From lists at whitehouse.org.nz Sun Aug 1 09:17:41 2010 From: lists at whitehouse.org.nz (Aaron Whitehouse) Date: Sun, 01 Aug 2010 19:17:41 +1200 Subject: Importing/Merging (secret) subkey into existing secret key In-Reply-To: <4C4975DC.3040903@whitehouse.org.nz> References: <4C4975DC.3040903@whitehouse.org.nz> Message-ID: <4C551F95.5080707@whitehouse.org.nz> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 23/07/10 22:58, Aaron Whitehouse wrote: > How do I import a subkey into an existing secret key? If there really is no way to do this, I'll file a bug that: gpg --import sec_subkey.asc should do it automatically. Please let me know if there is a way so that I don't clutter the bugtracker. Regards, Aaron -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxVH4wACgkQCq+ErtWaTnHnoACdHtwPjcOmVamX/ZC5miji32Vn xYQAnjljtAg7T3heT/nH3WGOayaZm3z+ =TTM+ -----END PGP SIGNATURE----- From mailinglisten at hauke-laging.de Sun Aug 1 11:34:29 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 1 Aug 2010 11:34:29 +0200 Subject: Importing/Merging (secret) subkey into existing secret key In-Reply-To: <4C551F95.5080707@whitehouse.org.nz> References: <4C4975DC.3040903@whitehouse.org.nz> <4C551F95.5080707@whitehouse.org.nz> Message-ID: <201008011134.34499.mailinglisten@hauke-laging.de> Am Sonntag 01 August 2010 09:17:41 schrieb Aaron Whitehouse: > On 23/07/10 22:58, Aaron Whitehouse wrote: > > How do I import a subkey into an existing secret key? > > If there really is no way to do this, I'll file a bug that: > gpg --import sec_subkey.asc > should do it automatically. That won't change anything. I had a similar problem, filed a bug report, and was told that this was an architecture problem in 2.0.x. The key handling will be changed in 2.1 which will solve this kind of problem. But for 2.0.x this will not be changed. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Sun Aug 1 12:25:50 2010 From: wk at gnupg.org (Werner Koch) Date: Sun, 01 Aug 2010 12:25:50 +0200 Subject: Importing/Merging (secret) subkey into existing secret key In-Reply-To: <201008011134.34499.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Sun, 1 Aug 2010 11:34:29 +0200") References: <4C4975DC.3040903@whitehouse.org.nz> <4C551F95.5080707@whitehouse.org.nz> <201008011134.34499.mailinglisten@hauke-laging.de> Message-ID: <87tynemxxt.fsf@vigenere.g10code.de> On Sun, 1 Aug 2010 11:34, mailinglisten at hauke-laging.de said: > be changed in 2.1 which will solve this kind of problem. But for 2.0.x this > will not be changed. We won't change it for 1.4 either. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From jprokos at gmail.com Mon Aug 2 10:09:42 2010 From: jprokos at gmail.com (John Prokos) Date: Mon, 2 Aug 2010 13:54:42 +0545 Subject: gnupg-2.0.16 make issue Message-ID: i386-apple-darwin10.4.0 Hello, I have a low experience level? I tried to install gnupg-2.0.16 with dependencies, etc. I am getting an error after running make? ? iMac:gnupg-2.0.16 jp$ make check Making check in m4 make[1]: Nothing to be done for `check'. Making check in gl make check-am make[2]: Nothing to be done for `check-am'. Making check in include make[1]: Nothing to be done for `check'. Making check in jnlib make check-TESTS PASS: t-stringhelp ============= 1 test passed ============= Making check in common make[1]: *** No rule to make target `audit-events.h', needed by `check'. Stop. make: *** [check-recursive] Error 1 Also, I would like to mention that before this roadblock I had to resolve another error which was corrected by installing an unmentioned dependency, libiconv. A bit of googling solved that, but this one I've had no luck with. John From mohanr at fss.co.in Tue Aug 3 08:58:39 2010 From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Tue, 3 Aug 2010 12:28:39 +0530 Subject: AES key management Message-ID: <0EE14841E1FD8545B7E084F22AEF9681033358E5@fssbemail.fss.india> Hi, I have been trying to set up AES key management because the AES encryption/decryption keys are stored in the Java code. I came across split key technology but we are not able to get any idea because we don't use any hardware for this. Is there any way to store a AES key in a GPG keyring securely and retrieve it securely ? I also know that there is always a password involved and it will be soon be a chicke-and-egg situation. Are there any ideas about this ? Thanks, Mohan -------------- next part -------------- An HTML attachment was scrubbed... URL: From prasanth_thandra at yahoo.co.in Tue Aug 3 13:01:44 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Tue, 3 Aug 2010 16:31:44 +0530 (IST) Subject: setuping local/standalone sks keyserver In-Reply-To: <20100720085558.GA2652@straylight.ringlet.net> Message-ID: <421131.41772.qm@web94801.mail.in2.yahoo.com> On Tue, Jul 20, 2010 at 12:50:53PM +0530, Prasanth Thandra wrote: > Hi, > i configured gnupg 2.0.15 on RHEL4 which is a mialserver. > i am able to generate keypairs. > now i want to setup a keyserver either on localhost or as a standalone. > please let me know how to do the same. Start from http://code.google.com/p/sks-keyserver/ I don't know if anybody has made an RPM of that; probably somebody has, but I'm not familiar enough with the various RPM distribution channels to check :) G'luck, Peter HI, First i want to thanks Mr.?Peter Pentchev for his first inputs. i am trying to configure a local sks keyserver on RHEL4. i downloded sks-1.1.1, ocaml-3.11.2 and Berkely DB db-4.6.21 i installed the prerequisites?caml-3.11.2 and Berkely DB db-4.6.21 as said in README of sks-1.1.1 then i #CD /../../sks-1.1.1 #mkdir dump #sks_build.sh === Running fastbuild... === ./sks_build.sh: line 11: sks: command not found Command failed unexpectedly. Bailing out . . please help me in resolving the issue. Thanks in Adv. PRasanth thandra -------------- next part -------------- An HTML attachment was scrubbed... URL: From nobody at nowhere.gov Mon Aug 2 20:18:42 2010 From: nobody at nowhere.gov (Null User) Date: Mon, 2 Aug 2010 20:18:42 +0200 (CEST) Subject: Kleopatra Start Error (Win7) [AUG Resend] Message-ID: <529d74348ecfb2769aaa1e71cd1e79e5@rip.ax.lt> When attempting to start Kleopatra, I get the following error: "The procedure entry point libiconv_set_relocation_prefix could not be located in the dynamic link library iconv.dll" This happens every time. Kleopatra's never worked, even after reinstalling 2.0.4 update. Everything else seems to be OK. Many thanks for any help with this! From John at Mozilla-Enigmail.org Tue Aug 3 22:43:42 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 03 Aug 2010 15:43:42 -0500 Subject: setuping local/standalone sks keyserver In-Reply-To: <421131.41772.qm@web94801.mail.in2.yahoo.com> References: <421131.41772.qm@web94801.mail.in2.yahoo.com> Message-ID: <4C587F7E.1060902@Mozilla-Enigmail.org> Prasanth Thandra wrote: > On Tue, Jul 20, 2010 at 12:50:53PM +0530, Prasanth Thandra wrote: I already replied this on July 21, but it would appear it never reached you so allow me to quote myself in these two top sections (>+) >> i configured gnupg 2.0.15 on RHEL4 which is a mialserver. >> i am able to generate keypairs. >> now i want to setup a keyserver either on localhost or as a standalone. >> please let me know how to do the same. >+ Setting up a keyserver is relatively simple, but I'm not reading the use case >+ for a standalone keyserver. What is it you are wanting to accomplish? >+ For serving a small number of keys, which is typically the standalone model, >+ LDAP is more likely the better implementation. > Start from http://code.google.com/p/sks-keyserver/ > I don't know if anybody has made an RPM of that; probably somebody has, > but I'm not familiar enough with the various RPM distribution channels > to check :) >+ Prebuilt RPMs as well as DEBs of the latest release should be available.* >+ >+ The nominal place for SKS support is the sks-devel list at sks-devel at nongnu.org >+ (http://lists.nongnu.org/mailman/listinfo/sks-devel ) * A quick google, http://lmgtfy.com/?q=sks-1.1.1+rpm returned, near the top, www.rpmfind.net/linux/RPM/fedora/12/.../sks-1.1.1-2.fc12.i686.html > HI, > > First i want to thanks Mr. *Peter Pentchev for his first inputs.* > > *i am trying to configure a local sks keyserver on RHEL4. > > *i downloded sks-1.1.1, ocaml-3.11.2 and Berkely DB db-4.6.21 > > *i installed the prerequisites **caml-3.11.2 and Berkely DB db-4.6.21 as > said in README of sks-1.1.1** It would appear that you stopped reading the README after that section on installing ocaml. Please read the the full README and continue with the next two sections (at a minimum): * Copy Makefile.local.unused to Makefile.local, and edit to match your installation. * Compile make dep make all make all.bc # if you want the bytecode versions make install # puts executables in $PREFIX/bin, as defined # in Makefile.local > *then i * > *#CD /../../sks-1.1.1 Typically, it's a directory under /var, /var/sks or /var/lib/sks > *#mkdir dump Did you put any keyring files in dump? You mention you wish to run this as a standalone keyserver, that would imply that you have your own keyrings you wish to serve. If you wish to serve the main key database that the online SKS network uses, you need to download it into the dump directory, presently ~4GB. Note: that also makes the idea of a standalone server questionable as it will soon become out of sync with the keys on the public servers. > *#sks_build.sh > > === Running fastbuild... === > ./sks_build.sh: line 11: sks: command not found > Command failed unexpectedly. Bailing out 1) You need to build the source and install the executables 2) IMO, edit sks_build.sh and replace fastbuild with build > *please help me in resolving the issue. To repeat myself: The nominal place for SKS support is the sks-devel list at sks-devel at nongnu.org (http://lists.nongnu.org/mailman/listinfo/sks-devel ) Help _IS_ available. You are asking in the wrong place. The is a fair amount of work involved in setting up SKS -- a full discussion of which is NOT appropriate to this list. Subscribe and ask on SKS-Devel. -- John P. Clizbe Inet: John (a) Gingerbear DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From snakylove at googlemail.com Wed Aug 4 02:51:50 2010 From: snakylove at googlemail.com (Snaky Love) Date: Wed, 4 Aug 2010 02:51:50 +0200 Subject: Gnupg good for big groups? Message-ID: Hi, I would like to better understand: is gnupg good for big groups? I would like to encrypt communication in groups - not instant communication like e.g. messengers like pidgin, but like on a forum or web-group - the data persists in an archive, where the communication can be read. Members are coming and leaving a group constantly - that means if somebody leaves the group, she should not be able to read the content decrypted anymore, and if anybody attaches the group all the old content optionally must be encrypted with her key so she can read all data belonging to this group. well, maybe you get the idea. It?s basically like a forum or mailing list with an archive. With my understanding of gnupg I see no other way than to store the data NOT encrypted - in a database or wherever, perhaps on an encrypted disc to compensate for the data not being encrypted - and then to encrypt the data on the fly with the pubkey of the user after the user logged into the website and is checked to belong to the right group. But doing this would be stupid, as it would basically use gnupg only for transport - but there is already SSL and TLS existing for this purpose. So is there any trick to encrypt data at creation time for unknown future users? And how can I remove users from the group of allowed users without re-encrypting the content? Is this possible to realize at all without having to keep the original unencrypted content? Is this scenario - group communication - not a use-case for gnupg at all? Thank you very much for your attention! Have a nice day, Snaky -------------- next part -------------- An HTML attachment was scrubbed... URL: From prasanth_thandra at yahoo.co.in Wed Aug 4 09:14:16 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Wed, 4 Aug 2010 12:44:16 +0530 (IST) Subject: recieving/updating Public Keys from SKS keyserver to pubring.gpg Message-ID: <646262.92885.qm@web94804.mail.in2.yahoo.com> Hi, i configured gnupg 2.0.15 on RHEL4 to encrytp e-mail messages. Then i installed SKS 1.1.1-2 on the same mechine.? now i am able to generate keys #gpg --gen-keysand export/sent them to SKS ? ? #gpg --keyserver hkp://localhost --send-key KEYIDand also recieve them through ?#gpg --keyserver hkp://localhost --recv-key KEYID and i configured each users e-mail client (EVOLUTION) using their KEYIDes. When a user receives an encrypted mail from his peer ... he is able to read the mail only after receiving the KEY of sender to his pubring.gpg . But the problem here is each user has to receive KEYs of all the other one after another....which i dont think is the correct way. ??????? is there any way of receiving all the Public-keys that are available with the local SKS keyserver ??????? if it is ?? how to update users pubring.gpg periodically or ?when ever a new KEY is received by the KEYSERVER? Please help me.. Thanking you P K Thandra? -------------- next part -------------- An HTML attachment was scrubbed... URL: From Simon.Richter at hogyros.de Wed Aug 4 13:55:31 2010 From: Simon.Richter at hogyros.de (Simon Richter) Date: Wed, 4 Aug 2010 13:55:31 +0200 Subject: Gnupg good for big groups? In-Reply-To: References: Message-ID: <20100804115531.GA13412@richter> Hi, On Wed, Aug 04, 2010 at 02:51:50AM +0200, Snaky Love wrote: > I would like to encrypt communication in groups - not instant communication > like e.g. messengers like pidgin, but like on a forum or web-group - the > data persists in an archive, where the communication can be read. Members > are coming and leaving a group constantly - that means if somebody leaves > the group, she should not be able to read the content decrypted anymore, and > if anybody attaches the group all the old content optionally must be > encrypted with her key so she can read all data belonging to this group. > well, maybe you get the idea. It?s basically like a forum or mailing list > with an archive. Obviously you cannot revoke access to something people have already decrypted, because they can always keep a copy. In principle, the rest would be possible, as the data is encrypted using a session key, which is then attached encrypted for each individual recipient, so all that is needed is a way to decrypt one copy of the session key and reencrypt it for the additional recipients. As said, removing a copy of the session key is nonsensical, but if the contents of the file change, it needs to be reencrypted anyway. As far as I know, there are no readymade commandline tools for your use case. Some of these would be generally useful for other uses as well: - take an encrypted file and add new recipients: you'd need to be one of the original recipients, that is, able to decrypt any of the packets containing the session key. - remove recipients from an encrypted file: can be done by selectively throwing away packets; I think this would also be useful in some email setups. > So is there any trick to encrypt data at creation time for unknown future > users? Not really -- you need to have access to the clear text data somehow to extend the list of people who have access. This access can be realized by having a special "recipient" for the web frontend, and by manipulating the gnupg packet stream, the actual data need not be decrypted, but all you gain is speed, not security, as you still need the same information as if you were to decrypt the data. And, obviously, that is a good thing. > And how can I remove users from the group of allowed users without > re-encrypting the content? You can remove the packet containing the session key, but if they already have the session key, they will continue to have access. Given that they also have had access to the clear text, this is not really an issue. > Is this scenario - group communication - not a use-case for gnupg at all? There are mailing list managers that support encrypted mailing lists -- i.e. you encrypt the message to the list bot, and the bot reencrypts to the then-current set of recipients. That doesn't solve your archive problem though, and the revocation issue is unsolvable with any crypto framework. Simon From dirk.walter at semanticbits.com Wed Aug 4 16:32:22 2010 From: dirk.walter at semanticbits.com (Dirk Walter) Date: Wed, 4 Aug 2010 10:32:22 -0400 Subject: Gnupg good for big groups? In-Reply-To: <20100804115531.GA13412@richter> References: <20100804115531.GA13412@richter> Message-ID: > There are mailing list managers that support encrypted mailing lists -- > i.e. you encrypt the message to the list bot, and the bot reencrypts to > the then-current set of recipients. That doesn't solve your archive > problem though, and the revocation issue is unsolvable with any crypto > framework. I disagree with you there, as long as the archive is large enough that a person could not read it all there are sensible reasons to lock out people, say an archive of internal company documents. You want to lock out employees that leave, sure they might still have copies of the documents but the damage is limited if they can't get more to deliberately do damage. You could probably implement access control using a quorum type key setup where multiple parties need to agree to a decryption before it can happen but I can't think of any such key schema that would allow you to change users dynamically, and it also doesn't really conform to your usecase. That said assess control is not usually solved by crypto, and this is not a case where I would use GNUPG, all it can realistically add is transport level security. Your solution of using a service to provide the data after checking for access is probably the right one. From expires2010 at ymail.com Wed Aug 4 19:35:59 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 4 Aug 2010 18:35:59 +0100 Subject: Gnupg good for big groups? In-Reply-To: References: Message-ID: <567813228.20100804183559@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 4 August 2010 at 1:51:50 AM, in , Snaky Love wrote: > Hi, > I would like to better understand: is gnupg good for > big groups? It works for the encrypted mailing list PGPNET (http://tech.groups.yahoo.com/group/PGPNET/). Hardly "big," usually about 30-40 members. > I would like to encrypt communication in groups - not > instant communication like e.g. messengers like pidgin, > but like on a forum or web-group - the data persists in > an archive, where the communication can be read. > Members are coming and leaving a group constantly - > that means if somebody leaves the group, she should not > be able to read the content decrypted anymore, and if > anybody attaches the group all the old content > optionally must be encrypted with her key so she can > read all data belonging to this group. well, maybe you > get the idea. It?s basically like a forum or mailing > list with an archive. PGPNET messages are encrypted to the keys of all current members. Before you joined and after you left, they do not encrypt to your key. - -- Best regards MFPA mailto:expires2010 at ymail.com Always forgive your enemies; nothing annoys them so much -----BEGIN PGP SIGNATURE----- iQCVAwUBTFmlAqipC46tDG5pAQraEQQAiKp0YwN3gYBS5Q9XW1jM9PXeLbWpa1bL 34urWtbDuNrXBXlforlZI2sFLaigOF7PNvR3y88Qv8aEnwk9UAdFqUNscdqwRoxs vQfiU2SF/q370XmyoYEBmrJyvizZPuZFcEOHf7FkSDhIo8zFiHANt1gif0fa2NyW keN+nejMFzY= =vTqo -----END PGP SIGNATURE----- From expires2010 at ymail.com Wed Aug 4 19:45:23 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 4 Aug 2010 18:45:23 +0100 Subject: Gnupg good for big groups? In-Reply-To: <20100804115531.GA13412@richter> References: <20100804115531.GA13412@richter> Message-ID: <617145556.20100804184523@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 4 August 2010 at 12:55:31 PM, in , Simon Richter wrote: > In principle, the rest would be possible, as the data > is encrypted using a session key, which is then > attached encrypted for each individual recipient, so > all that is needed is a way to decrypt one copy of the > session key and reencrypt it for the additional > recipients. Come to that, on a mailing list each member could be sent a copy with the session key encrypted only to their key. For archives, maybe users could authenticate their key with some sort of challenge-response setup and then the server could supply a copy of the required messages encrypted (on the fly) to their key. I guess that would be possible, rather than practical? - -- Best regards MFPA mailto:expires2010 at ymail.com I'll tell you what's the matter! This parrot is dead! -----BEGIN PGP SIGNATURE----- iQCVAwUBTFmnNqipC46tDG5pAQp07AP8C7brl/q6+mDAzhuskRlttFYYiKyCR7Te QcSLmh21JwRZDLLwxZRaVDAv5x4hCDT5vFA2h7MrKDsbI/FHKH8lpiIPogAXWNdv 7wgm52iK3D0gYbsQ9alvMcSsI3Eh03VcfXIeZIn8bHYa5unrvPZ69zPf8Ut6+Tzz zHqtvfARx9I= =xcMj -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Aug 4 19:57:57 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 04 Aug 2010 13:57:57 -0400 Subject: Gnupg good for big groups? In-Reply-To: <567813228.20100804183559@my_localhost> References: <567813228.20100804183559@my_localhost> Message-ID: <4C59AA25.6080505@sixdemonbag.org> On 8/4/10 1:35 PM, MFPA wrote: > PGPNET messages are encrypted to the keys of all current members. > Before you joined and after you left, they do not encrypt to your key. It is also worth noting that PGPNET has some very big problems with key management. PGPNET users are apparently comfortable wrestling with these problems (more power to them for that), but we shouldn't pretend the problems don't exist. In a completely connected graph of N nodes there are (N^2 - N)/2 different edges. Or, in English, 40 members equals 780 separate communications links, each one of which can fail and produce problems for other people. The network begins to get spammed with "that last message wasn't encrypted to my new key, please re-send." The network slowly begins to drown with communications overhead: key synchronization, resend requests, failure notifications, etc. PGPNET is probably operating pretty close to the limits of OpenPGP. At some point the math bites you hard and doesn't let go. A couple of years ago at USENIX Dan Wallach of Rice University talked about his difficulties getting 30 Ph.Ds in computer science to all communicate on an OpenPGP-encrypted mailing list. His precise phrasing was, "it was the torment of the damned." From faramir.cl at gmail.com Wed Aug 4 23:24:44 2010 From: faramir.cl at gmail.com (Faramir) Date: Wed, 04 Aug 2010 17:24:44 -0400 Subject: recieving/updating Public Keys from SKS keyserver to pubring.gpg In-Reply-To: <646262.92885.qm@web94804.mail.in2.yahoo.com> References: <646262.92885.qm@web94804.mail.in2.yahoo.com> Message-ID: <4C59DA9C.4010509@gmail.com> El 04-08-2010 3:14, Prasanth Thandra escribi?: > Hi, Hello, > and i configured each users e-mail client (EVOLUTION) using their > KEYIDes. When a user receives an encrypted mail from his peer ... he is > able to read the mail only after receiving the KEY of sender to his > pubring.gpg . But the problem here is each user has to receive KEYs of > all the other one after another....which i dont think is the correct way. I'm not sure if I understood it right, as far as I know, you need to have the public key of the recipient of the message before you can send him an encrypted message. The recipient can decrypt the message even without having the public key of the sender, that key is required just in case of wanting to reply, or to check the signature of the message. I think downloading they keys one by one, is usually the correct way, because most people operate with public keyservers, and of course, they just want the keys of people they know. But that doesn't apply to your case, since you have your own (private) keyserver. > ??????? is there any way of receiving all the Public-keys that are > available with the local SKS keyserver ??????? I don't know if there is a command to do that, and also, I know very little about using GnuPG at the command line (I always use a GUI), but a possible workaround could be if one user (probably an administrator) download all the keys (one by one or whatever), and then export all the public keys into a single file, which could be distributed to each user. But then, there would be no need of the keyserver, except to keep track of revocations. Maybe you can configure Evolution to automatically download keys when needed... I hope someone else with more knowledge about the subject can help you. > how to update users pubring.gpg periodically or when ever a new KEY is > received by the KEYSERVER? Ah, I saw something about auto refreshing the keyring at PGP-Basics list... I searched but I just found this: that is a crontab (whatever a crontab is) gpg2 -q --batch --refresh-keys gpg2 -q --batch --update-trustdb Sorry for not providing a better answer. Best Regards From expires2010 at ymail.com Thu Aug 5 01:12:59 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 5 Aug 2010 00:12:59 +0100 Subject: Gnupg good for big groups? In-Reply-To: <4C59AA25.6080505@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> Message-ID: <1678416438.20100805001259@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 4 August 2010 at 6:57:57 PM, in , Robert J. Hansen wrote: > It is also worth noting that PGPNET has some very big > problems with key management. PGPNET users are > apparently comfortable wrestling with these problems > (more power to them for that), but we shouldn't pretend > the problems don't exist. In a business-critical setting where it is very important that such things "just work" and do so effiently, this model undoubtedly would fall considerably short of the mark. In a friendly, social forum like PGPNET, I would characterise these "very big problems" more as minor issues and/or learning opportunities. It's really no big deal, just a case of adding/deleting a key in your encryption list each time a new person joins/leaves/changes their key. For those who don't want to "manage" it themselves, shortly after any change one of the moderators posts a list of members and their key IDs to the group's file area, along with an asc file containing all the members' keys; sometimes this may happen a couple of times in a week but more often it's well over a month. And twice a year there's a month-long "roll-call" - anybody who doesn't post in that month is removed from the group. > 40 members equals 780 separate communications links, each one of > which can fail and produce problems for other people. The network > begins to get spammed with "that last message wasn't encrypted to my > new key, please re-send." There is a certain amount of that, obviously. Some people use more than one system and forget to update them all, or update their installation and break something. Or come back from vacation and post messages before spotting there are new members. But it's not as much of an issue as you might expect. Remember, the communications are neither urgent nor important. > PGPNET is probably operating pretty close to the limits of OpenPGP. > At some point the math bites you hard and doesn't let go. Some time back, the head count on PGPNET was in the mid-high 40s and there were more issues. The inevitable increase in instances of human error, plus I also think I recall some people's software would fail to reliably encrypt to that many keys - not report any errors, just send the message encrypted to a subset of the keys. > A couple of years ago at USENIX Dan Wallach of Rice > University talked about his difficulties getting 30 > Ph.Ds in computer science to all communicate on an > OpenPGP-encrypted mailing list. His precise phrasing > was, "it was the torment of the damned." Maybe the issue is that he was getting them to do it, rather than them choosing of their own volition. Some new members on PGPNET seem to have great difficulties; they overcome them or give up. Most are able to master it fairly quickly, with help and guidance from existing members as requested. - -- Best regards MFPA mailto:expires2010 at ymail.com All generalizations are dangerous, even this one. -----BEGIN PGP SIGNATURE----- iQCVAwUBTFnz/qipC46tDG5pAQrEsQP+MMsp3Qwi47tgIN5sB5D/JwXpzDHyWvzP zmaHGN73hlD1HfGHx+eNWV4z52oshkPeqE5BoAhu4P2sfKfmufNGCX39v3z3oXYR xDusJQtYQQrHywKKri7rPbHtTRTwZSphJKxJ/K0VTO7wSrbKllnB9OvkViROT4J/ XvjZ0PmCThY= =s/uO -----END PGP SIGNATURE----- From expires2010 at ymail.com Thu Aug 5 02:38:47 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 5 Aug 2010 01:38:47 +0100 Subject: recieving/updating Public Keys from SKS keyserver to pubring.gpg In-Reply-To: <646262.92885.qm@web94804.mail.in2.yahoo.com> References: <646262.92885.qm@web94804.mail.in2.yahoo.com> Message-ID: <321743049.20100805013847@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 4 August 2010 at 8:14:16 AM, in , Prasanth Thandra wrote: > When a user > receives an encrypted mail from his peer ... he is able > to read the mail only after receiving the KEY of sender > to his pubring.gpg . Not quite right, but Faramir has already addressed this point. > But the problem here is each user has to receive KEYs > of all the other one after another....which i dont think > is the correct way. ??????? It would be the usual way to download keys from the server as needed. > is there any way of receiving > all the Public-keys that are available with the local SKS > keyserver ??????? If all the keys on your local server have a common string in the user-id, this would be trivial. Let's assume the common string is "@domain.example" and try issuing the command gpg --keyserver hkp://localhost --recv-key @domain.example Doesn't that fetch all keys on that server containing that string? Or maybe "gpg --fetch-keys hkp://localhost" might do it? > if it is ?? how to update users > pubring.gpg periodically Put the required commands in a batch file and schedule it to be run periodically, perhaps? > or ?when ever a new KEY is > received by the KEYSERVER? Please help me.. "--auto-key-locate [parameters]" could be used to fetch new keys as needed, rather than as soon as posted to the server - -- Best regards MFPA mailto:expires2010 at ymail.com Wisdom is a companion to age; yet age may travel alone. -----BEGIN PGP SIGNATURE----- iQCVAwUBTFoIGaipC46tDG5pAQqpsAQArzzZm0F5xQS0KnB1IqGSKxarup4ORMJf W2PG/4FmQ8YVSbmLe10hewCrsgQzCywtuKkA8XxelI26hvz8mBz5h2RwatUsKG+s ba8gZpGw7jkOwR+cGTxUL+XxC0xOrGAdwpa86qIbIv8eaD60GILqPdnc4h/Qxy4V Uyq6WyZqz2o= =SMxk -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Aug 5 02:57:08 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 4 Aug 2010 20:57:08 -0400 Subject: Gnupg good for big groups? In-Reply-To: <1678416438.20100805001259@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> Message-ID: <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> > fall considerably short of the mark. In a friendly, social forum like > PGPNET, I would characterise these "very big problems" more as minor > issues and/or learning opportunities. I'm not going to try to tell you what your feelings on the issue should be. However, I strongly suspect that rather than being a minor issue this is in fact the largest issue shaping the group's development. It's kind of like gravity. You don't notice it very much, but it shapes your entire universe. Completely connected graphs tend to evolve along similar lines. So long as it remains under a certain membership level the communication overhead is tolerable. Add one or two people past that and it becomes intolerable. People drop off the network because it's stopped becoming useful to them. The ones who leave tend to be the ones who have derived the least benefit from being part of the network -- their tolerance is not as much as those who have gained from being part of the network. The effect of this is that churn tends to be among new members, not among long-standing ones. Once the network shrinks to a state of usability, people stop leaving. More people sign up, and more people leave. Etc., etc. This is all pretty basic networking theory, and it's why completely connected networks are rarely used in the real world. You can only build it out so far before hitting a brick wall of self-limiting behavior. > It's really no big deal It's no big deal *for you*. If you want to make a blanket statement of it being no big deal, you need to take into account the churn on the periphery: all those people who joined and then left because the key management problem was nontrivial. > Remember, the communications are neither urgent nor important. That's not especially relevant. >> A couple of years ago at USENIX Dan Wallach of Rice >> University talked about his difficulties getting 30 >> Ph.Ds in computer science to all communicate on an >> OpenPGP-encrypted mailing list. His precise phrasing >> was, "it was the torment of the damned." > > Maybe the issue is that he was getting them to do it, rather than them > choosing of their own volition. The network was entirely voluntary. Only way to do it, really. I'd like to see anyone get thirty Ph.Ds to do something in concert which they didn't want to do -- I'd rather try and teach manners to a cat. > Some new members on PGPNET seem to have great difficulties; they overcome > them or give up. Most are able to master it fairly quickly, with help and > guidance from existing members as requested. I suspect if you look at the churn you'll discover many are not able to, and leave for that reason. Again -- my remarks here are not meant to be critical of the mailing list. Nothing of the sort. People who are on the list and like it should stay on it and I hope they keep liking it. My remarks here are of general applicability to completely-connected graphs. The stuff I talk about here is the sort of stuff you can expect to occur on any large OpenPGP-encrypted mailing list. I really don't want to give the impression I'm turning this into a referendum on PGPNET's existence. From jh at jameshoward.us Thu Aug 5 03:09:02 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Wed, 04 Aug 2010 21:09:02 -0400 Subject: Gnupg good for big groups? In-Reply-To: <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> Message-ID: <4C5A0F2E.4020005@jameshoward.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8/4/10 8:57 PM, Robert J. Hansen wrote: > It's no big deal *for you*. If you want to make a blanket statement of it being no big deal, you need to take into account the churn on the periphery: all those people who joined and then left because the key management problem was nontrivial. It's worth noting that I have, more or less, dropped off of PGPNET because of the key management issue. They are nontrivial and it is a pain. GSWoT, however, does share information using a key where the private key parts are shared among all members. I wonder if the key management issue would be simpler if there were a master key, group members were an ADK, and GnuPGP supported ADK. James - -- James P. Howard, II, MPA MBCS CGFM -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJMWg8oAAoJEHPMAEw+5CSeBJQH/3tCo8vwsGR0mW5l4ul2YR8j tkkxU7sPsaFk5CBwu9fJYHSRDZ21mddIHyBPyRINjGEnzs9AxpainLJ/rDs6DKE8 Tvd90TVzrH/wCTk8Fac63n+bxvNjZcghXQwitc91157fT5Vbn1u79ALmf+4RbdEK 3hc4cIxlYTO12m1mJ5Yl/nzAwixoeG2o3zBwyLVtEh0J+02RMr55BWGp6op9mqYR bxHlY3CqRQ0qjU2FaYfXXz4OCnhzNfHnRBEjbwdUV8yezUq8wFV7f23Wy9pSO2W+ V/fThm/xX/LN/Hv7eZZgX3S8NY4qhDcoX0zqPwnQ2lkjDIGO8GJCm11k18doMlo= =HSCY -----END PGP SIGNATURE----- From prasanth_thandra at yahoo.co.in Thu Aug 5 08:07:27 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Thu, 5 Aug 2010 11:37:27 +0530 (IST) Subject: recieving/updating Public Keys from SKS keyserver to pubring.gpg In-Reply-To: <321743049.20100805013847@my_localhost> Message-ID: <931528.12445.qm@web94804.mail.in2.yahoo.com> Hi Thanks for the help. the commands suggested gave the following error messages. > When a user > receives an encrypted mail from his peer ... he is able > to read the mail only after receiving the KEY of sender > to his pubring.gpg . Not quite right, but Faramir has already addressed this point. > But the problem here is each user has to receive KEYs > of all the other one after another....which i dont think > is the correct way. ??????? It would be the usual way to download keys from the server as needed. > is there any way of receiving > all the Public-keys that are available with the local SKS > keyserver ??????? If all the keys on your local server have a common string in the user-id, this would be trivial. Let's assume the common string is "@domain.example" and try issuing the command gpg --keyserver hkp://localhost --recv-key @domain.example ^^[root at localhost ~]# gpg --keyserver hkp://localhost --recv-key @localhost ^^gpg: skipping invalid key ID "@localhost"# by questioner# Doesn't that fetch all keys on that server containing that string? Or maybe "gpg --fetch-keys hkp://localhost" might do it? ^^[root at localhost ~]# gpg --fetch-keys hkp://localhost ^^gpg: Invalid option "--fetch-keys" # by questioner# > if it is ?? how to update users > pubring.gpg periodically Put the required commands in a batch file and schedule it to be run periodically, perhaps? > or ?when ever a new KEY is > received by the KEYSERVER? Please help me.. "--auto-key-locate [parameters]" could be used to fetch new keys as needed, rather than as soon as posted to the server ^^ i have added the line?keyserver-options --auto-key-locate?^^ in my ~/.gnupg/gpg.conf file i have to see how it works - -- Best regards MFPA? ? ? ? ? ? ? ? ? ? mailto:expires2010 at ymail.com Wisdom is a companion to age; yet age may travel alone. -----BEGIN PGP SIGNATURE----- iQCVAwUBTFoIGaipC46tDG5pAQqpsAQArzzZm0F5xQS0KnB1IqGSKxarup4ORMJf W2PG/4FmQ8YVSbmLe10hewCrsgQzCywtuKkA8XxelI26hvz8mBz5h2RwatUsKG+s ba8gZpGw7jkOwR+cGTxUL+XxC0xOrGAdwpa86qIbIv8eaD60GILqPdnc4h/Qxy4V Uyq6WyZqz2o= =SMxk -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: From John at Mozilla-Enigmail.org Thu Aug 5 08:31:28 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Thu, 05 Aug 2010 01:31:28 -0500 Subject: recieving/updating Public Keys from SKS keyserver to pubring.gpg In-Reply-To: <321743049.20100805013847@my_localhost> References: <646262.92885.qm@web94804.mail.in2.yahoo.com> <321743049.20100805013847@my_localhost> Message-ID: <4C5A5AC0.4000904@Mozilla-Enigmail.org> MFPA wrote: > On Wednesday 4 August 2010 at 8:14:16 AM, in > , Prasanth Thandra > wrote: >> When a user receives an encrypted mail from his peer ... he is >> able to read the mail only after receiving the KEY of sender to his >> pubring.gpg . > > Not quite right, but Faramir has already addressed this point. Public key of sender is needed to verify his signature OR to encrypt messages sent to him. >> But the problem here is each user has to receive KEYs of all the >> other one after another....which i dont think is the correct way. >> ??????? > > It would be the usual way to download keys from the server as needed. True, but there are easier solutions >> is there any way of receiving all the Public-keys that are >> available with the local SKS keyserver ??????? > > If all the keys on your local server have a common string in the > user-id, this would be trivial. Let's assume the common string is > "@domain.example" and try issuing the command > > gpg --keyserver hkp://localhost --recv-key @domain.example > > Doesn't that fetch all keys on that server containing that string? > > Or maybe "gpg --fetch-keys hkp://localhost" might do it? Nope, that won't do it. --recv-key takes one of more hex key IDs. --search-key will work with part of an address, but it is a manual process. There's still an easier way to do this > if it is ?? how to update users pubring.gpg periodically gpg --refresh-keys on a periodic basis, cron job or Scheduled Tasks on Windows > Put the required commands in a batch file and schedule it to be run > periodically, perhaps? > >> or when ever a new KEY is received by the KEYSERVER? Please help me.. Not any mechanism within SKS for this directly, although... SKS' mailsync mechanism could be used to forward updates to an all-employees list, but the volume would probably get to be a nuisance. Doable but not a good approach > "--auto-key-locate [parameters]" could be used to fetch new keys as > needed, rather than as soon as posted to the server auto-key-locate is more of a last-minute fetch, as such, it can be a bit of a gamble Since this is all happening within the context of a single enterprise, what we have here is a system administration/HR issue. IMNSHO, the intelligent thing to do in this implementation would be yo keep a separate globally readable keyring of all the employee's keys (they need not be current) For each new employee, the employee: 1) generates a key and sends the pub key to the ring admin and the keyserver, and generates a revocation certificate, a copy of which stays with HR (alternatively, designate HR as a revoker) 2) The employee then imports the company pubring, thus obtaining all of the base keys 3) Then Employee then issues gpg --refresh-keys thus updating all keys to their current status This global keyring doesn't even need to be binary, it can be a concatenation of .asc exported keys This scenario, along with ADKs, is part of what prompted PGP Corp to create their PGP Enterprise offering. If I was implementing this, I would not bother with running a private SKS server for keys, it's serious overkill -- it's akin to using a bazooka instead of a fly-swatter. (Note: I run a SKS keyserver.) I'd use LDAP to serve keys as part of an enterprise wide directory system. Much, much, much more cleaner, easier, and more multipurpose of a solution. Honestly, you want LDAP. Really. -- John P. Clizbe Inet: John (a) Keyservers DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From prasanth_thandra at yahoo.co.in Thu Aug 5 10:35:41 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Thu, 5 Aug 2010 14:05:41 +0530 (IST) Subject: gnupg installation problem Message-ID: <351061.17518.qm@web94809.mail.in2.yahoo.com> Hi, i am installing GNUPG 2.0.15 on RHEL4. As suggested by readme doc i installed? libgpg-error-1.8libgcrypt-1.4.5libassuan-2.0.0libksba-1.0.6pinentry-0.8.0 using ?the instructions ./configure, make, make install .... in the above order. Finally i installed GNUPG 2.0.15. I have created .gnupg in my home dir, and gpg.conf using ?/usr/local/share/gnupg/gpg-conf.skel?i added?keyserver hkp://localhost (i configured local sks server for testing)keyserver-options auto-key-retrive. i have generated a key-pair #gpg --gen-keysand exported to local keyserver #gpg --send-key KEYIDi have not faced any problem till then BUT.. when i am trying to invoke gpg-agent, gpg2 or gpgsm iam getting errors [root at localhost ~]# gpg-agent --daemon gpg-agent: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory [root at localhost ~]# gpg2 gpg2: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory [root at localhost ~]# gpgsm gpgsm: error while loading shared libraries: libksba.so.8: cannot open shared object file: No such file or directory i am clueless about what is happening or what to do to correct these errors... whether my installation was not complete ???? PLEASE HELP ME ...THANKING YOU -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Thu Aug 5 13:25:38 2010 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 05 Aug 2010 13:25:38 +0200 Subject: Importing/Merging (secret) subkey into existing secret key In-Reply-To: <4C4975DC.3040903@whitehouse.org.nz> References: <4C4975DC.3040903@whitehouse.org.nz> Message-ID: <4C5A9FB2.4030205@digitalbrains.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On -10/01/37 20:59, Aaron Whitehouse wrote: > How do I import a subkey into an existing secret key? I managed to do this with gpgsplit and recombining. I'm doing this under Linux; commands for other OSes might differ. Please read the whole mail before starting. On one machine, I have a key with 2 encryption subkeys, let's say A and B. I then use these commands: $ mkdir key1 $ cd key1 $ gpg --export-secret-keys | gpgsplit Here, the $ sign simply indicates I type it at the prompt, a common convention. Don't actually include the $. Replace with your... keyid, indeed :). If I now do a listing of the files in this directory, I see the following: $ ls 000001-005.secret_key 000002-013.user_id 000003-002.sig 000004-007.secret_subkey 000005-002.sig 000006-007.secret_subkey 000007-002.sig (sorry for the layout) These files are the parts that together make up your whole key. Filenames are a sequence number (increasing), and after the dash the packet type. The packet type in human readable form is after the dot. An explanation: 000001-005.secret_key The primary key. 000002-013.user_id The user id. 000003-002.sig The signature binding user id and specifying preferences. 000004-007.secret_subkey The first secret subkey, encryption key A. 000005-002.sig Signature binding A to the primary key. 000006-007.secret_subkey The second secret subkey, encryption key B. 000007-002.sig Signature binding B to the primary key. You can het more information on these packets with, f.e.: $ cat * | gpg --list-packets This will list details about the packets, /in the same order/ as the files. Just count. Now, on the second machine I have the same key, only unfortunately it has encryption subkeys A and C. That is, on the first machine I miss key C and on the second machine I miss key B. I start out the same on the second machine: $ mkdir key2 $ cd key2 $ gpg --export-secret-keys | gpgsplit The files created will in this case actually have exactly the same names as described above. The big difference is the contents of the last two files: 000006-007.secret_subkey Encryption subkey /C/ 000007-002.sig Signature binding /C/ to the primary key. Unfortunately, gpg --list-packets does not list the key id's for key packets. But it does list creation date (in UNIX time format) and expiration date. You can use these numbers to match up which keys you want to combine. No need to understand UNIX time format, just match up numbers so that you end up with all unique subkeys together. You can always throw out unneeded ones later using GnuPG. Now we want to have subkey C on the first machine. Assuming you've copied the directory key2 and its contents to the first machine, you can do this: $ cp key2/000006-007.secret_subkey key1/000008-007.secret_subkey $ cp key2/000007-002.sig key1/000009-002.sig Actually, the names are not very important, as long as they are in the same sorting order as here. I chose to continue the naming GnuPG itself uses. Now directory key1 has the full key: primary key, and subkeys A, B and C. These can be combined to form the full key: $ cd key1 $ cat * >secret_key.gpg The difficulty you initially ran into is that GnuPG will not import a key it already has in the keyring, even if the subkeys are different. So after making a backup of everything, you delete the key already in the keyring. I suggest making the backup before even starting all this, to avoid disasters if you got something wrong. So on both machines, we do: $ gpg --delete-secret-and-public-keys $ gpg --import secret_key.gpg The file secret_key.gpg is what we created in the previous step. You should now have the full key on both systems. I hope /I/ didn't do something wrong here, but the backup you made saves you from disasters in that case. Note 1: If this is too cryptic, you should not just type in what I say. You need to understand commands you enter at the prompt, not blindly type in what some stranger on the internet says. Just ask for more info. Note 2: I strongly suggest setting the passphrase the same on the two systems, or you'll run into funny behaviour when it prompts for the passphrase of your new combined key. You might even want to "change" the passphrase after the import of the whole key, but change it to the same passphrase you already had. I won't go into the details, but this will make the key consistent with how GnuPG normally stores encrypted keys. I don't think GnuPG was ever meant to support the interesting combining of encrypted keys we do here, even though it works. On a sidenote, I think it would be cool if GnuPG, on --import, inspected all subkeys and user id's in a key individually, and add any that are missing. I think such functionality is useful and intuitive. Perhaps I should create a feature request ticket. Good luck, Peter. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt (new, larger key created on Nov 12, 2009) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMWp+sAAoJEJaeAY/ebNyhG24IAIIQ4qa9usTBN76dMPKzoR3x tXXamXRsgr+Ny6szflybheScmw0gCoqulYq8KKDu6xrYlkHuBUPMMQgXitGRvNYL YRLxTzv7QlCATwxK9VW3uyx+vCShysNFzoUlTOw1fHzn9IB0IxOzqQQKzm28ry5q 2MvsTdf2inscrEOhA6yOAQ4qCY+nzz5Yfowr8NQLBk0NVVKbxH6f077j/YqCgNyV K9Ekq+GvdL7DEQZuV8LmcykfOp6Vq9KdWMFoXPuBdvogiajR6TAnUysVAXZcO3TI hc2Kn6UiEbzZZWLAToXyrgoS/mJ10IkPnXSNH9VIiDqpqI3EL2rhY3dHLw5+98k= =kWgk -----END PGP SIGNATURE----- From klaus at vink-slott.dk Thu Aug 5 15:43:49 2010 From: klaus at vink-slott.dk (Klaus Slott) Date: Thu, 05 Aug 2010 15:43:49 +0200 Subject: Keypair is expiring. In-Reply-To: <4C4727B6.3090405@grant-olson.net> References: <4C4727B6.3090405@grant-olson.net> Message-ID: <4C5AC015.5090800@vink-slott.dk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 21-07-2010 19:00, Grant Olson answered Alex Wolff: > >> Can I change the expiration date of my key pair to not expire...without >> having to re-issue another public key to all my encryption partners? // > But that's where keyservers are handy. You push the key with the new > expiration date to the keyserver. I had the same issue and changed dates on my key. Now if I look at my keystore it looks as my public key life if extended: klaus at zap:~> gpg --list-key 30096062 pub 4096R/30096062 2009-10-08 [expires: 2015-07-14] uid Klaus Vink Slott sub 4096g/BA72310E 2009-10-08 [expires: 2010-10-08] but my sub key is not and I guess that is a problem? Can I extend the life of the subkey or do I issue a new sub-key. Will the new subkey still carry on the trust from people that people that have signed my public key? Another thing that puzzles me is that even if I have uploaded my keys again to public servers klaus at zap:~> gpg --send-key 30096062 (in gpg.conf in have keyserver hkp://keys.gnupg.net) the servers don't seem to list my new expiry date when I search my key from the web interface. - -- Regards Klaus -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iQIcBAEBCgAGBQJMWsAVAAoJENuk95UwCWBiBnAP/jM5eiGQFxmsUrr8OWKlF8uB aVSPEUuLaKEfpGeuwwRzf6t1iLfYQ8AXOUa3uWWJyN3+FZnz6ZRGB+J5Bcl462VP hZX3JTUMyaGZVI1gIsmE+N1k3WLkMAAxKramAXLTlCScljMXHBuly5A7x6PWEJ97 Hz2AoRtvNdbOXHp0zaUmhFHZiHCP7Z6ga7edgiBOAy091XKgAJLZqhsl9Ou/FwpP zxf1kBgZnQqMFiutYo+ncfgnWSTB0ah68PNv1Joe+AH2FvDWVCsKhGKzFsM7fE05 Vbq2fq8B8A9e1uKHqi9xylOtug5qsJGO92BOPhWVefzdl9jfRMAMSIwk8W4mhcsl FcQAgZOBc80/gvFrMDt4MXt0PQZpMOlnUEvK93MCx1uc8fFLUieVLudjFElgHjqB TagJt03bUe15+eflPIotuYcVNzG6wv2bBtlHAQMMCxuXbJS/cp9P8ooI6eCDOjaX vBm/vhkACYDQI38xN+CKasG3YTyfWmq9SjV/0y5otj7DIRHjiVv/VmX/6sQaINyN +AMo63lirOpkvPCiikcGJ6Wx5YbSVfvpsx2KtkmH22HenSeabsKEyGk50FsNASVX Hw5Me1Dj1MpryjxcWzp5A1mQ/oX6cxIk9dSpLxn66qf3tKLH4APqTEUirTzbCaYD 8lAYKPjbCbDn3fVmfr3k =TdYe -----END PGP SIGNATURE----- From expires2010 at ymail.com Thu Aug 5 20:00:16 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 5 Aug 2010 19:00:16 +0100 Subject: Gnupg good for big groups? In-Reply-To: <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> Message-ID: <282533062.20100805190016@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 5 August 2010 at 1:57:08 AM, in , Robert J. Hansen wrote: > I strongly suspect that rather than being a minor issue this is in > fact the largest issue shaping the group's development. It's kind of > like gravity. You don't notice it very much, but it shapes your > entire universe. Interesting. I never considered it like that. > People drop off the network because it's stopped becoming useful to > them. The ones who leave tend to be the ones who have derived the > least benefit from being part of the network -- their tolerance is > not as much as those who have gained from being part of the network. > The effect of this is that churn tends to be among new members, not > among long-standing ones. This could be describing almost any social or work-related group! (-; > Once the network shrinks to a state of usability, > people stop leaving. More people sign up, and more > people leave. Etc., etc. This is all pretty basic > networking theory, and it's why completely connected > networks are rarely used in the real world. You can > only build it out so far before hitting a brick wall of > self-limiting behavior. Definitely not scaleable. A bit like a sports league where each team plays against every other twice each season - this reaches a limiting number of participants much quicker than a knock-out competition where those who lose play no further matches. >> It's really no big deal > It's no big deal *for you*. Of course; I claim no mandate to speak for anybody else. > If you want to make a blanket statement of it being no big deal, you > need to take into account the churn on the periphery: all those > people who joined and then left because the key management problem > was nontrivial. I probably under-estimate the amount of churn - partly because few people actually leave the group rather than just stop posting and get culled at the next roll-call. It seems unlikely to me that key management is the major reason people sign up and don't hang around, since that also happens a lot in non-encrypted groups. >> Remember, the communications are neither urgent nor >> important. > That's not especially relevant. If nothing else, I think it is very relevant to where "not encrypted to my key" appears on the scale from major problem to minor issue. > Again -- my remarks here are not meant to be critical of the mailing > list. Nothing of the sort. People who are on the list and like it > should stay on it and I hope they keep liking it. > I really don't want to give the impression I'm turning this into a > referendum on PGPNET's existence. Yes, you have made this very clear. > My remarks here are of general applicability to completely-connected > graphs. The stuff I talk about here is the sort of stuff you can > expect to occur on any large OpenPGP-encrypted mailing list. I > really don't want to give the impression I'm turning this into a > referendum on PGPNET's existence. I guess there is a more scalable model of openPGP-encrypted mailing list. Maybe members could encrypt to a group's key and the list-server decrypt, then re-encrypt for the members? - -- Best regards MFPA mailto:expires2010 at ymail.com Another person's secret is like another person's money: you are not as careful with it as you are with your own -----BEGIN PGP SIGNATURE----- iQCVAwUBTFr8PqipC46tDG5pAQqEIwP+IsaNyGda8ZALrk2lztv3yKZnV/Svvo5m a5T9ozv//+dbWRXuZdv39o2FZixrLE5u3LY901VXEaCKhHO3IQL+/uCuIjFUzJWx hPW0VlWpNTz0yrfNZyXxzirgseAzn/Z+w5m75TxmLWub1PPLfoVT+BVOjBqaQmre kOsepzIjz9w= =0Zob -----END PGP SIGNATURE----- From expires2010 at ymail.com Thu Aug 5 20:12:17 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 5 Aug 2010 19:12:17 +0100 Subject: Keypair is expiring. In-Reply-To: <4C5AC015.5090800@vink-slott.dk> References: <4C4727B6.3090405@grant-olson.net> <4C5AC015.5090800@vink-slott.dk> Message-ID: <1371226741.20100805191217@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 5 August 2010 at 2:43:49 PM, in , Klaus Slott wrote: > Can I extend the life of the subkey or do I issue a new > sub-key. You can extend the life of a subkey (when editing your key, select the subkey then issue the "expire" command), but I've more often seen people suggest replacing it. > Will the new subkey still carry on the trust > from people that people that have signed my public key? Yes, the signatures are always on the main key and the subkeys are bound to the main key. The fact that signatures on the main key may predate creation of a particular subkey does not matter (as far as I know). - -- Best regards MFPA mailto:expires2010 at ymail.com No matter where you go, there you are. -----BEGIN PGP SIGNATURE----- iQCVAwUBTFr/CKipC46tDG5pAQpGkgP/Rwm1XtIHXv/zlLLxAWwEEI/WYGVmztIc oFMHu4rhMiNZkMOrDqJikQ9XBw5COUGNfa5rNHOTcF8pxHhJTyUnIzajaktZtsIq VQkTQjClxZvEUrDLCCqUdb/wBVCgMI268N9MylWeZVUmrCNfaliN9KesQTEYWnoq iUxk9Ab/1Tk= =XH8V -----END PGP SIGNATURE----- From bdesham at gmail.com Thu Aug 5 20:34:58 2010 From: bdesham at gmail.com (Benjamin Esham) Date: Thu, 5 Aug 2010 13:34:58 -0500 Subject: Newbie questions about keyring maintenance Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I've been using GnuPG for personal things for many years, but I've only recently started to try to understand the "social" aspects, like signing others' keys and the trust model. I have a bunch of basic questions that I was hoping people here could answer. (If these are answered by some beginners' guide then a link to that would be appreciated too!) I'm running GnuPG 2 on Mac OS X. 1. Right now, my crontab contains gpg2 -q --batch --refresh-keys gpg2 -q --batch --update-trustdb This will grab new copies of the public keys from the servers and then recalculate the trust relationships. (There's a thirty-minute gap in between to allow for the downloading to take place.) Is it necessary to manually update the trust database this often? Are there any other commands I should run periodically to maintain my keyring? 2. During the update process, I get a bunch of lines like gpg: requesting key 1234ABCD from hkp server subkeys.pgp.net Is there any reason this is displayed even though I've invoked GPG with -q? I get an e-mail whenever this command produces output, so it would be nice if GPG would really be quiet unless there were an error. 3. During the update process, I also get errors like gpgkeys: key 1A2B3C4D[...] not found on keyserver Is there something I should configure differently in order to avoid this? 4. When I run gpg2 --update-trustdb, I get a message like gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 1 signed: 10 trust: 0-, 1q, 0n, 0m, 0f, 0u gpg: next trustdb check due at 2010-07-24 How do I interpret this output? Also, given a certain key, how can I get GPG to tell me what its trust status is? (For example, "this key is not signed by you, but it is signed by two keys you consider fully trusted, so it is valid", etc.) Thanks a lot for any answers! - -- Benjamin D. Esham | bdesham at gmail.com Te audire non possum est. Musa fixa in aure sapientum est. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iEYEARECAAYFAkxbBFIACgkQzOC3TdZ2u5odawCg7tEQ3OcWM7gWuDmAMlAMySGU 7g4AoMKRCr4QUqwEySZE3iB9aKPEP9GD =LSck -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Fri Aug 6 00:32:37 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 05 Aug 2010 15:32:37 -0700 Subject: Gnupg good for big groups? In-Reply-To: <282533062.20100805190016@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <282533062.20100805190016@my_localhost> Message-ID: <1281047557.13753.19.camel@ubuntu> On Thu, 2010-08-05 at 19:00 +0100, MFPA wrote: > This could be describing almost any social or work-related group! > (-; Networking theory is like that. It takes a while to understand the math, but once you do you see applications everywhere. > I probably under-estimate the amount of churn - partly because few > people actually leave the group rather than just stop posting and get > culled at the next roll-call. It seems unlikely to me that key > management is the major reason people sign up and don't hang around, > since that also happens a lot in non-encrypted groups. Yes and no. Generally speaking, the number one reason why nodes drop out of networks is the benefit is exceeded by the cost. Or, in plain English, "it just isn't worth the headache." Marriages end for this reason. So do friendships. Political alliances come apart. Etc., etc. So the question isn't whether key management is the major reason why people sign up and don't hang around -- the question is more whether key management is a major expense which adversely affects the cost-benefit ratio. As an example, if I were to start posting tomorrow's winning lottery numbers to PGPNET, you'd hardly see any churn at all. The benefit is worth the cost. But, as you've observed, the network's purpose is generally social. It's pleasant, but it's not exactly winning lottery numbers. Returning back to general discussion about networks and OpenPGP, the usefulness of the information will be a (although perhaps not *the*) major factor which will drive the network's growth. The headache involved in key management will be a (although perhaps not *the*) major factor limiting the network's growth. > If nothing else, I think it is very relevant to where "not encrypted > to my key" appears on the scale from major problem to minor issue. See above. > Yes, you have made this very clear. Good. :) My thanks to the various PGPNET guys for being good-natured about this. The group is a good laboratory for discovering and understanding problems that arise in real-world OpenPGP deployments. > I guess there is a more scalable model of openPGP-encrypted mailing > list. Maybe members could encrypt to a group's key and the list-server > decrypt, then re-encrypt for the members? Some years ago I offered to write a tool for the group which would help manage the key problem. (Kind of.) The idea was to write a small Windows app that would automatically download the membership list once a day and update Enigmail's pgprules.xml file. This meant Enigmail users would no longer be maintaining per-recipient rule lists by hand (which is tedious, error-prone, and frustrating for newbies). The process would be entirely automated. It sounds like a great idea, up until you consider that even if the spam overhead problem is reduced by a factor of 10, that gain gets obliterated once a few more people join the network. The spam overhead follows an exponential growth. When dealing with exponential curves, linear reductions -- even large linear reductions -- are pretty much meaningless. Ultimately, the group decided not to take me up on the offer -- the overwhelming opinion was that they'd rather get experience editing pgprules.xml by hand. C'est la vie. :) From faramir.cl at gmail.com Fri Aug 6 00:18:44 2010 From: faramir.cl at gmail.com (Faramir) Date: Thu, 05 Aug 2010 18:18:44 -0400 Subject: Keypair is expiring. In-Reply-To: <4C5AC015.5090800@vink-slott.dk> References: <4C4727B6.3090405@grant-olson.net> <4C5AC015.5090800@vink-slott.dk> Message-ID: <4C5B38C4.9000602@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 05-08-2010 9:43, Klaus Slott escribi?: ... > I had the same issue and changed dates on my key. Now if I look at my > keystore it looks as my public key life if extended: > > klaus at zap:~> gpg --list-key 30096062 > pub 4096R/30096062 2009-10-08 [expires: 2015-07-14] > uid Klaus Vink Slott > sub 4096g/BA72310E 2009-10-08 [expires: 2010-10-08] > > but my sub key is not and I guess that is a problem? Can I extend the > life of the subkey or do I issue a new sub-key. Will the new subkey > still carry on the trust from people that people that have signed my > public key? This tutorial is about using subkeys without the main key, but it contains info about how to modify the expiration time of subkeys: http://tjl73.altervista.org/secure_keygen/en/index.html > the servers don't seem to list my new expiry date when I search my key > from the web interface. Maybe the chosen server is having issues and is not propagating the changes? I'd wait some hours and check again. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMWzjEAAoJEMV4f6PvczxAx00IAIYF2r/zyZ33Qm61eBm5tFz1 adj6nKGXJDDMT8IBf6LMApGgIF8OgyNWvihntlb3pWOBVZp6Awc6YDVZI+58Yxda 66oSGf9tZJ0H5Xb3YmjdfnAyWN5pK+wdnR0f5N3OJrW7NECBgpeFNHbi0lrH0W20 /O86RXQM73b9iVtGFyp97Ua20JAPAstyPspf+DyRXt7Zm3xwzoVe4eR6vp89ScDm Y3oFt2risI2zYRqhauoN+EM9M7qyF83cRnX+JS7jKUpcNkORnIuvo3K+35fbcbuI VZu89WUqF3kF9ZBnEO+QXJcJIHC5kBYUikKUSBrzWNj7eH61kmNlctzw7d4hgqE= =l1yP -----END PGP SIGNATURE----- From jh at jameshoward.us Fri Aug 6 03:30:39 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Thu, 05 Aug 2010 21:30:39 -0400 Subject: Gnupg good for big groups? In-Reply-To: References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> Message-ID: <4C5B65BF.60104@jameshoward.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8/5/10 1:46 PM, Snaky Love wrote: > About GSWoT - does this cover my described use-case? I don?t quite get > it from a first glance on the website... Actually, no, not at all. - -- James P. Howard, II, MPA MBCS CAPM CGFM -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJMW2W7AAoJEHPMAEw+5CSeqbAH/3bHp5B5DO2AtRC4z8WpRiMI O9+TabSEtm3b6dc1Y62pgMjriMZA1RfmvIy4RyttgZ2h8jOqjNpA+jx2sw9nOdJZ /SRJHNBw8VaAmdfjwL5Gd8UOjkEEehYT3+UVFQgoWXB6X6AsdNTZfv37Wbv3Qtfg aNzRles1YKzGSjuQFRm4hCt3HauR2oo6Jf4UiJcO5PlTDBmzZyXa4KjIRR8cN5R0 Jal64Lemp14wmWKQY9RF4qDdLVPPInMYZNd+M50Lb6OWpJVMecEX+TNtTq2aZkwS OK16BxFiW4Eq8gu67BUWHOlMFwyZW1rnimYOSKZ4FlpeN9MbK8ZDVu5UJmZrArA= =jliE -----END PGP SIGNATURE----- From prasanth_thandra at yahoo.co.in Fri Aug 6 07:43:43 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Fri, 6 Aug 2010 11:13:43 +0530 (IST) Subject: gnupg installation problem Message-ID: <715051.40754.qm@web94809.mail.in2.yahoo.com> Hi, i am installing GNUPG 2.0.15 on RHEL4. As suggested by readme doc i installed? libgpg-error-1.8libgcrypt-1.4.5libassuan-2.0.0libksba-1.0.6pinentry-0.8.0 using ?the instructions ./configure, make, make install .... in the above order. Finally i installed GNUPG 2.0.15. I have created .gnupg in my home dir, and gpg.conf using ?/usr/local/share/gnupg/gpg-conf.skel?i added?keyserver hkp://localhost (i configured local sks server for testing)keyserver-options auto-key-retrive. i have generated a key-pair #gpg --gen-keysand exported to local keyserver #gpg --send-key KEYIDi have not faced any problem till then BUT.. when i am trying to invoke gpg-agent, gpg2 or gpgsm iam getting errors [root at localhost ~]# gpg-agent --daemon gpg-agent: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory [root at localhost ~]# gpg2 gpg2: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory [root at localhost ~]# gpgsm gpgsm: error while loading shared libraries: libksba.so.8: cannot open shared object file: No such file or directory i am clueless about what is happening or what to do to correct these errors... whether my installation was not complete ???? PLEASE HELP ME ...THANKING YOU -------------- next part -------------- An HTML attachment was scrubbed... URL: From snakylove at googlemail.com Thu Aug 5 19:46:50 2010 From: snakylove at googlemail.com (Snaky Love) Date: Thu, 5 Aug 2010 19:46:50 +0200 Subject: Gnupg good for big groups? In-Reply-To: <4C5A0F2E.4020005@jameshoward.us> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> Message-ID: Hi, thank you very much for the interesting discussion. About GSWoT - does this cover my described use-case? I don?t quite get it from a first glance on the website... Thanks again for your attention, Snaky -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dave.Smith at st.com Fri Aug 6 14:51:02 2010 From: Dave.Smith at st.com (David Smith) Date: Fri, 6 Aug 2010 13:51:02 +0100 Subject: Gnupg good for big groups? In-Reply-To: References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> Message-ID: <4C5C0536.9090502@st.com> Snaky Love wrote: > Hi, > > thank you very much for the interesting discussion. > > About GSWoT - does this cover my described use-case? I don?t quite get > it from a first glance on the website... Well, I've only just learned about it by reading the website, but... Not really. >From what I can tell, GSWoT doesn't really add anything "technically" to GnuPG and the "normal" WoT. I think that the idea behind "GSWoT" is to create a number of "more trusted" people that will actively go out and sign keys, and adhere to a specified code of conduct when doing so. They are hoping that, due to their affiliation with the GSWoT organisation, that you will put more trust in their ability to sign keys than you would in "Joe Public". By doing this, they hope that people who choose to increase their trust level of GSWoT "introducers" will therefore be able to validate many more keys than someone with standard trust settings. However, it does not solve your problem. IMHO, GnuPG is the wrong tool (overall) to solve your problem. There are ways in which you could shoe-horn it to force it to work, but it's really not the appropriate tool. The "mailing list" problem is solved relatively easily with GnuPG - as others have said, the originator of each message sends his/her message to the list server encrypted with the server's key; the server then decrypts the message and forwards the mail to each list member encrypted with each member's key individually; alternatively the server could send the message to every member at the same time encrypted with everyone's key, although that might have some privacy and bandwidth issues (since you can tell who is on the list, and if there are many users, the overhead of including the session key so many times might become prohibitive. The main problem is with the archive; in particular, revoking access. One way you could do it: Every document is encrypted using symmetric encryption with the same, randomly-generated session key. That key is then encrypted using each list member's key, and sent to every member. If a new member arrives, they are given the current session key encrypted with their key. Now, this is where it becomes nasty. When a member is removed, the entire database must be decrypted and then re-encrypted with a new, randomly-generated session key which is then re-distributed amongst the remaining members. Another way: The system automatically encrypts every document with every user's key, plus one key for the administrator. When a user is added, the administrator decrypts and then re-encrypts every single document using the new user's key When a user is removed, the administrator decrypts and then re-encrypts every single document without the removed user's key. Neither of these solutions solve the problem where a user takes a copy of the whole encrypted database before they are removed. Both of these solutions are rather painful. As others have suggested, a much better way of doing this sort of system would be a client-server architecture where the user is required to log in to the server, which decides (based on the user's credentials) whether to provide the document. Obviously you now have to make sure that the server mechanism itself is secure and cannot be successfully attacked. You could use GnuPG to encrypt communication between the client and server, but as you've already mentioned, we already have SSL/TLS for this sort of thing. I'd propose that your requirements are likely to be served by: o A web server running either a forum or a Wiki, which requires user logins. An audit may need to be done to check the security of the forum. o Enforcing the use of HTTPS to connect to the server o If mailed notifications are required, use a forum/Wiki which is able to mail out postings/changes, and modify the mailing back-end to encrypt all messages to the intended users. You could use one of the encrypted mailing list servers available as your back-end. o Depending on your threat model, you may want to encrypt the back-end storage; in the worst case this could be on-the-fly encryption of each file as it's written to disk using the server's key (although this does introduce the problem of keeping the server's key secure), or it could just be an encrypted disk partition using (e.g.) LUKS. Note that there are no solutions that will prevent a user keeping a decrypted copy of a previously-downloaded document, unless you use your own custom-written browser and document viewer. From tomp at idirect.com Fri Aug 6 14:05:16 2010 From: tomp at idirect.com (Tom Pegios) Date: Fri, 06 Aug 2010 08:05:16 -0400 Subject: gnupg installation problem In-Reply-To: <715051.40754.qm@web94809.mail.in2.yahoo.com> References: <715051.40754.qm@web94809.mail.in2.yahoo.com> Message-ID: <4C5BFA7C.4080701@idirect.com> Prasanth Thandra wrote: > > Hi, > i am installing GNUPG 2.0.15 on RHEL4. As suggested by readme doc i installed > libgpg-error-1.8libgcrypt-1.4.5libassuan-2.0.0libksba-1.0.6pinentry-0.8.0 > using the instructions ./configure, make, make install .... in the above order. Finally i installed GNUPG 2.0.15. I have created .gnupg in my home dir, and gpg.conf using /usr/local/share/gnupg/gpg-conf.skel i added keyserver hkp://localhost (i configured local sks server for testing)keyserver-options auto-key-retrive. > i have generated a key-pair #gpg --gen-keysand exported to local keyserver #gpg --send-key KEYIDi have not faced any problem till then > BUT.. when i am trying to invoke gpg-agent, gpg2 or gpgsm iam getting > errors > [root at localhost ~]# gpg-agent --daemon > gpg-agent: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory > > [root at localhost ~]# gpg2 > gpg2: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory > [root at localhost ~]# gpgsm > gpgsm: error while loading shared libraries: libksba.so.8: cannot open shared object file: No such file or directory > i am clueless about what is happening or what to do to correct these errors... whether my installation was not complete ???? > PLEASE HELP ME ...THANKING YOU > Hello Prasanth Thandra I had the same problem with gpg2 in Ubuntu 10.04 , my solution was as follows: in the folder /etc/ld.so.conf.d create a file called gpg2.conf (as root) gpg2.conf contains one line "/usr/local/lib" (without quotes) reboot system or enter the command "ldconfig -v" (without quotes) gpg2 was able to find libksba.so.0 Tom Pegios From klaus at vink-slott.dk Fri Aug 6 16:07:31 2010 From: klaus at vink-slott.dk (Klaus Vink Slott) Date: Fri, 6 Aug 2010 16:07:31 +0200 Subject: Keypair is expiring. In-Reply-To: <1371226741.20100805191217@my_localhost> References: <4C5AC015.5090800@vink-slott.dk> <1371226741.20100805191217@my_localhost> Message-ID: <201008061607.42946.klaus@vink-slott.dk> Thursday 5. August 2010 20:12:17 MFPA wrote: > > Can I extend the life of the subkey or do I issue a new > > sub-key. > > You can extend the life of a subkey (when editing your key, select the > subkey then issue the "expire" command), but I've more often seen > people suggest replacing it. Thanks. I opted to extend the key life as I don't suspect that my key has been compromised. I think that in doing so the the gnupg program/handbook is not very good in explaining how to select key. I find it quite confusing that if you start the program with --edit-key [subkey-id] and issue a expire command - then I am offered to extend the life of the primary key. This let me to the conclusion that is was not possible to extend the validity on a subkey. My fault and now every thing is great for the next 5 years ;-) -- Klaus -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From klaus at vink-slott.dk Fri Aug 6 16:29:39 2010 From: klaus at vink-slott.dk (Klaus Vink Slott) Date: Fri, 6 Aug 2010 16:29:39 +0200 Subject: Keypair is expiring. In-Reply-To: <4C5B38C4.9000602@gmail.com> References: <4C5AC015.5090800@vink-slott.dk> <4C5B38C4.9000602@gmail.com> Message-ID: <201008061629.48866.klaus@vink-slott.dk> On Friday 6. August 2010 00:18:44 Faramir wrote: > ... > This tutorial is about using subkeys without the main key, but it > contains info about how to modify the expiration time of subkeys: > http://tjl73.altervista.org/secure_keygen/en/index.html This is a really good walk trough. Thanks. I will recommend it to others.. > > the servers don't seem to list my new expiry date when I search my key > > from the web interface. > > Maybe the chosen server is having issues and is not propagating the > changes? I'd wait some hours and check again. Yes after I updated my subkey I did another try and this time I succeeded. -- Thanks Klaus -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From awolff at newbreed.com Fri Aug 6 19:26:04 2010 From: awolff at newbreed.com (Wolff, Alex) Date: Fri, 6 Aug 2010 13:26:04 -0400 Subject: Message was not integrity protected. Message-ID: Hi. I know this has been dicussed before...but I have yet to see a resolution: A vendor encrypts data with our public key. We receive the file and we attempt to decrypt it. Although the file does get decrypted we receive the warning below. How do we avoid the warning..we think it is messing up our automated integration software we use to encrypt/exchange/decrypt files. Thank you! $ gpg --force-mdc --output testkey.txt --decrypt return-100806-06-06173908.txt.gpg You need a passphrase to unlock the secret key for user: "Lawson Admin (New Breed Corp) " 2048-bit ELG-E key, ID CCE12B6F, created 2010-07-21 (main key ID 23A60DF6) gpg: encrypted with 2048-bit ELG-E key, ID 48FD7CE5, created 2003-07-23 "CFT BatchOps " gpg: encrypted with 2048-bit ELG-E key, ID CCE12B6F, created 2010-07-21 "Lawson Admin (New Breed Corp) " File `testkey.txt' exists. Overwrite? (y/N) y gpg: WARNING: message was not integrity protected $ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Fri Aug 6 19:42:38 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 06 Aug 2010 13:42:38 -0400 Subject: Message was not integrity protected. In-Reply-To: References: Message-ID: <4C5C498E.4070909@sixdemonbag.org> On 8/6/2010 1:26 PM, Wolff, Alex wrote: > A vendor encrypts data with our public key. We receive the file and we > attempt to decrypt it. Although the file does get decrypted we receive > the warning below. How do we avoid the warning..we think it is messing > up our automated integration software we use to encrypt/exchange/decrypt > files. The Right Thing is, of course, to fix your script -- but until you can get that done, --disable-mdc should suppress that warning message. (I think. It's been a few years since I've needed to do this.) From mailinglisten at hauke-laging.de Fri Aug 6 19:46:37 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Fri, 6 Aug 2010 19:46:37 +0200 Subject: Message was not integrity protected. In-Reply-To: References: Message-ID: <201008061946.37733.mailinglisten@hauke-laging.de> Am Freitag 06 August 2010 19:26:04 schrieb Wolff, Alex: > How do we avoid the warning..we think it is messing > up our automated integration software we use to encrypt/exchange/decrypt > files. > gpg: WARNING: message was not integrity protected What is your problem, that there is no valid signature or just the warning itself? The signature is not damaged. No signature has been created at all. If there was a non-valid signature the error message (instead of a warning) would look like this: "gpg: decryption failed: Bad signature" Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Fri Aug 6 19:57:33 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 6 Aug 2010 13:57:33 -0400 Subject: Message was not integrity protected. In-Reply-To: <4C5C498E.4070909@sixdemonbag.org> References: <4C5C498E.4070909@sixdemonbag.org> Message-ID: On Aug 6, 2010, at 1:42 PM, Robert J. Hansen wrote: > On 8/6/2010 1:26 PM, Wolff, Alex wrote: >> A vendor encrypts data with our public key. We receive the file and we >> attempt to decrypt it. Although the file does get decrypted we receive >> the warning below. How do we avoid the warning..we think it is messing >> up our automated integration software we use to encrypt/exchange/decrypt >> files. > > The Right Thing is, of course, to fix your script -- but until you can > get that done, --disable-mdc should suppress that warning message. (I > think. It's been a few years since I've needed to do this.) That's the command to disable the MDC on the sending side. In this case, the sender is already not using a MDC. If you want to disable the warning for a missing MDC on the recipient side, use --no-mdc-warning. The Right Thing to do is to ask the sender to start using a MDC. If that isn't possible, then --no-mdc-warning will make the warning on the recipient side go away. David From rjh at sixdemonbag.org Fri Aug 6 19:59:43 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 06 Aug 2010 13:59:43 -0400 Subject: Message was not integrity protected. In-Reply-To: References: <4C5C498E.4070909@sixdemonbag.org> Message-ID: <4C5C4D8F.7040901@sixdemonbag.org> On 8/6/2010 1:57 PM, David Shaw wrote: > That's the command to disable the MDC on the sending side. In this > case, the sender is already not using a MDC. If you want to disable > the warning for a missing MDC on the recipient side, use > --no-mdc-warning. Thank you, yes, my error. One of those occasions when I knew the right answer, it just escaped onto the screen as something wrong. Apologies to the Alex for leading him (briefly) astray. From wegwerf4 at gmx.de Sat Aug 7 15:30:47 2010 From: wegwerf4 at gmx.de (wegwerf4 at gmx.de) Date: Sat, 7 Aug 2010 15:30:47 +0200 Subject: batch program to find my password - help please!!! Message-ID: <20100807133046.GA23928@ekaiser.de> Unfortunately I forgot my passphrase but can remember some characters and the position of them in the phrase. I wrote a bash-script to check a list of passwords which are all candidates. I also created a test-gpg-account to test the script before I run it with the quite longer list. Now the output of the test-script shows me that it works at a speed of about three tests per second and it finds the correct phrase. But if I run the same script in my actual environment, in the .gnupg directory I see the passwords running at a much higher speed. The output per check is the same. But this script doesn't find the passphrase. The script reads: ------------------------------------------------------------ #!/bin/bash echo $1 while read -r line do echo $line gpg --batch --yes --homedir /home/user/.gnupg -o zahl.txt --passphrase $line --decrypt zahl.gpg success=$? if [ $success -eq 0 ]; then echo "success: $line"; exit 0; fi done < $1 echo "No success" ------------------------------------------------------------------- Does anybody have any idea? Best Josef From sattva at pgpru.com Sat Aug 7 07:56:21 2010 From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Sat, 07 Aug 2010 12:56:21 +0700 Subject: Gnupg good for big groups? In-Reply-To: <4C5C0536.9090502@st.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> <4C5C0536.9090502@st.com> Message-ID: <4C5CF585.2010300@pgpru.com> David Smith (06.08.2010 19:51): > Note that there are no solutions that will prevent a user keeping a > decrypted copy of a previously-downloaded document, unless you use your > own custom-written browser and document viewer. How's that? A DRM? Don't forget a custom OS and a custom monitor to prevent a user making photo shots. -- Vlad "SATtva" Miller 3d viz | security & privacy consulting www.vladmiller.info | www.pgpru.com From dotancohen at gmail.com Sat Aug 7 16:57:38 2010 From: dotancohen at gmail.com (Dotan Cohen) Date: Sat, 7 Aug 2010 17:57:38 +0300 Subject: Gnupg good for big groups? In-Reply-To: References: Message-ID: On Wed, Aug 4, 2010 at 03:51, Snaky Love wrote: > Hi, > I would like to better understand: is gnupg good for big groups? > > I would like to encrypt communication in groups - not instant communication > like e.g. messengers like pidgin, but like on a forum or web-group - the > data persists in an archive, ?where the communication can be read. Members > are coming and leaving a group constantly - that means if somebody leaves > the group, she should not be able to read the content decrypted anymore, and > if anybody attaches the group all the old content optionally must be > encrypted with her key so she can read all data belonging to this group. > well, maybe you get the idea. It?s basically like a forum or mailing list > with an archive. > With my understanding of gnupg I see no other way than to store the data NOT > encrypted - in a database or wherever, perhaps on an encrypted disc to > compensate for the data not being encrypted - and then to encrypt the data > on the fly with the pubkey of the user after the user logged into the > website and is checked to belong to the right group. > But doing this would be stupid, as it would basically use gnupg only for > transport - but there is already SSL and TLS existing for this purpose. > So is there any trick to encrypt data at creation time for unknown future > users? > And how can I remove users from the group of allowed users without > re-encrypting the content? Is this possible to realize at all without having > to keep the original unencrypted content? > Is this scenario - group communication - not a use-case for gnupg at all? > Thank you very much for your attention! > Have a nice day, > Snaky > Sounds to me like you just need a password-protected online forum such as PHPbb or such. -- Dotan Cohen http://gibberish.co.il http://what-is-what.com From faramir.cl at gmail.com Sat Aug 7 18:12:40 2010 From: faramir.cl at gmail.com (Faramir) Date: Sat, 07 Aug 2010 12:12:40 -0400 Subject: Keypair is expiring. In-Reply-To: <201008061607.42946.klaus@vink-slott.dk> References: <4C5AC015.5090800@vink-slott.dk> <1371226741.20100805191217@my_localhost> <201008061607.42946.klaus@vink-slott.dk> Message-ID: <4C5D85F8.9020609@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 06-08-2010 10:07, Klaus Vink Slott escribi?: ... > offered to extend the life of the primary key. This let me to the conclusion > that is was not possible to extend the validity on a subkey. My fault and now > every thing is great for the next 5 years ;-) Yes, it will be good until 05-08-2015 Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMXYX4AAoJEMV4f6PvczxAWv0IAKpATPaBuW0yagSdTBY7iu7q f/ZWmpjreyHRy9o8tnseeQd9lF7miYLLQB4p5Qecw/JV+3qApN0mYvp87qqJaSKK vpe1q8Rc1F9K3/5+LxQvHcmNqvcaeGEQC25bbqOYlwGzn9rkXdrlPX1UnR43WZzs ZoAiYe8fUAoCwowZUEmdyRw2unQDVAkm2mJDvRWxPxfp9N2WKVmS0m+chPrby3mo o8M8tfuJOlAGnGg4rGAeJanzx/DACB2BDlBPNZoxVcOI5FKEw4ZRIxjq8DViaetG zTjaqayUhysExu6rZ5CA9YYgG1r7/ItsnpbsfqW6LBkAy1smHx6Ui0naCSBTN/A= =kkc6 -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Aug 7 19:58:09 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 7 Aug 2010 18:58:09 +0100 Subject: Gnupg good for big groups? In-Reply-To: <1281047557.13753.19.camel@ubuntu> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <282533062.20100805190016@my_localhost> <1281047557.13753.19.camel@ubuntu> Message-ID: <683763603.20100807185809@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 5 August 2010 at 11:32:37 PM, in , Robert J. Hansen wrote: > So the question isn't whether key management is the > major reason why people sign up and don't hang around > -- the question is more whether key management is a > major expense which adversely affects the cost-benefit > ratio. Fair enough. > As an example, if I were to start posting tomorrow's > winning lottery numbers to PGPNET, If you have them, could you PM them to me, please? (-; > Some years ago I offered to write a tool for the group > which would help manage the key problem. (Kind of.) > The idea was to write a small Windows app that would > automatically download the membership list once a day > and update Enigmail's pgprules.xml file. This meant > Enigmail users would no longer be maintaining > per-recipient rule lists by hand (which is tedious, > error-prone, and frustrating for newbies). The process > would be entirely automated. > Ultimately, the group decided not to take me up on the > offer -- the overwhelming opinion was that they'd > rather get experience editing pgprules.xml by hand. > C'est la vie. :) Whether fully automated or ran on demand, I'm quite surprised *nobody* was interested. I don't use Thunderbird/Enigmail, so it wouldn't help me; I make use of jasontik's group line generator to update the group line in my gpg.conf after roll-calls or after a period of absence from the group - other than that I just edit that line manually to add or delete the odd key ID. > It sounds like a great idea, up until you consider that > even if the spam overhead problem is reduced by a > factor of 10, that gain gets obliterated once a few > more people join the network. The spam overhead > follows an exponential growth. When dealing with > exponential curves, linear reductions -- even large > linear reductions -- are pretty much meaningless. I take it the "spam overhead problem" you refer to is things like "not encrypted to my key" messages? - -- Best regards MFPA mailto:expires2010 at ymail.com A closed mouth gathers no foot -----BEGIN PGP SIGNATURE----- iQCVAwUBTF2eu6ipC46tDG5pAQqU2gP/d/x/NR6CpcNe/b/HLHhy6T0EQNGUuuPr 6qqyoZXxeTDHtSq834p529CY3RRAJxded7IDkEkkcaXPajhQ4V28CU9ZGplMm6Nb HlHW5cj09XOeDY+VLEQt9b7iw0uGbWWBXv96LHMtQH4hYQsGf+6O6lNyiihcMCFs wrCwjaAzfaY= =XMAh -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Aug 7 20:11:25 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 7 Aug 2010 19:11:25 +0100 Subject: Keypair is expiring. In-Reply-To: <201008061607.42946.klaus@vink-slott.dk> References: <4C5AC015.5090800@vink-slott.dk> <1371226741.20100805191217@my_localhost> <201008061607.42946.klaus@vink-slott.dk> Message-ID: <848362803.20100807191125@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 6 August 2010 at 3:07:31 PM, in , Klaus Vink Slott wrote: > I > find it quite confusing that if you start the program > with --edit-key [subkey-id] and issue a expire command > - then I am offered to extend the life of the primary > key. This let me to the conclusion that is was not > possible to extend the validity on a subkey. Yes, this is one of the situations in which the subkey ID stands as an alias for the primary key ID. FWIW, I tried prepending an exclamation mark to the subkey ID but it didn't help. - -- Best regards MFPA mailto:expires2010 at ymail.com I hit the CTRL key but I'm still not in control! -----BEGIN PGP SIGNATURE----- iQCVAwUBTF2h16ipC46tDG5pAQr5EgQAhWFo1akt8ZkMJUFTfRNLajygLvqgzJkT FRZtb8qTxCQyLWEOPXFy+j+Rl23z7rcLLyxaEI0af3y6l8005zDo3y9gYJ20ZwBd Qgu4a1EA1mFaCXBB82kXRNSP9oIjt/hp+wTWHOT0SqUHVSMFkfPMDTImSxA6VjvC EK0WOUInIvQ= =UUJU -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Aug 7 20:22:19 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 07 Aug 2010 14:22:19 -0400 Subject: Gnupg good for big groups? In-Reply-To: <683763603.20100807185809@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <282533062.20100805190016@my_localhost> <1281047557.13753.19.camel@ubuntu> <683763603.20100807185809@my_localhost> Message-ID: <4C5DA45B.2040205@sixdemonbag.org> On 8/7/2010 1:58 PM, MFPA wrote: > Whether fully automated or ran on demand, I'm quite surprised *nobody* > was interested. One person said they would use it. The overall reaction was negative. These things happen. Sometimes, the tool you think people need isn't the tool they want. :) > I take it the "spam overhead problem" you refer to is things like "not > encrypted to my key" messages? Yep. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From free10pro at gmail.com Sat Aug 7 21:59:45 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sat, 07 Aug 2010 12:59:45 -0700 Subject: Gnupg good for big groups? In-Reply-To: <4C59AA25.6080505@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> Message-ID: <4C5DBB31.3090709@gmail.com> On Wed, 04 Aug 2010 13:57:57 -0400, Robert J. Hansen wrote: > It is also worth noting that PGPNET has some very big problems with key > management. PGPNET users are apparently comfortable wrestling with > these problems (more power to them for that), but we shouldn't pretend > the problems don't exist. > > In a completely connected graph of N nodes there are (N^2 - N)/2 > different edges. Or, in English, 40 members equals 780 separate > communications links, each one of which can fail and produce problems > for other people. The network begins to get spammed with "that last > message wasn't encrypted to my new key, please re-send." The network > slowly begins to drown with communications overhead: key > synchronization, resend requests, failure notifications, etc. PGPNET is > probably operating pretty close to the limits of OpenPGP. At some point > the math bites you hard and doesn't let go. Well, I have some numbers to show the frequency of NETMK (Not Encrypted To My Key) messages. I was on the PGPNET mailing list for just over three months, and these are my findings (note that all of these numbers are from the day that I joined to the day that roll call ended and my key was removed). 681 Messages sent by members of the list 628 Encrypted messages 36 NETMK messages 37-41 Keys 37-40 Members 32 Members sent encrypted messages 13 Members were responsible for not encrypting to someone's key 12 Members sent NETMK messages And for what it's worth: 22 Messages weren't encrypted to my key So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint. Hope this is enlightening. :-) -Paul From faramir.cl at gmail.com Sun Aug 8 02:30:22 2010 From: faramir.cl at gmail.com (Faramir) Date: Sat, 07 Aug 2010 20:30:22 -0400 Subject: Gnupg good for big groups? In-Reply-To: <4C5DBB31.3090709@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> Message-ID: <4C5DFA9E.9010504@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 07-08-2010 15:59, Paul Richard Ramer escribi?: ... > So for me that makes approximately 1 in 29 encrypted messages was not > encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 > in 12 of all messages was either not encrypted to my key or a NETMK > complaint. > > Hope this is enlightening. :-) The interesting thing, is a lot of times the NETMK messages are caused by less active members who (somehow) broken their configurations. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMXfqdAAoJEMV4f6PvczxAcOMH/24oZnWBGWeipdn09Sbt3Kg2 nhaKFaoebB91EUHVUioEEnuUtuVDsa5M8MXV101wSTjOAk/otIoL4nvJ/I55aXJZ gcsCo7HYF0lvFBhDdAGhJTwdyZ2Xo24yIW3A+V7JEYIjMz+0N1/1dHtDv8GDTK+F RPmX3WMbMiAYEpOuoA4LdBHuKvR2KCG7nyqRFjf7UB7SB2y3k3a1+fmdGBOAvPAU YYZKjneeinCdxeq7uQ/L/xmjXuzXNs2iQKZD6XI0tt22485TZghS2GD0wzXlCGVY 1vtSpy0Zig+2wcakwprAVjXotUN+7xSQX7WO1AlhiV1KzUKK5v2O6yzGxU2g3Ng= =iVBn -----END PGP SIGNATURE----- From free10pro at gmail.com Sun Aug 8 09:22:55 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sun, 08 Aug 2010 00:22:55 -0700 Subject: Gnupg good for big groups? In-Reply-To: <4C5DBB31.3090709@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> Message-ID: <4C5E5B4F.6030903@gmail.com> On Sat, 07 Aug 2010 12:59:45 -0700, Paul Richard Ramer wrote: > 681 Messages sent by members of the list > 628 Encrypted messages > 36 NETMK messages > 37-41 Keys > 37-40 Members > 32 Members sent encrypted messages > 13 Members were responsible for not encrypting to someone's key > 12 Members sent NETMK messages > > And for what it's worth: > > 22 Messages weren't encrypted to my key > > So for me that makes approximately 1 in 29 encrypted messages was not > encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 > in 12 of all messages was either not encrypted to my key or a NETMK > complaint. My apology. Two of the numbers that I posted were wrong. The total of encrypted messages should be 641, and the number of members who didn't encrypt to someone's key was 18. Also, note that the ratios that I gave are still correct despite the corrections. I have reposted the original message with the corrected numbers below. -Paul -----Corrected message below----- Well, I have some numbers to show the frequency of NETMK (Not Encrypted To My Key) messages. I was on the PGPNET mailing list for just over three months, and these are my findings (note that all of these numbers are from the day that I joined to the day that roll call ended and my key was removed). 681 Messages sent by members of the list 641 Encrypted messages 36 NETMK messages 37-41 Keys 37-40 Members 32 Members sent encrypted messages 18 Members were responsible for not encrypting to someone's key 12 Members sent NETMK messages And for what it's worth: 22 Messages weren't encrypted to my key So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint. From free10pro at gmail.com Sun Aug 8 09:39:07 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sun, 08 Aug 2010 00:39:07 -0700 Subject: Gnupg good for big groups? In-Reply-To: <4C5DFA9E.9010504@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <4C5DFA9E.9010504@gmail.com> Message-ID: <4C5E5F1B.80402@gmail.com> On Sat, 07 Aug 2010 20:30:22 -0400, Faramir wrote: > El 07-08-2010 15:59, Paul Richard Ramer escribi?: > ... >> So for me that makes approximately 1 in 29 encrypted messages was not >> encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 >> in 12 of all messages was either not encrypted to my key or a NETMK >> complaint. > >> Hope this is enlightening. :-) > > The interesting thing, is a lot of times the NETMK messages are caused > by less active members who (somehow) broken their configurations. True. In fact over a third of all NETMK messages (14 to be exact) were to members who posted fewer than ten messages in that three month period. -Paul From rjh at sixdemonbag.org Sun Aug 8 09:45:23 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 08 Aug 2010 03:45:23 -0400 Subject: Gnupg good for big groups? In-Reply-To: <4C5E5F1B.80402@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <4C5DFA9E.9010504@gmail.com> <4C5E5F1B.80402@gmail.com> Message-ID: <4C5E6093.9060802@sixdemonbag.org> On 8/8/2010 3:39 AM, Paul Richard Ramer wrote: > True. In fact over a third of all NETMK messages (14 to be exact) were > to members who posted fewer than ten messages in that three month period. This is expected, and it's not specific to PGPNET. Communication links that get used tend to be better-maintained than ones that don't: small problems are discovered and fixed in the natural course of using them. Compare to a link you don't use for six months -- by the time you need it, everything has changed and your link totally fails. It's one of the reasons why any communication channel you plan on relying on in an emergency should be regularly tested to make sure it performs the way you expect. (We are arguably getting pretty far afield from GnuPG, but I believe this conversation is still germane to GnuPG usage. If people object, say the word.) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From kloecker at kde.org Sun Aug 8 11:07:25 2010 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sun, 08 Aug 2010 11:07:25 +0200 Subject: Gnupg good for big groups? In-Reply-To: <4C5DA45B.2040205@sixdemonbag.org> References: <683763603.20100807185809@my_localhost> <4C5DA45B.2040205@sixdemonbag.org> Message-ID: <201008081107.30380@thufir.ingo-kloecker.de> On Saturday 07 August 2010, Robert J. Hansen wrote: > On 8/7/2010 1:58 PM, MFPA wrote: > > Whether fully automated or ran on demand, I'm quite surprised > > *nobody* was interested. > > One person said they would use it. The overall reaction was > negative. These things happen. Sometimes, the tool you think people > need isn't the tool they want. :) And sometimes people think they don't want or need it until they have tried it and realize that they cannot live without it anymore. :-) Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Sun Aug 8 16:49:40 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 8 Aug 2010 15:49:40 +0100 Subject: Gnupg good for big groups? In-Reply-To: <4C5DBB31.3090709@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> Message-ID: <114650791.20100808154940@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 7 August 2010 at 8:59:45 PM, in , Paul Richard Ramer wrote: > Well, I have some numbers to show the frequency of > NETMK (Not Encrypted To My Key) messages. I was on the > PGPNET mailing list for just over three months, and > these are my findings (note that all of these numbers > are from the day that I joined to the day that roll > call ended and my key was removed). Around 28th February to the end of June. (-; > 681 Messages sent by members of the list > 628 Encrypted messages I'm surprised the difference is so large - it doesn't "feel like" that large a proportion is unencrypted. But that number not encrypted looks correct if it includes about ten notification messages from Yahoo about new file uploads, etc. > 36 NETMK messages I have difficulty counting those because my email program is poor at searching inside encrypted messages. It finds six plaintext, and this only rises to 13 if I tell it to also look inside encrypted messages; I know this is a very long way short. > 13 Members were responsible for not encrypting to someone's key > 12 Members sent NETMK messages > And for what it's worth: > 22 Messages weren't encrypted to my key How many of these 22 were within the first week or so? I find very few messages not encrypted to mine. > So for me that makes approximately 1 in 29 encrypted > messages was not encrypted to my key, That's quite high; I would hope for a significantly better figure if you calculated it from about a week after you posted your key. > 1 in 19 of all messages was a NETMK message, That feels about right (-; > and 1 in 12 of all messages was either not encrypted to my key or a > NETMK complaint. Wow! > Hope this is enlightening. :-) It is. I'm quite surprised at the proportion of unencrypted messages, and at the proportion of members not encrypting to somebody's key. I would hope that latter figure dropped significantly if non-encryption to keys posted within the last week were disregarded. - -- Best regards MFPA mailto:expires2010 at ymail.com The truth is out there. -----BEGIN PGP SIGNATURE----- iQCVAwUBTF7EDaipC46tDG5pAQpTNQP/aFENDdIT4rvVQq9U0gk02nP87O7jyAiR Nv7UpJVSi4pFDhzQXjhxE4KBfyye3dLnh0BgScXGuYAB/9dpTKDMa9zS0Znql+5c ETfCrYIYmj/vuIysutxzidYFIrfFH3qcvdLAvPLJGLj6d3m9WKQtfgfOt0gjGQt0 vXg4LHQuwkY= =ZiB/ -----END PGP SIGNATURE----- From expires2010 at ymail.com Sun Aug 8 16:59:12 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 8 Aug 2010 15:59:12 +0100 Subject: Gnupg good for big groups? In-Reply-To: <201008081107.30380@thufir.ingo-kloecker.de> References: <683763603.20100807185809@my_localhost> <4C5DA45B.2040205@sixdemonbag.org> <201008081107.30380@thufir.ingo-kloecker.de> Message-ID: <1469072329.20100808155912@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 8 August 2010 at 10:07:25 AM, in , Ingo Kl?cker wrote: > On Saturday 07 August 2010, Robert J. Hansen wrote: >> Sometimes, the tool you think people need isn't the >> tool they want. :) > And sometimes people think they don't want or need it > until they have tried it and realize that they cannot > live without it anymore. :-) Anybody who engages in DIY will have experienced that! - -- Best regards MFPA mailto:expires2010 at ymail.com My mind works like lightning... one brilliant flash and it's gone -----BEGIN PGP SIGNATURE----- iQCVAwUBTF7GSKipC46tDG5pAQqKSgP+M4z56wem/nj1DV7d7worTPbCMzzEinCa mFALAtsLt2SrDWU+XAS+kVZ2tNQ3cs4FwIvgEWyH/3pkYNMzpICCI8qezvXtZMuc d7NW4TdIRop+xDyERgZP+eEP0fhXi6xZjjR21xo6QAw+kHypj+YgqyJWAQykiCb+ PY7h6jqR1AY= =RZaB -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sun Aug 8 18:44:21 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 08 Aug 2010 12:44:21 -0400 Subject: Gnupg good for big groups? In-Reply-To: <114650791.20100808154940@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> Message-ID: <4C5EDEE5.1060304@sixdemonbag.org> On 8/8/2010 10:49 AM, MFPA wrote: > How many of these 22 were within the first week or so? > I find very few messages not encrypted to mine. Again, network theory to the rescue. Generally speaking, nodes that carry little traffic are responsible for more problems than those that carry a lot. There are of course exceptions. > It is. I'm quite surprised at the proportion of unencrypted messages, > and at the proportion of members not encrypting to somebody's key. I > would hope that latter figure dropped significantly if non-encryption > to keys posted within the last week were disregarded. Right, but at that point you're coming close to cherrypicking -- disregarding data points in order to reach a result that's more in line with your preconceptions. Nobody ever wakes up and says, "today I think I'll cherrypick." It's almost always a subconscious process: "well, I can disregard that data, it's clearly anomalous because..." Sometimes, data really /is/ anomalous and has to be thrown out. If you were to pick a random sample of 100 people and come to an average of their incomes, you should disregard Bill Gates if he happens to be in your data set. More often than not, though, anomalous data isn't anomalous at all -- it just illuminates a part of the problem you didn't know existed. From wegwerf4 at gmx.de Sun Aug 8 18:47:49 2010 From: wegwerf4 at gmx.de (wegwerf4 at gmx.de) Date: Sun, 8 Aug 2010 18:47:49 +0200 Subject: batch program to find my password - help please!!! In-Reply-To: <20100807133046.GA23928@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> Message-ID: <20100808164749.GA25652@ekaiser.de> Just a repetition of my question, in a different way: Does anybody out there know of any script to brute force a list of passphrases? Josef From rjh at sixdemonbag.org Sun Aug 8 18:55:30 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 08 Aug 2010 12:55:30 -0400 Subject: batch program to find my password - help please!!! In-Reply-To: <20100808164749.GA25652@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: <4C5EE182.2010305@sixdemonbag.org> On 8/8/2010 12:47 PM, wegwerf4 at gmx.de wrote: > Just a repetition of my question, in a different way: > Does anybody out there know of any script to brute force a > list of passphrases? Ten lines of Perl will do it. However, you might be waiting a really long time. If you have lost your passphrase, there is effectively nothing anyone can do to help you. From mlisten at hammernoch.net Sun Aug 8 19:00:43 2010 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Sun, 08 Aug 2010 19:00:43 +0200 Subject: batch program to find my password - help please!!! In-Reply-To: <20100808164749.GA25652@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: <4C5EE2BB.9000102@hammernoch.net> wegwerf4 at gmx.de wrote on 08.08.10 18:47: > Just a repetition of my question, in a different way: > Does anybody out there know of any script to brute force a > list of passphrases? nasty. http://www.vanheusden.com/nasty/ Ludwig From christoph.anton.mitterer at physik.uni-muenchen.de Sun Aug 8 19:00:05 2010 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Sun, 08 Aug 2010 19:00:05 +0200 Subject: batch program to find my password - help please!!! In-Reply-To: <20100808164749.GA25652@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: <1281286805.3232.45.camel@fermat.scientia.net> http://www.roguedaemon.net/rephrase/ or google.com Cheers, Chris. From email at sven-radde.de Sun Aug 8 22:52:46 2010 From: email at sven-radde.de (Sven Radde) Date: Sun, 08 Aug 2010 22:52:46 +0200 Subject: batch program to find my password - help please!!! In-Reply-To: <20100808164749.GA25652@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: <4C5F191E.3000803@sven-radde.de> Hi! Am -10.01.-28163 20:59, schrieb wegwerf4 at gmx.de: > Just a repetition of my question, in a different way: > Does anybody out there know of any script to brute force a > list of passphrases? Something called "rephrase" may be of help for you: I have no detailed idea how it works, I just found the package in Ubuntu by chance: cu, Sven From jeff.sadowski at gmail.com Mon Aug 9 00:29:28 2010 From: jeff.sadowski at gmail.com (Jeff Sadowski) Date: Sun, 8 Aug 2010 16:29:28 -0600 Subject: batch program to find my password - help please!!! In-Reply-To: <20100808164749.GA25652@ekaiser.de> References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: On Sun, Aug 8, 2010 at 10:47 AM, wrote: > Just a repetition of my question, in a different way: > Does anybody out there know of any script to brute force a > list of passphrases? > I never tried it before but maybe jack the ripper might help. I've only heard of it, never tried it. There was a procedure to try and get the old key less trusted and tell people to use a new key. Maybe someone can post the link to the page that tells you how to do that before I can find it. > Josef > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From free10pro at gmail.com Mon Aug 9 08:30:40 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sun, 08 Aug 2010 23:30:40 -0700 Subject: Gnupg good for big groups? In-Reply-To: <114650791.20100808154940@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> Message-ID: <4C5FA090.4080605@gmail.com> Hi MFPA, Sun, 8 Aug 2010 15:49:40 +0100, MFPA wrote: >> 681 Messages sent by members of the list >> 628 Encrypted messages > > I'm surprised the difference is so large - it doesn't "feel like" that > large a proportion is unencrypted. But that number not encrypted looks > correct if it includes about ten notification messages from Yahoo > about new file uploads, etc. Actually, the number of encrypted messages that I originally posted was incorrect. The real number is 641. I replied to my original post and posted the correct numbers. You can find them at this link http://lists.gnupg.org/pipermail/gnupg-users/2010-August/039335.html. No Yahoo notifications were counted in any of the numbers that I posted, since none of those messages were from someone on or joining the list. But all other messages were counted, including my initial post of my public key. >> 36 NETMK messages > > I have difficulty counting those because my email program is poor at > searching inside encrypted messages. It finds six plaintext, and this > only rises to 13 if I tell it to also look inside encrypted messages; > I know this is a very long way short. 36 is correct. I took note of every NETMK (Not Encrypted To My Key) message, who was complaining, and who hadn't encrypted. Also note that 36 NETMK messages does not mean 36 messages that weren't encrypted to someone's key. Sometimes a person had multiples messages that he couldn't decrypt, and sometimes multiple people responded to the same initial message with NETMK messages. >> 13 Members were responsible for not encrypting to someone's key >> 12 Members sent NETMK messages >> And for what it's worth: >> 22 Messages weren't encrypted to my key > > How many of these 22 were within the first week or so? > I find very few messages not encrypted to mine. I agree with Hansen that this is seems almost like cherry picking, but I will give it to you anyway. Six in the first week and four in the last week. But before you say, "Ah ha," know that four of the first week's messages were from a person that had successfully sent encrypted messages to me prior in that same week. Also two of the last week's were not due to someone removing my key from his list of keys. In both cases someone else couldn't read the poster's message and the poster replied with a message the NETMK complainer and I could read. It's not that you need this much detail, but without it you might come to incorrect conclusions about the causes of the messages that I couldn't decrypt. >> and 1 in 12 of all messages was either not encrypted to my key or a >> NETMK complaint. > > Wow! > >> Hope this is enlightening. :-) > > It is. I'm quite surprised at the proportion of unencrypted messages, > and at the proportion of members not encrypting to somebody's key. I > would hope that latter figure dropped significantly if non-encryption > to keys posted within the last week were disregarded. As for the proportion of unencrypted message, see the top of this message. No one sent NETMK messages in the last week. But if I deduct the 4 messages that I could not decrypt that were sent in the last week, then the ratio of NETMK messages plus messages not encrypted me to all messages is approximately 1 in 13. -Paul From free10pro at gmail.com Mon Aug 9 08:24:57 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sun, 08 Aug 2010 23:24:57 -0700 Subject: Gnupg good for big groups? In-Reply-To: <4C5DFA9E.9010504@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <4C5DFA9E.9010504@gmail.com> Message-ID: <4C5F9F39.2090804@gmail.com> On Sat, 07 Aug 2010 20:30:22 -0400, Faramir wrote: > The interesting thing, is a lot of times the NETMK messages are caused > by less active members who (somehow) broken their configurations. Actually, the most amusing and bizarre mistake is that people sometimes encrypt to only *their* key. That happened 30% of the time. -Paul From calestyo at scientia.net Sun Aug 8 00:07:34 2010 From: calestyo at scientia.net (Christoph Anton Mitterer) Date: Sun, 08 Aug 2010 00:07:34 +0200 Subject: policy url is not set on selfsigs Message-ID: <1281218854.7661.168.camel@fermat.scientia.net> Hi. I've just realised that policy URLs (--set-policy-urls) seem to be not set on self-sigs (e.g. when resigning the key via changing the prefs or so). If that's not a bug,... why have you chosen not to put it on self-sigs? AFAIU RFC4880 it's just the policy under which a signature was made. So one could under the url used for the selfsigs find, the policy of the key itself (e.g.). Cheers, Chris. btw: Can anybody tell me what --sig-keyserver-url is? Is that simply for setting the perferred keyserver sig subpacket (23)? Why does it say something about data signs? I thought that should go onto self-sigs? From snakylove at googlemail.com Fri Aug 6 15:38:05 2010 From: snakylove at googlemail.com (Snaky Love) Date: Fri, 6 Aug 2010 15:38:05 +0200 Subject: Gnupg good for big groups? In-Reply-To: <4C5C0536.9090502@st.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> <4C5C0536.9090502@st.com> Message-ID: Hi David, thank you very much for your explanation! May I ask a few final questions about this issue: - are there any tools at all that handle the "group crypto + archive" use-case satisfactory? (Yes, PM me your ads :) - what is the current state of research regarding groups and cryptography? I am not a crypto-scientist, so my speculation might be laughable - but for me it looks like there is a big vacuum to be filled with some new crypto algorithms - considering that group-like applications are becoming mainstream on the net - where is the crypto tool that will help us keep our privacy within these "social" networks? How many people are working on this and what are they coming up with? Thanks again for your attention! Snaky -------------- next part -------------- An HTML attachment was scrubbed... URL: From marcio.barbado at gmail.com Mon Aug 9 16:28:59 2010 From: marcio.barbado at gmail.com (Marcio B. Jr.) Date: Mon, 9 Aug 2010 11:28:59 -0300 Subject: Gnupg good for big groups? In-Reply-To: References: Message-ID: I guess all you need is proper "read" and "write" privileges management. Regards, On Tue, Aug 3, 2010 at 9:51 PM, Snaky Love wrote: > Hi, > I would like to better understand: is gnupg good for big groups? > > I would like to encrypt communication in groups - not instant communication > like e.g. messengers like pidgin, but like on a forum or web-group - the > data persists in an archive, ?where the communication can be read. Members > are coming and leaving a group constantly - that means if somebody leaves > the group, she should not be able to read the content decrypted anymore, and > if anybody attaches the group all the old content optionally must be > encrypted with her key so she can read all data belonging to this group. > well, maybe you get the idea. It?s basically like a forum or mailing list > with an archive. > With my understanding of gnupg I see no other way than to store the data NOT > encrypted - in a database or wherever, perhaps on an encrypted disc to > compensate for the data not being encrypted - and then to encrypt the data > on the fly with the pubkey of the user after the user logged into the > website and is checked to belong to the right group. > But doing this would be stupid, as it would basically use gnupg only for > transport - but there is already SSL and TLS existing for this purpose. > So is there any trick to encrypt data at creation time for unknown future > users? > And how can I remove users from the group of allowed users without > re-encrypting the content? Is this possible to realize at all without having > to keep the original unencrypted content? > Is this scenario - group communication - not a use-case for gnupg at all? > Thank you very much for your attention! > Have a nice day, > Snaky > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Marcio Barbado, Jr. From Dave.Smith at st.com Mon Aug 9 18:03:02 2010 From: Dave.Smith at st.com (David Smith) Date: Mon, 9 Aug 2010 17:03:02 +0100 Subject: Gnupg good for big groups? In-Reply-To: References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <1678416438.20100805001259@my_localhost> <969383F3-31BE-4ADE-94F3-4163365C1B07@sixdemonbag.org> <4C5A0F2E.4020005@jameshoward.us> <4C5C0536.9090502@st.com> Message-ID: <4C6026B6.7090309@st.com> Snaky Love wrote: > Hi David, > > thank you very much for your explanation! > > May I ask a few final questions about this issue: > > - are there any tools at all that handle the "group crypto + archive" > use-case satisfactory? (Yes, PM me your ads :) > - what is the current state of research regarding groups and cryptography? > > I am not a crypto-scientist, so my speculation might be laughable - but > for me it looks like there is a big vacuum to be filled with some new > crypto algorithms - considering that group-like applications are > becoming mainstream on the net - where is the crypto tool that will help > us keep our privacy within these "social" networks? How many people are > working on this and what are they coming up with? I'm afraid that my answer to both of your questions is "I don't know". I suspect that there is a fundamental problem with trying to achieve the "group" functionality that you want using standard crypto. The problem is that information cannot be created or destroyed. Once someone has the information required to decrypt the destination file, you cannot prevent that person from decrypting the file at a future date, unless you modify the encrypted file in some way (i.e. by re-encrypting it with a new key). I guess that there are some possible half-way solutions (for example, a tool that could modify an existing encrypted file to add a new session key encryption (thus giving a new user access to the file) or removing an old session key encryption (thus removing a user's ability to access the file) without re-doing the encryption of the target data itself; the user doing this operation (the web server or admin) would need to be on the recipient list of the file already. Also, there could be other ways of doing a similar thing within current tools by splitting the keys out across different files. I think it just depends on what level of security you want - the above proposal still has potential problems - for example, what if the user took a copy of the session key of every file before leaving? From expires2010 at ymail.com Mon Aug 9 19:34:53 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 9 Aug 2010 18:34:53 +0100 Subject: Gnupg good for big groups? In-Reply-To: <4C5FA090.4080605@gmail.com> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> <4C5FA090.4080605@gmail.com> Message-ID: <6810157498.20100809183453@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 9 August 2010 at 7:30:40 AM, in , Paul Richard Ramer wrote: > Actually, the number of encrypted messages that I > originally posted was incorrect. The real number is > 641. I replied to my original post and posted the > correct numbers. Yes, I received that message shortly after posting mine. >> I have difficulty counting those because my email >> program is poor at searching inside encrypted >> messages. It finds six plaintext, and this only rises >> to 13 if I tell it to also look inside encrypted >> messages; I know this is a very long way short. > 36 is correct. I was not disputing... > I took note of every NETMK (Not > Encrypted To My Key) message, who was complaining, and > who hadn't encrypted. Actually analysed and noted it down at the time? That's keen. >> How many of these 22 were within the first week or so? >> I find very few messages not encrypted to mine. > I agree with Hansen that this is seems almost like > cherry picking, My rationale was that I would expect the volume of messages not encrypted to a particular key to be highest before folks had time to notice it had been posted, and to then reduce to a more uniform level. I just wondered if the figures would bear this out. > but I will give it to you anyway. Six > in the first week and four in the last week. And a total of 12 spread over the fifteen weeks or so in between. Which proves nothing, of course. > But before you say, "Ah ha," know that four of the > first week's messages were from a person that had > successfully sent encrypted messages to me prior in > that same week. Yes, some people use more than one set-up for their encryption and don't update everything at the same time. Which is one reason why the incidence of missing a key from the encryption does not tail off as much after a few days from it's introduction as might be expected. - -- Best regards MFPA mailto:expires2010 at ymail.com Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTGA8Q6ipC46tDG5pAQq/rQP7B1R6Rchn7mR/YQeYkqqUbBHW1aaNeNOt W4WRrOEb4zB9flvI3n30Mo0fs5Ca5pkZXTaQ0ItajXOloNn66/UPp+H/XWWbsoDJ lmNNUG2kqNyoCOKpwt6oLBrzUIN0ZPIjZUUX2tJjQvFDoHJDp9a0Q40HVEzMYf4o aLf4s1CSDU4= =Po6I -----END PGP SIGNATURE----- From expires2010 at ymail.com Mon Aug 9 19:48:43 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 9 Aug 2010 18:48:43 +0100 Subject: Gnupg good for big groups? In-Reply-To: <4C5EDEE5.1060304@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> <4C5EDEE5.1060304@sixdemonbag.org> Message-ID: <1587478966.20100809184843@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 8 August 2010 at 5:44:21 PM, in , Robert J. Hansen wrote: > Right, but at that point you're coming close to > cherrypicking -- disregarding data points in order to > reach a result that's more in line with your > preconceptions. Nobody ever wakes up and says, "today > I think I'll cherrypick." It's almost always a > subconscious process: "well, I can disregard that data, > it's clearly anomalous because..." I worded that very badly. Rather than throwing away data, I was trying to suggest looking at it in more detail. As a whole from day 1 to day n, the proportion not encrypted to the key was x. Fine as far as it goes, but did the figures confirm or refute my expectation that the proportion would be higher in the first few days and then decline to a steady level? - -- Best regards MFPA mailto:expires2010 at ymail.com Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTGA/fqipC46tDG5pAQofbwP+Lu/CZHhuRwwugUHZr0RU3rliFNTPnxZ2 Cr9ErYW9z7JXlwtoxOiUoUTzpgNRrHDgJGTZ7wGB2o4gSUQdH96c+eTimn0SpSzl Qnf1rmDYcYRY2HK680oHVSdgQpRyp1IaViCsqV2KifGWP87wnZS3d3rzedSYmM6L NeriaL7n19k= =K5IZ -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Mon Aug 9 19:55:41 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 09 Aug 2010 13:55:41 -0400 Subject: Gnupg good for big groups? In-Reply-To: <1587478966.20100809184843@my_localhost> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> <4C5EDEE5.1060304@sixdemonbag.org> <1587478966.20100809184843@my_localhost> Message-ID: <4C60411D.4020300@sixdemonbag.org> On 8/9/2010 1:48 PM, MFPA wrote: > I worded that very badly. Rather than throwing away data, I was trying > to suggest looking at it in more detail. As a whole from day 1 to day > n, the proportion not encrypted to the key was x. Fine as far as it > goes, but did the figures confirm or refute my expectation that the > proportion would be higher in the first few days and then decline to a > steady level? You would have to ask Paul. I suspect, though, that with only a low-thirtysomething number of nodes and a total number of messages in the neighborhood of six hundred, that there's not much confidence to be had in any trend. Gross behaviors (the combinatoric explosion of edges as new nodes enter the graph, churn in the fringes, etc.) are fairly easy to recognize in even small data sets. Subtle behaviors (figuring out precisely what the problem die-off is) are difficult to discover and require some pretty sophisticated knowledge of statistics -- far beyond my own capabilities. From prasanth_thandra at yahoo.co.in Tue Aug 10 05:29:08 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Tue, 10 Aug 2010 08:59:08 +0530 (IST) Subject: (SOLVED)Re: gnupg installation problem gpg(working) , gpg2 & spgsm (are not working) In-Reply-To: <4C5BFA7C.4080701@idirect.com> Message-ID: <399546.65205.qm@web94802.mail.in2.yahoo.com> Dear Tom i followed the instructions of you ... i worked for me too like magic... Thanks alot..? From: Tom Pegios Subject: Re: gnupg installation problem To: "GnuPG Users List" Date: Friday, 6 August, 2010, 5:35 PM Prasanth Thandra wrote: > > Hi, > i am installing GNUPG 2.0.15 on RHEL4. As suggested by readme doc i installed > libgpg-error-1.8libgcrypt-1.4.5libassuan-2.0.0libksba-1.0.6pinentry-0.8.0 > using? the instructions ./configure, make, make install .... in the above order. Finally i installed GNUPG 2.0.15. I have created .gnupg in my home dir, and gpg.conf using? /usr/local/share/gnupg/gpg-conf.skel i added keyserver hkp://localhost (i configured local sks server for testing)keyserver-options auto-key-retrive. > i have generated a key-pair #gpg --gen-keysand exported to local keyserver #gpg --send-key KEYIDi have not faced any problem till then > BUT.. when i am trying to invoke gpg-agent, gpg2 or gpgsm iam getting >? errors > [root at localhost ~]# gpg-agent --daemon > gpg-agent: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory > > [root at localhost ~]# gpg2 > gpg2: error while loading shared libraries: libassuan.so.0: cannot open shared object file: No such file or directory > [root at localhost ~]# gpgsm > gpgsm: error while loading shared libraries: libksba.so.8: cannot open shared object file: No such file or directory > i am clueless about what is happening or what to do to correct these errors... whether my installation was not complete ???? > PLEASE HELP ME ...THANKING YOU > Hello Prasanth Thandra ??? I had the same problem with gpg2 in Ubuntu 10.04 , my solution was as follows: in the folder /etc/ld.so.conf.d create a file called gpg2.conf (as root) gpg2.conf contains one line "/usr/local/lib" (without quotes) reboot system or enter the command "ldconfig -v" (without quotes) gpg2 was able to find libksba.so.0 Tom Pegios _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From robbat2 at gentoo.org Tue Aug 10 06:52:12 2010 From: robbat2 at gentoo.org (Robin H. Johnson) Date: Tue, 10 Aug 2010 04:52:12 +0000 Subject: WoT cluster analysis tools? Message-ID: Not sure if such things exist already, but hopefully they do, and somebody could point me to them... To go into a little more detail, I'd like to examine the WoT as it exists between Gentoo developers, and try to work out a reasonable way to close it for resurrecting our long-dead keyring. Specifically interested in isolation of local clusters within the sets of keys. Two sets of keys, one of current developers only, and a second of all developers, past and present. Looking around, I find a few WoT graphing sites, but none of the tools used by said sites. -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2 at gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 From free10pro at gmail.com Tue Aug 10 08:44:45 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Mon, 09 Aug 2010 23:44:45 -0700 Subject: Gnupg good for big groups? In-Reply-To: <4C60411D.4020300@sixdemonbag.org> References: <567813228.20100804183559@my_localhost> <4C59AA25.6080505@sixdemonbag.org> <4C5DBB31.3090709@gmail.com> <114650791.20100808154940@my_localhost> <4C5EDEE5.1060304@sixdemonbag.org> <1587478966.20100809184843@my_localhost> <4C60411D.4020300@sixdemonbag.org> Message-ID: <4C60F55D.5090500@gmail.com> On Mon, 09 Aug 2010 13:55:41 -0400, Robert J. Hansen wrote: > You would have to ask Paul. I suspect, though, that with only a > low-thirtysomething number of nodes and a total number of messages in > the neighborhood of six hundred, that there's not much confidence to be > had in any trend. Exactly. I figured from the start that with few people and messages that I wasn't going to find anything more than gross trends. -Paul From wegwerf4 at gmx.de Tue Aug 10 17:51:58 2010 From: wegwerf4 at gmx.de (wegwerf4 at gmx.de) Date: Tue, 10 Aug 2010 17:51:58 +0200 Subject: batch program to find my password - help please!!! In-Reply-To: References: <20100807133046.GA23928@ekaiser.de> <20100808164749.GA25652@ekaiser.de> Message-ID: <20100810155157.GA18197@ekaiser.de> Thanks to all for your hints. I succeeded to run rephrase but it didn't find the phrase. So I had to revoke my key and generate a new one... Josef Jeff Sadowski schrieb: > On Sun, Aug 8, 2010 at 10:47 AM, wrote: > > Just a repetition of my question, in a different way: > > Does anybody out there know of any script to brute force a > > list of passphrases? > > > I never tried it before but maybe jack the ripper might help. > I've only heard of it, never tried it. There was a procedure to try > and get the old key less trusted and tell people to use a new key. > Maybe someone can post the link to the page that tells you how to do > that before I can find it. > > > Josef > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From kloecker at kde.org Tue Aug 10 20:04:16 2010 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Tue, 10 Aug 2010 20:04:16 +0200 Subject: WoT cluster analysis tools? In-Reply-To: References: Message-ID: <201008102004.21688@thufir.ingo-kloecker.de> On Tuesday 10 August 2010, Robin H. Johnson wrote: > Not sure if such things exist already, but hopefully they do, and > somebody could point me to them... > > To go into a little more detail, I'd like to examine the WoT as it > exists between Gentoo developers, and try to work out a reasonable > way to close it for resurrecting our long-dead keyring. > > Specifically interested in isolation of local clusters within the > sets of keys. Two sets of keys, one of current developers only, and > a second of all developers, past and present. > > Looking around, I find a few WoT graphing sites, but none of the > tools used by said sites. Most likely most sites use a combination of a simple script (written in an arbitrary scripting language) extracting the graph's edges from a keyring and one of the graphviz tools (probably dot) for the visualization of the graphs. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From jimoe at sohnen-moe.com Tue Aug 10 22:30:52 2010 From: jimoe at sohnen-moe.com (James Moe) Date: Tue, 10 Aug 2010 13:30:52 -0700 Subject: gpg-agent does not work Message-ID: <4C61B6FC.9060508@sohnen-moe.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, gpg and gpg-agent v2.0.15 gpg-agent is not working with Thunderbird v3.1.2. Enigmail seems to think that gpg-agent is not properly configured. That is likely. The "use-agent" directive is in <~/.gnupg/gpg.conf> This is what I use at reboot: - ----[ gpg-agent startup (\'s added for clarity) ]---- gpg-agent --debug-level advanced --daemon --enable-ssh-support \ --write-env-file /home/jmoe/.gpg-agent.info \ --log-file /home/jmoe /.gnupg/gpg-agent.log > /dev/null source /home/jmoe/.gpg-agent.info > /dev/null export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID - ----[ end ]---- This is what is typically put into .gpg-agent.info: - ----[ gpg-agent.info ]---- GPG_AGENT_INFO=/tmp/gpg-0AfD2b/S.gpg-agent:3324:1 SSH_AUTH_SOCK=/tmp/gpg-45SEJB/S.gpg-agent.ssh SSH_AGENT_PID=3324 - ----[ end ]---- There is a log this in the log file. However, these are entries for ssh, not TB/Enigmail. - ----[ typical i'm-not-working message ]---- 2010-08-09 17:02:49 gpg-agent[3324] ssh handler 0x7f31cfe6bbb0 for fd 8 started 2010-08-09 17:02:49 gpg-agent[3324] ssh request handler for request_identities (11) started 2010-08-09 17:02:49 gpg-agent[3324] new connection to SCdaemon established (reusing) gpg-agent[3324.10] DBG: -> GETATTR $AUTHKEYID gpg-agent[3324.10] DBG: <- ERR 100663404 Card error 2010-08-09 17:02:49 gpg-agent[3324] error getting default authentication keyID of card: Card error 2010-08-09 17:02:49 gpg-agent[3324] ssh request handler for request_identities (11) ready gpg-agent[3324.10] DBG: -> RESTART gpg-agent[3324.10] DBG: <- OK 2010-08-09 17:02:58 gpg-agent[3324] ssh handler 0x7f31cfe6bbb0 for fd 8 terminated - ----[ end ]---- - -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxhtvwACgkQzTcr8Prq0ZNw8QCeJ9BF4MemeXjzTfEqsIBstI8O 4JkAoLFqsJnwt9ZmtalqiexdXkJo+WXi =9PuX -----END PGP SIGNATURE----- From jharris at widomaker.com Wed Aug 11 04:31:35 2010 From: jharris at widomaker.com (Jason Harris) Date: Tue, 10 Aug 2010 22:31:35 -0400 Subject: WoT cluster analysis tools? In-Reply-To: References: Message-ID: <20100811023135.GB44722@laptop> On Tue, Aug 10, 2010 at 04:52:12AM +0000, Robin H. Johnson wrote: > Not sure if such things exist already, but hopefully they do, and > somebody could point me to them... > > To go into a little more detail, I'd like to examine the WoT as it > exists between Gentoo developers, and try to work out a reasonable way > to close it for resurrecting our long-dead keyring. > > Specifically interested in isolation of local clusters within the sets of > keys. Two sets of keys, one of current developers only, and a second of > all developers, past and present. > > Looking around, I find a few WoT graphing sites, but none of the tools > used by said sites. I think keyanalyze does exactly what you want. Given a keyring, it will list the strong set, in which everyone can reach everyone else, and isolated sets, which can be connected to the strong set with a single connection between sets. Any keys which aren't specifically listed are (essentially) only self-signed and also need a connection to/from the strong set. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 314 bytes Desc: not available URL: From richard at r-selected.de Wed Aug 11 09:47:32 2010 From: richard at r-selected.de (Richard) Date: Wed, 11 Aug 2010 09:47:32 +0200 Subject: Accessing the 2nd card reader Message-ID: Hello everyone, I have connected two card readers to my computer, but want only to use the 2nd one with GnuPG 2/scdaemon. Both are PCSC readers: $ opensc-tool -l Readers known about: Nr. Driver Name 0 pcsc SCM SPR 532 [Vendor Interface] (21250837209929) 00 00 1 pcsc REINER SCT CyberJack pp_a (8928928328) 00 00 However, GnuPG only recognizes the 1st reader: $ echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}' 04E6:E003:21250837209929:0 How can I force GnuPG to use the 2nd reader only? I don't know what which reader-port option to set in ~/.gnupg/scdaemon.conf. Thanks, Richard From wk at gnupg.org Wed Aug 11 12:34:55 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 11 Aug 2010 12:34:55 +0200 Subject: Accessing the 2nd card reader In-Reply-To: (richard@r-selected.de's message of "Wed, 11 Aug 2010 09:47:32 +0200") References: Message-ID: <87sk2lxws0.fsf@vigenere.g10code.de> On Wed, 11 Aug 2010 09:47, richard at r-selected.de said: > However, GnuPG only recognizes the 1st reader: If you enter "scd help getinfo" you can see this in the scdameon log file: : chan_10 <- # reader_list - Return a list of detected card readers. Does : chan_10 <- # currently only work with the internal CCID driver. Thus it does not work with pcscd. To convince pcscd to use the second reader you need to use the reader-port "REINER SCT CyberJack pp_a" or a bit more of the string shown by opensc-tool. I am not sure how it formats the reader description. Scdaemon compares the reader-port against the reader description as returned by pcsc_list_reader. The problem with pcsc is that we need a wrapper on most system and this wrapper does not return the list of readers. We have plans to drop this wrapper in 2.1. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Aug 11 12:40:53 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 11 Aug 2010 12:40:53 +0200 Subject: gpg-agent does not work In-Reply-To: <4C61B6FC.9060508@sohnen-moe.com> (James Moe's message of "Tue, 10 Aug 2010 13:30:52 -0700") References: <4C61B6FC.9060508@sohnen-moe.com> Message-ID: <87ocd9xwi2.fsf@vigenere.g10code.de> On Tue, 10 Aug 2010 22:30, jimoe at sohnen-moe.com said: > There is a log this in the log file. However, these are entries for > ssh, not TB/Enigmail. Right, nothing of interest for us. To check gpg-agent you should use "gpg-connect-agent" and for example enter the command > getinfo socket_name D /tmp/gpg-YI0nEA/S.gpg-agent This returns the same socket as in the environment variable. Right? My guess is that TB does not know the envvar and thus can't connect gpg-agent. Please start TB from an xterm and see whether it knows the envvar. I am not sure whether it is possible to spawn a shell from TB, if so , try gpg-connect-agent via such a shell. Another way to debug this is to attach ktrace or strace to TB and grep the socket name. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mailinglisten at hauke-laging.de Wed Aug 11 13:33:49 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 11 Aug 2010 13:33:49 +0200 Subject: no-ks-modify effect on signature uploads Message-ID: <201008111333.49698.mailinglisten@hauke-laging.de> Hello, a few weeks ago we had a discussion about the no-ks-modify flag (being not reliably supported by the keyservers yet). It certainly makes a difference whether you can accidentally ignore this flag or have to ignore it intentionally. This raises the question (I admit I was too lazy to test that myself) whether gpg ignores this flag. Does gpg upload signatures for other people's key which have this flag? The keyservers don't do crypto checks but gpg could, of course. IMHO it would make sense for gpg to reject uploads in these cases. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From Mistey82 at live.com Tue Aug 10 23:42:53 2010 From: Mistey82 at live.com (Mistey) Date: Tue, 10 Aug 2010 16:42:53 -0500 Subject: gnuPG Message-ID: I have been trying to get my enigmail extension to work on my Thunderbird for two days and I am burnt out it say that I need to install a GnuPG executable and I have tried ALMOST EVERYONE ON THE DOGGONE site and it still isn't working I have windows 7 64bit system and Mozilla Thunderbird mail client.. please get back to me asap and help me out please -- mistey m Morrison -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Wed Aug 11 14:17:51 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 11 Aug 2010 08:17:51 -0400 Subject: gnuPG In-Reply-To: References: Message-ID: <1D83F2A8-9B45-46F9-8E7B-29BC6C4D0F33@sixdemonbag.org> > I have been trying to get my enigmail extension to work on my Thunderbird for two days and I am burnt out it say that I need to install a GnuPG executable and I have tried ALMOST EVERYONE ON THE DOGGONE site and it still isn't working I have windows 7 64bit system and Mozilla Thunderbird mail client.. please get back to me asap and help me out please ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.10b.exe Download and install that. Once you have it installed, uninstall and then re-install Enigmail. Enigmail will automatically detect your GnuPG installation, and things should just work. You may also want to consider asking on the Enigmail mailing list: http://www.mozdev.org/mailman/listinfo/enigmail Hope this helps! From dshaw at jabberwocky.com Wed Aug 11 16:11:24 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Aug 2010 10:11:24 -0400 Subject: no-ks-modify effect on signature uploads In-Reply-To: <201008111333.49698.mailinglisten@hauke-laging.de> References: <201008111333.49698.mailinglisten@hauke-laging.de> Message-ID: On Aug 11, 2010, at 7:33 AM, Hauke Laging wrote: > Hello, > > a few weeks ago we had a discussion about the no-ks-modify flag (being not > reliably supported by the keyservers yet). > > It certainly makes a difference whether you can accidentally ignore this flag > or have to ignore it intentionally. This raises the question (I admit I was > too lazy to test that myself) whether gpg ignores this flag. Does gpg upload > signatures for other people's key which have this flag? The keyservers don't > do crypto checks but gpg could, of course. IMHO it would make sense for gpg to > reject uploads in these cases. I actually considered this once, but in the end, it would be confusing to have a key be uploadable with PGP but not GPG. Also, it could be defeated trivially by just exporting a key to a text file (always legal), and then uploading it to the keyservers using the web. It would have been an illusion of actual functionality. David From olav at mozilla-enigmail.org Wed Aug 11 15:14:04 2010 From: olav at mozilla-enigmail.org (Olav Seyfarth) Date: Wed, 11 Aug 2010 15:14:04 +0200 Subject: gnuPG In-Reply-To: References: Message-ID: <4C62A21C.5020706@mozilla-enigmail.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi Mistey, cross-posting to the Enigmail users list since I expect your issue to be more related to Engimail-GnuPG interaction than to GnuPG itself. > I have been trying to get my enigmail extension to work on my Thunderbird > for two days and I am burnt out it say that I need to install a GnuPG > executable and I have tried ALMOST EVERYONE ON THE DOGGONE site and it > still isn't working I have windows 7 64bit system and Mozilla Thunderbird > mail client.. please get back to me asap and help me out please If you don't already have, I suggest you install Thunderbird 3.1.2 http://www.mozillamessaging.com/ Enigmail 1.1.2 https://addons.mozilla.org/thunderbird/addon/71/ GnuPG 2.0.14 http://gpg4win.org/download.html This combination is known to work on Windows 7 64bit (though all are 32-bit applications). Instead of GnuPG 2 you may also use GnuPG 1.4.10b http://gnupg.org/download/index.en.html#auto-ref-2 If Enigmail complains about not finding GnuPG, this can have two causes I know of: you installed GPG4Win to a non-standard place or you installed 1.4 from gnupg.org - this installer doesn't add the installation path to the Windows PATH environment variable. You may solve both issues by adding the proper path to PATH or enter the path in the Enigmail settings. If your problem persists, please provide us with more detailled information about what is installed where, which messages you get when and what the built in debugging features tell you (JS console, OpenPGP console/logfile/debug). Olav - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQGcBAEBAwAGBQJMYqIXAAoJEKGX32tq4e9W0koL/2o10RHTe8rokPflU/J4lFXg 1G1LnE5diwsu1UHFWAlsSUtEIdw75GNFtSUcVM1MYn4Qsy00UbEeLHomFW0l8PHU oqqMiYLZWNdSqoaWPQl/bOdsE5fNRJ+4rOdK2329MvJsY6wqqktPMIAfGJwoq7Wp HssSNIKCs9VOJolxLaXCzDQohf+0NNmZ7C+p5yCvsv0REjEKM3XrLcoDniwmr1gF ZZpBJ87YnF58MYJtPsynfSTqN3skK47zVKQZJvuwHn7F9CDuR2lyDFbkLEYUTyxr B7AOaGoXEZoWgxxfa5nV8GAmh1kAMqLpybQekO88rmOKsvCHNtpMkIGXQmArhbjr 5IMOAUV+bDqIOLKmZzbSdH6pENgqj0kDJVCpQF9xVdnGsu2taDiWqyhI0l9cnpWb UEhamsL2I9EnA5iQw0I1spuMBUrwvvzfOb/2s8QOkmRErS7OhTLIiIpALJqKi7/c oZ94F9VTpzOPGi+sys+uZ3HpxoFgq/t+DyFUBq9xSQ== =wXDS -----END PGP SIGNATURE----- From mailinglisten at hauke-laging.de Wed Aug 11 17:52:50 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 11 Aug 2010 17:52:50 +0200 Subject: no-ks-modify effect on signature uploads In-Reply-To: References: <201008111333.49698.mailinglisten@hauke-laging.de> Message-ID: <201008111752.56075.mailinglisten@hauke-laging.de> Am Mittwoch 11 August 2010 16:11:24 schrieb David Shaw: > > Does gpg upload signatures for other people's key which have this flag? > I actually considered this once, but in the end, it would be confusing to > have a key be uploadable with PGP but not GPG. Maybe but the number of people using both (with the same keys!) is probably not so high. And it would be obvious to anyone that this behaviour is due to an improvement in gpg. Avoid big number improvement in order to avoid small number confusion? A weak argument, even more as gpg is not strictly compatible to (all versions of) PGP (simultaneously) anyway. gpg should issue an error message to inform the user. > Also, it could be defeated > trivially by just exporting a key to a text file (always legal), When doing this with such a key then a warning should be issued. This would have the additional positive effect of making users aware of the privacy problem over time. > and then > uploading it to the keyservers using the web. It would have been an > illusion of actual functionality. No, not an illusion of functionality, maybe an illusion of protection. The problem would not be solved but reduced. The illusion could be prevented by putting the relevant information into both the documentation and error/warning messages. Having such an illusion would be the fault of noone but the respective user himself. And there is no reason that there is noone out there who has this illusion even today. :-) Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From Brian.Cooperider at RelayHealth.com Wed Aug 11 18:19:42 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Wed, 11 Aug 2010 09:19:42 -0700 Subject: automating decryption with vbscript Message-ID: Is there a way to automate gnupg using vbscript? I've been tryng to figure out how to pass the passphrase via the script. I thought the command below would work but it still calls the pop up box and asks for passphrase. "C:\Program Files\GNU\GnuPG\gpg2.exe" --passphrase "mypassphrase" -o "C:\Brian\MyEncryptedFile.txt" -d "C:\Brian\MyEncryptedFile.gpg" We are using gpg4win as the frontend. I can pass along the vbs script I have been working on if it would help. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From dougb at dougbarton.us Wed Aug 11 20:33:40 2010 From: dougb at dougbarton.us (Doug Barton) Date: Wed, 11 Aug 2010 11:33:40 -0700 Subject: gpg-agent does not work In-Reply-To: <87ocd9xwi2.fsf@vigenere.g10code.de> References: <4C61B6FC.9060508@sohnen-moe.com> <87ocd9xwi2.fsf@vigenere.g10code.de> Message-ID: <4C62ED04.40302@dougbarton.us> James, Not sure if it's the problem, but I use the following script to start gpg-agent, perhaps it will be helpful: http://dougbarton.us/PGP/gpg-agent.html Good luck, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From sindegra at gmail.com Wed Aug 11 20:49:48 2010 From: sindegra at gmail.com (Joseph Isadore Ziff) Date: Wed, 11 Aug 2010 14:49:48 -0400 Subject: Build Gnupg2 to have bin name gpg Message-ID: Dear gnupg-users, I've been wanting to build gnupg2 to have the bin/executable name gpg instead of gpg2 but have so far been unsuccessful in tracking down exactly what bits of the source code need to be altered. I am running a linux i386 system. I know this question might be a bit trivial, but any help you could give me is greatly appreciated. Sincerely, Joseph Ziff -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Wed Aug 11 21:58:02 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 11 Aug 2010 15:58:02 -0400 Subject: Build Gnupg2 to have bin name gpg In-Reply-To: References: Message-ID: <4C6300CA.3030807@sixdemonbag.org> On 8/11/2010 2:49 PM, Joseph Isadore Ziff wrote: > I've been wanting to build gnupg2 to have the bin/executable name gpg > instead of gpg2 but have so far been unsuccessful in tracking down > exactly what bits of the source code need to be altered. I am running a > linux i386 system. I know this question might be a bit trivial, but any > help you could give me is greatly appreciated. The filename is set, I believe, in g10/Makefile.am. Look for a line called "bin_PROGRAMS". You will also need to adjust certain targets: for instance, "gpg2_SOURCES" will become "gpg_SOURCES", "gpg2_OBJECTS" becomes "gpg_OBJECTS", and so on. It is not especially hard to do, but it requires a little fluency with the GNU Autotools. From dshaw at jabberwocky.com Wed Aug 11 22:11:06 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Aug 2010 16:11:06 -0400 Subject: no-ks-modify effect on signature uploads In-Reply-To: <201008111752.56075.mailinglisten@hauke-laging.de> References: <201008111333.49698.mailinglisten@hauke-laging.de> <201008111752.56075.mailinglisten@hauke-laging.de> Message-ID: <7F39D057-7D81-4CCD-8B84-F202AC910D48@jabberwocky.com> On Aug 11, 2010, at 11:52 AM, Hauke Laging wrote: >> Also, it could be defeated >> trivially by just exporting a key to a text file (always legal), > > When doing this with such a key then a warning should be issued. This would > have the additional positive effect of making users aware of the privacy > problem over time. 99%+ of all keys created with GPG have the flag set (it's the default). This would mean that virtually every time a key was exported with GPG, the exporter would get a warning along the lines of "hey, please don't upload this to a keyserver". At that point, it's just noise. >> and then >> uploading it to the keyservers using the web. It would have been an >> illusion of actual functionality. > > No, not an illusion of functionality, maybe an illusion of protection. I dislike illusion in security software. Either a protection is strong or it is not, and we should not pretend otherwise. The only way to properly implement the flag is on the server side. I'd rather work towards that real answer than do something weak on the client side. David From dshaw at jabberwocky.com Wed Aug 11 22:17:28 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 11 Aug 2010 16:17:28 -0400 Subject: Build Gnupg2 to have bin name gpg In-Reply-To: References: Message-ID: On Aug 11, 2010, at 2:49 PM, Joseph Isadore Ziff wrote: > Dear gnupg-users, > > I've been wanting to build gnupg2 to have the bin/executable name gpg instead of gpg2 but have so far been unsuccessful in tracking down exactly what bits of the source code need to be altered. I am running a linux i386 system. I know this question might be a bit trivial, but any help you could give me is greatly appreciated. If you're building this for a distribution, I strongly advise against this. gpg and gpg2 are designed to be installable at the same time (they're not the same thing and gpg2 is not a strict replacement for gpg). If you have gpg2 claim the gpg name, then gpg isn't installable any longer. This is currently an issue that needs to be addressed in Fedora. If you're just doing it for yourself, however, I still wouldn't change code. Instead, just make a symlink from "gpg" to "gpg2". Much simpler and you don't need to deal with renaming keyserver helpers, or re-patching the code every time a new release is made, etc. David From bdesham at gmail.com Wed Aug 11 22:26:39 2010 From: bdesham at gmail.com (Benjamin Esham) Date: Wed, 11 Aug 2010 15:26:39 -0500 Subject: Build Gnupg2 to have bin name gpg References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joseph Isadore Ziff wrote: > I've been wanting to build gnupg2 to have the bin/executable name gpg > instead of gpg2 but have so far been unsuccessful in tracking down exactly > what bits of the source code need to be altered. I am running a linux i386 > system. I know this question might be a bit trivial, but any help you > could give me is greatly appreciated. Hi Joseph, Why not simply create a symlink from "gpg2" to "gpg"? Cheers, - -- Benjamin D. Esham | bdesham at gmail.com ?...more and more of our imports are coming from overseas.? ? George W. Bush -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iEYEARECAAYFAkxjB38ACgkQzOC3TdZ2u5rd8wCeODG5n0RN7Jra4xUe+Y2uLQzB nRkAoNQ/v9KziCMktQ0zI2R13IwsVc6+ =1btP -----END PGP SIGNATURE----- From faramir.cl at gmail.com Wed Aug 11 22:04:14 2010 From: faramir.cl at gmail.com (Faramir) Date: Wed, 11 Aug 2010 16:04:14 -0400 Subject: Build Gnupg2 to have bin name gpg In-Reply-To: References: Message-ID: <4C63023E.7090407@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 11-08-2010 14:49, Joseph Isadore Ziff escribi?: > Dear gnupg-users, > > I've been wanting to build gnupg2 to have the bin/executable name gpg > instead of gpg2 but have so far been unsuccessful in tracking down Remember gpg (not 2) is still alive, it might cause confusion to rename the executable... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMYwI+AAoJEMV4f6PvczxAXRYH/1AGn5ZYMwVvaCirYIenzDx3 c2aan29teloY4jMmLlvl77Wz9MZDwT/ze3q0agviFezaVS8BlEE63ZR/up4lzyvj GLM2Snebn1O2ItbGqhoJgc37OpsDYxA0OIbKxr6Y2LEobSHWwP1jnhPYNsajmcDe VElF6KvYwg7n8l0uGdwDpyH1uXFJK2OIF25aP/ysa8jfPLSTmzQpzdjfnWgp4Ggv 6On4PRRWvwGOhcI6z8sOxSGhd4PU2GCP+qseSFnKIOvLvj5LOhlZjKmtaKKZxCw5 gadkGDpgRMCROiG+C3YHh1Hu6qDxmVeiy+Av+hcWO0nM0roe5Zb2OQLNehgcegk= =KvhF -----END PGP SIGNATURE----- From richard at r-selected.de Thu Aug 12 00:11:40 2010 From: richard at r-selected.de (Richard) Date: Thu, 12 Aug 2010 00:11:40 +0200 Subject: Accessing the 2nd card reader In-Reply-To: <87sk2lxws0.fsf@vigenere.g10code.de> References: <87sk2lxws0.fsf@vigenere.g10code.de> Message-ID: Hello Werner, On Wed, Aug 11, 2010 at 12:34, Werner Koch wrote: >To convince pcscd to use the second > reader you need to use the > > ?reader-port "REINER SCT CyberJack pp_a" > > or a bit more of the string shown by opensc-tool. thanks for your advice. I had to use the whole identifier as issued by opensc-tool to get the reader to work: reader-port "REINER SCT CyberJack pp_a (8928928328) 00 00" Now I can finally access my OpenPGP smart card in my second reader using GPG :) Thanks again for your help, Richard From Simon.Richter at hogyros.de Thu Aug 12 09:41:27 2010 From: Simon.Richter at hogyros.de (Simon Richter) Date: Thu, 12 Aug 2010 09:41:27 +0200 Subject: Accessing the 2nd card reader In-Reply-To: References: <87sk2lxws0.fsf@vigenere.g10code.de> Message-ID: <20100812074126.GA3017@richter> Hi, on a related note: I have two cards, one is full sized, one SIM sized, and two different readers, one of which is an USB stick that is inserted only when needed. Using such a setup is a serious hassle, because I need to reconfigure the reader-port everytime I want to use the other card. Can the system be adapted to scan all readers when looking for a specific card, and to rescan for new readers when it prompted the user to insert a card? Simon From timbernutz at gmail.com Wed Aug 11 18:18:48 2010 From: timbernutz at gmail.com (bob smith) Date: Wed, 11 Aug 2010 09:18:48 -0700 Subject: gnupg for windows mobile 6.5 smartphone Message-ID: i have recently bought a samsung omnia 2 smartphone with windows mobile 6.5 as the OS. i have been searching for 3 days to find a way to encrypt text in any way with gnupg the only link to any software i found was for "PocketConsole - a Windows NT-like console for the Pocket PC " but the link (http://www.symbolictools.de/public/pocketconsole/)?is dead are there any gunpg applications available or even in development for windows moblie? i have an old pgp for mobile 1.6 that worked with pgp 7.03 but after dusting it off it does not work with new keys. ( or something else is wrong that i cant figure out) the new pgp mobile appears to use a client server system and i just want a simple app that can encrypt and decrypt my email even if i have to cut and paste everything to do it. thanks for any help.. From taysay1 at gmail.com Wed Aug 11 20:16:57 2010 From: taysay1 at gmail.com (Terseer Shaguy) Date: Wed, 11 Aug 2010 19:16:57 +0100 Subject: Decryption Error Message-ID: Good days wonderful people, I am having a challenge running gpg on windows 2003 server , I am working with it from java, when I run my code on my vista , Mac os x box it works pretty fine , everything work fine when I run it for the command line on windows 2003 server, however when I run it for my code on windwos 2003 server decryption fails though with no error rather that return false. Pls is there a special configuration for gpg on windows 2003 server? thank you, taysay -------------- next part -------------- An HTML attachment was scrubbed... URL: From taysay1 at gmail.com Thu Aug 12 10:36:38 2010 From: taysay1 at gmail.com (Terseer Shaguy) Date: Thu, 12 Aug 2010 09:36:38 +0100 Subject: GPG decryption issues on WINDOWS 2003 SERVER Message-ID: Hello wonderful People, I have a challenge with GPG on WINDOWS 2003 SERVER when I run my class from java which is based on GnuPG.java from http://www.macnews.co.il/mageworks/java/gnupg/ It doesnt decrypt and returns no errors rather that return false. However this same implementation runs fine on vista, as well as mac. Pls can anyone offer some help ? thank you. faithfully Taysay -------------- next part -------------- An HTML attachment was scrubbed... URL: From richard at r-selected.de Thu Aug 12 12:31:14 2010 From: richard at r-selected.de (Richard) Date: Thu, 12 Aug 2010 12:31:14 +0200 Subject: Accessing the 2nd card reader In-Reply-To: References: <87sk2lxws0.fsf@vigenere.g10code.de> Message-ID: Well I stumbled upon another problem. I actually wanted to use one of my card readers with GnuPG/scdaemon exclusively, and the other one with OpenSC's PAM-PKCS#11 module. As already mentioned, both of my readers are accessible via PC/SC. Having set reader-port "REINER SCT CyberJack pp_a (8928928328) 00 00" in my ~/.gnupg/scdaemon.conf, I thought the other reader could now be used smoothly with PAM-PKCS#11. However, pcscd tells me "SCardConnect() Error Reader Exclusive". I'll have to figure out which the two readers it is trying to access here (although I have set the reader slot to use to the 1st reader, which should not be opened exclusively by scdaemon). I just wanted ask whether scdaemon always blocks _all_ PC/SC readers, even when told to use one specific reader only? If it doesn't, then this is probably a PAM-PKCS#11-related problem and I will have to contact the OpenSC people for support. Thanks, Richard From gnupg.user at seibercom.net Thu Aug 12 13:53:09 2010 From: gnupg.user at seibercom.net (Jerry) Date: Thu, 12 Aug 2010 07:53:09 -0400 Subject: GPG decryption issues on WINDOWS 2003 SERVER In-Reply-To: References: Message-ID: <20100812075309.23c50ddb@scorpio> On Thu, 12 Aug 2010 09:36:38 +0100 Terseer Shaguy articulated: > I have a challenge with GPG on WINDOWS 2003 SERVER when I run my > class from java which is based on GnuPG.java > from http://www.macnews.co.il/mageworks/java/gnupg/ It doesnt > decrypt and returns no errors rather that return false. However this > same implementation runs fine on vista, as well as mac. I saw something similar to this on another list. I forgot where. In any case, Windows Server 2003 is seriously deprecated. The 2008 version has been available for awhile and works fine from what I have been told. You might want to consider updating your installation. http://www.microsoft.com/windowsserver2008/en/us/default.aspx http://www.microsoft.com/downloads/details.aspx?familyid=B6E99D4C-A40E-4FD2-A0F7-32212B520F50&displaylang=en -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. From rjh at sixdemonbag.org Thu Aug 12 17:10:06 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 12 Aug 2010 11:10:06 -0400 Subject: GPG decryption issues on WINDOWS 2003 SERVER In-Reply-To: <20100812075309.23c50ddb@scorpio> References: <20100812075309.23c50ddb@scorpio> Message-ID: <4C640ECE.3030202@sixdemonbag.org> On 8/12/2010 7:53 AM, Jerry wrote: > I saw something similar to this on another list. I forgot where. In any > case, Windows Server 2003 is seriously deprecated. Microsoft is not planning on any further service packs, but the OS is still supported until 2015. Mainstream support has ended, but extended support is still available. http://support.microsoft.com/gp/lifeselect Even if 2003 had been totally EOLed, this advice would still not be particularly useful. Migrating a server to a new OS is not something to be undertaken lightly. Given a choice between simply writing off an application as "doesn't work on our system" and migrating to a new OS, many places will choose to write off the application. From christoph.anton.mitterer at physik.uni-muenchen.de Thu Aug 12 18:30:23 2010 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Thu, 12 Aug 2010 18:30:23 +0200 Subject: policy url is not set on selfsigs In-Reply-To: <1281218854.7661.168.camel@fermat.scientia.net> References: <1281218854.7661.168.camel@fermat.scientia.net> Message-ID: <1281630623.3256.123.camel@fermat.scientia.net> Hi. Just found out, that a policy _is_ actually set when using --set-policy-urls when creating a key (--gen-key).... But it seems there is no way of changing that later.. I've looked through the code but could not find the place why it's ignored when just e.g. changing the keyserver/prefs/etc. Cheers, Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From harakiri_23 at yahoo.com Fri Aug 13 00:19:59 2010 From: harakiri_23 at yahoo.com (Harakiri) Date: Thu, 12 Aug 2010 15:19:59 -0700 (PDT) Subject: GPG decryption issues on WINDOWS 2003 SERVER Message-ID: <154926.96292.qm@web52207.mail.re2.yahoo.com> --- On Thu, 8/12/10, Terseer Shaguy wrote: From: Terseer Shaguy Subject: GPG decryption issues on WINDOWS 2003 SERVER To: PGP-Basics at yahoogroups.com, Gnupg-users at gnupg.org Date: Thursday, August 12, 2010, 4:36 AM >> Pls can anyone offer some help ? This issue has nothing todo with GNUPG. This issue has also nothing todo with Windows 2003. The issue has something todo that the original author, and you dont know much about java programming at all. I highly advice you read more about java programming, because just calling Runtime.getRuntime().exec(fullCommand); with gpg is not gonna work, this is not a shell. Here i give you a start http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html and another free advice, dont use some "java class you found on the net" to integrate in your project. A real developer would never use code he does not understand, it only leads to ugly legacy code that experienced developers have to fix after you leave. tltr: try the java forums From rjh at sixdemonbag.org Fri Aug 13 02:32:34 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 12 Aug 2010 20:32:34 -0400 Subject: GPG decryption issues on WINDOWS 2003 SERVER In-Reply-To: <154926.96292.qm@web52207.mail.re2.yahoo.com> References: <154926.96292.qm@web52207.mail.re2.yahoo.com> Message-ID: <4C6492A2.7050805@sixdemonbag.org> On 8/12/2010 6:19 PM, Harakiri wrote: > This issue has nothing todo with GNUPG. This issue has also nothing > todo with Windows 2003. The issue has something todo that the > original author, and you dont know much about java programming at > all. Let's scale back the imprecations a little bit. Criticize errors, not people. For instance: > http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html This article is ten years old and is out of date with respect to current Java best practices. Since Java 1.5, the preferred method is ProcessBuilder, which was meant to replace most uses of Runtime.exec(). > and another free advice, dont use some "java class you found on the > net" to integrate in your project. A real developer would never use > code he does not understand, it only leads to ugly legacy code that > experienced developers have to fix after you leave. As a "real developer", I do this almost every workday. You do not know whether the original poster was using this for a deployment system, or as a prototype to explore the problem space. Exploration, testing the limits of your knowledge, and discovering how code works are all parts of the development process. From mailinglisten at hauke-laging.de Fri Aug 13 03:13:01 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Fri, 13 Aug 2010 03:13:01 +0200 Subject: no-ks-modify effect on signature uploads In-Reply-To: <7F39D057-7D81-4CCD-8B84-F202AC910D48@jabberwocky.com> References: <201008111333.49698.mailinglisten@hauke-laging.de> <201008111752.56075.mailinglisten@hauke-laging.de> <7F39D057-7D81-4CCD-8B84-F202AC910D48@jabberwocky.com> Message-ID: <201008130313.02009.mailinglisten@hauke-laging.de> Am Mittwoch 11 August 2010 22:11:06 schrieb David Shaw: > > When doing this with such a key then a warning should be issued. This > > would have the additional positive effect of making users aware of the > > privacy problem over time. > > 99%+ of all keys created with GPG have the flag set (it's the default). > This would mean that virtually every time a key was exported with GPG, the > exporter would get a warning along the lines of "hey, please don't upload > this to a keyserver". > > At that point, it's just noise. In my opinion that is a strange definition of noise. If we agree that this is a useful default (the flag set) and that it would be great if the keyservers honoured it then the wished for future is that most people cannot upload signatures for keys which are not their own. I would regard such gpg behaviour as a kind if information/education for this probable future (earlier or later). So people would start to change their view of the infrastructure and the way the use the toole before they are completely forced to do so (by the servers). > I dislike illusion in security software. Either a protection is strong or > it is not, and we should not pretend otherwise. That is a valid argument but the combination of a feature and its documentation is not necessarily pretending of something. If the warning and documentation clearly state that this is a convenience feature and not a crypto level protection then it is not illusion if anyone gets that wrong. You are in big problems nearly at once of you use crypto software without having understood how all this stuff works. This would be just one more point, a rather harmless one. And you would be forced to ignore clear hints in order to make mistakes. That's nothing anyone has to (or even: can) be protected from. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Fri Aug 13 03:17:01 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 12 Aug 2010 21:17:01 -0400 Subject: Decryption Error In-Reply-To: References: Message-ID: <4C649D0D.7070007@sixdemonbag.org> On 8/11/2010 2:16 PM, Terseer Shaguy wrote: > Pls is there a special configuration for gpg on windows 2003 server? I am sorry that no one else has given you a useful answer. To answer your question: no, there is no special configuration for GnuPG on Windows Server 2003. Calling GnuPG from Java is a little ... problematic. I have tried to do this several times, with varying levels of success. The root of the problems (at least, the problems I've run into) have been that GnuPG expects there to be a TTY, and when using Runtime.exec or ProcessBuilder, there is no TTY. The same problem occurs in C#. The last two times I asked on this list for help getting past this, I received no response. I wish I had answers for you. All I can do instead is tell you your best bet will probably involve writing JNI wrappers for GPGME. From dshaw at jabberwocky.com Fri Aug 13 04:06:20 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 12 Aug 2010 22:06:20 -0400 Subject: policy url is not set on selfsigs In-Reply-To: <1281630623.3256.123.camel@fermat.scientia.net> References: <1281218854.7661.168.camel@fermat.scientia.net> <1281630623.3256.123.camel@fermat.scientia.net> Message-ID: On Aug 12, 2010, at 12:30 PM, Christoph Anton Mitterer wrote: > Hi. > > Just found out, that a policy _is_ actually set when using > --set-policy-urls when creating a key (--gen-key).... > > But it seems there is no way of changing that later.. > I've looked through the code but could not find the place why it's > ignored when just e.g. changing the keyserver/prefs/etc. This is intentional. When you change the keyserver or prefs, you are *just* changing the keyserver or prefs. It would not be appropriate to silently add a policy URL or notation as part of the process. If you want to change a policy URL or notation after it has been issued, you can simply delete the old sig (even a self-sig can be deleted) and re-issue it. David From wk at gnupg.org Fri Aug 13 14:41:27 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Aug 2010 14:41:27 +0200 Subject: Decryption Error In-Reply-To: <4C649D0D.7070007@sixdemonbag.org> (Robert J. Hansen's message of "Thu, 12 Aug 2010 21:17:01 -0400") References: <4C649D0D.7070007@sixdemonbag.org> Message-ID: <87mxsqvg5k.fsf@vigenere.g10code.de> On Fri, 13 Aug 2010 03:17, rjh at sixdemonbag.org said: > received no response. I wish I had answers for you. All I can do > instead is tell you your best bet will probably involve writing JNI > wrappers for GPGME. Isn't http://github.com/smartrevolution/gnupg-for-java that what he needs? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From rjh at sixdemonbag.org Fri Aug 13 14:50:24 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 13 Aug 2010 08:50:24 -0400 Subject: Decryption Error In-Reply-To: <87mxsqvg5k.fsf@vigenere.g10code.de> References: <4C649D0D.7070007@sixdemonbag.org> <87mxsqvg5k.fsf@vigenere.g10code.de> Message-ID: <120C0182-F77E-4099-85D0-6E7E0E3210C1@sixdemonbag.org> > Isn't > > http://github.com/smartrevolution/gnupg-for-java > > that what he needs? It may be. I was looking at ftp://ftp.gnupg.org/gcrypt/alpha/gnupgjava, which shows no updates since 2005. It may be worth dropping a README in there directing people to Stefan Richter's git repo. I have never used gnupg-for-java, so I can't comment on it. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3916 bytes Desc: not available URL: From wk at gnupg.org Fri Aug 13 14:53:27 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Aug 2010 14:53:27 +0200 Subject: gnupg for windows mobile 6.5 smartphone In-Reply-To: (bob smith's message of "Wed, 11 Aug 2010 09:18:48 -0700") References: Message-ID: <87iq3evflk.fsf@vigenere.g10code.de> On Wed, 11 Aug 2010 18:18, timbernutz at gmail.com said: > i have recently bought a samsung omnia 2 smartphone with windows > mobile 6.5 as the OS. There is some hope for you. Meanwhile the entire GnuPG-2 system has been ported to that OS. Our target device is the HTC touch pro 2 but I don't think that we use any HTC specific API. See http://saegewerk.intevation.de/wince-packager/index.html which also has a link to an installer. Well this is only command line and thus not very useful unless you succeed installing sshd on the device (we have a package for that as well somewhere, can't remember the URL, though) and then use putty for Wince to get a terminal. Writing a simple application to encrypt the clipboard should not be very hard if you are used to native Windows programming. GPGME is fully ported and takes care of invoking the required GnuPG modules. There are some little things missing: For example we can't easily import an OpenPGP key - that is something I am going to implement next week. Dirmngr needs to be started manually - that should me fixed by Monday/ The final plan is to have KDEPIM running on the box. We are currently shrinking the KDE code and working on tricks to stuff all the code into the "interesting" virtual memory architecture. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Fri Aug 13 14:58:42 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Aug 2010 14:58:42 +0200 Subject: Accessing the 2nd card reader In-Reply-To: <20100812074126.GA3017@richter> (Simon Richter's message of "Thu, 12 Aug 2010 09:41:27 +0200") References: <87sk2lxws0.fsf@vigenere.g10code.de> <20100812074126.GA3017@richter> Message-ID: <87eie2vfct.fsf@vigenere.g10code.de> On Thu, 12 Aug 2010 09:41, Simon.Richter at hogyros.de said: > Can the system be adapted to scan all readers when looking for a > specific card, and to rescan for new readers when it prompted the user > to insert a card? Yeah those cards with readers are a real problem. We need to do something about it. I am still using my old card - as soon as I move to a new card with an USB stick reader I need to solve it ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From richard at r-selected.de Fri Aug 13 16:38:12 2010 From: richard at r-selected.de (Richard) Date: Fri, 13 Aug 2010 16:38:12 +0200 Subject: Accessing the 2nd card reader In-Reply-To: References: <87sk2lxws0.fsf@vigenere.g10code.de> Message-ID: On Thu, Aug 12, 2010 at 12:31, Richard wrote: > Well I stumbled upon another problem. > > I actually wanted to use one of my card readers with GnuPG/scdaemon > exclusively, and the other one with OpenSC's PAM-PKCS#11 module. [...] > > I just wanted ask whether scdaemon always blocks _all_ PC/SC readers, > even when told to use one specific reader only? All right, this appears to be a PAM-PKCS#11 bug. I am going to drop a note on this list if I find a solution. Richard From richard at r-selected.de Fri Aug 13 18:56:50 2010 From: richard at r-selected.de (Richard) Date: Fri, 13 Aug 2010 18:56:50 +0200 Subject: Accessing the 2nd card reader In-Reply-To: References: <87sk2lxws0.fsf@vigenere.g10code.de> Message-ID: On Fri, Aug 13, 2010 at 16:38, Richard wrote: > All right, this appears to be a PAM-PKCS#11 bug. That's not correct: It is a bug in OpenSC's PKCS#11 module. Someone wrote a patch for OpenSC (SVN, trunk), which fixes the problem for me: http://www.opensc-project.org/pipermail/opensc-user/2010-August/004224.html Best reagrds, Richard From gnupg.user at seibercom.net Sat Aug 14 00:46:11 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 13 Aug 2010 18:46:11 -0400 Subject: GPG decryption issues on WINDOWS 2003 SERVER In-Reply-To: <4C640ECE.3030202@sixdemonbag.org> References: <20100812075309.23c50ddb@scorpio> <4C640ECE.3030202@sixdemonbag.org> Message-ID: <20100813184611.48d489f4@scorpio> On Thu, 12 Aug 2010 11:10:06 -0400 Robert J. Hansen articulated: > On 8/12/2010 7:53 AM, Jerry wrote: > > I saw something similar to this on another list. I forgot where. In > > any case, Windows Server 2003 is seriously deprecated. > > Microsoft is not planning on any further service packs, but the OS is > still supported until 2015. Mainstream support has ended, but > extended support is still available. > > http://support.microsoft.com/gp/lifeselect > > Even if 2003 had been totally EOLed, this advice would still not be > particularly useful. Migrating a server to a new OS is not something > to be undertaken lightly. Given a choice between simply writing off > an application as "doesn't work on our system" and migrating to a new > OS, many places will choose to write off the application. As you stated, Microsoft is not planning any further service packs and work on the 2003 branch has effectively ended. The 2008 branch is an improved server and continued use of the deprecated version will only result in further problems down the line. Furthermore, while I would never take lightly the updating of any major system component, be it hardware or software based, there does come a time when you just bit the bullet and complete the task. Actually, Microsoft has made updating between versions of its server easier than you might have thought. You could start here to get some very general information: http://www.microsoft.com/windowsserver2008/en/us/why-upgrade-2003.aspx or, if you have paid support, contact them for complete details. Good luck! -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. From emylistsddg at gmail.com Sun Aug 15 01:25:07 2010 From: emylistsddg at gmail.com (eMyListsDDg) Date: Sat, 14 Aug 2010 16:25:07 -0700 Subject: libkleo.dll can't load within TheBat! or be registered Message-ID: <1619564056.20100814162507@gmail.com> i use TheBat! for my email client. and Gpg4win ver 2.0.3. gpg4win seems to work fine except when trying to load up kleopatra.exe from within TheBat! ///[error msg]///////////////////////////////////////////////////////// kleopatra.exe - Unable to Locate Component this application has failed to start because libkleo.dll was not found. Re-installing the application may fix this problem //////////////////////////////////////////////////////////////////////// and ... ///[error msg]///////////////////////////////////////////////////////// RegSvr32 libkleo.dll returns, libkleo.dll was loaded, but the DllRegisterServer entry point was not found This file can not be registered //////////////////////////////////////////////////////////////////////// what, the libkleo.dll is not a .dll or .ocx file ?? -- Key fingerprint = DB4D 251B FE8A BDCD 2BE4 E889 13F1 78D0 A386 B32B From wk at gnupg.org Mon Aug 16 10:08:12 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 16 Aug 2010 10:08:12 +0200 Subject: libkleo.dll can't load within TheBat! or be registered In-Reply-To: <1619564056.20100814162507@gmail.com> (emylistsddg@gmail.com's message of "Sat, 14 Aug 2010 16:25:07 -0700") References: <1619564056.20100814162507@gmail.com> Message-ID: <871v9zugib.fsf@vigenere.g10code.de> On Sun, 15 Aug 2010 01:25, emylistsddg at gmail.com said: > gpg4win seems to work fine except when trying to load up kleopatra.exe from within TheBat! > > ///[error msg]///////////////////////////////////////////////////////// > kleopatra.exe - Unable to Locate Component Please check the source code to see what is going wrong. Ooops - No source code? - Then please ask the makers of The Bat. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From expires2010 at ymail.com Mon Aug 16 19:07:08 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 16 Aug 2010 18:07:08 +0100 Subject: libkleo.dll can't load within TheBat! or be registered In-Reply-To: <871v9zugib.fsf@vigenere.g10code.de> References: <1619564056.20100814162507@gmail.com> <871v9zugib.fsf@vigenere.g10code.de> Message-ID: <1621837573.20100816180708@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 16 August 2010 at 9:08:12 AM, in , Werner Koch wrote: > Please check the source code to see what is going > wrong. > Ooops - No source code? - Then please ask the makers of > The Bat. You could also try asking on The Bat! User Discussion List, in case anybody else has issues when they select "OpenPGP Key Manager" from the menu. FWIW, TB! manages to open GPGshell's key manager for me without issue. (I'm guessing you have double-checked the "path to GnuPG external key manager" is set correctly in TB! at Options | OpenPGP | OpenPGP Preferences | Files tab.) - -- Best regards MFPA mailto:expires2010 at ymail.com Change is inevitable except from a vending machine -----BEGIN PGP SIGNATURE----- iQCVAwUBTGlwRqipC46tDG5pAQrkJAQAsK5+MUuBLXDtHV93jOjGfMDUAJeoecVR cu/fTgFiCCosG3LdZgXdaQ4WhIFhvnHBy2cxXQbvTP59REXVBq86hCRDd7L6+4pa C0G82RmJO+xP5X/g5syU7HQPkjELrfPfoq/DYVAS5YqweP5z/bF51SR7QpNR4Szd moO/nJRP7Sk= =Wfbe -----END PGP SIGNATURE----- From jpboard2 at yahoo.com Tue Aug 17 00:24:18 2010 From: jpboard2 at yahoo.com (James Board) Date: Mon, 16 Aug 2010 15:24:18 -0700 (PDT) Subject: Split Data Packet into Multiple Packets? Message-ID: <55392.52533.qm@web45901.mail.sp1.yahoo.com> Hi, I looked into the OpenPGP Message Format spec, and some encrypted files, and figured out that no matter how large my encrypted message is, gpg uses a single Data Packet for the cipher text. Can I somehow split that Data Packet into multiple independent Data Packets and decrypt them independently of each other? I know I can't do that with standard command-line args to gpg, but I'm willing to manipulate the Data Packet to do this. Is it possible from a technical standpoint ov view? Also, what is the format of that Data Packet? The OpenPGP Message Format is silent on that matter. I'm not using any compression when I encrypt, so the Data Packet should be about the same size as the unencrypted file. However, it's usually about 55 bytes longer than that. What other information is stored in the Data Packet and what is the format? Thanks From sindegra at gmail.com Tue Aug 17 02:38:52 2010 From: sindegra at gmail.com (Joseph Isadore Ziff) Date: Mon, 16 Aug 2010 20:38:52 -0400 Subject: Change encryption on the secret key Message-ID: <20100816203852.437321ae.sindegra@gmail.com> Dear Fellow Gnupg users, I recently grew more knowlegeable about of the different ciphers and compression methods. I already generated my secret key but would like to change the symmetric encryption protecting the secret key. I put the following in my gpg.conf: s2k-cipher-algo AES256 and then I updated my password with gpg --edit-key, passwd. Is that enough to update the cipher on my private key? If not, what should I be doing? Is there also a way to detect the encryption algorithm on a file? Any help with these questions is appreciated. Sincerely, -- Joseph Isadore Ziff Verify the GPG signatures I make with pgp/gpg software: http://www.gnupg.org/. Encryption is free. Take the matter of privacy in your own hands. (Contact me if you are interested or need any help.) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From dshaw at jabberwocky.com Tue Aug 17 05:18:21 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 16 Aug 2010 23:18:21 -0400 Subject: Change encryption on the secret key In-Reply-To: <20100816203852.437321ae.sindegra@gmail.com> References: <20100816203852.437321ae.sindegra@gmail.com> Message-ID: <8858BA5D-7E67-46DF-AEE6-A69B7911133E@jabberwocky.com> On Aug 16, 2010, at 8:38 PM, Joseph Isadore Ziff wrote: > Dear Fellow Gnupg users, > > I recently grew more knowlegeable about of the different ciphers and compression methods. I already generated my secret key but would like to change the symmetric encryption protecting the secret key. I put the following in my gpg.conf: > > s2k-cipher-algo AES256 > > and then I updated my password with gpg --edit-key, passwd. Is that enough to update the cipher on my private key? Yes. See also the --s2k-digest-algo option, but the default is what you want anyway. > Is there also a way to detect the encryption algorithm on a file? Any help with these questions is appreciated. Try gpg --list-packets, or decrypting with "-v" set. David From dshaw at jabberwocky.com Tue Aug 17 05:22:36 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 16 Aug 2010 23:22:36 -0400 Subject: Split Data Packet into Multiple Packets? In-Reply-To: <55392.52533.qm@web45901.mail.sp1.yahoo.com> References: <55392.52533.qm@web45901.mail.sp1.yahoo.com> Message-ID: On Aug 16, 2010, at 6:24 PM, James Board wrote: > Hi, > > I looked into the OpenPGP Message Format spec, and some encrypted files, and figured out that no matter how large my encrypted message is, gpg uses a single Data Packet for the cipher text. Can I somehow split that Data Packet into multiple independent Data Packets and decrypt them independently of each other? I know I can't do that with standard command-line args to gpg, but I'm willing to manipulate the Data Packet to do this. Is it possible from a technical standpoint ov view? Yes and no. Yes, in that you can probably torture the GPG code into doing it. No, in that OpenPGP does not permit multiple data packets in a single message. > Also, what is the format of that Data Packet? The OpenPGP Message Format is silent on that matter. I'm not using any compression when I encrypt, so the Data Packet should be about the same size as the unencrypted file. However, it's usually about 55 bytes longer than that. What other information is stored in the Data Packet and what is the format? Read RFC-4880. Specifically, section 11.3, which gives the various legal packet combinations. David From joke at seiken.de Tue Aug 17 11:31:23 2010 From: joke at seiken.de (Joke de Buhr) Date: Tue, 17 Aug 2010 11:31:23 +0200 Subject: Importing subkeys from smartcard Message-ID: <201008171131.33543.joke@seiken.de> hi, if I transfer my smartcard to an new host I can run gpg2 --card-edit fetch to import my public key from a keyserver. But if done so gnupg doesn't recognize the private subkeys stored on the smartcard. How do I tell gnupg where it should look for the private subkeys? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Wed Aug 18 09:44:15 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 18 Aug 2010 09:44:15 +0200 Subject: Importing subkeys from smartcard In-Reply-To: <201008171131.33543.joke@seiken.de> (Joke de Buhr's message of "Tue, 17 Aug 2010 11:31:23 +0200") References: <201008171131.33543.joke@seiken.de> Message-ID: <87zkwkqsa8.fsf@vigenere.g10code.de> On Tue, 17 Aug 2010 11:31, joke at seiken.de said: > to import my public key from a keyserver. But if done so gnupg doesn't > recognize the private subkeys stored on the smartcard. How do I tell gnupg > where it should look for the private subkeys? Insert the smartcard and run "gpg --card-staus" (--card-edit) again. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From alex_gnupg at yahoo.in Wed Aug 18 07:59:35 2010 From: alex_gnupg at yahoo.in (Alex Smily) Date: Tue, 17 Aug 2010 22:59:35 -0700 (PDT) Subject: where is the keyring location in windows XP Message-ID: <582660.33970.qm@web95720.mail.in.yahoo.com> Hi i am new to gnupg & email encryption. I have installed gpg4win on my machine...it is working fine , i am able to send and receive encrypted mails using Thunderbird (using enigmail plugin) & outlook. but i want to use outlook express so i decide to use GPGrelay but when i am installing it.. it is asking for keyring location which it didn find ..please let me know where the keyring location is in windows and any other config files Thanks alex -------------- next part -------------- An HTML attachment was scrubbed... URL: From singh.madhusudan at gmail.com Wed Aug 18 17:09:02 2010 From: singh.madhusudan at gmail.com (Madhusudan Singh) Date: Wed, 18 Aug 2010 10:09:02 -0500 Subject: Adding keys Message-ID: Hello, I am new to using GPG. I have consulted the manuals and help online, but I am not sure it addresses my concern. I am trying to use this on Mac OSX Snow Leopard (so using MacGPG is apparently out of the question). Here is the situation: On Machine A (that I no longer have), I created a GPG key with email address A. Before I got rid of the machine, I backed up everything to disk (so I have the .gnupg folder and when I try using the keys within with certain scripts (using pathnames), the key works (it authenticates me to my Amazon S3 backup). On Machine B (that I am currently using), I created another GPG key with a different email address (B). I am using that key to make encrypted duplicity backups to a local Linux server (which is different from Amazon S3 - I am a fan of redundant, geographically diverse backups). This key appears in the output of gpg --list-keys (while the other one, for obvious reasons, does not). I want to merge the two keys in some way so that I get both keys listed. Importing a public key appears to be standard procedure. But what I need is access to the secret key for both keys so that I can make both the Amazon S3 and local Linux server backups without being forced to pass paths to certain scripts. Questions: 1. Is my question even well-posed ? 2. Is this kind of thing even possible ? 3. How do I do it ? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2010 at ymail.com Wed Aug 18 18:52:39 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 18 Aug 2010 17:52:39 +0100 Subject: where is the keyring location in windows XP In-Reply-To: <582660.33970.qm@web95720.mail.in.yahoo.com> References: <582660.33970.qm@web95720.mail.in.yahoo.com> Message-ID: <1794700729.20100818175239@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 18 August 2010 at 6:59:35 AM, in , Alex Smily wrote: > i am new to gnupg & email encryption. I have installed > gpg4win on my machine...it is working fine , i am able > to send and receive encrypted mails using Thunderbird > (using enigmail plugin) & outlook. but i want to use > outlook express so i decide to use GPGrelay but when i > am installing it.. it is asking for keyring location > which it didn find ..please let me know where the > keyring location is in windows and any other config > files Mine are at:- %appdata%\GnuPG\pubring.gpg %appdata%\GnuPG\secring.gpg %appdata%\GnuPG\trustdb.gpg %appdata%\GnuPG\gpg.conf - -- Best regards MFPA mailto:expires2010 at ymail.com Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTGwP5aipC46tDG5pAQp3GQQAjrhWelQDgPw3eK8njMsC6R2gzCWWKPr4 A1T3KuvEn4dv0iJXHrohLCFA0DKnaT3pkW4DpDMUWWo9kbDS0dOmY6whI8zBdiIr l1b2GRvdhlY4lJY6GbbmOfDICbeFUGZi2CFWDxgv00bnN/rZQzOog1rv3qydaVb0 MrUyd5Pz5/Q= =30GD -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Aug 18 19:32:33 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 18 Aug 2010 13:32:33 -0400 Subject: Adding keys In-Reply-To: References: Message-ID: <4C6C1931.7040704@sixdemonbag.org> On 8/18/2010 11:09 AM, Madhusudan Singh wrote: > I am new to using GPG. I have consulted the manuals and help online, but > I am not sure it addresses my concern. I am trying to use this on Mac > OSX Snow Leopard (so using MacGPG is apparently out of the question). MacGPG works just fine on OS X 10.6. I use it daily. > I want to merge the two keys in some way so that I get both keys listed. > Importing a public key appears to be standard procedure. But what I need > is access to the secret key for both keys so that I can make both the > Amazon S3 and local Linux server backups without being forced to pass > paths to certain scripts. gpg --import-key [secret key file] ... doesn't work? From rjh at sixdemonbag.org Wed Aug 18 20:25:33 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 18 Aug 2010 14:25:33 -0400 Subject: Adding keys In-Reply-To: <4C6C1931.7040704@sixdemonbag.org> References: <4C6C1931.7040704@sixdemonbag.org> Message-ID: <4C6C259D.7090107@sixdemonbag.org> On 8/18/2010 1:32 PM, Robert J. Hansen wrote: > gpg --import-key [secret key file] My goof: I meant to type '--import.' From John at Mozilla-Enigmail.org Wed Aug 18 21:15:57 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 18 Aug 2010 14:15:57 -0500 Subject: where is the keyring location in windows XP In-Reply-To: <582660.33970.qm@web95720.mail.in.yahoo.com> References: <582660.33970.qm@web95720.mail.in.yahoo.com> Message-ID: <4C6C316D.4080401@Mozilla-Enigmail.org> Alex Smily wrote: > Hi > > i am new to gnupg & email encryption. I have installed gpg4win on my > machine...it is working fine , i am able to send and receive encrypted > mails using Thunderbird (using enigmail plugin) & outlook. but i want to > use outlook express so i decide to use GPGrelay but when i am installing > it.. it is asking for keyring location which it didn find ..please let > me know where the keyring location is in windows and any other config files The keyring files, pubring.gpg, secring.gpg, trustdb.gpg, are stored by default in %APPDATA%\GnuPG. This usually translates as - Window XP and earlier (XP/2000/NT) - C:\Documents and Settings\\Application Data\GnuPG - Windows Vista and Windows 7: C:\Users\\AppData\Roaming\gnupg Any custom settings for GnuPG are stored in gpg.conf. It and any other GnuPG config files are /normally/ located in the same directory as the keyring files. Is GPGrelay still maintained? Last I saw it had been quite some time since any work had been done on it. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From Chris.Knadle at coredump.us Wed Aug 18 22:05:58 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Wed, 18 Aug 2010 16:05:58 -0400 Subject: Adding keys In-Reply-To: References: Message-ID: <201008181605.58511.Chris.Knadle@coredump.us> On Wednesday 18 August 2010 11:09:02 Madhusudan Singh wrote: ... > On Machine A (that I no longer have), I created a GPG key with email > address A. Before I got rid of the machine, I backed up everything to disk > (so I have the .gnupg folder and when I try using the keys within with > certain scripts (using pathnames), the key works (it authenticates me to > my Amazon S3 backup). > > On Machine B (that I am currently using), I created another GPG key with a > different email address (B). I am using that key to make encrypted > duplicity backups to a local Linux server (which is different from Amazon > S3 - I am a fan of redundant, geographically diverse backups). This key > appears in the output of gpg --list-keys (while the other one, for obvious > reasons, does not). > > I want to merge the two keys in some way so that I get both keys listed. > Importing a public key appears to be standard procedure. But what I need is > access to the secret key for both keys so that I can make both the Amazon > S3 and local Linux server backups without being forced to pass paths to > certain scripts. As far as I know there's no way to "merge keys". Each encryption key is tied to a particular primary key, so there's no way to move that key to be "under" a different primary key. You could create a second UID on the "Machine B" key that has the same email address as "Machine A", but the encryption key used would still be different -- encryption keys are tied to the primary key, and not to a particular UID or a particular email address. [I hope that makes sense.] You can /import/ the secret key for "Machine A", which is what Robert was explaining. This will let you use that key as well as the one that you're currently using for "Machine B". At least that's my current understanding. -- Chris -- Chris Knadle Chris.Knadle at coredump.us From jimoe at sohnen-moe.com Thu Aug 19 01:16:03 2010 From: jimoe at sohnen-moe.com (James Moe) Date: Wed, 18 Aug 2010 16:16:03 -0700 Subject: gpg-agent does not work In-Reply-To: <87r5i3uew9.fsf@vigenere.g10code.de> References: <4C61B6FC.9060508@sohnen-moe.com> <87ocd9xwi2.fsf@vigenere.g10code.de> <4C639AAD.7090108@sohnen-moe.com> <878w4cvzku.fsf@vigenere.g10code.de> <4C644112.50608@sohnen-moe.com> <87r5i3uew9.fsf@vigenere.g10code.de> Message-ID: <4C6C69B3.6010402@sohnen-moe.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/13/2010 12:53 AM, Werner Koch wrote: > > Check that either pcscd is running or if using the internal driver that > you have write permissions to the usb node. > USB? Why? I do not, nor never have had, a smartcard. Why would look for a smartcard? - -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxsabMACgkQzTcr8Prq0ZPETQCfathvIyMUfuntUepIMhodjuI1 5uYAnR9RkM5XzZSLeWT9PRiPFII81Gm9 =AZ0j -----END PGP SIGNATURE----- From john.moores at hp.com Wed Aug 18 12:48:55 2010 From: john.moores at hp.com (Moores, John) Date: Wed, 18 Aug 2010 10:48:55 +0000 Subject: Error compiling GnuPG 1.4.10 on Sun Solaris - "stdint.h: No such file or directory" Message-ID: <759E6FE31C4C6445B67448ED58A901A239E0392428@GVW1350EXA.americas.hpqcorp.net> Hi, Please can you help me with this problem. I notice that this problem was logged as a bug (Issue #1155) back in December 2009. Unfortunately I cannot see a resolution in the BTS. I've also checked all emails going back to beginning of 2009 but no other mention of this issue found. My compile attempt gave me the following error: gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../include -I../intl -D_REENTRANT -g -O2 -Wall -MT estream-printf.o -MD -MP -MF .deps/estream-printf.Tpo -c -o estream-printf.o estream-printf.c estream-printf.c:52:21: stdint.h: No such file or directory *** Error code 1 make: Fatal error: Command failed for target `estream-printf.o' Current working directory /app/dzdsnp/gnugp/gnupg-1.4.10/util *** Error code 1 make: Fatal error: Command failed for target `all-recursive' Current working directory /app/dzdsnp/gnugp/gnupg-1.4.10 *** Error code 1 make: Fatal error: Command failed for target `all' The config.status file shows: configure:8960: checking for inttypes.h configure:8981: gcc -c -g -O2 conftest.c >&5 configure:8987: $? = 0 configure:9003: result: yes configure:8960: checking for stdint.h configure:8981: gcc -c -g -O2 conftest.c >&5 conftest.c:91:20: stdint.h: No such file or directory configure:8987: $? = 1 We're compiling on the following platform: SunOS 5.9 Generic_117171-07 sun4u sparc SUNW,Sun-Fire-V240 I'm sure I've read somewhere (http://www.selenic.com/pipermail/mercurial/2006-June/008916.html) that on Sun Solaris, the stdint.h is not used / required as this is covered by inttypes.h. Not sure if this is relevant. Many thanks in advance for your help. Best regards, John. John Moores Business Exchange Services HP Enterprise Services UK Ltd Hewlett-Packard Company +44 (0)1925 5841196 / Tel john.moores at hp.com / Email 2 Kelvin Close, Birchwood Science Park North Warrington WA3 7PB UK -------------- next part -------------- An HTML attachment was scrubbed... URL: From Chris.Knadle at coredump.us Thu Aug 19 22:21:28 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Thu, 19 Aug 2010 16:21:28 -0400 Subject: Error compiling GnuPG 1.4.10 on Sun Solaris - "stdint.h: No such file or directory" In-Reply-To: <759E6FE31C4C6445B67448ED58A901A239E0392428@GVW1350EXA.americas.hpqcorp.net> References: <759E6FE31C4C6445B67448ED58A901A239E0392428@GVW1350EXA.americas.hpqcorp.net> Message-ID: <201008191621.28758.Chris.Knadle@coredump.us> On Wednesday 18 August 2010 06:48:55 Moores, John wrote: > Hi, > > Please can you help me with this problem. > > I notice that this problem was logged as a bug (Issue #1155) back in > December 2009. Unfortunately I cannot see a resolution in the BTS. I've > also checked all emails going back to beginning of 2009 but no other > mention of this issue found. > > My compile attempt gave me the following error: > gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../include -I../intl -D_REENTRANT -g > -O2 -Wall -MT estream-printf.o -MD -MP -MF .deps/estream-printf.Tpo -c -o > estream-printf.o estream-printf.c estream-printf.c:52:21: stdint.h: No > such file or directory > *** Error code 1 > make: Fatal error: Command failed for target `estream-printf.o' > Current working directory /app/dzdsnp/gnugp/gnupg-1.4.10/util > *** Error code 1 > make: Fatal error: Command failed for target `all-recursive' > Current working directory /app/dzdsnp/gnugp/gnupg-1.4.10 > *** Error code 1 > make: Fatal error: Command failed for target `all' > > The config.status file shows: > configure:8960: checking for inttypes.h > configure:8981: gcc -c -g -O2 conftest.c >&5 > configure:8987: $? = 0 > configure:9003: result: yes > configure:8960: checking for stdint.h > configure:8981: gcc -c -g -O2 conftest.c >&5 > conftest.c:91:20: stdint.h: No such file or directory > configure:8987: $? = 1 > > We're compiling on the following platform: > SunOS 5.9 Generic_117171-07 sun4u sparc SUNW,Sun-Fire-V240 > > I'm sure I've read somewhere > (http://www.selenic.com/pipermail/mercurial/2006-June/008916.html) that on > Sun Solaris, the stdint.h is not used / required as this is covered by > inttypes.h. Not sure if this is relevant. > > Many thanks in advance for your help. Disclaimer: I haven't compiled code for Solaris in a long time I'm assuming you're trying to compile the code from here: http://www.sunfreeware.com/programlistsparc10.html#gnupg I've found a discussion on trying to compile another program on Solaris x86, and what's interesting is that depending on the version of Solaris the stdint.h header either is or is not available: http://opensolaris.org/jive/thread.jspa?messageID=478257 With version: SunOS aequitas 5.11 snv_138 i86pc i386 i86pc the stdint.h header is there, but with version: SunOS titan 5.8 Generic_127722-03 i86pc i386 i86pc it's not. This isn't the same architecture, but this at least gives me a clue that the lack of the header/library is likely version-specific. -- Chris -- Chris Knadle Chris.Knadle at coredump.us From recasted at hotmail.com Thu Aug 19 23:26:07 2010 From: recasted at hotmail.com (BernePGP) Date: Thu, 19 Aug 2010 14:26:07 -0700 (PDT) Subject: gnuPGP Setup Message-ID: <29486628.post@talk.nabble.com> Hi , Im really new to this and I have about 80% understood, I am at the stage where I have sent my key in a word file to my recipient that is sorted. I then tell the reciepient to download and load the gnupgp programe and to read the setup for novice readme file. After the recipient has loaded the programe he generates a personal key but does he do as I have done and copy out his public key in a wordfile and send it to me? In other words when the recipient got my email with my public key encrypted in a wordfile , what does he then do? Does he copy and paste my public key somewhere in his gnupgp programe? Next: In what form should I expect to recieve the senders public key? Will it arrive already encrypted in a word file and if so what do I do with that enc public key in regard to my gnuPGP programe? Again a newbie , a few words to clear the matter please. I did read the novice helpfile but you can see the whole process is not fully understood. BernePGP -- View this message in context: http://old.nabble.com/gnuPGP-Setup-tp29486628p29486628.html Sent from the GnuPG - User mailing list archive at Nabble.com. From Simon.Richter at hogyros.de Fri Aug 20 15:09:53 2010 From: Simon.Richter at hogyros.de (Simon Richter) Date: Fri, 20 Aug 2010 15:09:53 +0200 Subject: gnuPGP Setup In-Reply-To: <29486628.post@talk.nabble.com> References: <29486628.post@talk.nabble.com> Message-ID: <20100820130953.GD6950@richter> Hi, On Thu, Aug 19, 2010 at 02:26:07PM -0700, BernePGP wrote: > After the recipient has loaded the programe he generates a personal key but > does he do as I have done and copy out his public key in a wordfile and send > it to me? Essentially, yes. It is usually advisable to use plain text files (i.e. files containing just the raw text, without any formatting), as these can be used from gpg directly. If you use gpg on the command line, the easiest way is to use the "--output" (or "-o") option, e.g. in order to export a key: gpg --output mykey.txt --export --armor 12345678 where you replace "mykey.txt" with the name of the file you wish to contain a copy of your public key, and 12345678 with the ID for your key. You can import such a file using gpg --import mykey.txt (again, replacing the file name). > In other words when the recipient got my email with my public key encrypted > in a wordfile , what does he then do? Does he copy and paste my public key > somewhere in his gnupgp programe? He needs to import the key using --import. For this it is vital that the key be available as plain text. If you have a Word file, you should copy and paste the text into Notepad, and import from there. Note that the communication channel you used to transfer the public key is not secure -- while an attacker could not use the key data for anything other than sending you an encrypted message, a man in the middle could swap the key for another one. Therefore, it is recommended that after importing, you list the contents of the keyring using the command gpg --fingerprint which will then show you one block for each known key, starting with "pub" then followed by a number and letter, a slash, then the key id and creation date, then in the next line listing a string of numbers. You should verify that these two lines are the same for both you and the recipient, if they are, then the key has not been tampered with in transit. You can then use gpg --sign-key 23456789 (replacing 23456789 with the other's key id), and follow the instructions there to sign their key using yours; with this, you amend the other's key with a signed note saying that you have verified their identity, as the note is signed it cannot be forged, and your local copy of gpg will then know that it is safe to use this key (otherwise it'll warn that the key is "untrusted" whenever it is used). > In what form should I expect to recieve the senders public key? Will it > arrive already encrypted in a word file and if so what do I do with that enc > public key in regard to my gnuPGP programe? The same thing as your party does with your key. Simon From rjh at sixdemonbag.org Fri Aug 20 15:20:03 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 20 Aug 2010 09:20:03 -0400 Subject: gnuPGP Setup In-Reply-To: <20100820130953.GD6950@richter> References: <29486628.post@talk.nabble.com> <20100820130953.GD6950@richter> Message-ID: <4C6E8103.9060308@sixdemonbag.org> On 8/20/2010 9:09 AM, Simon Richter wrote: >> After the recipient has loaded the programe he generates a personal key but >> does he do as I have done and copy out his public key in a wordfile and send >> it to me? > > Essentially, yes. One detail that Simon omitted: do not copy public keys into Word files. It must be transmitted as-is, without any of the data mangling that Word does behind-the-scenes. Alternately (and IMO, preferably), use the keyserver network. gpg --keyserver pool.sks-keyservers.net --send-key 12345678 Then, a few hours later, the correspondent can use recv-key to get the key: gpg --keyserver pool.sks-keyservers.net --recv-key 12345678 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From expires2010 at ymail.com Fri Aug 20 19:47:05 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 20 Aug 2010 18:47:05 +0100 Subject: Adding keys In-Reply-To: <201008181605.58511.Chris.Knadle@coredump.us> References: <201008181605.58511.Chris.Knadle@coredump.us> Message-ID: <843486794.20100820184705@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 18 August 2010 at 9:05:58 PM, in , Chris Knadle wrote: > As far as I know there's no way to "merge keys". It *can* be done, but that doesn't mean it *should* be done. See http://atom.smasher.org/gpg/gpg-migrate.txt - -- Best regards MFPA mailto:expires2010 at ymail.com It's better to feed one cat than many mice -----BEGIN PGP SIGNATURE----- iQCVAwUBTG6/qKipC46tDG5pAQr6NQP7BBtRaFs1NyRwyX1Agu1PZzUSgqEutC3Q rbGDWx271IQ1o5dC4XF+ePVLxzn+BfMa0UpsBPg6NYpzVk0kxOj8gcbYQXR+PuK7 ui3P9GiSTY5yloNuzVo/xnemtJm++dwzu4Ktu9qU7z3pXi7+INWqVWIM9R4h6tW/ nM1zqvShYjo= =dsF0 -----END PGP SIGNATURE----- From faramir.cl at gmail.com Fri Aug 20 22:42:25 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 20 Aug 2010 16:42:25 -0400 Subject: gnuPGP Setup In-Reply-To: <29486628.post@talk.nabble.com> References: <29486628.post@talk.nabble.com> Message-ID: <4C6EE8B1.7060007@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 19-08-2010 17:26, BernePGP escribi?: ... > In other words when the recipient got my email with my public key encrypted > in a wordfile , what does he then do? Does he copy and paste my public key > somewhere in his gnupgp programe? Well, there are graphical interphases to use GnuPG easily. Since you said you pasted your key into a word file, I assume (maybe a risky asumption) you are using Windows. My favorite GUI is GPGShell, but it is not open source, so you can either trust or distrust it. GPG4win package includes other GUIs, and these are Open Source, so it is up to you what you would like to use, if any. With GPGShell, I just double-click the public key file, and it is imported to my keyring. > Next: > > In what form should I expect to recieve the senders public key? Will it > arrive already encrypted in a word file and if so what do I do with that enc > public key in regard to my gnuPGP programe? Well, I guess the most common format is an ascii enarmored file (file.asc), which can be opened into notepad, or imported directly to GnuPG (using either the command line or a GUI). As Simon Richter said, you should check the key fingerprint with the key owner, to make sure you have the right key, and that should be done using a "secure channel", like a phone call (assuming you know the voice of the key owner and can detect if someone else is trying to impersonate him/her). Another option is to upload your key to a public keyserver, and then anybody can search by email address or name or keyID, and download your key. Of course, that way is even easier to upload a bogus key, so you should check you are downloading the right key. By the way, once you have uploaded your key to a keyserver, there is no way to remove it from the keyserver. Most people don't care too much about that, but a few persons don't like their keys to be uploaded to keyservers, so you should ask permision from the key owner before uploading his/her key to anywhere. So, usually, the recomendation is, if you sign a key, send it back to the owner, and let him/her to chose to upload or not upload it. > Again a newbie , a few words to clear the matter please. I did read the > novice helpfile but you can see the whole process is not fully understood. Don't worry, these things take time to be fully digested. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMbuixAAoJEMV4f6PvczxAqOcIAJuqKRXGRPnwnVCUR9+e7AT2 eLgjy4gWZhVvba0Jb1eVoQTD6fzi17QjJZjQJEbOLoYM9y+mtTDkryboOIDlJ799 B9XocdqFwCDRJy9YCy4ZYGnbYVDG2koMsSLYaat3NucTqtMORg6RROudA6MBOIRG o02nHFHJ20hRxFtHXoDAMrF/7ZrEgQ6Bz6SY98DBEa4wH9Gvvy3SuUWmV/yeMrhR o3B6IVmU2is6GvXA0VyF+agJ9oeWLdqyBkC9mMye2oKPahHGpoAi1T6m6Fu5g8nd DCnAEeXm1OkLpQl6YkZyUozK9eOjpM4NigjXPIuOgFi6nrwh3eYLnSorLMLSoco= =2zBQ -----END PGP SIGNATURE----- From krisik28 at gmail.com Sat Aug 21 00:49:05 2010 From: krisik28 at gmail.com (Krzysztof Kowalski) Date: Sat, 21 Aug 2010 00:49:05 +0200 Subject: Gnugp won't compile Message-ID: Hello i have a little problem gnugp from svn won't compile I compiled : libassuan-2.0.1 libksba-1.0.8 pth-2.0.7 libgpg-error-1.9 ./configure show this : http://wklej.org/hash/a063261d b1/ so everything should be ok but make give this : make make all-recursive make[1]: Entering directory `/home/krisik28/src/gnupg/gnupg' Making all in m4 make[2]: Entering directory `/home/krisik28/src/gnupg/gnupg/m4' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/home/krisik28/src/gnupg/gnupg/m4' Making all in gl make[2]: Entering directory `/home/krisik28/src/gnupg/gnupg/gl' { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ cat ./alloca_.h; \ } > alloca.h-t mv -f alloca.h-t alloca.h make all-am make[3]: Entering directory `/home/krisik28/src/gnupg/gnupg/gl' gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT allocsa.o -MD -MP -MF .deps/allocsa.Tpo -c -o allocsa.o allocsa.c mv -f .deps/allocsa.Tpo .deps/allocsa.Po rm -f libgnu.a ar cru libgnu.a allocsa.o ranlib libgnu.a make[3]: Leaving directory `/home/krisik28/src/gnupg/gnupg/gl' make[2]: Leaving directory `/home/krisik28/src/gnupg/gnupg/gl' Making all in include make[2]: Entering directory `/home/krisik28/src/gnupg/gnupg/include' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/home/krisik28/src/gnupg/gnupg/include' Making all in jnlib make[2]: Entering directory `/home/krisik28/src/gnupg/gnupg/jnlib' gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT stringhelp.o -MD -MP -MF .deps/stringhelp.Tpo -c -o stringhelp.o stringhelp.c mv -f .deps/stringhelp.Tpo .deps/stringhelp.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT strlist.o -MD -MP -MF .deps/strlist.Tpo -c -o strlist.o strlist.c mv -f .deps/strlist.Tpo .deps/strlist.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT utf8conv.o -MD -MP -MF .deps/utf8conv.Tpo -c -o utf8conv.o utf8conv.c mv -f .deps/utf8conv.Tpo .deps/utf8conv.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT argparse.o -MD -MP -MF .deps/argparse.Tpo -c -o argparse.o argparse.c argparse.c: In function ?show_help?: argparse.c:999: warning: ignoring return value of ?fwrite?, declared with attribute warn_unused_result mv -f .deps/argparse.Tpo .deps/argparse.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT logging.o -MD -MP -MF .deps/logging.Tpo -c -o logging.o logging.c mv -f .deps/logging.Tpo .deps/logging.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT dotlock.o -MD -MP -MF .deps/dotlock.Tpo -c -o dotlock.o dotlock.c mv -f .deps/dotlock.Tpo .deps/dotlock.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT mischelp.o -MD -MP -MF .deps/mischelp.Tpo -c -o mischelp.o mischelp.c mv -f .deps/mischelp.Tpo .deps/mischelp.Po rm -f libjnlib.a ar cru libjnlib.a stringhelp.o strlist.o utf8conv.o argparse.o logging.o dotlock.o mischelp.o ranlib libjnlib.a gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT t-stringhelp.o -MD -MP -MF .deps/t-stringhelp.Tpo -c -o t-stringhelp.o t-stringhelp.c mv -f .deps/t-stringhelp.Tpo .deps/t-stringhelp.Po gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT t-support.o -MD -MP -MF .deps/t-support.Tpo -c -o t-support.o t-support.c mv -f .deps/t-support.Tpo .deps/t-support.Po gcc -DJNLIB_IN_JNLIB -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o t-stringhelp t-stringhelp.o t-support.o libjnlib.a make[2]: Leaving directory `/home/krisik28/src/gnupg/gnupg/jnlib' Making all in common make[2]: Entering directory `/home/krisik28/src/gnupg/gnupg/common' make[2]: *** No rule to make target `audit-events.h', needed by `all'. Stop. make[2]: Leaving directory `/home/krisik28/src/gnupg/gnupg/common' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/krisik28/src/gnupg/gnupg' make: *** [all] Error 2 So can someone tell me what im making bad that it won't compile ? Regards krisik28 -------------- next part -------------- An HTML attachment was scrubbed... URL: From kardan at brueckenschlaeger.de Sat Aug 21 07:13:42 2010 From: kardan at brueckenschlaeger.de (kardan) Date: Sat, 21 Aug 2010 07:13:42 +0200 Subject: encrypted message has been manipulated! Message-ID: <20100821071342.089b4a94@brueckenschlaeger.de> Greetings, I backed some folders with tar in combination with gnupg, file sizes differ from 100..400mb. Now when I needed some of the files back for nearly every archive I get: gpg: WARNING: encrypted message has been manipulated! I tried to unpack the resulting archives with $ for file in *.tar.gz ; do tar -xz --ignore-failed-read --ignore-command-error -f $file ; done gzip: stdin: unexpected end of file tar: Child returned status 1 tar: Exiting with failure status due to previous errors gzip: stdin: invalid compressed data--format violated tar: Unexpected EOF in archive tar: Unexpected EOF in archive tar: Error is not recoverable: exiting now tar: Skipping to next header tar: Exiting with failure status due to previous errors tar: Skipping to next header tar: Exiting with failure status due to previous errors tar: Skipping to next header gzip: stdin: invalid compressed data--format violated tar: Child returned status 1 tar: Exiting with failure status due to previous errors So, as gpg decrypts a damaged gzip file I assume there is no way restore a bit more than the slices so far. My research so far brought only topics related to the fat 4gb problem, wrong mail client wrapping and just one case of a damaged 420GB tgz-archive. This leads to my conclusion that my disk is exceptionally damaged. kardan > tar --version tar (GNU tar) 1.22 > gpg --version gpg (GnuPG) 1.4.10 From recasted at hotmail.com Sat Aug 21 13:21:07 2010 From: recasted at hotmail.com (BernePGP) Date: Sat, 21 Aug 2010 04:21:07 -0700 (PDT) Subject: gnuPGP Setup In-Reply-To: <29486628.post@talk.nabble.com> References: <29486628.post@talk.nabble.com> Message-ID: <29497552.post@talk.nabble.com> BernePGP wrote: > > Hi , > Im really new to this and I have about 80% understood, I am at the stage > where I have sent my key in a word file to my recipient that is sorted. I > then tell the reciepient to download and load the gnupgp programe and to > read the setup for novice readme file. > > After the recipient has loaded the programe he generates a personal key > but does he do as I have done and copy out his public key in a wordfile > and send it to me? > > In other words when the recipient got my email with my public key > encrypted in a wordfile , what does he then do? Does he copy and paste my > public key somewhere in his gnupgp programe? > > Next: > > In what form should I expect to recieve the senders public key? Will it > arrive already encrypted in a word file and if so what do I do with that > enc public key in regard to my gnuPGP programe? > > Again a newbie , a few words to clear the matter please. I did read the > novice helpfile but you can see the whole process is not fully understood. > > BernePGP > To be upfront, Im no further on, I just cant follow the great advice shown here. The only thing I can do is to provide a screenshot and then follow exactly an A), B), C) format no further advice until a return screenshot has proven that Ive understood and executed that step? So here is the first screenshot of my GnuPGP UI ( if I should use an easier UI please advise where I can get it but this one seems ok )? Oh, re the word file it was a misprint, wordpad was used, But now I cant seem to reproduce my own public key in wordpad? Regards, Berne http://old.nabble.com/file/p29497552/Image%2B1.GIF Image+1.GIF :confused::confused: -- View this message in context: http://old.nabble.com/gnuPGP-Setup-tp29486628p29497552.html Sent from the GnuPG - User mailing list archive at Nabble.com. From oliverml1 at oli1170.net Mon Aug 23 19:45:49 2010 From: oliverml1 at oli1170.net (Oliver Winker) Date: Mon, 23 Aug 2010 19:45:49 +0200 Subject: Setting up a gpg card with 2048bit, some notes Message-ID: <4C72B3CD.2090508@oli1170.net> Hi, Here some notes on the setup of my gpg card with 2048bit, and the different problems I meet with workarounds: --- 1) I could generate 1024 keys on card, but no 2048 keys. Setup is a ACR38U reader on a 32-bit linux system (Debian, Testing, 2.6.35.1) !? Generation stopped after 10-20sec with error message: "Key generation failed: general error" => Curiously! with the same hw running AMD64 I could generate 2048 keys on card with the same ACR38U !? I don't know why ... maybe some USB problem with the ACR38U. 2) The encryption key, due to gpg issue #1230, is currently set to 1024 bit. 3) A backup of the encryption key is saved (on choice) during generation, but not of the signing and auth key. --- The following describes an experimental way and patch for gpg 1.4.10, which allowed me to work around this. => Only try if you feel experimental as well ;)! No guarantees !! => Maybe this is also (partly) none-sense: no guarantees either, but comments are highly welcome then ;) !! So what the patch below does is the following: --- a) It uses the gen_card_key_with_backup() function for all three keys in keygen.c b) Sets the keys size to 2048 (hardcoded) --- => This solved my problems 2) and 3) ... and, since the keys are now generate in software by gpg (not on the card anymore), it also works around my problem 1). The final result is a gpg card with: * All three keys (signing, encr, auth) are now 2048 RSA * Backups of all keys, which allows to create a full backup card To create an initial card + backup card, the following are the steps: I) Setup the initial card: --- 1) Patch gpg 1.4.10 and build 2) Generate the keys (generate command), choose 2048 key size gpg.patched --card-edit admin generate Info: The "passphrase" question is the passphrase, that gpg will use to protect the backup keys stored on disc! => During generation note the names of the backup files in sequence of the keys generated. The sequence is the following: 1st) Signing key: sk_rst....gpg 2nd) Auth key: sk_uvw....gpg 3rd) Encr key: sk_xyz....gpg Info: If the card refuses the new keys, do first a 'normal' generate, on card, using a none patched gpg, with 1024 key sizes. This seems to reset things. --- II) Setup a backup card --- 1) Put the keys on the card from the created backup-files, using the 'bkuptocard' command gpg --edit-key XYZ... toggle bkuptocard sk_rst....gpg bkuptocard sk_uvw....gpg bkuptocard sk_xyz....gpg => Choose the right key-type (1,2 or 3) using the sequence noted before! Info: Also here, if the card refuses the new keys, do a 'normal' generate, on card, with a none patched gpg, with 1024 key sizes. This seems to reset things. 2) Now ATTENTION: !!! Your secret key backups are still all on disc !!! Depending on the 'passphrase' you gave them during the key generation, your secret keys are now more ???OR MAYBE LESS??? protected! If e.g. your passphrase was just a 6 digit-pin code, then their protection is very low, because there is no chip around them anymore, that can lock them away after three retries! => Therefore: Either a) shred them, then no more backups possible: the key once on the card can't be recovered or b) store them away in a safe place! --- III) Using the backup card --- In the gpg key-ring a 'stub' is pointing gpg to the card for the secret keys, and verifies the card serial number for this. The serial-number verification will fail with the backup card. To use the backup card with an existing installation, you need to: 1) Delete the secret-key, which is in fact just the stub: gpg --delete-secret-key XYZ... 2) And let gpg setup a new stub to the backup card, by an --card-status gpg --card-status --- If something goes wrong: As long as you don't block the card by meddling around with wrong pins, you can always back out and start over again. Cheers, Oliver --- diff --git a/gnupg-1.4.10/g10/keygen.c b/gnupg-1.4.10/g10/keygen.c --- a/gnupg-1.4.10/g10/keygen.c +++ b/gnupg-1.4.10/g10/keygen.c @@ -3138,6 +3138,19 @@ } else { + if ((s = get_parameter_value (para, pBACKUPENCDIR))) + { + /* A backup of the key has been requested. + Generate the key i software and import it then to + the card. Write a backup file. */ + rc = gen_card_key_with_backup (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, + timestamp, + get_parameter_u32 (para, + pKEYEXPIRE), + para, s); + + } else + rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, NULL, ×tamp, get_parameter_u32 (para, pKEYEXPIRE), para); @@ -3176,6 +3189,20 @@ if (!rc && card && get_parameter (para, pAUTHKEYTYPE)) { + + if ((s = get_parameter_value (para, pBACKUPENCDIR))) + { + /* A backup of the key has been requested. + Generate the key i software and import it then to + the card. Write a backup file. */ + rc = gen_card_key_with_backup (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, + timestamp, + get_parameter_u32 (para, + pKEYEXPIRE), + para, s); + + } else + rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, NULL, ×tamp, get_parameter_u32 (para, pKEYEXPIRE), para); @@ -3719,7 +3746,9 @@ sk_unprotected = NULL; sk_protected = NULL; - rc = generate_raw_key (algo, 1024, timestamp, +// rc = generate_raw_key (algo, 1024, timestamp, +// &sk_unprotected, &sk_protected); + rc = generate_raw_key (algo, 2048, timestamp, &sk_unprotected, &sk_protected); if (rc) return rc; From gnupg.user at seibercom.net Mon Aug 23 22:56:20 2010 From: gnupg.user at seibercom.net (Jerry) Date: Mon, 23 Aug 2010 16:56:20 -0400 Subject: Difference between different key types Message-ID: <20100823165620.7a9f43ac@scorpio> This is probably a stupid question; however, since I am relatively new to gpg, I was wondering if someone could briefly explain this to me. When creating a key, I am presented with a menu offering four possibilities: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) What is the difference between choices 1 & 2? Is one better than the other? Which would be preferred? I am assuming #1; however, "KGPG" (In the KDE suite) seems to prefer choice #2. -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. I don't want a pickle, I just wanna ride on my motorcycle. And I don't want to die, I just want to ride on my motorcycle. Arlo Guthrie From rjh at sixdemonbag.org Mon Aug 23 23:06:57 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Aug 2010 17:06:57 -0400 Subject: Difference between different key types In-Reply-To: <20100823165620.7a9f43ac@scorpio> References: <20100823165620.7a9f43ac@scorpio> Message-ID: <4C72E2F1.7090806@sixdemonbag.org> On 8/23/2010 4:56 PM, Jerry wrote: > What is the difference between choices 1 & 2? Is one better than the > other? Which would be preferred? I am assuming #1; however, "KGPG" (In > the KDE suite) seems to prefer choice #2. All asymmetric cryptography is built on math problems that are so hard they cannot be solved unless you already know part of the answer. For instance, factoring a number is hard: what two prime factors go into 2,701? But if I give you one of those prime factors (37), it's really easy to figure out the other one (73). RSA is built on the Integer Factorization Problem (IFP). This is pretty much exactly what's described above. DSA and Elgamal are built on the Discrete Logarithm Problem (DLP). This is a different kind of problem involving computing discrete logarithms in a finite field -- another problem that's widely considered to be intractable unless you already know part of the answer. That's the big difference between DSA/Elgamal and RSA. From a purely functional perspective, they are almost entirely equivalent. (One might be a few milliseconds faster for encryption, one might be a few milliseconds faster for decryption -- but that's hardly a big deal.) "Better" is a subjective term. I don't know what "better" means to you, so I can't answer it. A lot of pointless holy wars have erupted over which key type is "better", and my best advice is to ignore the question completely. GnuPG has sensible defaults. You don't need to override them. From tchitwoo at us.ibm.com Tue Aug 24 00:06:03 2010 From: tchitwoo at us.ibm.com (Thomas Chitwood) Date: Mon, 23 Aug 2010 16:06:03 -0600 Subject: AUTO: Out of office (returning 08/30/2010) Message-ID: I am out of the office until 08/30/2010. I will be on vacation the week of Aug 23 and will not have access to the internae or email. I will respond to your message when I return. If this is an FTP emergency, Please contact Doyle Hatfield or Danny Barba or send and email to ftpit at us.ibm.com. Note: This is an automated response to your message "Difference between different key types" sent on 8/23/10 14:56:20. This is the only notification you will receive while this person is away. -------------- next part -------------- An HTML attachment was scrubbed... URL: From faramir.cl at gmail.com Tue Aug 24 03:12:33 2010 From: faramir.cl at gmail.com (Faramir) Date: Mon, 23 Aug 2010 21:12:33 -0400 Subject: Difference between different key types In-Reply-To: <20100823165620.7a9f43ac@scorpio> References: <20100823165620.7a9f43ac@scorpio> Message-ID: <4C731C81.5070006@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 23-08-2010 16:56, Jerry escribi?: ... > (1) RSA and RSA (default) > (2) DSA and Elgamal > (3) DSA (sign only) > (4) RSA (sign only) > > What is the difference between choices 1 & 2? Is one better than the > other? Which would be preferred? I am assuming #1; however, "KGPG" (In > the KDE suite) seems to prefer choice #2. The only stupid question is the one that is not asked. As far as I know, RSA keys required licence to be used, so GnuPG favored DSA and Elgamal combination, since they were free. Finally, RSA keys became free and got included in free software. So far, it would be almost the same to use one or the other option, _but_: DSA keys used to have max size of 1024 bits, which by today standards are too short. DSA2 standard allows bigger keys, but may cause trouble with legacy software. IIRC, RSA has been around in free software for longer time than DSA2, so it is less likely to have problems. Of course, there are no guarantees you won't find somebody using a really old implementation of OpenPGP. And there is something about hash algoritms and DSA, so I would chose RSA and forget about it. As Robert J. Hansen said, the defaults are good, so don't change them unless you know what you are doing. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMcxyAAAoJEMV4f6PvczxA2xQH+gNTgeY+n2ujqbwWQKI4WyvQ 115vOii2cYntF+Yfmpl1q+uhFMILh6AFBUBm4mQhMweflcOBDOAlaeg+VGtQ5Smo NMuiZeifgDi/agtdvFaViIEGa6wymzUE03sO2TvPd5tGwakVvOmpLiStamU5/yi4 5NnmZnUzzIbkXRKxUouM/Ty7l6ZkxQtt70hgP0kZGJ0PuIZkqntsv3vaqFCmnrae SFb6J0qQpU1vCt404fK47GOxZRHH0rVyTXOI5jiKyES+6D7q2PXBpkYQp7zVdmyb yikjUtyDgFzH8DLdUojPvNcLg/1S8eOkP87r7El2he5n3H/eYgPn0sWx9j1Pl+w= =zfWX -----END PGP SIGNATURE----- From free10pro at gmail.com Tue Aug 24 11:30:47 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Tue, 24 Aug 2010 02:30:47 -0700 Subject: gnuPGP Setup In-Reply-To: <29497552.post@talk.nabble.com> References: <29486628.post@talk.nabble.com> <29497552.post@talk.nabble.com> Message-ID: <4C739147.8010605@gmail.com> On Sat, 21 Aug 2010 04:21:07 -0700 (PDT), BernePGP wrote: >> Im really new to this and I have about 80% understood, I am at the stage >> where I have sent my key in a word file to my recipient that is sorted. I >> then tell the reciepient to download and load the gnupgp programe and to >> read the setup for novice readme file. >> >> After the recipient has loaded the programe he generates a personal key >> but does he do as I have done and copy out his public key in a wordfile >> and send it to me? He can do one of two things. He can export his public key into a file and, by some means, deliver the file to you, or he send his public key to a keyserver so the you can fetch it from the keyserver. >> In other words when the recipient got my email with my public key >> encrypted in a wordfile , what does he then do? Does he copy and paste my >> public key somewhere in his gnupgp programe? He imports it into his program. If he is using the program that you are using, then he clicks the "Import" button and selects the file. Also, note that public keys are not encrypted when exported. That is only done for private keys, because there is no danger in revealing a public key but the inverse for a private key. >> In what form should I expect to recieve the senders public key? Will it >> arrive already encrypted in a word file and if so what do I do with that >> enc public key in regard to my gnuPGP programe? Concerning the first question here, it depends on the way he chooses to deliver his key to you (please see my top paragraph). And concerning the second, you import it into your program. In the program that you are using, click the "Import" button and select the public key file. >> Again a newbie , a few words to clear the matter please. I did read the >> novice helpfile but you can see the whole process is not fully understood. No problem. No one was ever born an expert. ;-) > To be upfront, Im no further on, I just cant follow the great advice shown > here. The only thing I can do is to provide a screenshot and then follow > exactly an A), B), C) format no further advice until a return screenshot has > proven that Ive understood and executed that step? So here is the first > screenshot of my GnuPGP UI ( if I should use an easier UI please advise > where I can get it but this one seems ok )? Oh, re the word file it was a > misprint, wordpad was used, But now I cant seem to reproduce my own public > key in wordpad? All right. Let's start by exporting your public key. And since your GUI is GNU Privacy Assistant, I will refer to it as GPA. A) Select your key in GPA. B) Click the "Export" button. C) Enter the filename that you want. You're done. Now give that file to your recipient by whatever means you will. Now wait for him to give you his public key. If he gives you a file with his public key in it, follow the steps below. A) In GPA, click the "Import" button. B) Select the file that your recipient gave you. Done. Now have your recipient perform each of these series of steps as you have, and both of you will be able communicate securely. Also, please follow the advice given to you by Simon Richter and Faramir about ensuring that you and your recipient have the correct keys. -Paul PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 From recasted at hotmail.com Tue Aug 24 17:58:11 2010 From: recasted at hotmail.com (BernePGP) Date: Tue, 24 Aug 2010 08:58:11 -0700 (PDT) Subject: gnuPGP Setup In-Reply-To: <4C739147.8010605@gmail.com> References: <29486628.post@talk.nabble.com> <29497552.post@talk.nabble.com> <4C739147.8010605@gmail.com> Message-ID: <29523562.post@talk.nabble.com> Paul Richard Ramer wrote: > > On Sat, 21 Aug 2010 04:21:07 -0700 (PDT), BernePGP wrote: >>> Im really new to this and I have about 80% understood, I am at the stage >>> where I have sent my key in a word file to my recipient that is sorted. >>> I >>> then tell the reciepient to download and load the gnupgp programe and to >>> read the setup for novice readme file. >>> >>> After the recipient has loaded the programe he generates a personal key >>> but does he do as I have done and copy out his public key in a wordfile >>> and send it to me? > > He can do one of two things. He can export his public key into a file > and, by some means, deliver the file to you, or he send his public key > to a keyserver so the you can fetch it from the keyserver. > >>> In other words when the recipient got my email with my public key >>> encrypted in a wordfile , what does he then do? Does he copy and paste >>> my >>> public key somewhere in his gnupgp programe? > > He imports it into his program. If he is using the program that you are > using, then he clicks the "Import" button and selects the file. > > Also, note that public keys are not encrypted when exported. That is > only done for private keys, because there is no danger in revealing a > public key but the inverse for a private key. > >>> In what form should I expect to recieve the senders public key? Will it >>> arrive already encrypted in a word file and if so what do I do with that >>> enc public key in regard to my gnuPGP programe? > > Concerning the first question here, it depends on the way he chooses to > deliver his key to you (please see my top paragraph). And concerning > the second, you import it into your program. In the program that you > are using, click the "Import" button and select the public key file. > >>> Again a newbie , a few words to clear the matter please. I did read the >>> novice helpfile but you can see the whole process is not fully >>> understood. > > No problem. No one was ever born an expert. ;-) > >> To be upfront, Im no further on, I just cant follow the great advice >> shown >> here. The only thing I can do is to provide a screenshot and then follow >> exactly an A), B), C) format no further advice until a return screenshot >> has >> proven that Ive understood and executed that step? So here is the first >> screenshot of my GnuPGP UI ( if I should use an easier UI please advise >> where I can get it but this one seems ok )? Oh, re the word file it was >> a >> misprint, wordpad was used, But now I cant seem to reproduce my own >> public >> key in wordpad? > > All right. Let's start by exporting your public key. And since your > GUI is GNU Privacy Assistant, I will refer to it as GPA. > > A) Select your key in GPA. > B) Click the "Export" button. > C) Enter the filename that you want. > > You're done. Now give that file to your recipient by whatever means you > will. Now wait for him to give you his public key. If he gives you a > file with his public key in it, follow the steps below. > > A) In GPA, click the "Import" button. > B) Select the file that your recipient gave you. > > Done. Now have your recipient perform each of these series of steps as > you have, and both of you will be able communicate securely. > > Also, please follow the advice given to you by Simon Richter and Faramir > about ensuring that you and your recipient have the correct keys. > > > -Paul > > PGP Key ID: 0x3DB6D884 > PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Hi Paul & All, Ill be honest, Im cancelling this project and Ill use a password protected PDF. Thanks again for the time shown. BernePGP -- View this message in context: http://old.nabble.com/gnuPGP-Setup-tp29486628p29523562.html Sent from the GnuPG - User mailing list archive at Nabble.com. From thomas001le at googlemail.com Wed Aug 25 18:18:18 2010 From: thomas001le at googlemail.com (thomas weidner) Date: Wed, 25 Aug 2010 18:18:18 +0200 Subject: Modified user ids and key servers and a possible security risk? Message-ID: Hello, i started using gpg (with enigmail) today and found out i have already a key for my e-mail address on the key servers which i had completely forgotten about. Of cause i do have the private key for this old key any more. Therefore i created a new key. Some sources on the web suggested leaving a message in the old key which states that the key is not used any more. to do this i binary edited a gpg files and uploaded the modified old key to the keyserver again. the result looked promising: http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6 Is this a security risk? I could do this for any key and leave wrong messages on the key server which point to some other key. After a discussion on #gnupg i was told that gpg will not import the added user id because the signature is wrong. while this is great for security the key server still shows the user id. is it a bug in the key server, that it does not check new data for validity? greetings, thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 898 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Wed Aug 25 18:58:55 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 12:58:55 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: References: Message-ID: <4C754BCF.90705@fifthhorseman.net> On 08/25/2010 12:18 PM, thomas weidner wrote: > Hello, > > i started using gpg (with enigmail) today and found out i have > already a key for my e-mail address on the key servers which i had > completely forgotten about. Of cause i do have the private key for > this old key any more. Therefore i created a new key. Some sources on > the web suggested leaving a message in the old key which states that > the key is not used any more. to do this i binary edited a gpg files > and uploaded the modified old key to the keyserver again. the result > looked promising: > http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6 > > Is this a security risk? I could do this for any key and leave > wrong messages on the key server which point to some other key. After > a discussion on #gnupg i was told that gpg will not import the added > user id because the signature is wrong. while this is great for > security the key server still shows the user id. is it a bug in the > key server, that it does not check new data for validity? keyservers do no cryptographic verification whatsoever. I think this is (historically) for several reasons: 0) the clients receiving the OpenPGP certificates need to verify the material anyway, and 1) adding the cryptographic checks to the keyservers is a non-trivial amount of work, and 2) there is no guarantee that the keyservers will support any specific cryptographic protocol. For example, as elliptic curve keys get rolled out for OpenPGP, what should cryptographic-capable (RSA, DSA, and ElGamal) keyservers do with such new keys? what should they do with certifications over old keys made by such keys? And 3) With the exception of self-signatures, it's entirely possible that the keyserver does not have a copy of the issuer's key, and so can't compute the validity of the signature in the first place. So: is this a cryptographic risk? no, not for clients who verify things on their own. Is it a risk of cruft accumulating in the keyservers? yep. Does it mean you shouldn't trust the information you see published in a keyserver web page without fetching the keys and verifying them locally? yes, but that remains true whether or not you believe that the keyserver is implementing cryptographic checks, as the keyserver itself could be compromised. On balance, i think we should probably start considering adding crypto to keyservers, with the knowledge of these particular constraints. But it's not there yet. As always, i'd be happy to hear other people's perspectives on this stuff. --dkg [0] http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From telegraph at gmx.net Wed Aug 25 19:11:09 2010 From: telegraph at gmx.net (Gregor Zattler) Date: Wed, 25 Aug 2010 19:11:09 +0200 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C754BCF.90705@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> Message-ID: <20100825171109.GJ6040@shi.workgroup> Hi Daniel, gnupg-users, * Daniel Kahn Gillmor [25. Aug. 2010]: > On 08/25/2010 12:18 PM, thomas weidner wrote: >> Some sources on the web suggested leaving a message in the old >> key which states that the key is not used any more. to do this >> i binary edited a gpg files and uploaded the modified old key >> to the keyserver again. the result looked promising: >> http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6 >> >> Is this a security risk? I could do this for any key and leave >> wrong messages on the key server which point to some other key. After >> a discussion on #gnupg i was told that gpg will not import the added >> user id because the signature is wrong. while this is great for >> security the key server still shows the user id. is it a bug in the >> key server, that it does not check new data for validity? > > keyservers do no cryptographic verification whatsoever. I think this is > (historically) for several reasons: > > 0) the clients receiving the OpenPGP certificates need to verify the > material anyway, and > > 1) adding the cryptographic checks to the keyservers is a non-trivial > amount of work, and > > 2) there is no guarantee that the keyservers will support any specific > cryptographic protocol. For example, as elliptic curve keys get rolled > out for OpenPGP, what should cryptographic-capable (RSA, DSA, and > ElGamal) keyservers do with such new keys? what should they do with > certifications over old keys made by such keys? And > > 3) With the exception of self-signatures, it's entirely possible that > the keyserver does not have a copy of the issuer's key, and so can't > compute the validity of the signature in the first place. But the selfsig would be enough to verify the legitimacy of new user ids. > So: is this a cryptographic risk? no, not for clients who verify things > on their own. Doesn't this open a denial of service attack vector on OpenPGPs PKI infrastructure? I could binary edit your key, the key server adds its. Your correspondent is then not able any more to import your key from the server... > Is it a risk of cruft accumulating in the keyservers? > yep. Does it mean you shouldn't trust the information you see published > in a keyserver web page without fetching the keys and verifying them > locally? yes, but that remains true whether or not you believe that the > keyserver is implementing cryptographic checks, as the keyserver itself > could be compromised. > > On balance, i think we should probably start considering adding crypto > to keyservers, with the knowledge of these particular constraints. But > it's not there yet. > > As always, i'd be happy to hear other people's perspectives on this stuff. > > --dkg > > [0] http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05 > Ciao, Gregor -- -... --- .-. . -.. ..--.. ...-.- From rjh at sixdemonbag.org Wed Aug 25 19:19:04 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 25 Aug 2010 13:19:04 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C754BCF.90705@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> Message-ID: <4C755088.8000104@sixdemonbag.org> On 8/25/10 12:58 PM, Daniel Kahn Gillmor wrote: > keyservers do no cryptographic verification whatsoever. I think this is > (historically) for several reasons: [good reasons 0-3 skipped] 4) Asymmetric cryptography is computationally expensive. I would not want to think about the CPU load of a keyserver that did verification of every new certificate, user id, user attribute, etc., etc. From dkg at fifthhorseman.net Wed Aug 25 19:27:18 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 13:27:18 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <20100825171109.GJ6040@shi.workgroup> References: <4C754BCF.90705@fifthhorseman.net> <20100825171109.GJ6040@shi.workgroup> Message-ID: <4C755276.8040008@fifthhorseman.net> On 08/25/2010 01:11 PM, Gregor Zattler wrote: > Doesn't this open a denial of service attack vector on OpenPGPs > PKI infrastructure? I could binary edit your key, the key server > adds its. You could also create bogus signatures that claim to be from non-existent keys and upload them to the keyserver. > Your correspondent is then not able any more to import > your key from the server... my key would still be fetchable from the keyserver, but the bogus user IDs wouldn't get imported. The non-bogus material would be accepted by the client, though. One busted component doesn't invalidate the entire certificate. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Wed Aug 25 20:37:08 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 14:37:08 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C755088.8000104@sixdemonbag.org> References: <4C754BCF.90705@fifthhorseman.net> <4C755088.8000104@sixdemonbag.org> Message-ID: <4C7562D4.1070402@fifthhorseman.net> On 08/25/2010 01:19 PM, Robert J. Hansen wrote: > On 8/25/10 12:58 PM, Daniel Kahn Gillmor wrote: >> keyservers do no cryptographic verification whatsoever. I think this is >> (historically) for several reasons: > > [good reasons 0-3 skipped] > > 4) Asymmetric cryptography is computationally expensive. I would not > want to think about the CPU load of a keyserver that did verification of > every new certificate, user id, user attribute, etc., etc. Keyervers receive relatively few new certifications each day, certainly a small fraction of the number of requests they emit. Compared to offering hkps service (HKP-over-TLS on port 443), i doubt we'd notice a big computational cost differential, but i have no quantitative data on that. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Wed Aug 25 21:38:44 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 25 Aug 2010 15:38:44 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C7562D4.1070402@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> <4C755088.8000104@sixdemonbag.org> <4C7562D4.1070402@fifthhorseman.net> Message-ID: <4C757144.90309@sixdemonbag.org> On 8/25/10 2:37 PM, Daniel Kahn Gillmor wrote: > Keyervers receive relatively few new certifications each day, certainly > a small fraction of the number of requests they emit. Initial syncs would be prohibitive. After that, syncs would probably not be too obnoxious, but the initial setup would just be awful. From kgo at grant-olson.net Wed Aug 25 21:28:35 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 25 Aug 2010 15:28:35 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C754BCF.90705@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> Message-ID: <4C756EE3.4050706@grant-olson.net> On 8/25/10 12:58 PM, Daniel Kahn Gillmor wrote: > > On balance, i think we should probably start considering adding crypto > to keyservers, with the knowledge of these particular constraints. But > it's not there yet. > > As always, i'd be happy to hear other people's perspectives on this stuff. > Since this has come up a few times in the past months, I guess I'm curious as to what the correct 'round-one' implementation of cryptographically enabled key-servers would would be. Is it: (1) Verifying that the keydata hasn't been tampered with, like editing in a hex editor? (2) Only accepting keydata that has been signed by the key owner? (3) Possibly accepting keydata signed by trusted keys, for example peer keyservers that that also perform the same verifications? (4) Possibly saving the signature as well, so peer keyservers can optionally perform the same verification at step (2) when you sync? ? Or am I totally off base here? -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From tiago at xroot.org Wed Aug 25 21:47:17 2010 From: tiago at xroot.org (Tiago Faria) Date: Wed, 25 Aug 2010 19:47:17 +0000 Subject: OpenPGP Card - general error unblocking PIN Message-ID: <20100825194717.7c987f1c@tt2k4> Hi list, I've been giving the OpenPGP card a try, and a ran into a problem when changing/unblocking my PIN. After a few Google searches I noticed other people also experienced this problem, however, I couldn't find a solution. GnuPG is version 1.4.9 and I'm using the second version of the card. I've included the debug information of the passwd > unblock PIN command, even though the Change PIN doesn't work either: ------- Debug Log ------- Command> passwd gpg: DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 C4 00 gpg: DBG: response: sw=9000 datalen=7 gpg: DBG: dump: 01 20 20 20 03 00 03 gpg: DBG: send apdu: c=00 i=CA p0=00 p1=7A lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 7A 00 gpg: DBG: response: sw=9000 datalen=5 gpg: DBG: dump: 93 03 00 00 00 gpg: OpenPGP card no. D2760001240102000005000006DF0000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Your selection? 2 gpg: DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 C4 00 gpg: DBG: response: sw=9000 datalen=7 gpg: DBG: dump: 01 20 20 20 03 00 03 gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN gpg: DBG: send apdu: c=00 i=20 p0=00 p1=83 lc=8 le=-1 gpg: DBG: PCSC_data: 00 20 00 83 08 31 32 33 34 35 36 37 38 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: New PIN New PIN gpg: DBG: send apdu: c=00 i=2C p0=02 p1=81 lc=6 le=-1 gpg: DBG: PCSC_data: 00 2C 02 81 06 31 31 31 31 31 31 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: gpg: DBG: send apdu: c=00 i=2C p0=02 p1=82 lc=6 le=-1 gpg: DBG: PCSC_data: 00 2C 02 82 06 31 31 31 31 31 31 gpg: DBG: response: sw=6A88 datalen=0 Error unblocking the PIN: general error 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit ------- Debug Log ------- One thing I also noticed is that the PIN retry counter has the following values: 3 0 3 According to the documentation, the first value and second should be in sync. Any tips would be appreciated. Thank you very much for any help. Tiago -- Tiago Faria [ tiago at xroot.org ] PGP Key ID: 0xB9466FB4 | http://xroot.org/contact FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From dkg at fifthhorseman.net Wed Aug 25 23:49:18 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 17:49:18 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C756EE3.4050706@grant-olson.net> References: <4C754BCF.90705@fifthhorseman.net> <4C756EE3.4050706@grant-olson.net> Message-ID: <4C758FDE.3070101@fifthhorseman.net> On 08/25/2010 03:28 PM, Grant Olson wrote: > (1) Verifying that the keydata hasn't been tampered with, like editing > in a hex editor? this isn't very meaningful -- data is data, and you can't actually tell if it's been touched by a hex editor. > (2) Only accepting keydata that has been signed by the key owner? for self-sigs of algorithms that the keyserver understands, that's certainly a reasonable requirement. This would allow keyservers to cull bogus self-sigs, bogus primary key revocations, and any associated data (e.g. be willing to drop any user ID that has no valid self-signature associated with it). Note that there are some potentially weird corner cases here: if what used to be an invalid User ID becomes valid at some point in the future (because a true self-sig shows up), then other third-party certifications over that uid+key will suddenly become acceptable. It opens a range of questions, including: * How do we distinguish a self-sig from a non-self-sig? (the presence of certain subpackets indicates that a sig must be a self-sig, but the absence of such subpackets does not necessarily indicate a non-self-sig) * What about self-sigs that use considered-weak digests? (these could potentially be forged by malicious parties) and which digests are considered weak? * What about self-sigs of asymmetric keys whose algorithms the keyserver doesn't support? * If the above are policy questions for the owner of the keyserver, then we have an additional protocol-level question for gossip peers -- how do we interact with gossip peers who make different policy decisions than we do, or who have implemented different a different set of asymmetric cryptographic algorithms? And that's *just* for the self-signatures. Deciding how to cull the non-self-signatures is an even larger can of worms. > (3) Possibly accepting keydata signed by trusted keys, for example peer > keyservers that that also perform the same verifications? ugh, no, please. i'd rather not turn keyserver operators into certifying authorities. This would also introduce massive syncing problems, since each keyserver operator might choose to rely on a different set of peers, and would therefore accept a different set of certifications. > (4) Possibly saving the signature as well, so peer keyservers can > optionally perform the same verification at step (2) when you sync? Pretty much the main job of the keyservers is to store signatures. That is, the contents of an OpenPGP certificate exist largely in the form of embedded signatures over key material. I can't think of any additional data that a keyserver would need to request or save. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Wed Aug 25 23:55:17 2010 From: faramir.cl at gmail.com (Faramir) Date: Wed, 25 Aug 2010 17:55:17 -0400 Subject: Strange behaviour of gpg when importing key from keyserver Message-ID: <4C759145.6010706@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I'm using GnuPG 1.4.10b in a Windows XP machine, in Spanish language. I don't know exactly the command used, since I use GPGShell GUI, but I already contacted the author of GPGShell, and he told me cmd-windows are GPG itself, so it is not a problem with GPGShell. Now, the problem: I search keys by an email address, and gpg shows me the different matches found, and ask me to enter the number of the match I want to import, or O for other, or F to finish. But if I enter O or F, it just repeats the question, it doesn't finish the process. I tried different characters based on English words I thought may have been used in English version of GPG, and found 'Q' (for Quit) is the right answer to finish the process and exit, but I don't know the equivalent for 'other', nor what is it supposed to do. So, there is a problem with Spanish translation. Best Regards P.S: this is the question: Keys 1-3 of 3 for "theAddressIused". Introduzca n?mero(s), O)tro, o F)in > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMdZFFAAoJEMV4f6PvczxAX5QH/jeXdAqlyA8JY+a2LlLtt5t9 FTgJW2JjqvoahLpb+TzB0HL09QrDzlf/RsAowmJXs9QCqtUzGm7UpV7Fu9TfQWmx c2HqaoVEsWXw7FnKJeICOem0/j+LSuqzLrTZZsB4myd20tsdDBflGq4Rj5CRu9oM NXnBPp28w0icQhZ/26aBnnjwdUjuw5iO9pqY/TAjePqW+/jmnzS/ztBWI9ycH+H/ vq0lhafUDb6Y7Y/o7VignkobMFjd0J8ZERKK8Ldy3Jkq/jcUnQmaIbPQKwIFnGh1 5XUC5ekeAU78WFtF9FUzT/5DquTFLHjeiVPAaNJ5WCC4/PxyxHos1EQDPblojbQ= =U9H4 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Aug 26 00:04:58 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 25 Aug 2010 18:04:58 -0400 Subject: Strange behaviour of gpg when importing key from keyserver In-Reply-To: <4C759145.6010706@gmail.com> References: <4C759145.6010706@gmail.com> Message-ID: <698081A6-969A-4D89-AE44-963D790F7B5C@jabberwocky.com> > I'm using GnuPG 1.4.10b in a Windows XP machine, in Spanish > language. I don't know exactly the command used, since I use GPGShell > GUI, but I already contacted the author of GPGShell, and he told me > cmd-windows are GPG itself, so it is not a problem with GPGShell. > > Now, the problem: I search keys by an email address, and gpg shows > me the different matches found, and ask me to enter the number of the > match I want to import, or O for other, or F to finish. But if I enter O > or F, it just repeats the question, it doesn't finish the process. I > tried different characters based on English words I thought may have > been used in English version of GPG, and found 'Q' (for Quit) is the > right answer to finish the process and exit, but I don't know the > equivalent for 'other', nor what is it supposed to do. In English, it is "N" for "next". If there are many results from the keyserver, N is used to go to the next page of responses. The maximum number of results on a page varies depending on the window size, but it will never be smaller than 24. David From mailinglisten at hauke-laging.de Thu Aug 26 00:09:49 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 26 Aug 2010 00:09:49 +0200 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C7562D4.1070402@fifthhorseman.net> References: <4C755088.8000104@sixdemonbag.org> <4C7562D4.1070402@fifthhorseman.net> Message-ID: <201008260009.49413.mailinglisten@hauke-laging.de> Am Mittwoch 25 August 2010 20:37:08 schrieb Daniel Kahn Gillmor: > > [good reasons 0-3 skipped] > > > > 4) Asymmetric cryptography is computationally expensive. I would not > > want to think about the CPU load of a keyserver that did verification of > > every new certificate, user id, user attribute, etc., etc. > > Keyervers receive relatively few new certifications each day, certainly > a small fraction of the number of requests they emit. > > Compared to offering hkps service (HKP-over-TLS on port 443), i doubt > we'd notice a big computational cost differential, but i have no > quantitative data on that. And in contrast to TLS this CPU load can be postponed without serious consequences. If the load is high then new signatures could simply be added and checked later. Only "strange" updates (e.g. many signatures for the same key) would be checked at once in order to prevent such a postponing feature to be easily abused. To be on the safe side the keyserver could also prevent not yet checked information from being publicly available. So it might take a few hours until a key update is visible. Usually not a problem. If such administrative decisions are possible then I would like the keyserver to inform the client (in a signed way...) about its policy. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From kgo at grant-olson.net Thu Aug 26 01:27:58 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 25 Aug 2010 19:27:58 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C758FDE.3070101@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> <4C756EE3.4050706@grant-olson.net> <4C758FDE.3070101@fifthhorseman.net> Message-ID: <4C75A6FE.2040101@grant-olson.net> On 8/25/10 5:49 PM, Daniel Kahn Gillmor wrote: > On 08/25/2010 03:28 PM, Grant Olson wrote: >> (1) Verifying that the keydata hasn't been tampered with, like editing >> in a hex editor? > > this isn't very meaningful -- data is data, and you can't actually tell > if it's been touched by a hex editor. > I was thinking of that for the case where Tomas, the OP, managed to upload a key to a keyserver that gpg was rejecting as invalid. Should the keyserver reject something with a corrupt sig in advance? But I guess you're already talking about that below... >> (2) Only accepting keydata that has been signed by the key owner? > > for self-sigs of algorithms that the keyserver understands, that's > certainly a reasonable requirement. This would allow keyservers to cull > bogus self-sigs, bogus primary key revocations, and any associated data > (e.g. be willing to drop any user ID that has no valid self-signature > associated with it). > > ... > > And that's *just* for the self-signatures. Deciding how to cull the > non-self-signatures is an even larger can of worms. > The one big use case people throw around for keyservers with crypto support is that keyservers could then honor the 'keyserver no-modify' flag. I'm not really too concerned with that, but I guess I'll frame the conversation as that being the killer feature that crypto would accomplish. I was originally thinking, "How do you verify third party signatures?" and the initial hacky answer seemed to be have the submitter sign the keydata, not with a self-signature, but with a standard signature on the whole file. Less hacky solution proposed below... >> (3) Possibly accepting keydata signed by trusted keys, for example peer >> keyservers that that also perform the same verifications? > > ugh, no, please. i'd rather not turn keyserver operators into > certifying authorities. This would also introduce massive syncing > problems, since each keyserver operator might choose to rely on a > different set of peers, and would therefore accept a different set of > certifications. > I think for this and (4), I was out-thinking myself. How would keyservers trust each other enough to sync? Or re-create the chain of custody? Would a pool of servers even be possible since syncing is propagating data via a third party? I wouldn't want a solution where you couldn't sync between two servers. Anyway, after some googling, it looks like there's a third-party confirmation signature type in the spec. I'm not sure exactly how that works, but that seems like the less hacky way to deal with things. A brief look at the rfc makes it look like I could certify the third party sigs on my own keyring. If that's right, maybe that's the only way a keyserver would import third party sigs when no-modify is set. You could have the keyserver: (1) Perform crypto on self-sigs, only upload a key if the self-sigs on the packets check out. (2) If the newly uploaded key has the no-modify flag set, only add third-party keys that have a "Third Party Confirmation" from the original keyholder. That seems like a reasonable solution if I'm understanding the confirmation signature correctly. Regarding a crypto algo that the server doesn't understand, or one that's been flagged as 'weak' in the configuration, I think the server would just have to reject that info. -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From Chris.Knadle at coredump.us Thu Aug 26 01:45:07 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Wed, 25 Aug 2010 19:45:07 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <201008260009.49413.mailinglisten@hauke-laging.de> References: <4C7562D4.1070402@fifthhorseman.net> <201008260009.49413.mailinglisten@hauke-laging.de> Message-ID: <201008251945.16268.Chris.Knadle@coredump.us> On Wednesday 25 August 2010 18:09:49 Hauke Laging wrote: > Am Mittwoch 25 August 2010 20:37:08 schrieb Daniel Kahn Gillmor: > > > [good reasons 0-3 skipped] > > > > > > 4) Asymmetric cryptography is computationally expensive. I would not > > > want to think about the CPU load of a keyserver that did verification > > > of every new certificate, user id, user attribute, etc., etc. > > > > Keyervers receive relatively few new certifications each day, certainly > > a small fraction of the number of requests they emit. > > > > Compared to offering hkps service (HKP-over-TLS on port 443), i doubt > > we'd notice a big computational cost differential, but i have no > > quantitative data on that. > > And in contrast to TLS this CPU load can be postponed without serious > consequences. If the load is high then new signatures could simply be added > and checked later. There's a problem with this idea, which is that there's no opportunity to notify the client that there was a problem if the check is done /later/. If instead the computation is done at the time of the uploaded modification, then there's an opportunity for the server to notify the gpg client that there was a problem. -- Chris -- Chris Knadle Chris.Knadle at coredump.us -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Thu Aug 26 01:50:07 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 19:50:07 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <201008251945.16268.Chris.Knadle@coredump.us> References: <4C7562D4.1070402@fifthhorseman.net> <201008260009.49413.mailinglisten@hauke-laging.de> <201008251945.16268.Chris.Knadle@coredump.us> Message-ID: <4C75AC2F.9000005@fifthhorseman.net> On 08/25/2010 07:45 PM, Chris Knadle wrote: > There's a problem with this idea, which is that there's no opportunity to > notify the client that there was a problem if the check is done /later/. If > instead the computation is done at the time of the uploaded modification, then > there's an opportunity for the server to notify the gpg client that there was > a problem. there's also a question of how it would affect the gossip protocol (that is, server-to-server, not client-to-server), if one party declines to accept some certifications. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From mailinglisten at hauke-laging.de Thu Aug 26 02:13:50 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 26 Aug 2010 02:13:50 +0200 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <201008251945.16268.Chris.Knadle@coredump.us> References: <201008260009.49413.mailinglisten@hauke-laging.de> <201008251945.16268.Chris.Knadle@coredump.us> Message-ID: <201008260213.55591.mailinglisten@hauke-laging.de> Am Donnerstag 26 August 2010 01:45:07 schrieb Chris Knadle: > There's a problem with this idea, which is that there's no opportunity to > notify the client that there was a problem if the check is done /later/. That's not a problem. You cannot require a server to make this decision immediately. The server can tell you that this decision is postponed and for how long it well be at most. The client can decide then to make a query at that time or later to check if the requested update has been made. This way the information what kind the error was of is lost, though. But if you like to make it more complicated then the keyserver could log failed updates and their check result so in case of error (no update visible to the client after the given check period) the client would upload the same data again and then the server could respond with the error information without causing CPU load. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From Chris.Knadle at coredump.us Thu Aug 26 02:59:23 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Wed, 25 Aug 2010 20:59:23 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <201008260213.55591.mailinglisten@hauke-laging.de> References: <201008251945.16268.Chris.Knadle@coredump.us> <201008260213.55591.mailinglisten@hauke-laging.de> Message-ID: <201008252059.31247.Chris.Knadle@coredump.us> On Wednesday 25 August 2010 20:13:50 Hauke Laging wrote: > Am Donnerstag 26 August 2010 01:45:07 schrieb Chris Knadle: > > There's a problem with this idea, which is that there's no opportunity to > > notify the client that there was a problem if the check is done /later/. > > That's not a problem. You cannot require a server to make this decision > immediately. My definition of "later" is "after the client-server connection is closed". It is unusual for any specification to require decision to be made later than while the client-server connection is still open. > The server can tell you that this decision is postponed and > for how long it well be at most. The client can decide then to make a > query at that time or later to check if the requested update has been > made. This now increases overhead by requiring the client to make several connections to the server to ask "did you do that thing yet?", also forcing the client remember what request was made in order to go check up on "half- done" transactions. This also messes up human feedback. "Made the request, check back later" is not an actual answer. > This way the information what kind the error was of is lost, though. Humans need feedback of what the problem was. "General Error" doesn't suffice. > But if > you like to make it more complicated then the keyserver could log failed > updates and their check result so in case of error (no update visible to > the client after the given check period) the client would upload the same > data again and then the server could respond with the error information > without causing CPU load. All these problems become far simpler if the final response from the server is made during the client-server connection. Without this there are state issues to remember and handle on both the client and the server side. -- Chris -- Chris Knadle Chris.Knadle at coredump.us -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Thu Aug 26 04:02:34 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 25 Aug 2010 22:02:34 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C75A6FE.2040101@grant-olson.net> References: <4C754BCF.90705@fifthhorseman.net> <4C756EE3.4050706@grant-olson.net> <4C758FDE.3070101@fifthhorseman.net> <4C75A6FE.2040101@grant-olson.net> Message-ID: <4C75CB3A.7050308@fifthhorseman.net> On 08/25/2010 07:27 PM, Grant Olson wrote: > On 8/25/10 5:49 PM, Daniel Kahn Gillmor wrote: >> And that's *just* for the self-signatures. Deciding how to cull the >> non-self-signatures is an even larger can of worms. > > The one big use case people throw around for keyservers with crypto > support is that keyservers could then honor the 'keyserver no-modify' > flag. I'm not really too concerned with that, but I guess I'll frame > the conversation as that being the killer feature that crypto would > accomplish. That makes sense. i wasn't originally trying to be that ambitious, but i see where you're going with this. > I was originally thinking, "How do you verify third party signatures?" > and the initial hacky answer seemed to be have the submitter sign the > keydata, not with a self-signature, but with a standard signature on the > whole file. Less hacky solution proposed below... [...] > Anyway, after some googling, it looks like there's a third-party > confirmation signature type in the spec. I'm not sure exactly how that > works, but that seems like the less hacky way to deal with things. yup, that's a clever way to get rid of the non-self-sig case entirely -- by turning them into self-sigs effectively. So you guarantee that you have the public key material available to check the certifications with anyway. > A brief look at the rfc makes it look like I could certify the third > party sigs on my own keyring. If that's right, maybe that's the only > way a keyserver would import third party sigs when no-modify is set. > You could have the keyserver: > > (1) Perform crypto on self-sigs, only upload a key if the self-sigs on > the packets check out. > > (2) If the newly uploaded key has the no-modify flag set, only add > third-party keys that have a "Third Party Confirmation" from the > original keyholder. i think you mean "only add *non-self-sigs* that have a "Third Party Confirmation" from the original keyholder". But yeah, i think this is an interesting angle to pursue. Would wide adoption of this kind of confirmation create another angle that people could use to "force" signatures on a known text? If so, that might be a concern for digests that are known to have weaker collision resistance (e.g. the kind of exploits used in the hashclash efforts against MD5 back in Dec 2008 [0]). Do other people see this as a concern? --dkg [0] http://www.win.tue.nl/hashclash/rogue-ca/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From kgo at grant-olson.net Thu Aug 26 05:40:19 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 25 Aug 2010 23:40:19 -0400 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C75CB3A.7050308@fifthhorseman.net> References: <4C754BCF.90705@fifthhorseman.net> <4C756EE3.4050706@grant-olson.net> <4C758FDE.3070101@fifthhorseman.net> <4C75A6FE.2040101@grant-olson.net> <4C75CB3A.7050308@fifthhorseman.net> Message-ID: <4C75E223.2030305@grant-olson.net> On 8/25/10 10:02 PM, Daniel Kahn Gillmor wrote: > > i think you mean "only add *non-self-sigs* that have a "Third Party > Confirmation" from the original keyholder". Yes, of course. > Would wide adoption of this kind of confirmation create another angle > that people could use to "force" signatures on a known text? If so, > that might be a concern for digests that are known to have weaker > collision resistance (e.g. the kind of exploits used in the hashclash > efforts against MD5 back in Dec 2008 [0]). Do other people see this as > a concern? > I don't know if that's an issue. At least with their attack. They weren't able to impersonate an existing CA. They created a bogus intermediate certificate, and a normal one that had a hash collision. Once the normal one was signed by a single lax CA, they could issue certificates that were recognized worldwide based on many web browser's default settings. Since all OpenPGP keys are created equal, and none are trusted by anyone by default, it's a little harder to exploit. To use the same exploit, you'd need to: (1) Generate a bogus pgp key, for example 'barak at whitehouse.gov'. (2) Generate a colliding key for 'joe.sixpack at gmail.com'. (3) Get a bunch of people to sign the colliding key, which would probably involve getting fake identification, etc. (4) Hope that many of the people signing the key are using MD5. (5) Hope that many of the people using MD5 are trusted by many OpenPGP users, GSWOT a member or the PGP Global Directory, or at least someone in the strong set. (6) After all that you might (repeat might) be able to get the three signatures required for a random user to fully trust the bogus key. (7) Profit... Compare steps 3, 4, and 5 in the OpenPGP scenario to that one lax X.509 CA that's already trusted by browsers worldwide. And even then, you'll only trusted by some (possibly many) OpenPGP users. You won't get instant world domination. -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From free10pro at gmail.com Thu Aug 26 07:10:55 2010 From: free10pro at gmail.com (Paul Richard Ramer) Date: Wed, 25 Aug 2010 22:10:55 -0700 Subject: Strange behaviour of gpg when importing key from keyserver In-Reply-To: <4C759145.6010706@gmail.com> References: <4C759145.6010706@gmail.com> Message-ID: <4C75F75F.7050404@gmail.com> On Wed, 25 Aug 2010 17:55:17 -0400, Faramir wrote: > Now, the problem: I search keys by an email address, and gpg shows > me the different matches found, and ask me to enter the number of the > match I want to import, or O for other, or F to finish. But if I enter O > or F, it just repeats the question, it doesn't finish the process. I > tried different characters based on English words I thought may have > been used in English version of GPG, and found 'Q' (for Quit) is the > right answer to finish the process and exit, but I don't know the > equivalent for 'other', nor what is it supposed to do. [snip] > P.S: this is the question: > Keys 1-3 of 3 for "theAddressIused". Introduzca n?mero(s), O)tro, o F)in > The equivalent for "O" is "N", because the English word here would be "Next". For example: Keys 1-6 of 12 for "Faramir". Enter number(s), N)ext, or Q)uit > -Paul -- PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 From wk at gnupg.org Thu Aug 26 15:01:21 2010 From: wk at gnupg.org (Werner Koch) Date: Thu, 26 Aug 2010 15:01:21 +0200 Subject: OpenPGP Card - general error unblocking PIN In-Reply-To: <20100825194717.7c987f1c@tt2k4> (Tiago Faria's message of "Wed, 25 Aug 2010 19:47:17 +0000") References: <20100825194717.7c987f1c@tt2k4> Message-ID: <8739u1o7dq.fsf@vigenere.g10code.de> On Wed, 25 Aug 2010 21:47, tiago at xroot.org said: > GnuPG is version 1.4.9 and I'm using the second version of the card. 1.4.9 does not support this card. Upgrade to 1.4.10. > One thing I also noticed is that the PIN retry counter has the > following values: 3 0 3 There is no PIN2 anymore thus we don't have a retry counter for it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From tiago at xroot.org Thu Aug 26 16:03:49 2010 From: tiago at xroot.org (Tiago Faria) Date: Thu, 26 Aug 2010 14:03:49 +0000 Subject: OpenPGP Card - general error unblocking PIN In-Reply-To: <8739u1o7dq.fsf@vigenere.g10code.de> References: <20100825194717.7c987f1c@tt2k4> <8739u1o7dq.fsf@vigenere.g10code.de> Message-ID: <20100826140349.22935a11@tt2k4> On Thu, 26 Aug 2010 15:01:21 +0200 Werner Koch wrote: > On Wed, 25 Aug 2010 21:47, tiago at xroot.org said: > > > GnuPG is version 1.4.9 and I'm using the second version of the > > card. > > 1.4.9 does not support this card. Upgrade to 1.4.10. > > > One thing I also noticed is that the PIN retry counter has the > > following values: 3 0 3 > > There is no PIN2 anymore thus we don't have a retry counter for it. > > > Salam-Shalom, > > Werner > Werner, Thank you very much for getting back to me. In fact, upgrading to the latest stable fixed the problems I was experiencing. Thank you very much for the help. Tiago -- Tiago Faria [ tiago at xroot.org ] PGP Key ID: 0xB9466FB4 | http://xroot.org/contact FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From expires2010 at ymail.com Thu Aug 26 20:06:31 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 26 Aug 2010 19:06:31 +0100 Subject: Modified user ids and key servers and a possible security risk? In-Reply-To: <4C757144.90309@sixdemonbag.org> References: <4C754BCF.90705@fifthhorseman.net> <4C755088.8000104@sixdemonbag.org> <4C7562D4.1070402@fifthhorseman.net> <4C757144.90309@sixdemonbag.org> Message-ID: <89821064.20100826190631@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 25 August 2010 at 8:38:44 PM, in , Robert J. Hansen wrote: > On 8/25/10 2:37 PM, Daniel Kahn Gillmor wrote: >> Keyervers receive relatively few new certifications each day, certainly >> a small fraction of the number of requests they emit. > Initial syncs would be prohibitive. After that, syncs > would probably not be too obnoxious, but the initial > setup would just be awful. Would the initial set-up have to involve immediately checking the UIDs and certifications of all keys already on the server? Could new/updated keys be prioritised, and unchanged pre-existing keys "processed" in small batches over a long period of time? Could the checking be restricted to new/updated keys only? Or is that a non-starter because, in order to preserve the web of trust, you then want to check the integrety of keys that had already signed the key that was just updated but have not been updated themselves? - -- Best regards MFPA mailto:expires2010 at ymail.com The second mouse gets the cheese -----BEGIN PGP SIGNATURE----- iQCVAwUBTHatKqipC46tDG5pAQrKqwP/VFPkPfFIX5uPq0T3pCJtdShiNAAwIvJ8 ZkKbLPBXXhLE81DM6QZ5vVZuWrcBX43aht3MiWnCFnJC+2kkATbXFmYPdYnyoJiy 0/9pGCSwe3td/hxxk8Tutd62HzGPUX2+tRkrX0btDMCi9FsmNnvxPlRqbWkin+jj RfC3uFVeSZE= =bki+ -----END PGP SIGNATURE----- From damailings at mcbf.net Thu Aug 26 22:52:24 2010 From: damailings at mcbf.net (David Mohr) Date: Thu, 26 Aug 2010 22:52:24 +0200 Subject: How to use the gnupg card with an akasa smart card reader? Message-ID: <4C76D408.4080500@mcbf.net> Hi, I recently bought a gnupg smart card (kudos to the organizers of Froscon). I own an internal smart card reader made by akasa (AK-ICR-05). Unfortunately it doesn't work with gnupg out of the box, and I have no idea how to get it going. I contacted the manufacturer and of course they don't have Linux support but they were able to tell me that it uses an RTS5161 chipset. I wasn't able to find anything using google about it... lsusb -v says: ---SNIP--- Bus 001 Device 002: ID 0bda:0161 Realtek Semiconductor Corp. Mass Storage Device Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x0bda Realtek Semiconductor Corp. idProduct 0x0161 Mass Storage Device bcdDevice 61.10 iManufacturer 1 Generic iProduct 2 USB2.0-CRW iSerial 3 20070818000000000 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 116 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 4 CARD READER bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 3 bInterfaceClass 11 Chip/SmartCard bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 6 Smart Card Reader Interface ChipCard Interface Descriptor: bLength 54 bDescriptorType 33 bcdCCID 1.10 (Warning: Only accurate for version 1.0) nMaxSlotIndex 0 bVoltageSupport 7 5.0V 3.0V 1.8V dwProtocols 3 T=0 T=1 dwDefaultClock 3750 dwMaxiumumClock 7500 bNumClockSupported 0 dwDataRate 10080 bps dwMaxDataRate 312500 bps bNumDataRatesSupp. 0 dwMaxIFSD 254 dwSyncProtocols 00000000 dwMechanical 00000000 dwFeatures 00010030 Auto clock change Auto baud rate change TPDU level exchange dwMaxCCIDMsgLen 271 bClassGetResponse 00 bClassEnvelope 00 wlcdLayout none bPINSupport 0 bMaxCCIDBusySlots 1 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x83 EP 3 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 8 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x05 EP 5 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x86 EP 6 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 (omitting the mass storage part) ---SNAP--- I tried: % gpg --card-status gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card reader not available gpg: OpenPGP card not available: general error % opensc-tool --list-readers Error: can't open /var/run/openct/status: No such file or directory <--snip-repeat--> [opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d [opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found Readers known about: Nr. Driver Name 0 openct OpenCT reader (detached) 1 openct OpenCT reader (detached) Any help would be greatly appreciated! Thanks, ~David From Chris.Knadle at coredump.us Fri Aug 27 04:36:58 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Thu, 26 Aug 2010 22:36:58 -0400 Subject: How to use the gnupg card with an akasa smart card reader? In-Reply-To: <4C76D408.4080500@mcbf.net> References: <4C76D408.4080500@mcbf.net> Message-ID: <201008262237.05092.Chris.Knadle@coredump.us> On Thursday 26 August 2010 16:52:24 David Mohr wrote: > Hi, > I recently bought a gnupg smart card (kudos to the organizers of > Froscon). I own an internal smart card reader made by akasa (AK-ICR-05). > Unfortunately it doesn't work with gnupg out of the box, and I have no > idea how to get it going. > > I contacted the manufacturer and of course they don't have Linux support > but they were able to tell me that it uses an RTS5161 chipset. I wasn't > able to find anything using google about it... > lsusb -v says: > ---SNIP--- > Bus 001 Device 002: ID 0bda:0161 Realtek Semiconductor Corp. Mass ... What version of gnupg are you using, and what Linux version/distro are you running? In the meantime... someone was able to get this device /almost/ working: http://ohioloco.ubuntuforums.org/showthread.php?p=9084818 Note that this was done using a Linux kernel version 2.6.31 on Ubuntu 9.10 Apparently this same RTS5161 chip is also in some IR remote control devices. I did some digging to try to figure out when the device was supported by GNU/Linux, which seems to happen on Debian/Ubuntu via the 'usbutils' package. As best I can tell, device 0bda:0161 was added to Greg Kroah-Hartman's git usbutils repository (at URL git://github.com/gregkh/usbutils.git) in commit f7c66c505dc470c841792f19901ef901308168a7 by David Brownwell on Jun 5, 2008. So since it's been in the usb.ids since June, 2008, any relatively recent usbutils package that's newer than that should at least support the chip... at least in theory. -- Chris -- Chris Knadle Chris.Knadle at coredump.us -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From damailings at mcbf.net Fri Aug 27 20:04:22 2010 From: damailings at mcbf.net (David Mohr) Date: Fri, 27 Aug 2010 20:04:22 +0200 Subject: How to use the gnupg card with an akasa smart card reader? In-Reply-To: <201008262237.05092.Chris.Knadle@coredump.us> References: <4C76D408.4080500@mcbf.net> <201008262237.05092.Chris.Knadle@coredump.us> Message-ID: <4C77FE26.1090005@mcbf.net> On 08/27/2010 04:36 AM, Chris Knadle wrote: > On Thursday 26 August 2010 16:52:24 David Mohr wrote: >> Hi, >> I recently bought a gnupg smart card (kudos to the organizers of >> Froscon). I own an internal smart card reader made by akasa (AK-ICR-05). >> Unfortunately it doesn't work with gnupg out of the box, and I have no >> idea how to get it going. >> >> I contacted the manufacturer and of course they don't have Linux support >> but they were able to tell me that it uses an RTS5161 chipset. I wasn't >> able to find anything using google about it... > >> lsusb -v says: >> ---SNIP--- >> Bus 001 Device 002: ID 0bda:0161 Realtek Semiconductor Corp. Mass > ... > > What version of gnupg are you using, and what Linux version/distro are you > running? I'm running gnupg 1.4.10 on Debian sid. > In the meantime... someone was able to get this device /almost/ working: > > http://ohioloco.ubuntuforums.org/showthread.php?p=9084818 > > Note that this was done using a Linux kernel version 2.6.31 on Ubuntu 9.10 I had found that report but thought the guy was using a different reader afterall since it was identified as MSI StarReader. But your pointer caused me to try it again, and I found out that I didn't have pcscd installed! Without this, pcsc_scan seems to be pretty useless. I'm sure there is a reason not to have a dependency on there in Debian, but it would have been pretty helpful in my case :-). I must have overlooked that package since it was mentioned on the linked ubuntuforum post. Now I get some sensible output: % gpg --card-status gpg: detected reader `MSI StarReader SMART [Smart Card Reader Interface] (20070818000000000) 00 00' > Apparently this same RTS5161 chip is also in some IR remote control devices. > > > > I did some digging to try to figure out when the device was supported by > GNU/Linux, which seems to happen on Debian/Ubuntu via the 'usbutils' package. > > As best I can tell, device 0bda:0161 was added to Greg Kroah-Hartman's git > usbutils repository (at URL git://github.com/gregkh/usbutils.git) in commit > f7c66c505dc470c841792f19901ef901308168a7 by David Brownwell on Jun 5, 2008. > > So since it's been in the usb.ids since June, 2008, any relatively recent > usbutils package that's newer than that should at least support the chip... at > least in theory. Thanks for doing some digging. Sometimes another little hint is all that's required! :-) I'll post again sometimes soon to see if the card _actually_ worked. ~David From Chris.Knadle at coredump.us Fri Aug 27 21:32:09 2010 From: Chris.Knadle at coredump.us (Chris Knadle) Date: Fri, 27 Aug 2010 15:32:09 -0400 Subject: How to use the gnupg card with an akasa smart card reader? In-Reply-To: <4C77FE26.1090005@mcbf.net> References: <4C76D408.4080500@mcbf.net> <201008262237.05092.Chris.Knadle@coredump.us> <4C77FE26.1090005@mcbf.net> Message-ID: <201008271532.09977.Chris.Knadle@coredump.us> On Friday 27 August 2010 14:04:22, David Mohr wrote: > On 08/27/2010 04:36 AM, Chris Knadle wrote: ... > > In the meantime... someone was able to get this device /almost/ working: > > http://ohioloco.ubuntuforums.org/showthread.php?p=9084818 > > > > Note that this was done using a Linux kernel version 2.6.31 on Ubuntu > > 9.10 > > I had found that report but thought the guy was using a different reader > afterall since it was identified as MSI StarReader. > > But your pointer caused me to try it again, and I found out that I > didn't have pcscd installed! Without this, pcsc_scan seems to be pretty > useless. I'm sure there is a reason not to have a dependency on there in > Debian, but it would have been pretty helpful in my case :-). Huh. Yeah, not even a 'recommends' for it in the control file for pcsc-tools. Interesting. You might consider writing a 'wishlist' bug for pcsc-tools to list the pcscd package under 'recommends'. Was easy for me to check, as I'm also running Debian Sid. > I must > have overlooked that package since it was mentioned on the linked > ubuntuforum post. > > Now I get some sensible output: > > % gpg --card-status > gpg: detected reader `MSI StarReader SMART [Smart Card Reader Interface] > (20070818000000000) 00 00' Definitely a start. > > I did some digging to try to figure out when the device was supported by > > GNU/Linux, which seems to happen on Debian/Ubuntu via the 'usbutils' > > package. ... > Thanks for doing some digging. Sometimes another little hint is all > that's required! :-) When it comes to drivers it's useful to know /when/ support was added especially when it comes to which particular Linux kernel (or package) versions support a device. I know I didn't have to go that far -- but once I found the git repo for usbutils I wanted to see that I could go through the history for a particular file and find the commit where the change was added. -- Chris -- Chris Knadle Chris.Knadle at coredump.us From jpboard2 at yahoo.com Sun Aug 29 02:34:23 2010 From: jpboard2 at yahoo.com (James Board) Date: Sat, 28 Aug 2010 17:34:23 -0700 (PDT) Subject: Redirecting STDIN Message-ID: <145806.49004.qm@web45907.mail.sp1.yahoo.com> I'm trying to encode a file in a shell script on a linux machine. The script is getting stuck on an interactive question for which the answer is always 'y' (yes). I tried redirecting stdin from a file, and with 'echo "y" | ....", but that doesn't work for some reason (it works with other programs that take interactive input from the user). I also tried the --yes option, but this doesn't work either. How can I redirect STDIN to pgp so that questions are always answered 'y' and my script won't have to wait on user inputs? From dougb at dougbarton.us Sun Aug 29 02:58:35 2010 From: dougb at dougbarton.us (Doug Barton) Date: Sat, 28 Aug 2010 17:58:35 -0700 Subject: Redirecting STDIN In-Reply-To: <145806.49004.qm@web45907.mail.sp1.yahoo.com> References: <145806.49004.qm@web45907.mail.sp1.yahoo.com> Message-ID: <4C79B0BB.3060504@dougbarton.us> On 8/28/2010 5:34 PM, James Board wrote: > I'm trying to encode a file in a shell script on a linux machine. > The script is getting stuck on an interactive question for which the > answer is always 'y' (yes). I tried redirecting stdin from a file, > and with 'echo "y" | ....", but that doesn't work for some reason (it > works with other programs that take interactive input from the user). > I also tried the --yes option, but this doesn't work either. > > How can I redirect STDIN to pgp so that questions are always answered > 'y' and my script won't have to wait on user inputs? Is this a gnupg command that is prompting, or something else? If the former, which command? Doug From John at Mozilla-Enigmail.org Sun Aug 29 06:37:14 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sat, 28 Aug 2010 23:37:14 -0500 Subject: Redirecting STDIN In-Reply-To: <145806.49004.qm@web45907.mail.sp1.yahoo.com> References: <145806.49004.qm@web45907.mail.sp1.yahoo.com> Message-ID: <4C79E3FA.9070901@Mozilla-Enigmail.org> James Board wrote: > I'm trying to encode a file in a shell script on a linux machine. The script is getting stuck on an interactive question for which the answer is always 'y' (yes). I tried redirecting stdin from a file, and with 'echo "y" | ....", but that doesn't work for some reason (it works with other programs that take interactive input from the user). I also tried the --yes option, but this doesn't work either. > > How can I redirect STDIN to pgp so that questions are always answered 'y' > and my script won't have to wait on user inputs? Hmm, what's the question where your script is getting stuck? If, as I suspect, it's dealing with trusting the key your encrypting to, either sign the key with a local sig or use '--trust-model always'. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From laurent.jumet at skynet.be Sun Aug 29 07:43:41 2010 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Sun, 29 Aug 2010 07:43:41 +0200 Subject: Redirecting STDIN In-Reply-To: <145806.49004.qm@web45907.mail.sp1.yahoo.com> Message-ID: Hello James ! James Board wrote: > I'm trying to encode a file in a shell script on a linux machine. The > script is getting stuck on an interactive question for which the answer is > always 'y' (yes). I tried redirecting stdin from a file, and with 'echo "y" > | ....", but that doesn't work for some reason (it works with other programs > that take interactive input from the user). I also tried the --yes option, > but this doesn't work either. > How can I redirect STDIN to pgp so that questions are always answered 'y' > and my script won't have to wait on user inputs? "--yes" means "Assume yes on most questions" "--batch" means "Never ask, do not allow interactive functions" "--no-tty" means "No warnings to terminal because GPG sometimes prints warnings even if --batch is used" Using one, two or 3 of these options should solve the problem. -- Laurent Jumet KeyID: 0xCFAF704C From faramir.cl at gmail.com Sun Aug 29 21:28:44 2010 From: faramir.cl at gmail.com (Faramir) Date: Sun, 29 Aug 2010 15:28:44 -0400 Subject: Strange behaviour of gpg when importing key from keyserver In-Reply-To: <4C75F75F.7050404@gmail.com> References: <4C759145.6010706@gmail.com> <4C75F75F.7050404@gmail.com> Message-ID: <4C7AB4EC.2010702@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 El 26-08-2010 1:10, Paul Richard Ramer escribi?: ... >> P.S: this is the question: >> Keys 1-3 of 3 for "theAddressIused". Introduzca n?mero(s), O)tro, o F)in > > > The equivalent for "O" is "N", because the English word here would be > "Next". For example: > > Keys 1-6 of 12 for "Faramir". Enter number(s), N)ext, or Q)uit > Thanks to David and Paul, that clarified my question. It seems there are 2 things that could be improved (but since I don't know how to fix it, I'm not complaining, just suggesting): to make the Spanish answers work, and maybe change O)tro (which means 'another') for S)iguiente (which means 'next'). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMerTsAAoJEMV4f6PvczxAOtAIAJxhRLqlADyjdE/UMxtK0Y8d HxZKZtR41KkIcLFdMv+PPS/qUtMq5/ps8bzavVsrhSHiYNLLv6pvlKILH50b1E3y 4fPI34Nk9VwDB2ArqIY+yXm+h8xW5ECnMPcPePVG1RMvSghGbymaEmIYAlUO6SDl TkdwHl3g/T9diKB05vrYWrL1FiQlAxJafJmWsklHWmLLNHKiY3h06cBfCtWlwvU2 ajnZnh7e8OhXBjj5fzQgoVc9Les9XdpTseeDp1DgGSDztr83wVe2jwSqcrO+JFHC YO7ZKoPYQkhHfmKt0sw0NWzOz8Cp1bjiAT8ZC+TTBTPYjbm/ko8FBaeR7j5gdBk= =Elzb -----END PGP SIGNATURE----- From jpboard2 at yahoo.com Sun Aug 29 22:40:13 2010 From: jpboard2 at yahoo.com (James Board) Date: Sun, 29 Aug 2010 13:40:13 -0700 (PDT) Subject: Redirecting STDIN In-Reply-To: Message-ID: <854860.73784.qm@web45901.mail.sp1.yahoo.com> This problem exists with gpg and with the older pgp 2.x. I'd like to solve it by redirecting STDIN because pgp 2.x doesn't implement the options that you specify. --- On Sun, 8/29/10, Laurent Jumet wrote: > From: Laurent Jumet > Subject: Re: Redirecting STDIN > To: "James Board" > Date: Sunday, August 29, 2010, 5:43 AM > > Hello James ! > > James Board > wrote: > > > I'm trying to encode a file in a shell script on a > linux machine.? The > > script is getting stuck on an interactive question for > which the answer is > > always 'y' (yes).? I tried redirecting stdin from > a file, and with 'echo "y" > > | ....", but that doesn't work for some reason (it > works with other programs > > that take interactive input from the user).? I > also tried the --yes option, > > but this doesn't work either. > > How can I redirect STDIN to pgp so that questions are > always answered 'y' > > and my script won't have to wait on user inputs? > > ? ? "--yes" means "Assume yes on most questions" > ? ? "--batch" means "Never ask, do not allow > interactive functions" > ? ? "--no-tty" means "No warnings to terminal > because GPG sometimes prints warnings even if --batch is > used" > > ? ? Using one, two or 3 of these options should > solve the problem. > > -- > Laurent Jumet > ? ? ? KeyID: 0xCFAF704C > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From mabrand at mabrand.nl Mon Aug 30 20:28:22 2010 From: mabrand at mabrand.nl (Mark Brand) Date: Mon, 30 Aug 2010 20:28:22 +0200 Subject: problem with static libgpg-error 1.9 on MinGW Message-ID: <4C7BF846.1040708@mabrand.nl> Hi, I have been working on updating from libgpg-error-1.8 to libgpg-error-1.9 in mingw-cross-env. Mingw-cross-env is a cross building environment for MinGW. One of its features is that it builds static versions of all its libraries. Anyway, I have a new runtime problem with applications linked to static libgpg-error-1.9. Compiling and linking go fine, but at runtime in Windows, the program crashes. Under Wine, the program hangs keeps producing this message: err:ntdll:RtlpWaitForCriticalSection section 0x473374 "?" wait timed out in thread 0009, blocked by 0000, retrying (60 sec). I'm pretty sure this happens before main(). Any easy example is tests/basic.c from libgcrypt-1.4.6. I would be grateful for some insights into this problem or hints about how to do further troubleshooting. regards, Mark From alex_gnupg at yahoo.in Tue Aug 31 07:08:25 2010 From: alex_gnupg at yahoo.in (Alex Smily) Date: Tue, 31 Aug 2010 10:38:25 +0530 (IST) Subject: how to change the default symmetric cipher Message-ID: <901386.30116.qm@web95702.mail.in.yahoo.com> Hi, i started working recently with gnupg, i did every thing instaling, generating keys, sending to keyservers, receiving keys from keyservers, sending and receiving encrypted & signed emails... now my question is how to choose the symmetric encryption algorithm among the available ciphers in GNUPG. & is there any way of selecting / adding a new symmetric cipher to GNUPG on which both sender and recipient are agreed. thanks a lot i learned quite a good mount from this group,alex? -------------- next part -------------- An HTML attachment was scrubbed... URL: From telegraph at gmx.net Tue Aug 31 12:58:28 2010 From: telegraph at gmx.net (Gregor Zattler) Date: Tue, 31 Aug 2010 12:58:28 +0200 Subject: how to change the default symmetric cipher In-Reply-To: <901386.30116.qm@web95702.mail.in.yahoo.com> References: <901386.30116.qm@web95702.mail.in.yahoo.com> Message-ID: <20100831105828.GA21501@shi.workgroup> Hi Alex, * Alex Smily [31. Aug. 2010]: > now my question is how to choose the symmetric encryption > algorithm among the available ciphers in GNUPG. > & is there any way of selecting / adding a new symmetric cipher > to GNUPG on which both sender and recipient are agreed. Different OpenPGP clients provide different symmetric ciphers. Your public key contains among other meta information the information which symmetric ciphers your OpenPGP client supports and ranks them according to your preferences [or the defaults if you did not provide the preferences yourself]. You may set/change the preferences on your key in order to inform your recipients OpenPGP client about them. you can do this with the command gpg --edit-key and use the commands (you should read the gpg manual): showpref More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list. In addition, the preferred keyserver and signature notations (if any) are shown. setpref string Set the list of user ID preferences to string for all (or just the selected) user IDs. Calling setpref with no argu? ments sets the preference list to the default (either built- in or set via --default-preference-list), and calling set? pref with "none" as the argument sets an empty preference list. Use gpg --version to get a list of available algo? rithms. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG. When setting preferences, you should list the algorithms in the order which you'd like to see them used by someone else when encrypting a message to your key. If you don't include 3DES, it will be automatically added at the end. Note that there are many factors that go into choosing an algorithm (for example, your key may not be the only recipient), and so the remote OpenPGP application being used to send to you may or may not follow your exact chosen order for a given message. It will, however, only choose an algorithm that is present on the preference list of every recipient key. See also the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS sec? tion below. Use "save" to end editing your keys preferences. When your OpenPGP client encrytpts to a recipents key it it searches the cipher capabilities/preferences of your recipents key and matches them against your preferences as stated in your config file (again you should read the manual:) --personal-cipher-preferences string Set the list of personal cipher preferences to string. Use gpg --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked cipher in this list is also used for the --sym? metric encryption command. --personal-digest-preferences string Set the list of personal digest preferences to string. Use gpg --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely override the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked digest algorithm in this list is also used when signing without encryption (e.g. --clearsign or --sign). The default value is SHA-1. --personal-compress-preferences string Set the list of personal compression preferences to string. Use gpg --version to get a list of available algorithms, and use none to set no preference at all. This allows the user to safely over? ride the algorithm chosen by the recipient key preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked compression algorithm in this list is also used when there are no recipient keys to consider (e.g. --symmet? ric). HTH, Gregor -- -... --- .-. . -.. ..--.. ...-.- From stercor at gmail.com Tue Aug 31 11:43:06 2010 From: stercor at gmail.com (Ted Rolle Jr.) Date: Tue, 31 Aug 2010 05:43:06 -0400 Subject: Encryption with no recipient Message-ID: <4C7CCEAA.2000309@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there an option to use symmetric ciphers to encrypt a file with no recipient? - --no-encrypt-to doesn't do this. I want to encrypt a file with no recipient. Ted -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMfM6iAAoJENEtY9EvFm6Jg+MQALYk8LeQTAFoI/SEuPs00/IW gJoDbHG+TcKEk9ThXOxo6qDXaHQucA3Fak07TwEUqzBC8dv2IM3cXFOdCH6a7JQg Y8DWzK2H1saUwqHNVo9eBMPeyngGZ50wTaJjVQVyY4RcWeAGCYxbIkmrG0yWU1P0 KMVQR/H6Hnr67YJ/c0WnOqag3+ljm5BtCdWyLCDlxKBhezf57h/9vuZgIZLMgoos fcHzrzFtWzXkXF3TMunmy+xOoyf4VQXkRjhQk6VxDmUmW6k69njdo8ufYECHbwNo Ku28wOeOjHYEr/SyEQydkT+QX+MeliTVGbhSxvCHCMG4PpOnpPpXQmqk+QCEj8Hh 2Y6h92XguXcO1VRwYMhVV2E2D/Er/3Rby7zHUjXYRMbmjyzeS6Dxn1lk1FPuTpB4 B9ymGBxXdGUoHI9UV7zL0oOhubtxKmZDsLzwl95tEquo73XFxiL/Pcyc7GdGc9en 9lJkBTD2wC15fzsl2VPBrTkglWHkK1GkAGl2dzYDz7k40TI77hlYS6kFE0R36xXL mpj7qEQmo2LuxPRd1+nJh0qWAZus1YvdQWap3WNP7m9ZQvvkwrvtTF8fEhaF4dGJ jK3U1i3c61P4FkczoutAwuu/H9/5h54olLk7UmbWLB1sYWSMgddciulReslvKwC2 GAF10JS7PHQCgB6VzX5L =Eau1 -----END PGP SIGNATURE----- From mailinglisten at hauke-laging.de Tue Aug 31 13:37:51 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 31 Aug 2010 13:37:51 +0200 Subject: Encryption with no recipient In-Reply-To: <4C7CCEAA.2000309@gmail.com> References: <4C7CCEAA.2000309@gmail.com> Message-ID: <201008311337.56960.mailinglisten@hauke-laging.de> Am Dienstag 31 August 2010 11:43:06 schrieb Ted Rolle Jr.: > Is there an option to use symmetric ciphers to encrypt a file with no > recipient? > --no-encrypt-to doesn't do this. > I want to encrypt a file with no recipient. gpg --symmetric file Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From roam at ringlet.net Tue Aug 31 13:36:36 2010 From: roam at ringlet.net (Peter Pentchev) Date: Tue, 31 Aug 2010 14:36:36 +0300 Subject: Encryption with no recipient In-Reply-To: <4C7CCEAA.2000309@gmail.com> References: <4C7CCEAA.2000309@gmail.com> Message-ID: <20100831113636.GA3801@straylight.ringlet.net> On Tue, Aug 31, 2010 at 05:43:06AM -0400, Ted Rolle Jr. wrote: > Is there an option to use symmetric ciphers to encrypt a file with no > recipient? > --no-encrypt-to doesn't do this. > I want to encrypt a file with no recipient. Is "gpg -c filename" (or "gpg --symmetric filename") useful to you? G'luck, Peter -- Peter Pentchev roam at space.bg roam at ringlet.net roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Hey, out there - is it *you* reading me, or is it someone else? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From rjh at sixdemonbag.org Tue Aug 31 14:09:14 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 31 Aug 2010 08:09:14 -0400 Subject: how to change the default symmetric cipher In-Reply-To: <901386.30116.qm@web95702.mail.in.yahoo.com> References: <901386.30116.qm@web95702.mail.in.yahoo.com> Message-ID: <4C7CF0EA.6050004@sixdemonbag.org> On 8/31/2010 1:08 AM, Alex Smily wrote: > now my question is how to choose the symmetric encryption algorithm > among the available ciphers in GNUPG. First, think about whether you need to. Most people don't. GnuPG works just fine out of the box without any tweaking. That said, look at adding the line: personal-cipher-preferences [list] ... to your gpg.conf file. For instance, if I'd like to use Blowfish whenever possible, and 3DES if the person I'm communicating with doesn't understand Blowfish, I'd put: personal-cipher-preferences blowfish 3des ... in my gpg.conf file. From rjh at sixdemonbag.org Tue Aug 31 14:11:40 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 31 Aug 2010 08:11:40 -0400 Subject: Encryption with no recipient In-Reply-To: <4C7CCEAA.2000309@gmail.com> References: <4C7CCEAA.2000309@gmail.com> Message-ID: <4C7CF17C.90004@sixdemonbag.org> On 8/31/2010 5:43 AM, Ted Rolle Jr. wrote: > Is there an option to use symmetric ciphers to encrypt a file with no > recipient? --symmetric From stercor at gmail.com Tue Aug 31 13:49:48 2010 From: stercor at gmail.com (Ted Rolle Jr.) Date: Tue, 31 Aug 2010 07:49:48 -0400 Subject: Encryption with no recipient In-Reply-To: <20100831113636.GA3801@straylight.ringlet.net> References: <4C7CCEAA.2000309@gmail.com> <20100831113636.GA3801@straylight.ringlet.net> Message-ID: <4C7CEC5C.6030500@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I tried -ace and it aways asked for a userid. -c and -ac worked just fine. Apparently when -e is specified that triggers the request for a recipient. Thanks to all those who answered my request! Ted On 08/31/2010 07:36 AM, Peter Pentchev wrote: > On Tue, Aug 31, 2010 at 05:43:06AM -0400, Ted Rolle Jr. wrote: >> Is there an option to use symmetric ciphers to encrypt a file with no >> recipient? >> --no-encrypt-to doesn't do this. >> I want to encrypt a file with no recipient. > > Is "gpg -c filename" (or "gpg --symmetric filename") useful to you? > > G'luck, > Peter > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMfOxSAAoJENEtY9EvFm6J5x8QAI+BhvyxF7zfqif1lqSjiDgT Exkng+TaZeWeM3GQ4JjXFTrbhn2dlxaxV0RRvuxxM6Jw8G2hOEWPhh0xdrHuPWeV 8yOtkXB0MNaIVB7ZbE8VqbhGlORSi7a2rY+Vd7RDywoIKpotKQruca/C8MxhWwRk 3hAbeG4nV8ikYaIahiwgnS+o/bKsPd6b8BdgY3OUR24BW29NgXsfbQsVfavORMVI eCuyUg5cRNslMCJAU+y3nCM1FknpYGzEl6kV/uxIbHfNj8PoYTHpKo+Kdzpmr38S CTQVZ5l4G3udkFCdYcXFbaxNMnG7kEqhsYE/fA3up6NV+QiRZHnb9AkAUw2EIgxT Z6a6J7pPdlQ2P13C09luNfgmxfiQfZljhLSSB+r6x4gJXVzDxYz2kYwNgrnKO7eY ypft4Y8At9pN8ZYruKRI0M5AjY4at6r0xV4QPP2YS2ovrbvvg9WzQA1OXzZnZRq1 Ul4X2OrPjvK11oESdBf7ZKCTEZVNwD1g7KmZFr7Y509UHwLzfPP3w24wig9/eiSX Wmzy9MWvy+ouf4H9vOby/CKaXtYMwyElgAaYldj9g/SneaSkO+O3QEJ58TqB/+qW 90TZTf7FKTLiPrxNd+329rue4Odh8kUrCofcB7w+VCaT5vzMzi/nwI7o3vlBhhyJ ewj0tRr8W786wCRqCYX8 =pw9O -----END PGP SIGNATURE----- From stercor at gmail.com Tue Aug 31 16:47:24 2010 From: stercor at gmail.com (Ted Rolle Jr.) Date: Tue, 31 Aug 2010 10:47:24 -0400 Subject: Offtopic: any German speakers who can help translate jokes to English Message-ID: <4C7D15FC.1070809@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It doesn't have to be perfect! I visit www.spitzenwitze.de and find good jokes there. I don't get some of them because I'm not that familiar with colloquial German. And some don't translate well, if at all. Ted -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMfRX6AAoJENEtY9EvFm6JyrQQAKEnKCyoDNG2a+xUgB5K0avZ VNzOYm+Qup8q2GPD930Dg3FzcG2zSDKPeyu2gMqQYU90deU2Jy6WUfaCSALQNBHl iLNWAgnMZQJO7K09OGlJ+6d7AgyyF4XLMRug4LGbz7r6ltMGhOEfQQSUaUZK0uqR 3pIDIqJQyITDjx4pW3PzaDPhsCYo/Ch6e+M+rnVU08m/OY7k1ScUzm+0nLpxjtaO uBeHMc4kk2txyxOGMfYZfTLLsOdnUXRff5KznR0L8QsoJEGXGe/zY+0vYQkMsjLm H30heiuqd45JqQOuvgt4iwgvzpNduzVCy9PdbL6YVY8Dbr2A2u8V1CF/GShEDChA iUGgO4VaMUHlsB3vB/I2y0qSqZ+/rDLmErxFnyusfVOtBfXbvQpFllbZZ0JbKFLm CGzDf/keuVP2owydSr3usnKfJULtTcReounHfXNouvPu5X1Bp2CZ0S0bBfDuzQVY Rguf61Pkp1uYUIqaIeMBSyekdgaBzdC8P7tcnf1bn4iJuYMUUtRxV0xeUGBKXmla l+G6Ksl/SlDf1wfOV1Rl2P6/gB0wQ6bZfGYzfNGC47K56WbcKZmVoyv48GWH8voc 8xAlwz6TdoHHjOWScYKbNP2JDtR0pYOhY6JmZA0CiMy7QdwKP3UfkGiaSPg94k0f sBXHczkvKKT4+E/pSjV3 =OMED -----END PGP SIGNATURE----- From lopaki at gmail.com Tue Aug 31 18:26:08 2010 From: lopaki at gmail.com (Scott Lambdin) Date: Tue, 31 Aug 2010 12:26:08 -0400 Subject: Offtopic: any German speakers who can help translate jokes to English In-Reply-To: <4C7D15FC.1070809@gmail.com> References: <4C7D15FC.1070809@gmail.com> Message-ID: Sie brauchen einen Computer nicht einzuschalten um festzustellen, ob Windows installiert ist. Sehen Sie einfach nach, ob die Aufschrift auf der Reset-Taste noch lesbar ist! If you want to see if a computer has Windows installed, simply see if the print on the reset button is worn off. On Tue, Aug 31, 2010 at 10:47 AM, Ted Rolle Jr. wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > It doesn't have to be perfect! I visit www.spitzenwitze.de and find > good jokes there. I don't get some of them because I'm not that > familiar with colloquial German. And some don't translate well, if at all. > > Ted > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQIcBAEBAgAGBQJMfRX6AAoJENEtY9EvFm6JyrQQAKEnKCyoDNG2a+xUgB5K0avZ > VNzOYm+Qup8q2GPD930Dg3FzcG2zSDKPeyu2gMqQYU90deU2Jy6WUfaCSALQNBHl > iLNWAgnMZQJO7K09OGlJ+6d7AgyyF4XLMRug4LGbz7r6ltMGhOEfQQSUaUZK0uqR > 3pIDIqJQyITDjx4pW3PzaDPhsCYo/Ch6e+M+rnVU08m/OY7k1ScUzm+0nLpxjtaO > uBeHMc4kk2txyxOGMfYZfTLLsOdnUXRff5KznR0L8QsoJEGXGe/zY+0vYQkMsjLm > H30heiuqd45JqQOuvgt4iwgvzpNduzVCy9PdbL6YVY8Dbr2A2u8V1CF/GShEDChA > iUGgO4VaMUHlsB3vB/I2y0qSqZ+/rDLmErxFnyusfVOtBfXbvQpFllbZZ0JbKFLm > CGzDf/keuVP2owydSr3usnKfJULtTcReounHfXNouvPu5X1Bp2CZ0S0bBfDuzQVY > Rguf61Pkp1uYUIqaIeMBSyekdgaBzdC8P7tcnf1bn4iJuYMUUtRxV0xeUGBKXmla > l+G6Ksl/SlDf1wfOV1Rl2P6/gB0wQ6bZfGYzfNGC47K56WbcKZmVoyv48GWH8voc > 8xAlwz6TdoHHjOWScYKbNP2JDtR0pYOhY6JmZA0CiMy7QdwKP3UfkGiaSPg94k0f > sBXHczkvKKT4+E/pSjV3 > =OMED > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- There's a box? -------------- next part -------------- An HTML attachment was scrubbed... URL: