/MIME without any trouble; but not all MUA's can handle >> PGP/MIME. Most notably, all of the MUA's distributed by M$. :-\ > >Well with GpgOL Outlook is able to parse PGP/MIME message. The newer >version even shows such mails in a more standard way. Sending PGP/MIME >works for a standalone Ooulook; sending via Exchange is in the works. > Hi Werner, Any estimation of when GPGOL will be compatible with Outlook 2007? I noticed on your web site that it's in progress. Joe From rjh at sixdemonbag.org Fri Apr 24 18:29:37 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 24 Apr 2009 12:29:37 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> Message-ID: <49F1E8F1.8010907@sixdemonbag.org> David Shaw wrote: > The patent holders (Cylink) simply wanted to push the name > Diffie-Hellman for marketing reasons. Many people think Cylink has a history of regrettably close cooperation with the NSA. Some people consider their products to be suspect as a result of this. Given that, it should be pointed out that PGP Corporation was licensing the algorithm, not the implementation. PGP and GnuPG both use their own independent implementations of the algorithm. I'm not sure how much faith I put in the Cylink/NSA connection, but I know that some do. If you're one of them, you can rest easy. :) From brian.kumfer at ggp.com Fri Apr 24 18:40:07 2009 From: brian.kumfer at ggp.com (bkumfer) Date: Fri, 24 Apr 2009 09:40:07 -0700 (PDT) Subject: Help with encrypting using my PGP Public key In-Reply-To: <22993706.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> Message-ID: <23220310.post@talk.nabble.com> Thanks for your help. To create the key, I followed the --gpg -gen-key command - used key length of 1024 bits. Then I exported using this command: --gpg --export --armor --output c:\temp\file.asc The key is below: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.9 (MingW32) mQGhBEnTgVQRBACLLIEZIVDvAnRQWRqxwCi9opSyfrzNwdi+d0r84bNezob7Wcwv ztmnJSPxtFznw8pyTFZ9BwAZrKTBTVBti+t30ID9U0GnMK0cVCEq1JDuH1ywq8Cq VV7jOMhLW4peKPJJYMpKfuEO+gEPIC8F34xMDbxR+5ICwFMm+mj93YAMpwCgg2gG Mm9uQH15p5dPht/zuoL8rKcD+I3Fw9jDH52Myc2j3orxuevm4wHRWqaXf2EARTSp TE/OyEXdc/+lMSN+lWaoRIUBJA0UHlu/bycJFI4yJHKBaRl8KB0CsFZJOLZCxRXG phYzyszX8M41/zvOYxbustiiV7Y2/BiKTTmQvMi7hx+A5trV9eQWZd9k7SlIuItv I0ED/AhTa4Gd+H9pWG6vpH305r2ZjzLzQC7ZASbxRGIPfoCyU/2wNXBIz+zNmAqU 4vAs3Wvy0Q6baR5pmbI2Sk2wfo/n8NJr/8JvHLYXgIH2m2Fme8zYO0d5Fd90X3Dz DCl4o74vXOclIatVcqk1V8/CsswfPXUOra+IFbvhG4fQ2ZEwtD1HR1BLZXkgTWFz dGVyIChHZW5lcmFsIEdyb3d0aCBQcm9wZXJ0aWVzKSA8a2V5bWFzdGVyQGdncC5j b20+iGAEExECACAFAknTgVQCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDE xMg046F/NmyQAJ4+yulkRaYYdYEkRKRBh/f1429LBQCdFkruz8gst5HwAfOCoMhu RQiqzEO5AQ0ESdOBVBAEAKV259s21wsRPWlAjfFRnt+rRNiYdzydKzpNLRjCCQns UyoI/1ZV1Miz+CM8ymt7QCWBKkS0Y2e1e9FcJPX28yB/wpSneU6mfDqcSVBt9Dne Fnnso/9lDEq40gekVSzjemzhkGWEwTQtf7XiJGdzhJTdEYaYhHmbrAU2NQJi5KD/ AAMHA/9SF+DyxDbsR2/BBAxZoJ6uaNxhniUcO5pR3XwRigxcuUsiLD7FD6/KnTna umkS5vPVjSDrq5KgU3xipIgR61c4th9q75BgX8VKpCLISLXRmMTta/+fnICwp+pE y2ZDlsaB6dBgQGYe8xaCzFT/iQjLHTrz5XbMmstZN5K6HhEO54hJBBgRAgAJBQJJ 04FUAhsMAAoJEMTEyDTjoX82i8EAoIG7I25x7NO5l7HLucwh01sK4+urAJ0bDSET bJpyUoxBwOo87UJLIGZ8vg== =pQMf -----END PGP PUBLIC KEY BLOCK----- -- View this message in context: http://www.nabble.com/Help-with-encrypting-using-my-PGP-Public-key-tp22993706p23220310.html Sent from the GnuPG - User mailing list archive at Nabble.com. From faramir.cl at gmail.com Fri Apr 24 18:59:52 2009 From: faramir.cl at gmail.com (Faramir) Date: Fri, 24 Apr 2009 12:59:52 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23220310.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23220310.post@talk.nabble.com> Message-ID: <49F1F008.3080401@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 bkumfer escribi?: > Thanks for your help. To create the key, I followed the > > --gpg -gen-key command - used key length of 1024 bits. I successfully sent an encrypted message to you, and the preferences in your key looks "normal" to me... Encryption: AES256, AES192, AES, CAST5, 3DES Hashing: SHA1, SHA256, RIPEMD160 Compresi?n: ZLIB, BZIP2, ZIP, No compresion Caracter?sticas: MDC, Sevidor de claves no-modificar I don't know what could the problem be. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ8fAIAAoJEMV4f6PvczxAIEYH/jUQKNpNrRQtb6e8WDlDF/Fa B0yl35W8coG+iVYkkKzIMM0+0heKjffrZhFfp+/k/LCVLDxNTDyHQ8gxivd6fQwf lrpOEzmuwwQXlHVMKBkbwbyVqnE9kgrlMmMLnnCLN5QoD8lEGzrSm+2asg7zXyCE AvXwmIQDbKA0erE26WOV/HNXS/7c8JfQbtFwfhO5hiVKkUzCagnrEvSPBOXdcvaj PIAXKmLawxpAUQtSixjj97cqn6ptV1k1Zq26yilV28zEkmRIm9QS/J4hb9HV+5kp T+3NMU5Ib3zxZ2o5jgu9kubKC5ml0s8LsaB9VZb3AOBHXCfNHGAAnLM2JAPFMvs= =Og7q -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Apr 24 20:21:07 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 24 Apr 2009 14:21:07 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <49F1E8F1.8010907@sixdemonbag.org> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> <49F1E8F1.8010907@sixdemonbag.org> Message-ID: On Apr 24, 2009, at 12:29 PM, Robert J. Hansen wrote: > David Shaw wrote: >> The patent holders (Cylink) simply wanted to push the name >> Diffie-Hellman for marketing reasons. > > Many people think Cylink has a history of regrettably close > cooperation > with the NSA. Some people consider their products to be suspect as a > result of this. Given that, it should be pointed out that PGP > Corporation was licensing the algorithm, not the implementation. PGP > and GnuPG both use their own independent implementations of the > algorithm. Plus, both the GnuPG implementation and the PGP implementation are available for review by anyone who wants to look at them. (PGP isn't open source of course, but you can still get the source for review). David From brian.kumfer at ggp.com Fri Apr 24 20:28:58 2009 From: brian.kumfer at ggp.com (bkumfer) Date: Fri, 24 Apr 2009 11:28:58 -0700 (PDT) Subject: Help with encrypting using my PGP Public key In-Reply-To: <22993706.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> Message-ID: <23222432.post@talk.nabble.com> Thank you again. Is there a difference between encrypting a file vs. encrypting an email? We are using PGP in conjunction with the banks we do business with in order to get daily files of deposits into our accounts. -- View this message in context: http://www.nabble.com/Help-with-encrypting-using-my-PGP-Public-key-tp22993706p23222432.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rjh at sixdemonbag.org Fri Apr 24 20:47:26 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 24 Apr 2009 14:47:26 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23222432.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23222432.post@talk.nabble.com> Message-ID: <49F2093E.7050202@sixdemonbag.org> bkumfer wrote: > Thank you again. Is there a difference between encrypting a file vs. > encrypting an email? This depends on how you use it. From the perspective of OpenPGP, everything's a file. An email message is just a file you send over the internet via the SMTP protocol. There is an enormous difference in how you use GnuPG for email versus how you use it for file storage. For instance, the Enigmail extension for Thunderbird lets you use GnuPG in email in a fairly straightforward fashion. If you get used to using GnuPG that way, it might be a rude shock to you when you have to use GnuPG at the command line to encrypt a file. This is why I say it depends on how you use it. From dshaw at jabberwocky.com Fri Apr 24 21:07:51 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 24 Apr 2009 15:07:51 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23220310.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23220310.post@talk.nabble.com> Message-ID: <34F93ED5-36DC-4755-BFAD-FCB645468B77@jabberwocky.com> On Apr 24, 2009, at 12:40 PM, bkumfer wrote: > > Thanks for your help. To create the key, I followed the > > --gpg -gen-key command - used key length of 1024 bits. I examined this key and there is nothing particularly unusual about it. The only thing that jumps out (and this is a reach) is that the Elgamal encryption subkey is rather small. It's possible (though odd) that the bank is configured to disallow keys of that size. If it is easy for you to try different keys with the bank, try making and submiting one with a 2048 bit subkey (i.e. gpg --gen-key, select option 1, then enter 2048). I'll check it against the PGP command line product later (the virtual machine it runs on is not powered on right now). David From christoph.anton.mitterer at physik.uni-muenchen.de Fri Apr 24 20:39:54 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Fri, 24 Apr 2009 20:39:54 +0200 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23222432.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23222432.post@talk.nabble.com> Message-ID: <1240598394.4234.14.camel@fermat.scientia.net> On Fri, 2009-04-24 at 11:28 -0700, bkumfer wrote: > Thank you again. Is there a difference between encrypting a file vs. > encrypting an email? Not really,... but with eMail,.. there mail be "additional" standards used (PGP for MIME). Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From jmoore3rd at bellsouth.net Fri Apr 24 22:32:23 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 24 Apr 2009 16:32:23 -0400 Subject: Encryption failing due to missing(?) or unsigned(?) keys In-Reply-To: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> References: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> Message-ID: <49F221D7.6070201@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Galloway, Gary wrote: > I'm having an issue on a new server (Debian-Lenny) I'm migrating to. > Encryption is failing with the following message: > > > Some keys missing or need signing: > usera at host.com > userb at host.com > > To the best I can determine( since I'm new to this encryption stuff), > the keys are not missing, they are signed and trusted. What am I missing? Just for Grins; try add this line to Your gpg.conf: trust-model always The only other 'thing' that comes to mind is perhaps some Keys are not properly cross certified. You could also try adding this line to gpg.conf as well: no-require-cross-certification JOHN :-\ Timestamp: Friday 24 Apr 2009, 16:32 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8iHVAAoJEBCGy9eAtCsPWkwIAJ6g1b7oUndc1kYg4XG5Ybri Gn0OudIUuZerJ3viNnWWPd5LpALakyaIjqvWrpLGUiVfOS/nBf0W+5af3Ip4Vien Q3etexTpokVjEukTGmoq/bH80P1pp6hUUrC8rf7LHEcKj82FWzVY6POdlFyrNDak P9NAT6rOSwkvAhMQPcCIH6JuuG1Q/yXLXqWjufTfN1Jt+08UxO536LxRAEZLo8W4 TogMdHkNXQ/S1biA25QieWVrptfi05wJ8r7nVKieKrzuXg/Y5PvP5U6ayBMlMziz y9mxld2ssbSFiz6Y6RYwiul+sYIK2OBhM2n0glI5fpp/53LfI5o1U6iSVfWqc0Q= =3auO -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Fri Apr 24 22:45:18 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 24 Apr 2009 16:45:18 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <49F1E8F1.8010907@sixdemonbag.org> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> <49F1E8F1.8010907@sixdemonbag.org> Message-ID: <49F224DE.9060205@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert J. Hansen wrote: > Many people think Cylink has a history of regrettably close cooperation > with the NSA. Some people consider their products to be suspect as a > result of this. Given that, it should be pointed out that PGP > Corporation was licensing the algorithm, not the implementation. PGP > and GnuPG both use their own independent implementations of the algorithm. > > I'm not sure how much faith I put in the Cylink/NSA connection, but I > know that some do. If you're one of them, you can rest easy. :) Hmm... Well, if anyone is paranoid to the extreme of distrusting /every/ Vendor that NSA contracts with then Ya better stock up on the Xanax. At one time or another the Puzzle Palace has 'partnered with' or spent huge sums of money with almost every hardware & a helluva lot of software Vendors. [this particularly includes most Telecoms in the World] JOHN :-D Timestamp: Friday 24 Apr 2009, 16:45 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8iTdAAoJEBCGy9eAtCsPglMIAIWWYmsS1+N/v5qjkqRkVeOY ub9LKG0RKxhg2b+ZpqnS0nleMqM3qdUM0cszD1qKASsq3yigFBHSk+ytqy1SqeC0 A2eQTNppsrwR9gORbE+V9WKz4CZYEBaj1Bvzm/8nOAnVWI6vRM9coF32OYGfvbO9 fdZH8EpthjUdsCcyBHuRD121EPbeK9VFx38oqhF/w1lDnWN8w0qEMr77Wszk9JjO C+QihIIncY0ywI3dr+oORrPtQRwn1ZgZFt8N/7HCxIsB06gtpcMXPjg7bAkjIJFc ZwzuF5ZY+iH4gylTMkNzt0yiSxr5TXj4alYDoR0oR8iJGV1JBaKuiRHnSm2nrcM= =tf/M -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Fri Apr 24 23:06:05 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 24 Apr 2009 17:06:05 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <49F224DE.9060205@bellsouth.net> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> <49F1E8F1.8010907@sixdemonbag.org> <49F224DE.9060205@bellsouth.net> Message-ID: <49F229BD.6040606@sixdemonbag.org> John W. Moore III wrote: > Hmm... Well, if anyone is paranoid to the extreme of distrusting > /every/ Vendor that NSA contracts with then Ya better stock up on the > Xanax. At one time or another the Puzzle Palace has 'partnered with' or > spent huge sums of money with almost every hardware & a helluva lot of > software Vendors. Absolutely true. That said, very few directors of the NSA have gone on to become CEOs of telephone companies. William P. Crowell served as DDO and Deputy Director for the NSA up until he joined Cylink in '98. He's hardly the only senior NSA type to join Cylink. When you see that kind of personnel crossover between the companies, it makes people a little more nervous than they are about dealing with, say, IBM (which has had a lot of NSA contacts, too). From jmoore3rd at bellsouth.net Sat Apr 25 00:57:12 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 24 Apr 2009 18:57:12 -0400 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: <49F229BD.6040606@sixdemonbag.org> References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> <49F1E8F1.8010907@sixdemonbag.org> <49F224DE.9060205@bellsouth.net> <49F229BD.6040606@sixdemonbag.org> Message-ID: <49F243C8.5000801@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert J. Hansen wrote: > Absolutely true. That said, very few directors of the NSA have gone on > to become CEOs of telephone companies. William P. Crowell served as DDO > and Deputy Director for the NSA up until he joined Cylink in '98. Not CEO's but; many have become a paid Member of the Board of Directors whose major contribution has been to 'steer' Project Bids through the maze of NSA procurement. ;) Likewise, when the Agency requires "cooperation" from a Corporation it isn't shy about asking a former 'Official' currently 'advising' said Enterprise to gain the collaborative efforts desired. NSA is primarily a Military organization and the revolving door between retired Military and Defense Contractors spins just as fast between Ft. Meade and the local Technology Park as it does elsewhere in the Military-Industrial symbiotic relationship. JOHN ;) Timestamp: Friday 24 Apr 2009, 18:56 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ8kPFAAoJEBCGy9eAtCsPfDoH/3K4EAIZSQv63TelvA8fbQZ5 cw2xoGGir3yH466bJUnNRNfKqlCfEDJKOdercdQBOU4QHYtm9l2PovNaS9DEzNCX 7WNIhq1SgElnRK3SkjIpN6GdwHKBO39nplDzti1Ou3pC+nqy7cmkJDRC0Fqfk/0R n8ntz6QOWF4g5oI9kjMeDvynjQzd65VoCTF4uuIrpxX5abKNEbNaNu6APlHpltlQ iESBKQl/vQff2s6KeaOoh3H7O6E/XNOBfN2OLNllU0Ut3nUj/+LCYau6Rv9pKatH EytkI4KgJ4euPJ3u14y0Br+VunFTCFQ2V+dDKtvkuKIsmz1R24sVzIs3W1sD9ag= =Rm4K -----END PGP SIGNATURE----- From webmaster at felipe1982.com Sat Apr 25 02:54:27 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Sat, 25 Apr 2009 10:54:27 +1000 Subject: Help with encrypting using my PGP Public key In-Reply-To: <23222432.post@talk.nabble.com> References: <22993706.post@talk.nabble.com> <23222432.post@talk.nabble.com> Message-ID: <200904251054.35195.webmaster@felipe1982.com> On Sat, 25 Apr 2009 04:28:58 bkumfer wrote: > Thank you again. Is there a difference between encrypting a file vs. > encrypting an email? Not really. It just bits n bytes. Anything gpg takes in as input (files, plaintext, whatever) it just happily signs and/or encrypts. If you are emailing the output directly (copy paste) you should "--armor" the output, to prevent mailers destroying your "text." OTOH, you could just 'attach' the file (binary, ascii armored, or otherwise) as a regular email attachment and send it that way. As others have said, encrypting mail has been made trivially easy with tools such as Kmail and Enigmail. When you desire to encrypt a file (say a JPEG, or PDF), you may probably need to throw in some commands on a command-line interface. Felipe -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From shavital at mac.com Sat Apr 25 11:36:00 2009 From: shavital at mac.com (Charly Avital) Date: Sat, 25 Apr 2009 02:36:00 -0700 Subject: Libgcrypt on gpg 2.0.11 under Linux Ubuntu Jaunty 9.04_64bits In-Reply-To: <49F221D7.6070201@bellsouth.net> References: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> <49F221D7.6070201@bellsouth.net> Message-ID: <1240652160.17999.28.camel@Unibody> Hi, compiled 2.0.11 from source, on a freshly installed and updated copy of Ubuntu 9.04_64 bits. All required libraries were also compiled and installed, including libgcrypt 1.4.4, before compiling 2.0.11. In spite of compiling and installing twice libgcrypt 1.4.4, compiling and installing again 2.0.11, and logging out/in, I still get libgcrypt 1.4.1 in: $ gpg2 --version gpg (GnuPG) 2.0.11 libgcrypt 1.4.1 Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB TIA for suggestions. Charly From mkrotzer at fastmail.fm Sat Apr 25 15:17:56 2009 From: mkrotzer at fastmail.fm (Matthew Krotzer) Date: Sat, 25 Apr 2009 09:17:56 -0400 Subject: --encrypt-to usage Message-ID: <20090425131756.GA20500@darkstar> Hello, I've recently started using Gnupg and public key encryption in general. In my research I believe I've read that the --encrypt-to option is a bad idea because it creates another option for an attacker. If the attacker has either key, then they can decode what was sent to the recipient. Is the usage of this common and acceptable or should I avoid it like the plague? Matthew Krotzer From rjh at sixdemonbag.org Sat Apr 25 15:45:27 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 09:45:27 -0400 Subject: --encrypt-to usage In-Reply-To: <20090425131756.GA20500@darkstar> References: <20090425131756.GA20500@darkstar> Message-ID: <49F313F7.3040806@sixdemonbag.org> Matthew Krotzer wrote: > I've recently started using Gnupg and public key encryption > in general. In my research I believe I've read that the > --encrypt-to option is a bad idea because it creates another > option for an attacker. If the attacker has either key, > then they can decode what was sent to the recipient. There is a lot of very bad advice out there. This idea is an example of it. The more people who know a secret, the more likely it is that secret will get out. That's a weakness in human beings, not a weakness in the cryptosystem. So long as you trust that your correspondents are using GnuPG safely and correctly, and you trust they're not working with your enemies, use --encrypt-to with confidence. From wk at gnupg.org Sat Apr 25 15:47:31 2009 From: wk at gnupg.org (Werner Koch) Date: Sat, 25 Apr 2009 15:47:31 +0200 Subject: Bad signatures on Gmail messages In-Reply-To: <145134581957032192913017290068200767930-Webmail@me.com> (Joseph Oreste Bruni's message of "Fri, 24 Apr 2009 08:55:29 -0700") References: <4df3a1330904230912x77ef5879g35aac70c8d4a9265@mail.gmail.com> <4df3a1330904230912x76207914vc646abba1b9d861b@mail.gmail.com> <87bpqnyv79.fsf@wheatstone.g10code.de> <4df3a1330904231754j6d4ed886o15a32511e487da52@mail.gmail.com> <49F12EDD.1050805@bellsouth.net> <87y6tqxyn8.fsf@wheatstone.g10code.de> <145134581957032192913017290068200767930-Webmail@me.com> Message-ID: <87r5zgx2to.fsf@wheatstone.g10code.de> On Fri, 24 Apr 2009 17:55, jbruni at me.com said: > Any estimation of when GPGOL will be compatible with Outlook 2007? I noticed on your web site that it's in progress. I have nor checked the last versions but the new GpgOL usually works on OL 2007. The ribbon bar or whatever it is called puts the buttons into a another area but aside from that I never had problems. My testbox is Vista with OL2007 but Marcus runs his tests with XP and OL2007. There is on reported problem which Vista which is probably due to the symlink like feature. That is related to GnuPG in general but I was not able to duplicate the problem. There are two main drawbacks: The user interface, based on KDE, has some minor problems and the alternative interface based on GPA is probably lacking some features. The second problem is that sending mails with Exchange does not anymore/yet work. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Sat Apr 25 15:52:33 2009 From: wk at gnupg.org (Werner Koch) Date: Sat, 25 Apr 2009 15:52:33 +0200 Subject: Libgcrypt on gpg 2.0.11 under Linux Ubuntu Jaunty 9.04_64bits In-Reply-To: <1240652160.17999.28.camel@Unibody> (Charly Avital's message of "Sat, 25 Apr 2009 02:36:00 -0700") References: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> <49F221D7.6070201@bellsouth.net> <1240652160.17999.28.camel@Unibody> Message-ID: <87mya4x2la.fsf@wheatstone.g10code.de> On Sat, 25 Apr 2009 11:36, shavital at mac.com said: > In spite of compiling and installing twice libgcrypt 1.4.4, compiling > and installing again 2.0.11, and logging out/in, I still get > > libgcrypt 1.4.1 in: You probably installed libgcrypt under /usr/local and thus you need to tell your system wfrom where to take it. Either LD_LIBRARY_PATH=/usr/loca/bin gpg2 or modify your /etc/ld.so.conf I assume that you build against 1.4.4; if you did not install the libgcrypr11-dev package from Ubuntu that should be the case. It should not matter anyway. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From allen.schultz at gmail.com Sat Apr 25 16:03:48 2009 From: allen.schultz at gmail.com (allen.schultz at gmail.com) Date: Sat, 25 Apr 2009 08:03:48 -0600 (Mountain Daylight Time) Subject: Troubleshooting signatures Message-ID: Ok. I'm getting a wierd signature verification message in two programs and I have a few questions. First the situation. Inline signatures received from more than one person. Recently checked Godwin Stewart's signature (0xD769AF76) first with FireGPG. It is giving me a flat out "Wrong signature". When I copy to clipboard and tried with WinPT (Using Windows 7), it gave me the following status below. Signature is good. Warning: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner. First. Does the trust warning screw up FireGPG's signature validity or am I missing something else? Second, is this the normal reaction from GnuPG v1.4.9? Any help in understanding this would be helpful. -- Allen Schultz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 268 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Sat Apr 25 16:50:53 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 10:50:53 -0400 Subject: Troubleshooting signatures In-Reply-To: References: Message-ID: <49F3234D.8000801@sixdemonbag.org> allen.schultz at gmail.com wrote: > First. Does the trust warning screw up FireGPG's signature validity or > am I missing something else? Second, is this the normal reaction from > GnuPG v1.4.9? Can't answer re: FireGPG. However, this is _a_ normal reaction, but not _the_ normal reaction. If you got a signature that purported to be from obama at whitehouse.gov, and it was signed with a key that purported to be from obama at whitehouse.gov, would you actually believe it was from President Obama? Or would you say, "wait a minute, /anyone/ can pretend to be /anyone/ on the internet, I need some confirmation before I'll actually believe the President is sending me an email"? That's what GnuPG is warning you about. There is no evidence the key really belongs to the person it claims to whom it claims to belong. Maybe it does, maybe it doesn't, there's no evidence either way. From shavital at mac.com Sat Apr 25 16:58:08 2009 From: shavital at mac.com (Charly Avital) Date: Sat, 25 Apr 2009 07:58:08 -0700 Subject: Libgcrypt on gpg 2.0.11 under Linux Ubuntu Jaunty 9.04_64bits In-Reply-To: <87mya4x2la.fsf@wheatstone.g10code.de> References: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> <49F221D7.6070201@bellsouth.net> <1240652160.17999.28.camel@Unibody> <87mya4x2la.fsf@wheatstone.g10code.de> Message-ID: <49F32500.2060509@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch wrote: [...] > LD_LIBRARY_PATH=/usr/loca/bin gpg2 I did LD_LIBRARY_PATH=/usr/local/bin/gpg2 [assuming some mistypes ;)] And I have now: $ gpg2 --version gpg (GnuPG) 2.0.11 libgcrypt 1.4.4 [.....] Thank you Werner. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ8yT3AAoJEM3GMi2FW4PvX9IH/R+ZJMe5lWvGJ1kGfxMBg+/T TncKAaCxLseJOyRm0VQ6jQj4pUHD+Mzw/DbdMIKvPsN2TELwISqI49PJHQ2I0Mdl EOI8iP7JjMQdWkWR4772Se9DZi00B8YmiBzhsIV0p1hcS02H6w9CaScXl+fIa0ZJ um8GPeKC7DLEg3mJ/LTRF47exxys8adkMPpkiFhUEgcyuTMPKjWG4HdeqEwxXSwf m6K8i00Y9XbLoxfrrakGc0orN/80+D/1ptc0WvlOE+1aYuddGx5pQ8/Zu14X0oxd 7i+ZvhkJup+RleDXyguQjxgJYYQpn9VP//g0S8ZoyazdDC6L6DsV1T9ehGjqazU= =0deX -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Apr 25 17:50:29 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sat, 25 Apr 2009 11:50:29 -0400 Subject: Help with encrypting using my PGP Public key In-Reply-To: <34F93ED5-36DC-4755-BFAD-FCB645468B77@jabberwocky.com> References: <22993706.post@talk.nabble.com> <23220310.post@talk.nabble.com> <34F93ED5-36DC-4755-BFAD-FCB645468B77@jabberwocky.com> Message-ID: <7741290C-F4AD-4ADB-A577-700A9CDCF4A4@jabberwocky.com> On Apr 24, 2009, at 3:07 PM, David Shaw wrote: > On Apr 24, 2009, at 12:40 PM, bkumfer wrote: > >> >> Thanks for your help. To create the key, I followed the >> >> --gpg -gen-key command - used key length of 1024 bits. > > I examined this key and there is nothing particularly unusual about > it. The only thing that jumps out (and this is a reach) is that > the Elgamal encryption subkey is rather small. It's possible > (though odd) that the bank is configured to disallow keys of that > size. If it is easy for you to try different keys with the bank, > try making and submiting one with a 2048 bit subkey (i.e. gpg --gen- > key, select option 1, then enter 2048). > > I'll check it against the PGP command line product later (the > virtual machine it runs on is not powered on right now). I've checked it and it works just fine. I'm able to encrypt to it without any problems. I'm afraid that doesn't leave you with a good answer, though. I don't think it will help, but it's worth trying making a larger key, as I suggest above. Aside from that, your bank or whoever you are communicating with needs to give you some more information about why this is failing. David From lists at 404not-found.de Sat Apr 25 18:27:44 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Sat, 25 Apr 2009 18:27:44 +0200 Subject: certificate chain depth Message-ID: <20090425162743.GA8264@ge-c705.uibk.ac.at> Hello, when gnupg trusts a key as a result of trustdb calculations, I would like to know what the chain depth for the given key is. I know that I can control the maximal acceptable depth with the max-cert-depth configuration parameter. I would like to keep the default of 5, but it is still a difference regarding the trustworthiness of a key if it is frully trusted in, say, third or fifth level. Manually following the trust chains can be annoying, and could also lead to false conclusions as in the following small example: Say we have marginals-needed=2, completes-needed=1 and the web of trust is # me -> A ---------> E # | \---> D ----/ # \-> B -> C / with the ownertrust values A: marginal D: marginal C: marginal B: full On a first glance one might think as we have the chains me->A->E and me->A->D->E, that E is fully trusted in third level. But because D only is trusted in third level (me->B->C->D), E is actually trusted in fourth level. This rapidly gets more complex with a growing web of trust. As of now I can only think of gradually reducing max-cert-depth, recalculating trustdb and see, if a given key stays fully trusted. Is there a better way to determin the cert depth? If not, I think this would be a nice feature to implement. Cheers, Raimar From david at gbenet.com Sat Apr 25 20:58:44 2009 From: david at gbenet.com (david) Date: Sat, 25 Apr 2009 21:58:44 +0300 Subject: certificate chain depth In-Reply-To: <20090425162743.GA8264@ge-c705.uibk.ac.at> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> Message-ID: <49F35D64.4010203@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Raimar Sandner wrote: > Hello, > > when gnupg trusts a key as a result of trustdb calculations, I would > like to know what the chain depth for the given key is. > > I know that I can control the maximal acceptable depth with the > max-cert-depth configuration parameter. I would like to keep the > default of 5, but it is still a difference regarding the > trustworthiness of a key if it is frully trusted in, say, third or > fifth level. > > Manually following the trust chains can be annoying, and could also > lead to false conclusions as in the following small example: > > Say we have marginals-needed=2, completes-needed=1 and the web of > trust is > > # me -> A ---------> E > # | \---> D ----/ > # \-> B -> C / > > with the ownertrust values > A: marginal > D: marginal > C: marginal > B: full > > On a first glance one might think as we have the chains me->A->E and > me->A->D->E, that E is fully trusted in third level. But because D > only is trusted in third level (me->B->C->D), E is actually trusted > in fourth level. This rapidly gets more complex with a growing web > of trust. > > As of now I can only think of gradually reducing max-cert-depth, > recalculating trustdb and see, if a given key stays fully trusted. > Is there a better way to determin the cert depth? If not, I think > this would be a nice feature to implement. > > Cheers, > Raimar > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Hi, I don't wish to be over-simplistic, but I had thought that the web of trust was a people thing rather than a mathematical model. I can appreciate it's difficult to form a web of trust between people that you never meet - like me posting here - the idea I thought was to develop such networks through people that one knows - or gets to know via shared contacts - shared experiences - common interests and concerns. What is trust anyway? Common shared values? How does one measure that with the depth of signed keys? Ok so I'm being a bit philosophical Best Wishes :) David - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknzXV4ACgkQYvuE3Ov+SsB4YgCg0aogBZ7fsuSw+Jyotn2PMofX E1gAnAlaa+501bbdFVx8Lbvqat/kvIpW =q/xg -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Apr 25 21:27:26 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 15:27:26 -0400 Subject: certificate chain depth In-Reply-To: <49F35D64.4010203@gbenet.com> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> Message-ID: <49F3641E.1020605@sixdemonbag.org> > Hi, I don't wish to be over-simplistic, but I had thought that the web > of trust was a people thing rather than a mathematical model. Honestly, it's a little of one and a lot of the other. The questions of "whom do I trust and why?" is purely a human factor; the questions of "... and given I trust them, what can I deduce to be true?" is a mathematical question. > What is trust anyway? Generally, trust is the ability to break someone's security policy. E.g., I've given a friend of mine from college, John Hawley, a trusted signature. John can now screw over my local security policy. If I see a key which John has signed, I'm going to assume that key is valid. If John signs keys that aren't valid, he can break my security policy. This is why most uses of the phrase "trusted system" give security geeks the heebie-jeebies. A trusted system is, ironically, more dangerous than an untrusted system. An untrusted system has no capability to break your security policy; a trusted system can. That means trusted systems often need to be watched like hawks. In a similar vein, many Wall Street brokers were trusted with billions of client money -- and they should have been watched closely as a result of that trust. From lists at 404not-found.de Sat Apr 25 21:46:32 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Sat, 25 Apr 2009 21:46:32 +0200 Subject: certificate chain depth In-Reply-To: <49F35D64.4010203@gbenet.com> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> Message-ID: <200904252146.32381.lists@404not-found.de> On Saturday 25 April 2009 20:58:44 david wrote: > Raimar Sandner wrote: > > Hello, > > > > when gnupg trusts a key as a result of trustdb calculations, I would > > like to know what the chain depth for the given key is. [snip] > > Hi, I don't wish to be over-simplistic, but I had thought that the web > of trust was a people thing rather than a mathematical model. > I can appreciate it's difficult to form a web of trust between people > that you never meet - like me posting here - the idea I thought was to > develop such networks through people that one knows - or gets to know > via shared contacts - shared experiences - common interests and concerns. Not over-simplistic, you're definitely right about this. The best thing to do still is to go out, sign keys and thus establish trust. But as you say that is not always possible in a large community. In the end it is of course a people thing whether you trust a key or not, no mathematical model ever can replace your final decision. So there is a big difference in gpg saying "fully trusted" and you thinking "fully trusted". I think _because_ it's a people thing, feedback from gpg about the depth would be nice. Say over time I have added a lot of keys to my keyring, assigned ownertrust values, and now encounter a signature, gpg saying "Good signature, key fully trusted". I would appreciate an option to see at first glance whether gpg takes the key as fully trusted because I signed it or because a friend's friend signed it, to help me make a final decission. The web of trust is a great way to establish some amount of trust into new keys when you cannot meet the owner. But I think that maybe gpg could help differentiate a bit more between keys introduced through the web of trust and keys that I have signed personally, for example by showing the depth level. > What is trust anyway? Common shared values? How does one measure that > with the depth of signed keys? I'd rather say "give a hint about trust" than "measure trust" :) Greetings Raimar From jmoore3rd at bellsouth.net Sat Apr 25 22:00:05 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat, 25 Apr 2009 16:00:05 -0400 Subject: certificate chain depth In-Reply-To: <200904252146.32381.lists@404not-found.de> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> <200904252146.32381.lists@404not-found.de> Message-ID: <49F36BC5.2000707@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Raimar Sandner wrote: > In the end it is of course a people thing whether you trust a key or not, no > mathematical model ever can replace your final decision. So there is a big > difference in gpg saying "fully trusted" and you thinking "fully trusted". This is why both Owner Trust & Calculated Trust exist. One is a mathematical result and the other is a Personal evaluation. JOHN ;) Timestamp: Saturday 25 Apr 2009, 15:59 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ82vEAAoJEBCGy9eAtCsPm5QH/RfSaHGZH+edqH37FByiwBJZ cDLodzPtQZRAy2ylgmjtLoAC7tIllGiNtN21Gj8V398+Iu3xeOboQ0sTKHYa8psq CarHkh2hrIqusTBgt5L7kUCy83wFwVeezlMiCCSNbQJ1bYTbRtJs7UPe5o4QUDkd t+dnTauyUZJg5ZoYRkQtdlbDQb9VVA7ehgVsS3SQ7HDzR7Pkk/pPLyaeEQ+LRYv3 hugGcqONscRofURAVSLYuir2dZB8alvud2imI0dYwLlzPVTTNTuWbp/cXHiy0/UM UZ1YxTDjeJsCElBZwT1/sb79KRUz5OEsOncnKIwCiPOLM3ZL5NVwEA7tDoLMIr8= =PzT0 -----END PGP SIGNATURE----- From david at gbenet.com Sat Apr 25 22:31:45 2009 From: david at gbenet.com (david) Date: Sat, 25 Apr 2009 23:31:45 +0300 Subject: certificate chain depth In-Reply-To: <49F3641E.1020605@sixdemonbag.org> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> <49F3641E.1020605@sixdemonbag.org> Message-ID: <49F37331.6040208@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert J. Hansen wrote: >> Hi, I don't wish to be over-simplistic, but I had thought that the web >> of trust was a people thing rather than a mathematical model. > > Honestly, it's a little of one and a lot of the other. The questions of > "whom do I trust and why?" is purely a human factor; the questions of > "... and given I trust them, what can I deduce to be true?" is a > mathematical question. > >> What is trust anyway? > > Generally, trust is the ability to break someone's security policy. > > E.g., I've given a friend of mine from college, John Hawley, a trusted > signature. John can now screw over my local security policy. If I see > a key which John has signed, I'm going to assume that key is valid. If > John signs keys that aren't valid, he can break my security policy. > > This is why most uses of the phrase "trusted system" give security geeks > the heebie-jeebies. A trusted system is, ironically, more dangerous > than an untrusted system. An untrusted system has no capability to > break your security policy; a trusted system can. That means trusted > systems often need to be watched like hawks. > > In a similar vein, many Wall Street brokers were trusted with billions > of client money -- and they should have been watched closely as a result > of that trust. > I appreciate secure systems - being rigid are apt to get broken or people break out of them :) just as equally friendships based on common interests and concerns dissolve - may be there's no trust in keys at all. it's a value judgement - that over time, changing conditions may not reflect the "trust" one had in regard to the person. I'm not likely to put trust into systems. I appreciate the security of transmitted data and a requirement it's not going to leak out the edges or that some one's going to compromise oneself or others - or (it just struck me) that I may want to compromise some one (shudder) but then we are still making value judgements about people and who we trust and why we trust them. It was philosophical - radical politics - enabling people to protect their privacy - as a driving principle - where are we now then? a small group of people that's fairly secure - but the principle is for public world wide use of pgp to safeguard their privacy - with a fair few intent on breaking it. It's still a people thing - conflicts of interest, politics, philosophy the ethics or mores that govern how people interact. What they share - are we to become closed and only open if a key is trusted by so many? That in itself is a weakness. Must be the Med sea and the coffee ............ Happy Days David - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknzcywACgkQYvuE3Ov+SsDvLwCgiAPXIx4jJ1qzvjEBm+NVQKtj 3yUAoNWbV6B6GAkK9NKDvVnwRBiJSSn9 =t+1X -----END PGP SIGNATURE----- From david at gbenet.com Sat Apr 25 22:59:10 2009 From: david at gbenet.com (david) Date: Sat, 25 Apr 2009 23:59:10 +0300 Subject: Just a thought Message-ID: <49F3799E.8000403@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - but say I cc'd to a few people - because if those people are in my key ring will it encrypt for each? Some one must have tried it :) David - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknzeZoACgkQYvuE3Ov+SsBz/wCgvU/ujxYhNmb/qYEKlAHiyzyL KWwAnAx9Q0XhXb+eed1waj0+bdGykTs4 =vgtz -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Apr 25 23:22:25 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 17:22:25 -0400 Subject: Just a thought In-Reply-To: <49F3799E.8000403@gbenet.com> References: <49F3799E.8000403@gbenet.com> Message-ID: <49F37F11.4060508@sixdemonbag.org> david wrote: > Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - > but say I cc'd to a few people - because if those people are in my key > ring will it encrypt for each? Yes, although if you want Enigmail-specific answers you may want to ask on the Enigmail list. From John at Mozilla-Enigmail.org Sat Apr 25 23:25:02 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sat, 25 Apr 2009 16:25:02 -0500 Subject: Just a thought In-Reply-To: <49F3799E.8000403@gbenet.com> References: <49F3799E.8000403@gbenet.com> Message-ID: <49F37FAE.7040702@Mozilla-Enigmail.org> david wrote: > Hi all, > > Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - > but say I cc'd to a few people - because if those people are in my key > ring will it encrypt for each? If a valid key can be located for each recipient, the message will be encrypted to all. If a single recipient cannot be matched with a key, the message will be sent in the clear. The message will be encrypted once with a symmetric cipher and session key. Then the session key is encrypted to each recipient's public key and the encrypted session keys are attached to the message. For each recipient the first valid key with matching email address is the one selected. If this is not the preferred key, then Enigmail's Per-recipient rules may be setup to specify the correct key to use. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From david at gbenet.com Sat Apr 25 23:31:40 2009 From: david at gbenet.com (david) Date: Sun, 26 Apr 2009 00:31:40 +0300 Subject: Just a thought In-Reply-To: <49F37F11.4060508@sixdemonbag.org> References: <49F3799E.8000403@gbenet.com> <49F37F11.4060508@sixdemonbag.org> Message-ID: <49F3813C.4070700@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert J. Hansen wrote: > david wrote: >> Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - >> but say I cc'd to a few people - because if those people are in my key >> ring will it encrypt for each? > > Yes, although if you want Enigmail-specific answers you may want to ask > on the Enigmail list. > Thank you Robert - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknzgS8ACgkQYvuE3Ov+SsDlNgCeNFbd1x1R+wohuxH3X3F0BeJB O2MAoOpHhQrgsXTq624f+p4CYo1XpFQJ =Hq28 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Apr 25 23:45:26 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 17:45:26 -0400 Subject: certificate chain depth In-Reply-To: <49F37331.6040208@gbenet.com> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> <49F3641E.1020605@sixdemonbag.org> <49F37331.6040208@gbenet.com> Message-ID: <49F38476.5050301@sixdemonbag.org> david wrote: > it's a value judgement - that over time, changing conditions may not > reflect the "trust" one had in regard to the person. This is why signatures can be revoked. > I'm not likely to put trust into systems. Really? You already have. For instance, do you have the capability, right here, right now, to grow or obtain your own food? If not, then you're trusting in your local food distribution system. If it goes out, then you're in a world of hurt. Do you have the capability to obtain potable water? If not, then you're trusting your water system. The question is not _if_ you trust, but _who and what_ you trust, and whether that trust will be a blind trust or an examined trust. Blind trust tends to get people in a lot of trouble; examined trust lets you prepare for what happens if and when that trust is breached. There's a reason why I have three days of MREs and ten liters of drinking water in my pantry. I trust food distribution and I trust my water system. And it's because of that trust that I have backups. On balance, I think it is better to practice examined trust than unexamined trust. But that said... I am an advocate of trust. > or (it just struck me) that I may want to compromise some one > (shudder) Compromise means you have failed to uphold your publicly stated policy. If people are able to put you in a position where you have to compromise your policy, that should be the cause for some soul-searching about where you erred in your policy. If your policy is, "I will divulge communications if required to by a court, or if necessary to prevent lawless action, or to save human life," and you go out and do just that -- that's not a compromise at all. > where are we now then? a small group of people that's fairly secure If by "secure" you mean "my system is not compromisable and my communications cannot be intercepted," then none of us are secure. None of us are even fairly secure by that standard. Generally speaking, GnuPG gives excellent protection against one particular part of the communications security profile. It is not a comprehensive solution. If my system is secure and my communications are uncompromised, it is only because I have not yet risen to the notice of those who have the power to change it, while I have simultaneously put myself beyond the likely reach of amateurs. To the extent there is a "fairly secure" worth talking about, that's it. IMO, that's not "fairly secure" at all. It's best to keep a sense of proportion about these things, and not to fall into a false sense of security. From david at gbenet.com Sat Apr 25 23:47:15 2009 From: david at gbenet.com (david) Date: Sun, 26 Apr 2009 00:47:15 +0300 Subject: Just a thought In-Reply-To: <49F37FAE.7040702@Mozilla-Enigmail.org> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> Message-ID: <49F384E3.9020905@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi John, I took a look at the per recipient rules - thanks for the direction Regards, David John Clizbe wrote: > david wrote: >> Hi all, >> >> Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - >> but say I cc'd to a few people - because if those people are in my key >> ring will it encrypt for each? > > If a valid key can be located for each recipient, the message will be > encrypted to all. If a single recipient cannot be matched with a key, > the message will be sent in the clear. > > The message will be encrypted once with a symmetric cipher and session > key. Then the session key is encrypted to each recipient's public key > and the encrypted session keys are attached to the message. > > For each recipient the first valid key with matching email address is > the one selected. If this is not the preferred key, then Enigmail's > Per-recipient rules may be setup to specify the correct key to use. > - -- Confidentiality Statement Wisdom is knowing what to do with what you know. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error email postmaster at gbenet.com. Thank you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAknzhN4ACgkQYvuE3Ov+SsBOlgCgtjAJH7RVNhsSIXBUa7gcnFVF DfYAnRIJpythFDUnqW4SqBMGBJ9eYGwt =k7OR -----END PGP SIGNATURE----- From kloecker at kde.org Sat Apr 25 23:50:56 2009 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sat, 25 Apr 2009 23:50:56 +0200 Subject: Just a thought In-Reply-To: <49F37FAE.7040702@Mozilla-Enigmail.org> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> Message-ID: <200904252351.03653@thufir.ingo-kloecker.de> On Saturday 25 April 2009, John Clizbe wrote: > david wrote: > > Hi all, > > > > Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt > > - but say I cc'd to a few people - because if those people are in > > my key ring will it encrypt for each? > > If a valid key can be located for each recipient, the message will be > encrypted to all. If a single recipient cannot be matched with a key, > the message will be sent in the clear. > > The message will be encrypted once with a symmetric cipher and > session key. Then the session key is encrypted to each recipient's > public key and the encrypted session keys are attached to the > message. > > For each recipient the first valid key with matching email address is > the one selected. If this is not the preferred key, then Enigmail's > Per-recipient rules may be setup to specify the correct key to use. How does Thunderbird/Enigmail handle bcc'd recipients? Does it create several differently encrypted copies of the message in case of bcc'd recipients, i.e. one copy of the message encrypted with the keys of all public recipients and additional copies of the message (one per bcc'd recipient) encrypted only with the key of the corresponding bcc recipient (and probably with the sender's key)? Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Sat Apr 25 23:59:31 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 25 Apr 2009 17:59:31 -0400 Subject: Just a thought In-Reply-To: <200904252351.03653@thufir.ingo-kloecker.de> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> Message-ID: <49F387C3.9030809@sixdemonbag.org> Ingo Kl?cker wrote: > How does Thunderbird/Enigmail handle bcc'd recipients? Someone else may have a more definitive answer, but I would not recommend using bcc'd recipients with Enigmail. Enigmail is constrained by the Thunderbird architecture, which puts some severe limits on what Enigmail is allowed to do. As long as everything is done in one pass and it's a simple transform of the data, Thunderbird is quite happy to work with plugins; but as soon as plugins want to do complex things, Thunderbird says "no." E.g., with PGP/MIME messages, Enigmail has to go through some contortions since it doesn't know before the message is composed which hash algorithm will be used, meaning that it can't craft the PGP/MIME headers. So instead, a dummy message is sent (one which goes precisely nowhere), which Enigmail then reads to see the algorithm used, which is then used to construct a proper PGP/MIME header for the real message. It's a pretty repulsive hack, but it's the only game in town. Please note that I do not follow the Enigmail source tree, so any and/or all of this may be incorrect. It is correct as far as I know, though. This discussion should probably be moved to the Enigmail list. From John at Mozilla-Enigmail.org Sun Apr 26 00:14:30 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sat, 25 Apr 2009 17:14:30 -0500 Subject: Just a thought In-Reply-To: <200904252351.03653@thufir.ingo-kloecker.de> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> Message-ID: <49F38B46.6090509@Mozilla-Enigmail.org> Ingo Kl?cker wrote: > On Saturday 25 April 2009, John Clizbe wrote: >> >> The message will be encrypted once with a symmetric cipher and >> session key. Then the session key is encrypted to each recipient's >> public key and the encrypted session keys are attached to the >> message. >> >> For each recipient the first valid key with matching email address is >> the one selected. If this is not the preferred key, then Enigmail's >> Per-recipient rules may be setup to specify the correct key to use. > > How does Thunderbird/Enigmail handle bcc'd recipients? Does it create > several differently encrypted copies of the message in case of bcc'd > recipients, i.e. one copy of the message encrypted with the keys of all > public recipients and additional copies of the message (one per bcc'd > recipient) encrypted only with the key of the corresponding bcc > recipient (and probably with the sender's key)? Enigmail passes GnuPG a list of recipients to encrypt to. It does not generate separate messages, only the one. This is a constraint of Thunderbird's architecture. BCCed recipients are treated as just another recipient. There is only one copy of the message and one set of encrypted session keys. If one is going to encrypt *and, at the same time*, use BCC, he should seriously look at using GnuPG's throw-keyids option. From the man page: --throw-keyids --no-throw-keyids Do not put the recipient key IDs into encrypted messages. This helps to hide the receivers of the message and is a lim- ited countermeasure against traffic analysis. On the receiv- ing side, it may slow down the decryption process because all available secret keys must be tried. --no-throw-keyids dis- ables this option. This option is essentially the same as using --hidden-recipient for all recipients. The other alternative is to manually manage BCC copies. Personally, I'm not a big fan of BCC. PS: Rob's comments about how TB's architecture forces Enigmail's behavior and the suggestion that it should probably be moved are both correct. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From lists at 404not-found.de Sun Apr 26 00:18:05 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Sun, 26 Apr 2009 00:18:05 +0200 Subject: certificate chain depth In-Reply-To: <49F36BC5.2000707@bellsouth.net> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <200904252146.32381.lists@404not-found.de> <49F36BC5.2000707@bellsouth.net> Message-ID: <200904260018.05654.lists@404not-found.de> On Saturday 25 April 2009 22:00:05 John W. Moore III wrote: > Raimar Sandner wrote: > > In the end it is of course a people thing whether you trust a key or not, > > no mathematical model ever can replace your final decision. So there is a > > big difference in gpg saying "fully trusted" and you thinking "fully > > trusted". > > This is why both Owner Trust & Calculated Trust exist. One is a > mathematical result and the other is a Personal evaluation. > Well, as I understand those two are quite different. The owner trust refers to my personal trust in the _owner_ of a key to correctyl sign other keys. The calculated trust refers to the validity of a _key_ (and is of course calculated based on the ownertrust values belonging to the signatures attached to this key). So one is trust in a key (here gpg can give a hint) and one is trust in people (here gpg cannot say anything). But they are not trust values refering to the same thing, one being my opinion and one gpg's. Greetings, Raimar From lists at 404not-found.de Sun Apr 26 00:27:57 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Sun, 26 Apr 2009 00:27:57 +0200 Subject: certificate chain depth (technical) In-Reply-To: <20090425162743.GA8264@ge-c705.uibk.ac.at> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> Message-ID: <200904260027.57445.lists@404not-found.de> On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote: > Hello, > > when gnupg trusts a key as a result of trustdb calculations, I would > like to know what the chain depth for the given key is. [snip] > As of now I can only think of gradually reducing max-cert-depth, > recalculating trustdb and see, if a given key stays fully trusted. > Is there a better way to determin the cert depth? If not, I think > this would be a nice feature to implement. So as the discussion tends to drift a bit off-topic (no offense), I would like to dedicate this sub-thread to the technical question asked. Is there some way to determin the certificate depth? I regard it to be useful information, maybe someone else does too. I suppose the value should be present somewhere in the trustdb, just not accessible right now. Greetings, Raimar From dshaw at jabberwocky.com Sun Apr 26 01:10:24 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sat, 25 Apr 2009 19:10:24 -0400 Subject: certificate chain depth In-Reply-To: <200904260018.05654.lists@404not-found.de> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <200904252146.32381.lists@404not-found.de> <49F36BC5.2000707@bellsouth.net> <200904260018.05654.lists@404not-found.de> Message-ID: <673945CE-06E3-4D8C-8FC9-89C9B77DD8B8@jabberwocky.com> On Apr 25, 2009, at 6:18 PM, Raimar Sandner wrote: > On Saturday 25 April 2009 22:00:05 John W. Moore III wrote: >> Raimar Sandner wrote: >>> In the end it is of course a people thing whether you trust a key >>> or not, >>> no mathematical model ever can replace your final decision. So >>> there is a >>> big difference in gpg saying "fully trusted" and you thinking "fully >>> trusted". >> >> This is why both Owner Trust & Calculated Trust exist. One is a >> mathematical result and the other is a Personal evaluation. >> > > Well, as I understand those two are quite different. The owner trust > refers to > my personal trust in the _owner_ of a key to correctyl sign other > keys. Yes. > The > calculated trust refers to the validity of a _key_ (and is of course > calculated based on the ownertrust values belonging to the signatures > attached to this key). Almost. The calculated trust actually refers to the validity of a given user ID on a given key. It is possible to have a key with multiple user IDs, some of which are calculated to be valid, and some of which are not. > So one is trust in a key (here gpg can give a hint) and > one is trust in people (here gpg cannot say anything). But they are > not trust > values refering to the same thing, one being my opinion and one gpg's. Yes. The terminology can get difficult if the term "trust" is used for both. Many people use the words "trust" (aka owner trust or personal trust) and "validity" for these two concepts. David From dshaw at jabberwocky.com Sun Apr 26 07:00:52 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 26 Apr 2009 01:00:52 -0400 Subject: certificate chain depth (technical) In-Reply-To: <200904260027.57445.lists@404not-found.de> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <200904260027.57445.lists@404not-found.de> Message-ID: On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote: > On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote: >> Hello, >> >> when gnupg trusts a key as a result of trustdb calculations, I would >> like to know what the chain depth for the given key is. > [snip] >> As of now I can only think of gradually reducing max-cert-depth, >> recalculating trustdb and see, if a given key stays fully trusted. >> Is there a better way to determin the cert depth? If not, I think >> this would be a nice feature to implement. > > So as the discussion tends to drift a bit off-topic (no offense), I > would like > to dedicate this sub-thread to the technical question asked. > > Is there some way to determin the certificate depth? I regard it to > be useful > information, maybe someone else does too. I suppose the value should > be > present somewhere in the trustdb, just not accessible right now. The trustdb actually doesn't store per-user ID depth values. Rather, one of the many possible depths is stored for the key as a whole, which is fine for our purposes, but may not give you what you want here. Take the case of A signs B(uid1), A signs C(uid1), and C signs B(uid2). B is thus fully valid as per B(uid1) being signed. But B(uid2) is also valid, and at one level of depth larger than B(uid1). B as a whole thus lives at both depth 0 and depth 1. We store this as 1, but I think you'd want it at 0. You can see this in action, and perhaps give you the information you want, by doing: gpg -v -v --check-trustdb. You will see (along with some other debug info), a bunch of records that look like this 0:1234567812345678:K::?:::: 0:1234567812345678:U:::f:::user at example.com: 0:1234567812345678:U:::m:::user at example.net: The first field is the depth. 0 means "signed by an ultimately trusted key", and 1 means one step beyond that, etc. The second field is the key ID The third field is K for keys and U for user IDs. You're more interested in user IDs here. The 6th field is the validity: q == undefined validity f == fully valid m == marginally valid The 9th field is a piece of the user ID string. You can see some keys appear at multiple depths if a particular user ID from that key becomes valid earlier than other user IDs on the key. David From lists at 404not-found.de Sun Apr 26 09:54:07 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Sun, 26 Apr 2009 09:54:07 +0200 Subject: certificate chain depth (technical) In-Reply-To: References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <200904260027.57445.lists@404not-found.de> Message-ID: <20090426075407.GA5588@ge-c705.uibk.ac.at> On Sunday 26 April 2009 07:00:52 you wrote: > On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote: > > On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote: > >> Hello, > >> > >> when gnupg trusts a key as a result of trustdb calculations, I > >> would like to know what the chain depth for the given key is. > The trustdb actually doesn't store per-user ID depth values. > Rather, one of the many possible depths is stored for the key as a > whole, which is fine for our purposes, but may not give you what > you want here. Take the case of A signs B(uid1), A signs C(uid1), > and C signs B(uid2). B is thus fully valid as per B(uid1) being > signed. But B(uid2) is also valid, and at one level of depth > larger than B(uid1). B as a whole thus lives at both depth 0 and > depth 1. We store this as 1, but I think you'd want it at 0. With "we store this as 1", you mean that when B signs D(uid1), uid1 being the only uid on D, D(uid1) and thus D as a whole is regarded to be valid at level 2 (given sufficiant ownertrust of B)? I ask that because signatures are made by keys, not by uids. Gpg regards a signature to be valid, if and only if there is at least one fully valid uid on the signing key, right? Wouldn't it then be consistent to regard a key as a whole valid at level n, if it has a uid signed by a key which has at least one uid being valid at level n-1? > You can see this in action, and perhaps give you the information > you want, by doing: > > gpg -v -v --check-trustdb. Thank you, that actually helps me a lot. I didn't know the -v -v switch of --check-trustdb up to now. Raimar From dshaw at jabberwocky.com Sun Apr 26 16:52:25 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 26 Apr 2009 10:52:25 -0400 Subject: certificate chain depth (technical) In-Reply-To: <20090426075407.GA5588@ge-c705.uibk.ac.at> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <200904260027.57445.lists@404not-found.de> <20090426075407.GA5588@ge-c705.uibk.ac.at> Message-ID: On Apr 26, 2009, at 3:54 AM, Raimar Sandner wrote: > On Sunday 26 April 2009 07:00:52 you wrote: >> On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote: >>> On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote: >>>> Hello, >>>> >>>> when gnupg trusts a key as a result of trustdb calculations, I >>>> would like to know what the chain depth for the given key is. > >> The trustdb actually doesn't store per-user ID depth values. >> Rather, one of the many possible depths is stored for the key as a >> whole, which is fine for our purposes, but may not give you what >> you want here. Take the case of A signs B(uid1), A signs C(uid1), >> and C signs B(uid2). B is thus fully valid as per B(uid1) being >> signed. But B(uid2) is also valid, and at one level of depth >> larger than B(uid1). B as a whole thus lives at both depth 0 and >> depth 1. We store this as 1, but I think you'd want it at 0. > > With "we store this as 1", you mean that when B signs D(uid1), uid1 > being the only uid on D, D(uid1) and thus D as a whole is regarded > to be valid at level 2 (given sufficiant ownertrust of B)? Not exactly. The level for a single-uid key is what you'd expect it to be naturally. The question arises when there are two or more uids on a key, each becoming valid at a different level. For a given key, we store the highest level that covers all of the valid uids, or put another way, the key has the level for the most-distant valid uid. I believe you are looking for the key to have the level of the least- distant valid uid. > I ask that because signatures are made by keys, not by uids. Gpg > regards a signature to be valid, if and only if there is at least > one fully valid uid on the signing key, right? Wouldn't it then be > consistent to regard a key as a whole valid at level n, if it has a > uid signed by a key which has at least one uid being valid at level > n-1? It would be equally as correct as what we do now. The algorithm doesn't need those levels once the trustdb is built. David From dshaw at jabberwocky.com Sun Apr 26 18:51:24 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 26 Apr 2009 12:51:24 -0400 Subject: Just a thought In-Reply-To: <49F38B46.6090509@Mozilla-Enigmail.org> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> <49F38B46.6090509@Mozilla-Enigmail.org> Message-ID: On Apr 25, 2009, at 6:14 PM, John Clizbe wrote: > Ingo Kl?cker wrote: >> On Saturday 25 April 2009, John Clizbe wrote: >>> >>> The message will be encrypted once with a symmetric cipher and >>> session key. Then the session key is encrypted to each recipient's >>> public key and the encrypted session keys are attached to the >>> message. >>> >>> For each recipient the first valid key with matching email address >>> is >>> the one selected. If this is not the preferred key, then Enigmail's >>> Per-recipient rules may be setup to specify the correct key to use. >> >> How does Thunderbird/Enigmail handle bcc'd recipients? Does it create >> several differently encrypted copies of the message in case of bcc'd >> recipients, i.e. one copy of the message encrypted with the keys of >> all >> public recipients and additional copies of the message (one per bcc'd >> recipient) encrypted only with the key of the corresponding bcc >> recipient (and probably with the sender's key)? > > Enigmail passes GnuPG a list of recipients to encrypt to. It does not > generate separate messages, only the one. This is a constraint of > Thunderbird's architecture. > > BCCed recipients are treated as just another recipient. There is only > one copy of the message and one set of encrypted session keys. I'm not sure if Enigmail has sufficient control here (due to the Thunderbird restrictions), but if possible, it might be wise to handle Bcc's recipients with --hidden-recipient instead of --recipient (i.e. "-r"). That would better duplicate the standard expectations of a user using Bcc: the regular recipients can all see who the recipients are, but not the Bcc'd people. As things stand now, any recipient can see who was Bcc'd, which sort of removes the "B" from the Bcc. --throw-keyids is a reasonable solution as well, but it's more of a sledgehammer, rather than a scalpel. David From mlisten at hammernoch.net Sun Apr 26 21:24:09 2009 From: mlisten at hammernoch.net (=?ISO-8859-15?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Sun, 26 Apr 2009 21:24:09 +0200 Subject: Just a thought In-Reply-To: <200904252351.03653@thufir.ingo-kloecker.de> References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> Message-ID: <49F4B4D9.9020609@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Ingo Kl?cker wrote on 25.04.2009 23:50 Uhr: > How does Thunderbird/Enigmail handle bcc'd recipients? Does it create > several differently encrypted copies of the message in case of bcc'd > recipients, i.e. one copy of the message encrypted with the keys of all > public recipients and additional copies of the message (one per bcc'd > recipient) encrypted only with the key of the corresponding bcc > recipient (and probably with the sender's key)? There's only one copy encrypted. However, enigmail issues a warning box that states that the visible recipients can determine the BCC'd recipient from the encrypted part, so that the user can decide what to do. Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJJ9LTYAAoJEA52XAUJWdLjGugIAK4bFjfzJp3cNaS4xAOgoihM cQPngfDsU3N12acfvBVssoBJq9JuevZ5eQps0OkQNBuoHixKt1vRwtwXd9q0ay9q prHl4pES62Ihvc3xSEVR6nAlf+UxRFoiJeLlwllRk5hoX7Yqzx174WXpSvJtMR6z OAVPlb0wqIrZftn+j5I7AUujmQuvFMHbs7y/rgcug220bcTRCvAyQI/dKQ1Zy+hM WjyRIe91d4Rmu6lH6cfSptxTKZ1Mvv1XYj0ZXTJ5Z9QKwAeRGDmq2oPRrq87y+Hm lcuVdTL7pxn+8hk4XY/YDe0PQcwH/kDfsrJBoYOUilitRgui8sadKaWfLE98lPs= =Rzvt -----END PGP SIGNATURE----- From mlisten at hammernoch.net Sun Apr 26 21:26:48 2009 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Sun, 26 Apr 2009 21:26:48 +0200 Subject: Just a thought In-Reply-To: References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> <49F38B46.6090509@Mozilla-Enigmail.org> Message-ID: <49F4B578.1070803@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 David Shaw wrote on 26.04.2009 18:51 Uhr: > I'm not sure if Enigmail has sufficient control here (due to the > Thunderbird restrictions), Yes, Enigmail is aware of BCC recipients (see my response to Ingo) > but if possible, it might be wise to handle > Bcc's recipients with --hidden-recipient instead of --recipient (i.e. > "-r"). Very good idea! Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJJ9LV3AAoJEA52XAUJWdLjqJYIAIcUDSRZ1LoefWzBQDty349z qTqEPEkhkXs7oxZTTUKqds7KsyLP175Q2pfogPitgHrd0SQ+BkFgavfYG8K2OGLA EkuYa2P3uf2eJiB6ryKnE0K1NAllo7cPcxGTcbFAbscH4PB7rxrD4UX/Lf6a0ipC xScnEBq2pvDcpyPcvO2T19DQSJf8hpvotZdEYHTIrzbtZplEbH0rbNV2oVJ0opO/ AkTAiuUFL831ZP7ppPGje33jD+Tz191mRF+GNOSnVSuXSIaLt3/kNTBGSKSJJNRl SaNDbk5Q+I3r9hfA+dunxE2DlcuOk9knoVapzlx/AzovHrXqA3XKZeeLvdlvZPo= =3eLZ -----END PGP SIGNATURE----- From htd at fancy-poultry.org Sat Apr 25 08:23:57 2009 From: htd at fancy-poultry.org (Heinz Diehl) Date: Sat, 25 Apr 2009 08:23:57 +0200 Subject: DH/DSS vs ElGame/DSS? In-Reply-To: References: <49F1A77F.1030608@sixdemonbag.org> <193FF1C2-BED2-4E19-ACCA-B9307B9F85A5@jabberwocky.com> <200904250034.26364.webmaster@felipe1982.com> <7C4262C1-8D02-4546-8A19-7FF7DE6939C5@jabberwocky.com> <49F1E8F1.8010907@sixdemonbag.org> Message-ID: <20090425062357.GA6271@fancy-poultry.org> On 25.04.2009, David Shaw wrote: > Plus, both the GnuPG implementation and the PGP implementation are > available for review by anyone who wants to look at them. (PGP isn't > open source of course, but you can still get the source for review). The PGP 9.xx sourcecode you can obtain from the PGP website doesn't even compile, so doin' a review on it IMO isn't worth a f*ckin' shit.. From John at Mozilla-Enigmail.org Mon Apr 27 00:04:16 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sun, 26 Apr 2009 17:04:16 -0500 Subject: Just a thought In-Reply-To: References: <49F3799E.8000403@gbenet.com> <49F37FAE.7040702@Mozilla-Enigmail.org> <200904252351.03653@thufir.ingo-kloecker.de> <49F38B46.6090509@Mozilla-Enigmail.org> Message-ID: <49F4DA60.60902@Mozilla-Enigmail.org> David Shaw wrote: > On Apr 25, 2009, at 6:14 PM, John Clizbe wrote: >> >> Enigmail passes GnuPG a list of recipients to encrypt to. It does not >> generate separate messages, only the one. This is a constraint of >> Thunderbird's architecture. >> >> BCCed recipients are treated as just another recipient. There is only >> one copy of the message and one set of encrypted session keys. > > I'm not sure if Enigmail has sufficient control here (due to the > Thunderbird restrictions), but if possible, it might be wise to handle > Bcc's recipients with --hidden-recipient instead of --recipient (i.e. > "-r"). That would better duplicate the standard expectations of a > user using Bcc: the regular recipients can all see who the recipients > are, but not the Bcc'd people. As things stand now, any recipient can > see who was Bcc'd, which sort of removes the "B" from the Bcc. Excellent suggestion, David. Thank you. Filed as an RFE in Bugzilla: https://www.mozdev.org/bugs/show_bug.cgi?id=20867 -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Mon Apr 27 03:35:44 2009 From: faramir.cl at gmail.com (Faramir) Date: Sun, 26 Apr 2009 21:35:44 -0400 Subject: certificate chain depth In-Reply-To: <200904252146.32381.lists@404not-found.de> References: <20090425162743.GA8264@ge-c705.uibk.ac.at> <49F35D64.4010203@gbenet.com> <200904252146.32381.lists@404not-found.de> Message-ID: <49F50BF0.5060509@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Raimar Sandner escribi?: ... > The web of trust is a great way to establish some amount of trust into new > keys when you cannot meet the owner. But I think that maybe gpg could help > differentiate a bit more between keys introduced through the web of trust and > keys that I have signed personally, for example by showing the depth level. Well, I use GPGShell, a GUI for GPG in windows environment, and it shows 2 columns: Personal Trust and Calculated Trust. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ9QvwAAoJEMV4f6PvczxAzgwH/0uqigdZ1pTpBW6m1ShlCzRk s9vgOVYTvW2OELRu6jEUEQFp7q3Kf+lKv1s3tVC2qnkZjbPN0y4KMXIsP7+F2G93 Zb2ICXTFwPvaHRxaK0+hIF6hugpZKUkppzYbrVnDqYgMcuqtUpb8Dve52Y3Cz0SD kEEHjZAHpof1VSCCo3SoVvY3pRX+xebBY4l8MEbRJ6+4vnJVv8Org5BpU8PcWc1y +H0xvKbX2IH3BGF48PK/2QhPf2UxKnTcuLmFwZbZE7TpYuXVZia9Ze2Qg6QxZyEU g7lRsvDQUgUzaxTbhioyfaTk+Utpg3oMpskERB+qvFxGeE4ITOiSRMJLZZOSsJQ= =2DBW -----END PGP SIGNATURE----- From faramir.cl at gmail.com Mon Apr 27 03:47:10 2009 From: faramir.cl at gmail.com (Faramir) Date: Sun, 26 Apr 2009 21:47:10 -0400 Subject: Just a thought In-Reply-To: <49F3799E.8000403@gbenet.com> References: <49F3799E.8000403@gbenet.com> Message-ID: <49F50E9E.5000202@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 david escribi?: > Hi all, > > Late here in Cyprus, in Thunderbird, OpenPGP I can sign and encrypt - > but say I cc'd to a few people - because if those people are in my key > ring will it encrypt for each? Yes, I think with the defaults settings it will encrypt the message to all the recipients, unless one of them doesn't have a valid key in your keyring. In that case, TB will ask you what to do, before sending the message (if you have selected the message to go encrypted, it will not be sent unencrypted). > Some one must have tried it :) Yes, a lot of people, I think. There is even a mailing list which uses only encrypted messages, but that requires rules per recipients... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ9Q6eAAoJEMV4f6PvczxAsUEH/1ENQAQv85KZB3hBVeS5UM+O BiClEnyV1ZxfUmCOm0LUEgIo8Rw3Jni+NDYySWwJlcRqENnejkjJhrMUD+YjsfJh KVqVAOlDcaAwC1IxS1uTSj7uQXxMRVfqEMaNBIqz3u1IrhNZ/G2BQHR6FDVWmmfH qXUJzZcOTNcY2WX7hkXe2zNden2tbpr4qERYU7wNBpgElanJF2lvRQSISFfD+WyP 4I2HrC0O+oB7v3F9GqVwDdnhD5mm64HnY0zPfcuou10h1BqBnVmf7B6K2uMSXOTi 1miUqm268Qhu2DHBlApHCV+mWF7HSZf0HIMrJCY7ZQJNqyGCBF08iOBMJk8SnYc= =CN/P -----END PGP SIGNATURE----- From allen.schultz at gmail.com Mon Apr 27 03:47:11 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Sun, 26 Apr 2009 19:47:11 -0600 Subject: GPG and Gmail inline settings? Message-ID: <3f34f8420904261847h1e607b07xc162a79cd21c24a6@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What is the recommended word wrap settings in gmail and gpg for inline messages to work more consistently? - -- Allen Schultz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.5) iEYEARECAAYFAkn1DqMACgkQV5r3Eu55xjbnMQCeP6jl38KhqHeDrYoJtOHYQrS0 EkMAn2yTMkWBoEGFtGmSPqCzjV9N445z =f2Hx -----END PGP SIGNATURE----- From allen.schultz at gmail.com Mon Apr 27 06:13:13 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Sun, 26 Apr 2009 22:13:13 -0600 (Mountain Daylight Time) Subject: Help with encrypting using my PGP Public key In-Reply-To: <49F5224A.4030504@gmail.com> Message-ID: On Sun, Apr 26, 2009 at 9:11 PM, Faramir wrote: > Hash: SHA256 How do I set my default hash again? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 268 bytes Desc: OpenPGP digital signature URL: From jbruni at me.com Mon Apr 27 06:21:48 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Sun, 26 Apr 2009 21:21:48 -0700 Subject: Help with encrypting using my PGP Public key In-Reply-To: References: Message-ID: On Apr 26, 2009, at 9:13 PM, Allen Schultz wrote: > On Sun, Apr 26, 2009 at 9:11 PM, Faramir wrote: >> Hash: SHA256 > > How do I set my default hash again? First, you'll need a signing key that will support the larger hash size. I dropped my old DSA key in favor of RSA in order to do this. Then, in your ~/.gnupg/gpg.conf, set this option: "personal-digest- prefs SHA256 SHA1 RIPEMD160" -Joe From harakiri_23 at yahoo.com Mon Apr 27 13:04:13 2009 From: harakiri_23 at yahoo.com (Harakiri) Date: Mon, 27 Apr 2009 04:04:13 -0700 (PDT) Subject: Just a thought In-Reply-To: <49F4DA60.60902@Mozilla-Enigmail.org> Message-ID: <428544.87390.qm@web52205.mail.re2.yahoo.com> --- On Sun, 4/26/09, John Clizbe wrote: > From: John Clizbe > Subject: Re: Just a thought > To: "David Shaw" > Cc: "GnuPG Users" > Date: Sunday, April 26, 2009, 6:04 PM > David Shaw wrote: > > On Apr 25, 2009, at 6:14 PM, John Clizbe wrote: > >> > >> Enigmail passes GnuPG a list of recipients to > encrypt to. It does not > >> generate separate messages, only the one. This is > a constraint of > >> Thunderbird's architecture. > >> > >> BCCed recipients are treated as just another > recipient. There is only > >> one copy of the message and one set of encrypted > session keys. > > > > I'm not sure if Enigmail has sufficient control > here (due to the > > Thunderbird restrictions), but if possible, it might > be wise to handle > > Bcc's recipients with --hidden-recipient instead > of --recipient (i.e. > > "-r"). That would better duplicate the > standard expectations of a > > user using Bcc: the regular recipients can all see who > the recipients > > are, but not the Bcc'd people. As things stand > now, any recipient can > > see who was Bcc'd, which sort of removes the > "B" from the Bcc. > > Excellent suggestion, David. Thank you. > > Filed as an RFE in Bugzilla: > https://www.mozdev.org/bugs/show_bug.cgi?id=20867 Bad idea, read my comment on the bug - what good is a setting when you can only communicate with people which use GPG - and the other 80% which use PGP Desktop cant decrypt your message? From jmoore3rd at bellsouth.net Mon Apr 27 13:16:05 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 27 Apr 2009 07:16:05 -0400 Subject: GPG and Gmail inline settings? In-Reply-To: <3f34f8420904261847h1e607b07xc162a79cd21c24a6@mail.gmail.com> References: <3f34f8420904261847h1e607b07xc162a79cd21c24a6@mail.gmail.com> Message-ID: <49F593F5.4050004@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Allen Schultz wrote: > What is the recommended word wrap settings in gmail and gpg for inline > messages to work more consistently? 70 & 72 respectively. JOHN ;) Timestamp: Monday 27 Apr 2009, 07:15 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ9ZP0AAoJEBCGy9eAtCsPJf8H/0mQLGHtuNeEWfwHh6DyCY/V N8bRZCF862dqPpxxDb4M6NiebaJLwjIIWaUWwb5bfqBpbGG6NR+2mIqZnPbJCgZ0 3SG5D+8PCQPg/6E9EiZNDPes5WsBeyLz9k+73OUv7mIYQXyOv3CmAvkNRWLjuzJ4 i/0wsro345Wo+yhQCc8c2nKOqf0jb2GzGKMbHeERBAibrWKtLopAQP98L5IYX1uw GjCqF+tse04MSWiDAn5f4nx7aj0aoDnEG4fgQgZU+71zzZ8BRQNafveHWuZV+tZl dDHPaB62NG8qUaJ8CkcVwln92nY4HHhN+TNygEdGirOUF+Ufd+f3pF1qj25ijL4= =YW5B -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Apr 27 16:23:03 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 27 Apr 2009 10:23:03 -0400 Subject: Just a thought In-Reply-To: <428544.87390.qm@web52205.mail.re2.yahoo.com> References: <428544.87390.qm@web52205.mail.re2.yahoo.com> Message-ID: On Apr 27, 2009, at 7:04 AM, Harakiri wrote: >>> I'm not sure if Enigmail has sufficient control >> here (due to the >>> Thunderbird restrictions), but if possible, it might >> be wise to handle >>> Bcc's recipients with --hidden-recipient instead >> of --recipient (i.e. >>> "-r"). That would better duplicate the >> standard expectations of a >>> user using Bcc: the regular recipients can all see who >> the recipients >>> are, but not the Bcc'd people. As things stand >> now, any recipient can >>> see who was Bcc'd, which sort of removes the >> "B" from the Bcc. >> >> Excellent suggestion, David. Thank you. >> >> Filed as an RFE in Bugzilla: >> https://www.mozdev.org/bugs/show_bug.cgi?id=20867 > > Bad idea, read my comment on the bug - what good is a setting when > you can only communicate with people which use GPG - and the other > 80% which use PGP Desktop cant decrypt your message? I don't think I was nearly clear enough. My thought is that since the current Bcc doesn't actually give you Bcc - it's essentially a Cc (non- blind), it might be better to --hidden-recipient those on the Bcc line. Completely true that it means that PGP users can't be the Bcc people, but it is not at all true that it blocks all PGP users. PGP quite happily ignores hidden recipients, as per the RFC (it isn't required to implement them, but it is required to not blow up when it sees them). Sure, PGP people don't benefit from the Bcc... but they don't benefit now either. At least this allows for someone to benefit, rather than nobody. I don't think this really lets you get rid of the warning message from Enigmail, though. The user may not know if a given user is using PGP or GPG, and needs to be warned that a PGP user on the Bcc line won't be able to decrypt. David From gerard.schrago at eds.com Mon Apr 27 09:18:01 2009 From: gerard.schrago at eds.com (Schrago, Gerard) Date: Mon, 27 Apr 2009 09:18:01 +0200 Subject: GnuPG in batch mode. Message-ID: Hi all, I have to use GnuPG in batch mode to enable a running process to decrypt encrypted file. If I run the shell script through ssh (with the specific user that was previously used to set the keys and has its proper .gnupg directory) this works fine despite the following warning: WARNING: message was not integrity protected. But if I have the running process invoking the very same script, the response is: gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key I have then tried to modify the script to define home directory using --homedir and I got the following: gpg: WARNING: unsafe permissions on homedir `/home/superagt/'" gpg: keyring `/home/superagt//secring.gpg' created gpg: keyring `/home/superagt//pubring.gpg' created gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key It is to note that I see neither in /home/superagt/ nor in /home/superagt/.gnupg/ the secring.gpg pubring.gpg announced. Thanks per advance for your help and support. With my best regards. G?rard Schrago From wk at gnupg.org Tue Apr 28 10:49:12 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 28 Apr 2009 10:49:12 +0200 Subject: Libgcrypt on gpg 2.0.11 under Linux Ubuntu Jaunty 9.04_64bits In-Reply-To: <49F32500.2060509@mac.com> (Charly Avital's message of "Sat, 25 Apr 2009 07:58:08 -0700") References: <5C27B2F8693FA3458E71B4A81551253F041E2B0C@NSTAR-MAIL1.windows.nagrastar.com> <49F221D7.6070201@bellsouth.net> <1240652160.17999.28.camel@Unibody> <87mya4x2la.fsf@wheatstone.g10code.de> <49F32500.2060509@mac.com> Message-ID: <87ws95tb7b.fsf@wheatstone.g10code.de> On Sat, 25 Apr 2009 16:58, shavital at mac.com said: >> LD_LIBRARY_PATH=/usr/loca/bin gpg2 > > I did LD_LIBRARY_PATH=/usr/local/bin/gpg2 [assuming some mistypes ;)] Well there are typos, what I has in mind was: LD_LIBRARY_PATH=/usr/local/lib gpg2 Which says: Search along the PATH environment variable for the gpg2 binary and then run gpg2 with the environment variable LD_LIBRARY_PATH set or changed to "/usr/local/lib". That is so that the runtime linker first searches shared libraries in /usr/local/lib directory and only then in the standard places. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From gerard.schrago at eds.com Tue Apr 28 17:18:49 2009 From: gerard.schrago at eds.com (Schrago, Gerard) Date: Tue, 28 Apr 2009 17:18:49 +0200 Subject: Help with GPG in batch mode Message-ID: Hi all, Help needed in the following issue; I hope not to bother anyone but I need an advise from an expert. If the verbose provided by the --debug-level guru would be of some help I can send it in a further mail. I have to use GnuPG in batch mode to enable a running process to decrypt encrypted file. If I run the shell script through ssh (with the specific user that was previously used to set the keys and has its proper .gnupg directory) this works fine despite the following warning: WARNING: message was not integrity protected. But if I have the running process invoking the very same script, the response is: gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key I have then tried to modify the script to define home directory using --homedir and I got the following: gpg: WARNING: unsafe permissions on homedir `/home/superagt/'" gpg: keyring `/home/superagt//secring.gpg' created gpg: keyring `/home/superagt//pubring.gpg' created gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key It is to note that I see neither in /home/superagt/ nor in /home/superagt/.gnupg/ the secring.gpg pubring.gpg announced. Thanks per advance for your help and support. With my best regards. G?rard Schrago From allen.schultz at gmail.com Tue Apr 28 17:26:39 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Tue, 28 Apr 2009 09:26:39 -0600 Subject: Secure Key Generation Tutorial by TJL73 question and Linux Message-ID: <49F7202F.4070105@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I was following TJL73's tutorial on secure key generation with the below link and was having problems with updating a subkey from the primary-secret key in another directory. http://tjl73.altervista.org/secure_keygen/en/index.html $ gpg --homedir backup1 --keyring pubring.gpg --secret-keyring secring.gpg -trustdb-name trustdb.gpg --list-secret-keys gpg: WARNING: unsafe permissions on homedir `backup1' I did a ls -al and found backup to have 744 access. I set it to 644 access and got the following. gpg: WARNING: unsafe permissions on homedir `backup1' gpg: failed to create temporary file `backup1/.#lk0x811a5c8.pubuntu.3675': Permission denied gpg: keyblock resource `backup1/secring.gpg': general error gpg: failed to create temporary file `backup1/.#lk0x811a5c8.pubuntu.3675': Permission denied gpg: keyblock resource `backup1/secring.gpg': general error gpg: failed to create temporary file `backup1/.#lk0x811a5c8.pubuntu.3675': Permission denied gpg: keyblock resource `backup1/pubring.gpg': general error gpg: failed to create temporary file `backup1/.#lk0x811a5c8.pubuntu.3675': Permission denied gpg: keyblock resource `backup1/pubring.gpg': general error Apparently I dont have the permissions right on the directory. Now with 644 I cannot access the directory. For the ring files in the directory and the directory itself, what is gpg looking for in permissions? Should I ask this in my LUG? Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn3IC8ACgkQV5r3Eu55xjbl+gCfZnYZm0RJDHlFDfaJrJ7vXrf4 gj8Ani9v6/liPeXANIbO9IGR+LDeFG1T =OU7m -----END PGP SIGNATURE----- From src=gnupg at lion.leolix.org Tue Apr 28 17:40:19 2009 From: src=gnupg at lion.leolix.org (Philipp Schafft) Date: Tue, 28 Apr 2009 17:40:19 +0200 Subject: Secure Key Generation Tutorial by TJL73 question and Linux In-Reply-To: <49F7202F.4070105@gmail.com> References: <49F7202F.4070105@gmail.com> Message-ID: <20090428154022.0C2EF7AC57@priderock.keep-cool.org> reflum, On Tue, 2009-04-28 at 09:26 -0600, Allen Schultz wrote: > I was following TJL73's tutorial on secure key generation with the below > link and was having problems with updating a subkey from the > primary-secret key in another directory. > > http://tjl73.altervista.org/secure_keygen/en/index.html > > $ gpg --homedir backup1 --keyring pubring.gpg --secret-keyring > secring.gpg -trustdb-name trustdb.gpg --list-secret-keys > gpg: WARNING: unsafe permissions on homedir `backup1' > > I did a ls -al and found backup to have 744 access. I set it to 644 > access and got the following. > > gpg: WARNING: unsafe permissions on homedir `backup1' > [...] > Apparently I dont have the permissions right on the directory. Now with > 644 I cannot access the directory. For the ring files in the directory > and the directory itself, what is gpg looking for in permissions? Should > I ask this in my LUG? Normaly GnuPG requires 700 (owner can do everything, nobody else can do anything) on the .gnupg directory. -- Philipp. (Rah of PH2) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 482 bytes Desc: This is a digitally signed message part URL: From brad at fineby.me.uk Tue Apr 28 18:15:52 2009 From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 28 Apr 2009 17:15:52 +0100 Subject: Secure Key Generation Tutorial by TJL73 question and Linux In-Reply-To: <49F7202F.4070105@gmail.com> References: <49F7202F.4070105@gmail.com> Message-ID: <20090428171552.3d54f9c2@abydos.stargate.org.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 28 Apr 2009 09:26:39 -0600 Allen Schultz wrote: Hello Allen, > Now with 644 I cannot access the directory Correct. Directories need the "execute" bit set, although "execute" is a misnomer for directories. See the following for an explanation; http://www.zzee.com/solutions/linux-permissions.shtml#zzee_link_9_1077830297 - -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" I'd hate to look into those eyes and see an ounce of pain Sweet Child O'Mine - Guns 'N' Roses -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkn3K7gACgkQlKeS34uB62lVQQCfZZjUMrdW3WNyZq90IbzeU+2m 1isAmwbAG1rrVNHQgqxtHdE34pJZUfv2 =4BAd -----END PGP SIGNATURE----- From allen.schultz at gmail.com Wed Apr 29 03:48:52 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Tue, 28 Apr 2009 19:48:52 -0600 Subject: Subkeys... Message-ID: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I made a key with default settings. Can I delte the encrypting subkey that has not expiration date and remake one with an expiration date? - -- Allen Schultz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72 iEYEARECAAYFAkn3sgAACgkQV5r3Eu55xjb9fQCeJgel/jnIgjpcD0/fQweO84VG CvMAn0xsh7IraXAoiBs3REGINLzIAwAO =1DKh -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Apr 29 04:02:45 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 28 Apr 2009 22:02:45 -0400 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <49F7B545.8080508@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Allen Schultz escribi?: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? Yes, but you can also edit the expiration date of the encrypting subkey, if I am not wrong... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ97VFAAoJEMV4f6PvczxA218H/R+9G5sY9dZ7eLNyj2z6KwQ0 sugtuNbzrQMHqQejXzq6rtCryuECeGWOvis+jcpIKZlfwBmEHiGjw8MhIitSQJjq eioejPm7uGPPKoah1rZJa/9dQvO/nCbnh1wkBnY28XcF9yCtRyUo00j71KR8/SLd K6ZDn7xPQaUIZc6Sw2S9TLW43gCQQ4M98iGycVSwq4B3HjSijBMzErAvRyf1UK6j rKY+JRDkFoW+oXfzGza439RJVNcgthI4iW4r9ITDGRRIfmZq48ywdzNnJU+JG3JG /oVMKz7/mYL0Yej8DFMFjQKhHQFgrxBLjJkbDqc3i9FhnPAWrq31Pb7NThMfAC4= =MwVF -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Apr 29 04:36:07 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 28 Apr 2009 22:36:07 -0400 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <49F7BD17.60604@sixdemonbag.org> Allen Schultz wrote: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? http://www.gnupg.org/gph/en/manual.html#AEN305 From rjh at sixdemonbag.org Wed Apr 29 04:37:55 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 28 Apr 2009 22:37:55 -0400 Subject: Subkeys... In-Reply-To: <49F7B545.8080508@gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7B545.8080508@gmail.com> Message-ID: <49F7BD83.8030709@sixdemonbag.org> Faramir wrote: > Yes, but you can also edit the expiration date of the encrypting > subkey, if I am not wrong... Revoking the subkey is the canonical solution here. From jh at jameshoward.us Wed Apr 29 03:55:14 2009 From: jh at jameshoward.us (James P. Howard, II) Date: Tue, 28 Apr 2009 21:55:14 -0400 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <49F7B382.2070401@jameshoward.us> On Tue Apr 28 21:48:52 2009, Allen Schultz wrote: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? You may be better off revoking the subkey and adding a new encryption subkey. James -- James P. Howard, II, MPA jh at jameshoward.us From dshaw at jabberwocky.com Wed Apr 29 05:17:12 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 28 Apr 2009 23:17:12 -0400 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <4FE5586B-D720-4136-8805-EFF995DCC076@jabberwocky.com> On Apr 28, 2009, at 9:48 PM, Allen Schultz wrote: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? There are many answers to your question. Basically, yes, you could, but no, you almost certainly don't want to do it that way. In virtually all situations, the best way to handle this is to revoke the subkey you no longer want and then make a new subkey with whatever expiration date you desire. David From jmoore3rd at bellsouth.net Wed Apr 29 05:17:08 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 28 Apr 2009 23:17:08 -0400 Subject: Subkeys... In-Reply-To: <49F7B382.2070401@jameshoward.us> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7B382.2070401@jameshoward.us> Message-ID: <49F7C6B4.7020606@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 James P. Howard, II wrote: > On Tue Apr 28 21:48:52 2009, Allen Schultz wrote: > >> I made a key with default settings. Can I delte the encrypting >> subkey that has not expiration date and remake one with an >> expiration date? > > You may be better off revoking the subkey and adding a new encryption > subkey. Definitely Revoke the old sub-Key and send that to the Servers to prevent having a Key marked valid floating around on the Servers. JOHN ;) Timestamp: Tuesday 28 Apr 2009, 23:16 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ98azAAoJEBCGy9eAtCsPBMAH/3n32M4kKW41arszOodKfpwS AHzLM71QJGecZQZyq9PTM9WjLJ+N4zeuJpH7QzwFibbTr3b/0rbhPyNPxMMZf1bR iiN5XGkCY2iTK/USvy8Fe7Udbovda/g84QtPiDmByQcUrIHJ0/lFGm7sPQJN3oCE T6aELu4RmKSXCp5yYANl92vHSQ5rGe/b5fk5Cl/+31owcOMQGts4Ivx9hzVe7Ybp ybDQHwbSZ2mGcQ21hP8cXCsMpO0Mtb2EI7TpN44Rl0hSArq2ZmU+WgeHCGRhXLAq YDYOxqFCHK25lT2c5rWTSaDehAjkGgZu60QF5dq5FcXcUPewVbc6/QUenyV4uVM= =2PAN -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Apr 29 06:09:52 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 29 Apr 2009 00:09:52 -0400 Subject: Subkeys... In-Reply-To: <49F7BD83.8030709@sixdemonbag.org> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7B545.8080508@gmail.com> <49F7BD83.8030709@sixdemonbag.org> Message-ID: <49F7D310.5010805@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. Hansen escribi?: > Faramir wrote: >> Yes, but you can also edit the expiration date of the encrypting >> subkey, if I am not wrong... > > Revoking the subkey is the canonical solution here. Yes, but if I'm not wrong, he is talking about a brand new subkey he doesn't want to expire right now, but in one year or so... I think he is implementing the tutorial about how to store the main keys at a safe place, and keep the subkeys for daily usage. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ99MQAAoJEMV4f6PvczxAhCwH/Rf4vsgXNu9jotiv/BUE6wj8 B5suYCxjcjHRN/4GHcN1ipxlA2aOmiMPmbxMaCHkSzWoduHT4a978mSeh9QndbiY 764F/YBSWKB3+DNgCXMzMyfoyMS701Dk8mqFlmJG7dDraCS0u53sHlkr5E1PNrMC cwwmHcCxAMOrzif4ma+9/OkoFMdlpJWMhOhZWo0f9bdCIGeYkQzhMpxJcLr8q7l3 2vplqceGxht3blK0D9L1Hzo0exJziQ36EJ3tW+ve4WooteMhgme85cM4EmgbCgIv anna7RUDbjzkBYMEB0FDnIps4oP1mNSi4jGRJr+QdaV9hNKWOJf/5gKajUp9sAE= =HrxZ -----END PGP SIGNATURE----- From allen.schultz at gmail.com Wed Apr 29 06:49:23 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Tue, 28 Apr 2009 22:49:23 -0600 Subject: Subkeys... In-Reply-To: <49F7D310.5010805@gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7B545.8080508@gmail.com> <49F7BD83.8030709@sixdemonbag.org> <49F7D310.5010805@gmail.com> Message-ID: <3f34f8420904282149i6428484aub9189f5b77f3730b@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 28, 2009 at 10:09 PM, Faramir wrote: > Yes, but if I'm not wrong, he is talking about a brand new subkey he > doesn't want to expire right now, but in one year or so... I think he is > implementing the tutorial about how to store the main keys at a safe > place, and keep the subkeys for daily usage. I am still following that. But the tutorial started out with no Encryption key. I was trying to get the Encryption key to have an expiration date. If I take my current subkey and edit it and try to upload the same subkey with the new expiration, will the server accept an expiration after one is posted for no expiration? Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72 iEYEARECAAYFAkn33EwACgkQV5r3Eu55xjYRlwCfXLJ7PGdv36pvp1xy4l1OID4H HGQAn0iC8PQqEtDc5iDJ/oGodgNahuj2 =sqA0 -----END PGP SIGNATURE----- From mlisten at hammernoch.net Wed Apr 29 08:36:20 2009 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Wed, 29 Apr 2009 08:36:20 +0200 Subject: Subkeys... In-Reply-To: <3f34f8420904282149i6428484aub9189f5b77f3730b@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7B545.8080508@gmail.com> <49F7BD83.8030709@sixdemonbag.org> <49F7D310.5010805@gmail.com> <3f34f8420904282149i6428484aub9189f5b77f3730b@mail.gmail.com> Message-ID: <49F7F564.40801@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Allen Schultz wrote on 29.04.2009 6:49 Uhr: > (...) If I take my current subkey and edit it and > try to upload the same subkey with the new expiration, will the > server accept an expiration after one is posted for no > expiration? Yes. One can even update an expiry date, when the key alread has expired. http://lists.gnupg.org/pipermail/gnupg-announce/2009q1/000282.html Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJJ9/VkAAoJEA52XAUJWdLj354H+QFgUXjXkl6E8HMKNmqQ8okb I149equ3mlQINJ1siT15F6doGzx8KG3dAOssGJffC0nZfPNTGGLS5dyDg2yFGItk spWGpdAIQ/Ny8wx/t8gddVzswZvbqP1IFpoz0AgKuoHOWdX3gx4bOxdQ3eOr2ljT 0+r/lIs3C3JfYd5Zm0hoEK9H7eb33ltMr100VrXnPDQfVxb/D4qtMpsy/9Fw04Vk bX8WBqcuR+yAD+vdkHl3YAKuzrgUPN/BqUh5xBlwZTvYZUT01x8OHlflAc4fBVLy f0AEzIlwcn1ZbAEbTOcviWeaSJbRHIezG7HGCck9iXhaKgK5HRZVzSGzlRtMWA4= =aIjU -----END PGP SIGNATURE----- From bmearns at ieee.org Wed Apr 29 15:03:30 2009 From: bmearns at ieee.org (Brian Mearns) Date: Wed, 29 Apr 2009 09:03:30 -0400 Subject: Looking for a good port80 static-DNS keyserver Message-ID: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> So I've been "advertising" keys.gnupg.net as the place to get my key for a while now, but the round-robin DNS is kind of bugging me. I understand the purpose of it, but it's kind of a crap shoot: not infrequently, the address maps to a server that's down or buggy. I'd rather have one dedicated address for an sks I can use and refer others to, preferably one that's available on port 80. Any suggestions? Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From yahoo at hankgupton.com Wed Apr 29 04:20:35 2009 From: yahoo at hankgupton.com (Hank Gupton) Date: Tue, 28 Apr 2009 19:20:35 -0700 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <49F7B973.4010609@hankgupton.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Even better than that, you can CHANGE the expiration date on the subkey that has no expiration date to anything like. You can extend the date out further or cut it short. But, this will effect only your key, and not the copies of your key that everyone else has. It might be better to revoke your old subkey and spread the revokation far and wide. And then, as you say, make a new subkey. Hank Gupton ("node8080") OpenPGP Key 0x0F4D885E "All generalizations are dangerous, even this one." Allen Schultz wrote: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn3uXMACgkQtYl5pQ9NiF7rjQCgsbuLsXo3sMPPPBHabRiGbe/7 HlAAnRb8nHgERGSSgNtXAL7uAoRrtDWq =85kR -----END PGP SIGNATURE----- From public at hankgupton.com Wed Apr 29 04:54:36 2009 From: public at hankgupton.com (Hank Gupton) Date: Tue, 28 Apr 2009 19:54:36 -0700 Subject: Subkeys... In-Reply-To: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> Message-ID: <49F7C16C.4030109@hankgupton.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Even better than that, you can CHANGE the expiration date on the subkey that has no expiration date to anything you like. You can extend the date out further or cut it short. But, this will effect only your key, and not the copies of your key that everyone else has. It might be better to revoke your old subkey and spread the revokation far and wide. And then, as you say, make a new subkey. Hank Gupton ("node8080") OpenPGP Key 0x0F4D885E "All generalizations are dangerous, even this one." Allen Schultz wrote: > I made a key with default settings. Can I delte the encrypting > subkey that has not expiration date and remake one with an > expiration date? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn3wWwACgkQ1tcQ5wnF2P0yOgCfTJevQpmzk6itFJWh+ZrWuFLN up8Animl9ifDZofN+zF6mX6z2r5k9TjD =Ny48 -----END PGP SIGNATURE----- From shtrom at ssji.net Wed Apr 29 12:09:02 2009 From: shtrom at ssji.net (Olivier Mehani) Date: Wed, 29 Apr 2009 20:09:02 +1000 Subject: How easy would it be to create (and prevent the creation of) a fake pinentry? Message-ID: <20090429100857.GA5970@lxiv.atp.nicta.com.au> Hi GnuPG users, I'm a happy user of PGP and the GPG agent with it's little friend the GTK pinentry program to facilitate usage. I've been starting to wonder, though, how easy it would be to fake a GPG pinentry window. Let me explain: having several background-ish applications making use of the agent, it happens that the pinentry sometimes pops out when the passphrase cache has expired. One of my first concerns is that there's no way to identify which application actually needs to use my PGP key. This one seems to be partially addressed in [0], as the application could set the title of the pinentry program. However, I can't see any reason why a malicious applications couldn't set the title to some valid application in order to be able to use my key without my consent. This leads me to a generalization of the problem: how easy would it be to create a pinentry-lookalike program, pretending to be called by a valid application in order to steal a user's passphrase? And, then, how can that be prevented? (I mean beside the obvious ?don't get your computer hacked? solution) Thanks in advance for your insight. PS: please CC me on any answer as I'm not subscribed to the list. [0] https://bugs.g10code.com/gnupg/issue966 -- Olivier Mehani PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From lists at 404not-found.de Wed Apr 29 15:31:51 2009 From: lists at 404not-found.de (Raimar Sandner) Date: Wed, 29 Apr 2009 15:31:51 +0200 Subject: How easy would it be to create (and prevent the creation of) a fake pinentry? In-Reply-To: <20090429100857.GA5970@lxiv.atp.nicta.com.au> References: <20090429100857.GA5970@lxiv.atp.nicta.com.au> Message-ID: <200904291531.52050.lists@404not-found.de> On Wednesday 29 April 2009 12:09:02 Olivier Mehani wrote: > Let me explain: having several background-ish applications making use of > the agent, it happens that the pinentry sometimes pops out when the > passphrase cache has expired. One of my first concerns is that there's > no way to identify which application actually needs to use my PGP key. > This one seems to be partially addressed in [0], as the application > could set the title of the pinentry program. The pinentry should only pop up when the application actually needs the key do do something. If pinentry pops up without you doing someting that requires your secret key, you should be worried. And the problem is not specific to pinentry: in order to steal passphrases on the console you could as well install a gpg wrapper script or binary. > And, then, how can that be prevented? (I mean beside the obvious ?don't > get your computer hacked? solution) I think if someone has this kind of control (executing arbitrary code on your machine), there is no way to prevent passphrase stealing. Am I wrong here? Raimar From roam at ringlet.net Wed Apr 29 15:40:47 2009 From: roam at ringlet.net (Peter Pentchev) Date: Wed, 29 Apr 2009 16:40:47 +0300 Subject: How easy would it be to create (and prevent the creation of) a fake pinentry? In-Reply-To: <200904291531.52050.lists@404not-found.de> References: <20090429100857.GA5970@lxiv.atp.nicta.com.au> <200904291531.52050.lists@404not-found.de> Message-ID: <20090429134047.GA928@straylight.m.ringlet.net> On Wed, Apr 29, 2009 at 03:31:51PM +0200, Raimar Sandner wrote: > On Wednesday 29 April 2009 12:09:02 Olivier Mehani wrote: > > > Let me explain: having several background-ish applications making use of > > the agent, it happens that the pinentry sometimes pops out when the > > passphrase cache has expired. One of my first concerns is that there's > > no way to identify which application actually needs to use my PGP key. > > This one seems to be partially addressed in [0], as the application > > could set the title of the pinentry program. > > The pinentry should only pop up when the application actually needs the key do > do something. If pinentry pops up without you doing someting that requires > your secret key, you should be worried. ...like, for example, your OpenPGP-powered Jabber client suddenly needing to reconnect after something happened to the network and you simply didn't notice? :> G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Hey, out there - is it *you* reading me, or is it someone else? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From webmaster at felipe1982.com Wed Apr 29 15:15:31 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Wed, 29 Apr 2009 23:15:31 +1000 Subject: Subkeys... In-Reply-To: <49F7D310.5010805@gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7BD83.8030709@sixdemonbag.org> <49F7D310.5010805@gmail.com> Message-ID: <200904292315.38104.webmaster@felipe1982.com> On Wed, 29 Apr 2009 14:09:52 Faramir wrote: > I think he is > implementing the tutorial about how to store the main keys at a safe > place, and keep the subkeys for daily usage. Which TUT is that? Felipe -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From mail at 404not-found.de Wed Apr 29 16:13:32 2009 From: mail at 404not-found.de (Raimar Sandner) Date: Wed, 29 Apr 2009 16:13:32 +0200 Subject: How easy would it be to create (and prevent the creation of) a fake pinentry? In-Reply-To: <20090429134047.GA928@straylight.m.ringlet.net> References: <20090429100857.GA5970@lxiv.atp.nicta.com.au> <200904291531.52050.lists@404not-found.de> <20090429134047.GA928@straylight.m.ringlet.net> Message-ID: <200904291613.37862.mail@404not-found.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 29 April 2009 15:40:47 Peter Pentchev wrote: > On Wed, Apr 29, 2009 at 03:31:51PM +0200, Raimar Sandner wrote: > > On Wednesday 29 April 2009 12:09:02 Olivier Mehani wrote: > > > Let me explain: having several background-ish applications making use > > > of the agent, it happens that the pinentry sometimes pops out when the > > > passphrase cache has expired. One of my first concerns is that there's > > > no way to identify which application actually needs to use my PGP key. > > > This one seems to be partially addressed in [0], as the application > > > could set the title of the pinentry program. > > > > The pinentry should only pop up when the application actually needs the > > key do do something. If pinentry pops up without you doing someting that > > requires your secret key, you should be worried. > > ...like, for example, your OpenPGP-powered Jabber client suddenly > needing to reconnect after something happened to the network and > you simply didn't notice? :> Ok, granted there are situations when pinentry pops up without your action. Now that you mention it, this happened quite often to me (uppon receiving an encrypted message though, not on reconnect of the client) before I used OTR for instant messaging :D Raimar -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) iEYEARECAAYFAkn4YJEACgkQVsSSMllCZClffgCeN9bcIf7FGeNAdh2x5+rQJPcN oCEAn3bET0TLH0dZid+5yym74fKYfesz =Y0OZ -----END PGP SIGNATURE----- From joelcsalomon at gmail.com Wed Apr 29 16:38:17 2009 From: joelcsalomon at gmail.com (Joel C. Salomon) Date: Wed, 29 Apr 2009 10:38:17 -0400 Subject: WinPT & Enigmail don't show the same keys Message-ID: <49F86659.2040002@gmail.com> I was under the impression that GnuPG kept track of everything, but I noticed that Windows Privacy Tray and Enigmail do not always show the same keys. Both are accessing the correct version of GPG (C:\Program Files\GNU\GnuPG\gpg.exe), and at least WinPT knows where the GnuPG keyrings are (C:\Users\chesky\AppData\Roaming\gnupg). Can someone explain to me what?s going on with my system? ?Joel Salomon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: OpenPGP digital signature URL: From jmoore3rd at bellsouth.net Wed Apr 29 17:14:13 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 29 Apr 2009 11:14:13 -0400 Subject: WinPT & Enigmail don't show the same keys In-Reply-To: <49F86659.2040002@gmail.com> References: <49F86659.2040002@gmail.com> Message-ID: <49F86EC5.5020608@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Joel C. Salomon wrote: > I was under the impression that GnuPG kept track of everything, but I > noticed that Windows Privacy Tray and Enigmail do not always show the > same keys. > > Both are accessing the correct version of GPG (C:\Program > Files\GNU\GnuPG\gpg.exe), and at least WinPT knows where the GnuPG > keyrings are (C:\Users\chesky\AppData\Roaming\gnupg). > > Can someone explain to me what???s going on with my system? While this Question more properly belongs on the Enigmail List [https://www.mozdev.org/mailman/listinfo/enigmail ] I shall ask at this time if You clicked on 'Refresh Keys' in the Enigmail Key Management window? JOHN ;) Timestamp: Wednesday 29 Apr 2009, 11:13 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ+G7CAAoJEBCGy9eAtCsPxD0IAKDIAKjR1NHsQlArWkeRkcUb 8NrHxvEt0Hk8dDaCzm9OaqNZnbsCoHFrF6cRteHmi7LeJLgDToGdIaLXhXM0c5sK B/xJTysLo3LLDsaDoSsXaxAOaGkGVgRjSu8adPtPbh9DXb7jrz0IKomRoSTD6KYR J3Fu9AMJm4PC0CyZhgXqzbsgIwiJ/qlld6GhwdVpqklA5zs2oC8TPdsl/tpc1wlq wpqBmXmgFjb/nXC7r/fji8wPcJb3x0+YFMaSCtjnCnPoluvlapNi+KOuHJLrtBH6 w3BAd08Kct3dLtRGbXx/fMpzSj8kZJGkMLKNO2fHT3MM2dQU9cLFeP0KQYyg6js= =FGvf -----END PGP SIGNATURE----- From gerard.schrago at eds.com Wed Apr 29 17:24:12 2009 From: gerard.schrago at eds.com (Schrago, Gerard) Date: Wed, 29 Apr 2009 17:24:12 +0200 Subject: Help! Please with decryption failed: No secret key (gpg in batch mode) Message-ID: Hi all, Sorry to insist but I really need someone that can answer my question. Why a running process cannot decrypt a file while the very same shell script invoked within a ssh session does it? Please! With my best regards. Gerard. -----Original Message----- From: Schrago, Gerard Sent: mardi, 28. avril 2009 17:19 To: 'gnupg-users at gnupg.org' Subject: Help with GPG in batch mode Hi all, Help needed in the following issue; I hope not to bother anyone but I need an advise from an expert. If the verbose provided by the --debug-level guru would be of some help I can send it in a further mail. I have to use GnuPG in batch mode to enable a running process to decrypt encrypted file. If I run the shell script through ssh (with the specific user that was previously used to set the keys and has its proper .gnupg directory) this works fine despite the following warning: WARNING: message was not integrity protected. But if I have the running process invoking the very same script, the response is: gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key I have then tried to modify the script to define home directory using --homedir and I got the following: gpg: WARNING: unsafe permissions on homedir `/home/superagt/'" gpg: keyring `/home/superagt//secring.gpg' created gpg: keyring `/home/superagt//pubring.gpg' created gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key It is to note that I see neither in /home/superagt/ nor in /home/superagt/.gnupg/ the secring.gpg pubring.gpg announced. Thanks per advance for your help and support. With my best regards. G?rard Schrago From jbruni at me.com Wed Apr 29 17:29:28 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Wed, 29 Apr 2009 08:29:28 -0700 Subject: Help! Please with decryption failed: No secret key (gpg in batch mode) In-Reply-To: References: Message-ID: <69384707-C643-4773-9785-4E2C309E8392@me.com> Your automated process is not running with the same home directory as your login shell. -Joe On Apr 29, 2009, at 8:24 AM, Schrago, Gerard wrote: > > Hi all, > > Sorry to insist but I really need someone that can answer my question. > Why a running process cannot decrypt a file while the very same > shell script invoked within a ssh session does it? > Please! > > With my best regards. > Gerard. > > -----Original Message----- > From: Schrago, Gerard > Sent: mardi, 28. avril 2009 17:19 > To: 'gnupg-users at gnupg.org' > Subject: Help with GPG in batch mode > > Hi all, > > Help needed in the following issue; I hope not to bother anyone but > I need an advise from an expert. > If the verbose provided by the --debug-level guru would be of some > help I can send it in a further mail. > > I have to use GnuPG in batch mode to enable a running process to > decrypt encrypted file. > If I run the shell script through ssh (with the specific user that > was previously used to set the keys and has its proper .gnupg > directory) this works fine despite the following warning: > WARNING: message was not integrity protected. > But if I have the running process invoking the very same script, the > response is: > gpg: encrypted with RSA key, ID 911633C3 > gpg: decryption failed: No secret key > I have then tried to modify the script to define home directory > using --homedir and I got the following: > gpg: WARNING: unsafe permissions on homedir `/home/superagt/'" > gpg: keyring `/home/superagt//secring.gpg' created > gpg: keyring `/home/superagt//pubring.gpg' created > gpg: encrypted with RSA key, ID 911633C3 > gpg: decryption failed: No secret key > It is to note that I see neither in /home/superagt/ nor in /home/ > superagt/.gnupg/ the secring.gpg pubring.gpg announced. > Thanks per advance for your help and support. > > With my best regards. > > G?rard Schrago > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2557 bytes Desc: not available URL: From bmearns at ieee.org Wed Apr 29 17:37:18 2009 From: bmearns at ieee.org (Brian Mearns) Date: Wed, 29 Apr 2009 11:37:18 -0400 Subject: Looking for a good port80 static-DNS keyserver In-Reply-To: <49F8707D.9080302@Mozilla-Enigmail.org> References: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> <49F8707D.9080302@Mozilla-Enigmail.org> Message-ID: <4df3a1330904290837s4d41d7a8i2d3b9cea32667da4@mail.gmail.com> On Wed, Apr 29, 2009 at 11:21 AM, John Clizbe wrote: > Brian Mearns wrote: >> So I've been "advertising" keys.gnupg.net as the place to get my key >> for a while now, but the round-robin DNS is kind of bugging me. I >> understand the purpose of it, but it's kind of a crap shoot: not >> infrequently, the address maps to a server that's down or buggy. I'd >> rather have one dedicated address for an sks I can use and refer >> others to, preferably one that's available on port 80. Any >> suggestions? > > Curious which ones are showing up as "buggy"? There's a flaw in one > specific search case with SKS 1.0.10. 1.1.x is safe as is 1.0.9 > > See http://www.pramberger.at/peter/services/keyserver/network/ > > EKP is an email protocol > > also http://sks-keyservers.net/status/ from where > hkp://pool.sks-keyservers.net is constructed > > I use (operate) the one in the sig block below > -- > John P. Clizbe ? ? ? ? ? ? ? ? ? ? ?Inet:John (a) Mozilla-Enigmail.org > You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net ?or > ? ? mailto:pgp-public-keys at gingerbear.net?subject=HELP > > Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" > A:"An odd melody / island voices on the winds / surplus of vowels" > Thanks, John. I was unaware of the status page, I think that will be helpful. I'm not sure offhand which servers have been "buggy", but I believe I've connected to http://keys.gnupg.net/ in the past and been presented with a blank page, for instance. Is it considered impolite to advertise one specific keyserver (like gingerbear, for instance) in my sig? -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net From mail at 404not-found.de Wed Apr 29 17:36:49 2009 From: mail at 404not-found.de (Raimar Sandner) Date: Wed, 29 Apr 2009 17:36:49 +0200 Subject: Help! Please with decryption failed: No secret key (gpg in batch mode) In-Reply-To: References: Message-ID: <200904291736.54707.mail@404not-found.de> > I have to use GnuPG in batch mode to enable a running process to decrypt > encrypted file. If I run the shell script through ssh (with the specific > user that was previously used to set the keys and has its proper .gnupg > directory) this works fine despite the following warning: WARNING: message > was not integrity protected. > But if I have the running process invoking the very same script, the > response is: gpg: encrypted with RSA key, ID 911633C3 > gpg: decryption failed: No secret key > I have then tried to modify the script to define home directory using > --homedir and I got the following: gpg: WARNING: unsafe permissions on > homedir `/home/superagt/'" If the secring.gpg containing your secret key lies in /home/superagt/.gnupg then you should use --homedir /home/superagt/.gnupg, but I suspect this is not the correct path to your secret key, right? > gpg: keyring `/home/superagt//secring.gpg' created > gpg: keyring `/home/superagt//pubring.gpg' created > gpg: encrypted with RSA key, ID 911633C3 > gpg: decryption failed: No secret key > It is to note that I see neither in /home/superagt/ nor in > /home/superagt/.gnupg/ the secring.gpg pubring.gpg announced. Thanks per > advance for your help and support. Where lies the secret key you are trying to use? Is the script executed by the same user who has access to the secret key? Raimar -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From joelcsalomon at gmail.com Wed Apr 29 17:30:32 2009 From: joelcsalomon at gmail.com (Joel C. Salomon) Date: Wed, 29 Apr 2009 11:30:32 -0400 Subject: WinPT & Enigmail don't show the same keys In-Reply-To: <49F86EC5.5020608@bellsouth.net> References: <49F86659.2040002@gmail.com> <49F86EC5.5020608@bellsouth.net> Message-ID: <49F87298.40202@gmail.com> John W. Moore III wrote: > Joel C. Salomon wrote: > > I was under the impression that GnuPG kept track of everything, but I > > noticed that Windows Privacy Tray and Enigmail do not always show the > > same keys. > > > > Both are accessing the correct version of GPG (C:\Program > > Files\GNU\GnuPG\gpg.exe), and at least WinPT knows where the GnuPG > > keyrings are (C:\Users\chesky\AppData\Roaming\gnupg). > > > > Can someone explain to me what's going on with my system? > > While this Question more properly belongs on the Enigmail List > [https://www.mozdev.org/mailman/listinfo/enigmail] > I shall ask at this time if You clicked on 'Refresh Keys' in the > Enigmail Key Management window? Actually, I was noticing that WinPT was not showing keys that Enigmail -- and GnuPG -- knew about. If I tried importing the key through the WinPT interface I was told that "nothing has changed". Turns out these were keys I'd just seen in my current online session, and which Enigmail had added to my keyring, but WinPT wasn't updating its keylist. ?Joel Salomon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: OpenPGP digital signature URL: From JPClizbe at tx.rr.com Wed Apr 29 18:10:25 2009 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 29 Apr 2009 11:10:25 -0500 Subject: Looking for a good port80 static-DNS keyserver In-Reply-To: <4df3a1330904290837s4d41d7a8i2d3b9cea32667da4@mail.gmail.com> References: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> <49F8707D.9080302@Mozilla-Enigmail.org> <4df3a1330904290837s4d41d7a8i2d3b9cea32667da4@mail.gmail.com> Message-ID: <49F87BF1.8080808@tx.rr.com> Brian Mearns wrote: > > Thanks, John. I was unaware of the status page, I think that will be > helpful. I'm not sure offhand which servers have been "buggy", but I > believe I've connected to http://keys.gnupg.net/ in the past and been > presented with a blank page, for instance. Not all servers provide a web page, even if they listen on that port Keyserver ops ({hkp,http}:///pks/...) should work fine > Is it considered impolite to advertise one specific keyserver (like > gingerbear, for instance) in my sig? No, but replying to a direct message sent only to you via the mailing list would be. ;-) BTW, keyserver.gingerbear.net is a "mostly static" IP address. I never know when Time-Warner will flip me into another net block. But it's usually detected and DNS updated fairly soon after. pool.sks-keyservers.net is what "I" prefer users advertise. Once a key (or a key mod) is on one SKS server, it's spread to the rest within a few minutes You may also set preferred keyserver URL on your key. Details in the man page. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From John at Mozilla-Enigmail.org Wed Apr 29 18:17:39 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 29 Apr 2009 11:17:39 -0500 Subject: WinPT & Enigmail don't show the same keys In-Reply-To: <49F87298.40202@gmail.com> References: <49F86659.2040002@gmail.com> <49F86EC5.5020608@bellsouth.net> <49F87298.40202@gmail.com> Message-ID: <49F87DA3.5010808@Mozilla-Enigmail.org> Joel C. Salomon wrote: > John W. Moore III wrote: >> Joel C. Salomon wrote: >> > I was under the impression that GnuPG kept track of everything, but I >> > noticed that Windows Privacy Tray and Enigmail do not always show the >> > same keys. >> > Can someone explain to me what's going on with my system? >> >> I shall ask at this time if You clicked on 'Refresh Keys' in the >> Enigmail Key Management window? > > Actually, I was noticing that WinPT was not showing keys that Enigmail > -- and GnuPG -- knew about. If I tried importing the key through the > WinPT interface I was told that "nothing has changed". > > Turns out these were keys I'd just seen in my current online session, > and which Enigmail had added to my keyring, but WinPT wasn't updating > its keylist. Neither of those operate directly on the actual keyring but an extract of info from the keyring, which is why both have "refresh" menu options. GPGshell is the same way in this regard. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Wed Apr 29 18:26:28 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 29 Apr 2009 12:26:28 -0400 Subject: Looking for a good port80 static-DNS keyserver In-Reply-To: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> References: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> Message-ID: <57DE4FC7-DAFB-427B-9D97-D09CC61782D4@jabberwocky.com> On Apr 29, 2009, at 9:03 AM, Brian Mearns wrote: > So I've been "advertising" keys.gnupg.net as the place to get my key > for a while now, but the round-robin DNS is kind of bugging me. I > understand the purpose of it, but it's kind of a crap shoot: not > infrequently, the address maps to a server that's down or buggy. I'd > rather have one dedicated address for an sks I can use and refer > others to, preferably one that's available on port 80. Any > suggestions? Why not just throw the key onto a web server and point people at it that way? Part of the usefulness of a keyserver is to find keys that you don't know how to get otherwise. In your case, you are telling people where to get it so that doesn't apply. David From gerard.schrago at eds.com Wed Apr 29 19:09:23 2009 From: gerard.schrago at eds.com (Schrago, Gerard) Date: Wed, 29 Apr 2009 19:09:23 +0200 Subject: FW: Help! Please with decryption failed: No secret key (gpg in batch mode) Message-ID: Hi All, Thanks to Rainar Sandner and Joseph Oreste Bruni who helped me to reconsider the whole chain in my running process, the problem is solved. The problem was that the process invoking the shell script was running on a different machine and it has been solved in setting the --home-dir to effectively point to the server directory. Thanks and best regards. G?rard. -----Original Message----- From: Schrago, Gerard Sent: mercredi, 29. avril 2009 17:24 To: 'gnupg-users at gnupg.org' Subject: Help! Please with decryption failed: No secret key (gpg in batch mode) Hi all, Sorry to insist but I really need someone that can answer my question. Why a running process cannot decrypt a file while the very same shell script invoked within a ssh session does it? Please! With my best regards. Gerard. -----Original Message----- From: Schrago, Gerard Sent: mardi, 28. avril 2009 17:19 To: 'gnupg-users at gnupg.org' Subject: Help with GPG in batch mode Hi all, Help needed in the following issue; I hope not to bother anyone but I need an advise from an expert. If the verbose provided by the --debug-level guru would be of some help I can send it in a further mail. I have to use GnuPG in batch mode to enable a running process to decrypt encrypted file. If I run the shell script through ssh (with the specific user that was previously used to set the keys and has its proper .gnupg directory) this works fine despite the following warning: WARNING: message was not integrity protected. But if I have the running process invoking the very same script, the response is: gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key I have then tried to modify the script to define home directory using --homedir and I got the following: gpg: WARNING: unsafe permissions on homedir `/home/superagt/'" gpg: keyring `/home/superagt//secring.gpg' created gpg: keyring `/home/superagt//pubring.gpg' created gpg: encrypted with RSA key, ID 911633C3 gpg: decryption failed: No secret key It is to note that I see neither in /home/superagt/ nor in /home/superagt/.gnupg/ the secring.gpg pubring.gpg announced. Thanks per advance for your help and support. With my best regards. G?rard Schrago From faramir.cl at gmail.com Wed Apr 29 18:45:45 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 29 Apr 2009 12:45:45 -0400 Subject: Subkeys... In-Reply-To: <200904292315.38104.webmaster@felipe1982.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <49F7BD83.8030709@sixdemonbag.org> <49F7D310.5010805@gmail.com> <200904292315.38104.webmaster@felipe1982.com> Message-ID: <49F88439.8090901@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Felipe Alvarez escribi?: > On Wed, 29 Apr 2009 14:09:52 Faramir wrote: >> I think he is >> implementing the tutorial about how to store the main keys at a safe >> place, and keep the subkeys for daily usage. > > Which TUT is that? This one http://tjl73.altervista.org/secure_keygen/en/index.html By the way, I saw your message is signed, but I couldn't locate a copy of your public key... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+IQ5AAoJEMV4f6PvczxAk7UH/0p7Da7cNrGIP2a5TbrVqjv7 cF0ZpA1yTD1B8QVn+MPg8igcR3Jm6SNQQmzG+fdJ85uH0Wr6XY0Zu2rkVFgDlCZC gPJVphwiw04wizGgS5B+H5DEtuZEs+RucKTTDhhS/pV13T+a2IA51iDITlmeq/QE Aer6mxgvZsrgkPgUVT8Nni9vSm0zAcb0WDGeMJU1nOGiX0Z/z+oq65dKnXGd7tYQ 5jmkjTBlJPf+unw4HX67SrUH4Vkdv8UKCSUYN+BkjrN3TFEZvtb/FXOTnyJEKobw I7MmH/7QK6QnmcJFEV/n4swJVzhLT7UEYmEECTW/bfHguGKUQocwN2ti9lpa7Ww= =NeUa -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Wed Apr 29 21:40:58 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 29 Apr 2009 15:40:58 -0400 Subject: Looking for a good port80 static-DNS keyserver In-Reply-To: <4df3a1330904290837s4d41d7a8i2d3b9cea32667da4@mail.gmail.com> References: <4df3a1330904290603p34efaa24k9eec1843b583c66d@mail.gmail.com> <49F8707D.9080302@Mozilla-Enigmail.org> <4df3a1330904290837s4d41d7a8i2d3b9cea32667da4@mail.gmail.com> Message-ID: <49F8AD4A.5060609@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Brian Mearns wrote: > Is it considered impolite to advertise one specific keyserver (like > gingerbear, for instance) in my sig? Not at all! In fact, many use a Comment line to direct folks to Big Lumber or their Own Web page to locate their Key. JOHN 8-) Timestamp: Wednesday 29 Apr 2009, 15:40 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ+K1HAAoJEBCGy9eAtCsProEH/0ifoMeeBMqV+Nmthn9sTlAS PNmCQLGKbgVHlgRt/IQg7UTH2yICkzHNq+HKT45qnmOAWB8mkevzKfcl87I/wTLK Ony7pNXYGH/HOHLam2aKMhBaJcdOhDvAgI1/u87tKWB6tKjEInEtkRFbMVb/CQFz txSQlOXzBHLqWmDl5xJFcL2J+jhHnCaSbz211cRa0KLyIe9/XGWgrqyEIm1xLzhc 9Xah4OUn4lfPPG1PhhWmBHcztccU++Y1tVPh11GJ2/rNm6ZXeQ6DjIM98Q1Pcc6P GUZrqbarufabQbFubqQTZ1/oGC954ER/qUwn32rW0WfexlkyN4cR0wuHlUWP/YU= =LL3f -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Apr 29 22:19:10 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 29 Apr 2009 16:19:10 -0400 Subject: [Enigmail] Setting trust levels for unknown keys In-Reply-To: <3f34f8420904291143u733cc36es314fbf70f7b5982e@mail.gmail.com> References: <49F85354.5050009@rainydayz.org> <49F87EC5.8080600@Mozilla-Enigmail.org> <3f34f8420904291143u733cc36es314fbf70f7b5982e@mail.gmail.com> Message-ID: <49F8B63E.1020700@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Allen Schultz escribi?: > On Wed, Apr 29, 2009 at 10:22 AM, John Clizbe wrote: >> If I don't know the purported key owner I select "I don't know." ... > Or better yet, Faramir.cl told me to get CAcert.org's gpg key and sign > it as it is a Certificate Authority. Then you may download a few or > all of the GSIntroducers how have verified and signed other keys. Once > I have done this, over half of my corespondants became Trusted. Yes, and also the GSWoT root key, since that one validates all the GSIntroducers. But what is a good idea for some people, can look like a bad idea to other people, so it's your personal choice to do it or to don't do it... I like these things, because it's unlikely I'll ever assist to a keysigning party at USA or Europe, but with CAcert and GSWoT, I can be a lot more sure about people's identities than by just exchangins some e-mail messages.. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+LY9AAoJEMV4f6PvczxAeRQH/jpWHPVpwg8gXUFPbXnQDQS7 X/Ja4z2llSFon4VLToibZIIwMitfcFMwreNMTpQcV/rgPMAgkzpxwk2pFGmEU57/ 97zhGAN60A89spDYsEDuJhwRME8Ia8k+8EyCfrNb3+ejzGvEz2nb9rSp2hcqo3V+ 5WG9U4XqwWe9kJi+SLxGaVjN3RBvaePWpWtEMmedHMt96Y9bFgrZ9u1BfjLSrkM5 dmMzo0mNve6uFc9ckbz58ro4hiUazGUOqQOpkiUNNqHKEYPvKy2avwmAkbibMThv YYD5Xdsm8IGxwLO1rnQYOSqKa/75QS1XUVHbpdCbcDksO10wBD5MjR6z7Qi/QzA= =9sIu -----END PGP SIGNATURE----- From rsurfer at gmail.com Wed Apr 29 22:11:53 2009 From: rsurfer at gmail.com (Rasta Surfer) Date: Wed, 29 Apr 2009 13:11:53 -0700 Subject: compatible? GnuPG & PGP 6.5.8 Message-ID: Is it possible to export a key from GNUPG 1.4.[7,9] and import it into PGP 6.5.8? The purpose is for GNUPG to encrypt a file and PGP to decrypt. I keep coming up toan error of "encrypted session key is bad" on PGP trying to decrypt. Older keys that were imported into PGP have cipher set as CAST, the new keys show IDEA. I have tried to gen-key a 3des one to no avail.... i know pgp 6.5.8 is older than the hills, i still imagine there is a work around for some type of incompatibility. Thank You. RS -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Wed Apr 29 22:48:31 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 29 Apr 2009 16:48:31 -0400 Subject: compatible? GnuPG & PGP 6.5.8 In-Reply-To: References: Message-ID: <49F8BD1F.2010709@sixdemonbag.org> Rasta Surfer wrote: > Is it possible to export a key from GNUPG 1.4.[7,9] and import it into > PGP 6.5.8? Yes, but it's generally easier to go the other way around. You'll find that route to be much easier. > i know pgp 6.5.8 is older than the hills, i still imagine there is a > work around for some type of incompatibility. Most people in the OpenPGP community will strongly advise you against using PGP 6.5.8, for very good reasons. I'm one of them. :) From webmaster at felipe1982.com Thu Apr 30 01:06:45 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Thu, 30 Apr 2009 09:06:45 +1000 Subject: Subkeys... In-Reply-To: <49F88439.8090901@gmail.com> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <200904292315.38104.webmaster@felipe1982.com> <49F88439.8090901@gmail.com> Message-ID: <200904300907.03034.webmaster@felipe1982.com> On Thu, 30 Apr 2009 02:45:45 Faramir wrote: > By the way, I saw your message is signed, but I couldn't locate a copy > of your public key... Sorry about that. My comment below should contain the URL for the key. I still new to this, and weary about uploading my public key on keyservers. Last time I did that (the first time ever) i didn't create a revocation cert, and I lost/forgot my password. They will expire I think in one year (at public key server) but I'm afraid I might doing something wrong and much the whole thing up. That's why I just host my pub key at my site. AND this discussion of reliable and fast key servers has got me nervous again. http://www.felipe1982.com/gpg/felipe_alvarez_public_key -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 258 bytes Desc: This is a digitally signed message part. URL: From webmaster at felipe1982.com Thu Apr 30 13:32:55 2009 From: webmaster at felipe1982.com (felipe alvarez) Date: Thu, 30 Apr 2009 21:32:55 +1000 Subject: Subkeys... References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <200904292315.38104.webmaster@felipe1982.com> <49F88439.8090901@gmail.com> <200904300907.03034.webmaster@felipe1982.com> <49F8F525.5000003@gmail.com> Message-ID: <4884AFC1319740259791332F6148260E@cheetah> Somewhat humourously, my public key is now up on all the public key servers! I guess I'll have to live with all that spam .. .. .. felipe (can't sign this msg - Outlook express sucks, i use Kmail regularly, and don't want to bother customising my windows and "getting used to it." bad idea, no TB for me thanks) ----- Original Message ----- From: "Faramir" To: "Felipe Alvarez" Sent: Thursday, April 30, 2009 10:47 AM Subject: Re: Subkeys... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Felipe Alvarez escribi?: > >> Sorry about that. My comment below should contain the URL for the >> key. I >> still new to this, and weary about uploading my public key on >> keyservers. > > I didn't notticed the comment the last time, but now, somehow, your > key was imported magically... > > >> the whole thing up. That's why I just host my pub key at my site. > > You can host it on BigLumber too, it would act the same as your site, > but would allow you to be searched easily. > >> AND this discussion of reliable and fast key servers has got me >> nervous >> again. > > I just use pool.sks-keyservers.net and forget problems... I have never > been contacted to a keyserver being "down". > > Best Regards > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iQEcBAEBCAAGBQJJ+PUkAAoJEMV4f6PvczxAf08IAJcYbwvaxdPmuI7C7YluwbAp > H4teETVaZE5VtWfli0LpTjmGScAtDHJjlNcFxP5J20AjYXQIcOsc12PXgSuo12lg > 0LYXa+GaYEVd5NWJcddX8JWpZU2YIVgz2nzg8uvKxe8BKlvu3as+rAKq4U3n1ztz > mKShALjX9WiXRoQ8nB7tQkoSVtvL9EABwWs5zoM5U2gzGkGcjBwGE/3J/fzxMjN8 > IdNHtlR+5/OBv24y+2a4akp9/ntrFyPBzFy5ml58WLJ1WKDzZaqqRjygZx1JHRgq > p5/Lu4xZw4OBr1B04WlJ9OJ4sh8CSVCR1H4iet1aItLelTnxFu1xvI4uy40+c5E= > =a1TN > -----END PGP SIGNATURE----- > From rookie01 at arcor.de Thu Apr 30 14:02:59 2009 From: rookie01 at arcor.de (rookie01 at arcor.de) Date: Thu, 30 Apr 2009 14:02:59 +0200 (CEST) Subject: gpgsm data structure References: <17764364.1241089849578.JavaMail.ngmail@webmail18.arcor-online.net> Message-ID: <5040856.1241092979229.JavaMail.ngmail@webmail18.arcor-online.net> Hi, I?m not good in C and algorithms, so I have a question. A recipient cannot decrypt my gpgsm signed and encrypted data. He sent me some data he can decrypt. It looks like this: 121:d=5 hl=2 l= 13 cons: SEQUENCE 123:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption 134:d=6 hl=2 l= 0 prim: NULL 136:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:47E37BFB771546DC3A8732EDE391E2F5241F1CA30 .. 396:d=3 hl=5 l=412998 cons: SEQUENCE 401:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 412:d=4 hl=2 l= 20 cons: SEQUENCE 414:d=5 hl=2 l= 8 prim: OBJECT :des-ede3-cbc 424:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:A5A8A903C2569A48 434:d=4 hl=5 l=412960 prim: cont [ 0 ] A3 76 AD C6 7C FF 55 2A 51 B0 EF 3F 66 32 26 F7 ........................ My gpgsm data looks like this: 114:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption 125:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:4EF9C8BAF21E4C11CD867D30D68C67DB465 385:d=3 hl=2 l=inf cons: SEQUENCE 387:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 398:d=4 hl=2 l= 20 cons: SEQUENCE 400:d=5 hl=2 l= 8 prim: OBJECT :des-ede3-cbc 410:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:B5169BAC652FBBDC 420:d=4 hl=2 l=inf cons: cont [ 0 ] 422:d=5 hl=4 l=4000 prim: OCTET STRING [HEX DUMP]:622551D24221160CFB04821BE62FD681 .. 4426:d=5 hl=4 l=4000 prim: OCTET STRING [HEX DUMP]:B7C8DCCF89 . The differences I see here: 1. There is an extra NULL Object below ?OBJECT:rsaEncryption? 2. The ?encryptedcontent? looks like one big block ?412960? while there are 4kB blocks ?4000? in the gpgsm-Data. He also told me he can decrypt data that has 1kB blocks (haven't seen such stuff), so I checked the gnupg and libgcrypt source-packages to find out where and why. But as I said I?m not fit in C . So here?s my question: Why is the gpgsm data in 4kB blocks and is there a ?easy? way to change this blocksize. Thanks -- Siegfried Arcor.de Gaming Area - kostenfrei daddeln bis der Arzt kommt! Jetzt checken und aus ?ber 80 Spielen w?hlen! http://www.arcor.de/footer-gaming/ From vedaal at hush.com Thu Apr 30 16:09:37 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 30 Apr 2009 10:09:37 -0400 Subject: compatible? GnuPG & PGP 6.5.8 Message-ID: <20090430140937.AF3A5158049@smtp.hushmail.com> >Rasta Surfer wrote: >> Is it possible to export a key from GNUPG 1.4.[7,9] and import >it into PGP 6.5.8? >>> i know pgp 6.5.8 is older than the hills, i still imagine there >is a work around for some type of incompatibility. it's possible, but 'tedious' ;-) [1] use the gnupg option of --pgp6 (and, if you must continue using 6.5.8 until you can upgrade to something newer, please ask gnupg users you correspond with, to also use the option of --pgp6 ) [2] now the 'tedious' part, if you want to export both the secret and public keys, then you have to remove the passphrase from the gnupg secret keys, as the gnupg default secret key protection is newer than 6.5.8 and 6.5.8 can't recognize it you can then set the passphrase in 6.5.8 for that keyring, and then set them back in gnupg for the gnupg keys btw, even though pgp6.5.8 is quite ancient, it can still do some very surprising things ;-) if you want to play around with your gnupg keys in 6.5.8 and see how 'compatible' they are or aren't you don't have to import them at all you can just set your pgp options (temporarily) to point to your gnupg keyrings, and 6.5.8 will recognize them [in the PGP tray, right click on 'Options', then on 'Files', then on 'browse' to find the locations of your pubring.gpg for the Public Keyring File, and secring.gpg for your Private Keyring File, then click OK] you can now sign, encrypt, verify, etc. with almost any gnupg key (just don't try to 'edit' a key, or generate a new one ;-) ) and you can compare the error messages you get when trying to decrypt with a gnupg key that you haven't removed the passphrase from, and a key where you have removed the passphrase >Most people in the OpenPGP community will strongly advise you >against using PGP 6.5.8, for very good reasons. there are 'too many' little incompatibility 'workarounds' that you might need to do, if you continue using 6.5.8 ;-(( vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Become a medical transcriptionist at home, at your own pace. http://tagline.hushmail.com/fc/BLSrjkqfMmdaLt9OaJBCVUpgAZOH5pwNO5xWXWvSFhVLmXj1phfCEJNnOV6/ From faramir.cl at gmail.com Thu Apr 30 19:32:19 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 30 Apr 2009 13:32:19 -0400 Subject: Subkeys... In-Reply-To: <4884AFC1319740259791332F6148260E@cheetah> References: <3f34f8420904281848v574329f1pa011e62d03194b8e@mail.gmail.com> <200904292315.38104.webmaster@felipe1982.com> <49F88439.8090901@gmail.com> <200904300907.03034.webmaster@felipe1982.com> <49F8F525.5000003@gmail.com> <4884AFC1319740259791332F6148260E@cheetah> Message-ID: <49F9E0A3.70601@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 felipe alvarez escribi?: > Somewhat humourously, my public key is now up on all the public key > servers! I guess I'll have to live with all that spam .. .. .. Well, it was predictable soon or later somebody was going to upload it without your consent, maybe by mistake. But don't worry too much, the amount of spam received due to keys in keyservers seems a lot smaller than the normal amount of spam... at least I don't notice the difference between account with keys, and accounts without keys... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+eCiAAoJEMV4f6PvczxAp2IH/jIAPGsfIuqnYU3IhRMQgZvU motHuRCN9l6a9TRkU9JYIoNWmWFZvZuRCq/oTIlEAgMfVQZwniyAlqiPRMwhfhUx 1szTl6gyic1ZXUuU4/pswtQiuRLc0aTVogZsqHwx1hUXgYyggzw07l+Kz601lR3m HqVT8NiYIFUrVTBo7CpcIG6Bgoc/mnO7R/BqO73LLfcyqoOpOj+PaLig9qhIooQ1 AE4C9gHbpmwurl0Sx822tXN8CVGJV3GgFB5EBv7JQUtS1Z9rOtviIXJF32Qen3d2 aeZQrcgBui5vhTNqGvFMM9MemAQbB49x1eQYN9TeBX9r02/OcRoCvjSqCpl3tuA= =/8z4 -----END PGP SIGNATURE----- From cathy.smith at pnl.gov Thu Apr 30 23:54:15 2009 From: cathy.smith at pnl.gov (Smith, Cathy) Date: Thu, 30 Apr 2009 14:54:15 -0700 Subject: Selecting cipher to generate a key pair Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA0A@EMAIL03.pnl.gov> Is it possible to select a specific cipher, such as Triple-DES or Blowfish, to use to generate a key pair? I've read email posted in the archives, and FAQ that indicates this is possible. I don't see an option to do that just running pgp --gen-key Thanks. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.smith at pnl.gov From shtrom at ssji.net Thu Apr 30 01:13:42 2009 From: shtrom at ssji.net (Olivier Mehani) Date: Thu, 30 Apr 2009 09:13:42 +1000 Subject: How easy would it be to create (and prevent the creation of) a fake pinentry? In-Reply-To: <20090429134047.GA928@straylight.m.ringlet.net> References: <20090429100857.GA5970@lxiv.atp.nicta.com.au> <200904291531.52050.lists@404not-found.de> <20090429134047.GA928@straylight.m.ringlet.net> Message-ID: <20090429231341.GA4222@lxiv.atp.nicta.com.au> On Wed, Apr 29, 2009 at 04:40:47PM +0300, Peter Pentchev wrote: > > The pinentry should only pop up when the application actually needs the key do > > do something. If pinentry pops up without you doing someting that requires > > your secret key, you should be worried. > ...like, for example, your OpenPGP-powered Jabber client suddenly > needing to reconnect after something happened to the network and > you simply didn't notice? :> That's exactly what I'm talking about. (: -- Olivier Mehani PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: