From dkg at fifthhorseman.net Tue Jun 1 01:18:04 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 31 May 2010 19:18:04 -0400 Subject: ...key belongs to ... In-Reply-To: References: Message-ID: <4C0443AC.9000002@fifthhorseman.net> On 05/29/2010 08:47 PM, Dan Mahoney, System Admin wrote: > On Sun, 30 May 2010, Michael D. Berger wrote: >> Now in the context in which this is being used, there is no >> uncertainty regarding key ownership, and the encryption is >> part of a bash script. The query stops the script. >> >> Therefore, how can I prevent this query? > > Edit the trust of the key, and or sign it with a trust signature. Please do not follow Dan Mahoney's suggestion here :/ The prompt you're trying to address is about fixing gpg's perceived calculated validity of the key, *not* about how much you trust the owner to make proper certifications. Trust signatures or edited ownertrust should not be used to adjust the validity of a single key's user ID, since an adjustment like that will have other unintended consequences (e.g. the holder of the key whose ownertrust is elevated will now be able to fool you into thinking that other key+uid combinations are actually valid). --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From jjperry at water.com Wed Jun 2 00:49:49 2010 From: jjperry at water.com (Perry, James J.) Date: Tue, 1 Jun 2010 18:49:49 -0400 Subject: GPG seems broken on FC13 after upgrade. Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> I just updated to FC 13 and not gpg fails to work for any user. I get the following messages when I try to decrypt a file and have the DISPLAY set even though I am not using X. gpg --pgp6 EDI997.20100601091546.pgp You need a passphrase to unlock the secret key for user: "xyz" 2048-bit ELG key, ID ... can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory gpg-agent[24444]: command get_passphrase failed: Operation cancelled gpg: cancelled by user gpg: encrypted with 2048-bit ELG key, ID ... gpg: public key decryption failed: General error gpg: decryption failed: No secret key This happens when I have a DISPLAY variable set. Without it I get a bad looking curses interface image like below: lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq k x Please enter the passphrase to unlock the secret key for the OpenPGP x x certificate: x x "xyz" x x 2048-bit ELG key, ID ... x x created 2010-05-30 (main key ID ...). x x x x x x Passphrase __________________________________________________________ x x x x x mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq j This was not how it worked when I used it prior to upgrading to FC13. I do not want all the pretty stuff and I need it to prompt for a password on the command line like it did prior to the used of pinentry-qt or pinentry-curses. What do I need to fix? I spent 4 hours digging around to just find that if I had a DISPLAY variable set but no X-Server running on my MS Win box, it would not even work. Users of GPG here on Linux will not understand that issue so I will need to keep it running as it did before, but no manuals I found seemed to indicate how to correct it. Thanks! -Jim -------------- next part -------------- An HTML attachment was scrubbed... URL: From dirk.walter at semanticbits.com Wed Jun 2 17:15:36 2010 From: dirk.walter at semanticbits.com (Dirk Walter) Date: Wed, 2 Jun 2010 11:15:36 -0400 Subject: Trying to build gpg on AIX 6.1 Message-ID: Hello all, I am trying to build gpg on an AIX 6.1 machine and while some people have reported success I can't even get configure to successfully run. The problem seems to be with the -V flag which takes arguments but none are provided in the configure script. I have included the part of the log I believe are relevant. I get the same regardless of if I run plain "./configure" or "CFLAGS="-g -O2 -mcpu=powerpc" ./configure" as I have read elsewhere. What am I doing wrong? configure:3305: result: gcc configure:3543: checking for C compiler version configure:3550: gcc --version >&5 gcc (GCC) 4.2.4 Copyright (C) 2007 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. configure:3553: $? = 0 configure:3560: gcc -v >&5 Using built-in specs. Target: powerpc-ibm-aix5.3.0.0 Configured with: ../gcc-4.2.4/configure --with-as=/usr/bin/as --with-ld=/usr/bin/ld --enable-languages=c,c++,fortran --prefix=/opt/freeware --enable-threads --enable-version-specific-runtime-libs --disable-nls --enable-decimal-float=dpd --host=powerpc-ibm-aix5.3.0.0 Thread model: aix gcc version 4.2.4 configure:3563: $? = 0 configure:3570: gcc -V >&5 gcc: '-V' option must have argument configure:3573: $? = 1 configure:3596: checking for C compiler default output file name configure:3623: gcc conftest.c >&5 gcc: error trying to exec 'cc1': execvp: No such file or directory configure:3626: $? = 1 configure:3664: result: configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "gnupg" | #define PACKAGE_TARNAME "gnupg" | #define PACKAGE_VERSION "1.4.10" | #define PACKAGE_STRING "gnupg 1.4.10" | #define PACKAGE_BUGREPORT "bug-gnupg at gnu.org" | #define PACKAGE "gnupg" | #define VERSION "1.4.10" | #define _GNU_SOURCE 1 | #define EGD_SOCKET_NAME "" | #define USE_RSA 1 | #define USE_IDEA 1 | #define USE_CAST5 1 | #define USE_BLOWFISH 1 | #define USE_AES 1 | #define USE_TWOFISH 1 | #define USE_CAMELLIA 1 | #define USE_SHA256 1 | #define PK_UID_CACHE_SIZE 4096 | /* end confdefs.h. */ | | int | main () | { | | ; | return 0; | } configure:3670: error: C compiler cannot create executables See `config.log' for more details From ml at mareichelt.com Wed Jun 2 21:39:03 2010 From: ml at mareichelt.com (markus reichelt) Date: Wed, 2 Jun 2010 21:39:03 +0200 Subject: Linuxtag 2010 Berlin, June 09-12 Message-ID: <20100602193903.GM16980@pc21.mareichelt.com> Hi folks, just a quick heads-up for those planning to visit Berlin within the 2nd week of June: Linuxtag 2010, June 09-12, http://www.linuxtag.org/2010/ Mini Debian Conference 2010, June 10-11, http://wiki.debconf.org/wiki/Miniconf-LT-Berlin/2010 25th Chemspec Europe, June 09-10, http://www.chemspecevents.com/europe/ 100th ILA, June 08-13, http://www.ila-berlin.de/ila2010/home/index.cfm In case you'd like to exchange gpg key signatures, the best way would be to attend the official Linuxtag keysigning party (which was hijacked by wanna-be data-protection experts this year) http://wiki.linuxtag.org/w/Keysigning-Party_2010 Well, I'm going to attend all listed events. So, additional meetings to exchange (cross!) gpg key signatures are also possible. Just contact me by mail until 11:59pm Sunday, June 06 as to these concerns. Take care. -- left blank, right bald -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From joke at seiken.de Thu Jun 3 16:12:07 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 3 Jun 2010 16:12:07 +0200 Subject: Crypto Stick released! In-Reply-To: References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> Message-ID: <201006031612.09043.joke@seiken.de> My stick works fine with 3072bit rsa keys. On Tuesday 25 May 2010 15:21:05 James P. Howard, II wrote: > On 5/10/10 5:04 PM, Olav Seyfarth wrote: > > english version: > > http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/ > > My Crypto Stick arrived in the mail yesterday (Maryland, United > States--ordered on May 14). > > One thing I am confused about, it suggests it accepts RSA keys up to > 3072 bits. However, when I tried to copy my existing 2048-bit RSA keys, > GPG reponds with: > > Command> keytocard > Signature key ....: [none] > Encryption key....: [none] > Authentication key: [none] > > You may only store a 1024 bit RSA key on the card > > I take it I am missing something obvious in this? > > James -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From raviraj221 at gmail.com Thu Jun 3 16:23:07 2010 From: raviraj221 at gmail.com (raviraj kondraguntla) Date: Thu, 3 Jun 2010 10:23:07 -0400 Subject: Is there 2.0.14 for Solaris? Message-ID: Hi, I am trying to do the fresh installion on GnuPG. Instead of installing 1.4.10, I want to go with 2.0.14 directly. Is 2.0.14 available for Solairs? if available, can you please help me to locate it Did anyone of you installed/upgraded to 2.0.14 on Solaris 10? Is it working fine ? Thanks, Raj -------------- next part -------------- An HTML attachment was scrubbed... URL: From jjperry at water.com Thu Jun 3 16:23:41 2010 From: jjperry at water.com (Perry, James J.) Date: Thu, 3 Jun 2010 10:23:41 -0400 Subject: Crypto Stick released! In-Reply-To: <201006031612.09043.joke@seiken.de> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> >From what I see on the advertisement, they say it has "Three independent RSA keys (signature, encryption, authentication) with a length up to 3072 bit." While I don't speak Marketing, it sure sounds like each key is 1024 with the three of them taking up 3072 total. -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Joke de Buhr Sent: Thursday, June 03, 2010 10:12 AM To: jh at jameshoward.us Cc: gnupg-users at gnupg.org Subject: Re: Crypto Stick released! My stick works fine with 3072bit rsa keys. On Tuesday 25 May 2010 15:21:05 James P. Howard, II wrote: > On 5/10/10 5:04 PM, Olav Seyfarth wrote: > > english version: > > http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/ > > My Crypto Stick arrived in the mail yesterday (Maryland, United > States--ordered on May 14). > > One thing I am confused about, it suggests it accepts RSA keys up to > 3072 bits. However, when I tried to copy my existing 2048-bit RSA keys, > GPG reponds with: > > Command> keytocard > Signature key ....: [none] > Encryption key....: [none] > Authentication key: [none] > > You may only store a 1024 bit RSA key on the card > > I take it I am missing something obvious in this? > > James Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- From cryptostick at privacyfoundation.de Thu Jun 3 16:43:19 2010 From: cryptostick at privacyfoundation.de (Crypto Stick) Date: Thu, 03 Jun 2010 16:43:19 +0200 Subject: Crypto Stick released! In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> Message-ID: <4C07BF87.9040907@privacyfoundation.de> Each of the three keys can be up to 3072 bit. In fact they can even be 4096 bit long; but GnuPG does currently not support such key length in cooperation with the Crypto Stick (but GnuPG can handle 4096 bit soft-keys without the Crypto Stick). On 03.06.2010 16:23, Perry, James J. wrote: >> >From what I see on the advertisement, they say it has "Three independent > RSA keys (signature, encryption, authentication) with a length up to > 3072 bit." While I don't speak Marketing, it sure sounds like each key > is 1024 with the three of them taking up 3072 total. > > -----Original Message----- > From: gnupg-users-bounces at gnupg.org > [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Joke de Buhr > Sent: Thursday, June 03, 2010 10:12 AM > To: jh at jameshoward.us > Cc: gnupg-users at gnupg.org > Subject: Re: Crypto Stick released! > > My stick works fine with 3072bit rsa keys. > > On Tuesday 25 May 2010 15:21:05 James P. Howard, II wrote: >> On 5/10/10 5:04 PM, Olav Seyfarth wrote: >>> english version: >>> http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/ >> >> My Crypto Stick arrived in the mail yesterday (Maryland, United >> States--ordered on May 14). >> >> One thing I am confused about, it suggests it accepts RSA keys up to >> 3072 bits. However, when I tried to copy my existing 2048-bit RSA > keys, >> GPG reponds with: >> >> Command> keytocard >> Signature key ....: [none] >> Encryption key....: [none] >> Authentication key: [none] >> >> You may only store a 1024 bit RSA key on the card >> >> I take it I am missing something obvious in this? >> >> James > > Proud partner. Susan G. Komen for the Cure. > > Please consider our environment before printing this e-mail or attachments. > ---------------------------------- > CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. > ---------------------------------- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Thu Jun 3 17:02:39 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 3 Jun 2010 11:02:39 -0400 Subject: Crypto Stick released! In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> Message-ID: On Jun 3, 2010, at 10:23 AM, Perry, James J. wrote: >> From what I see on the advertisement, they say it has "Three independent > RSA keys (signature, encryption, authentication) with a length up to > 3072 bit." While I don't speak Marketing, it sure sounds like each key > is 1024 with the three of them taking up 3072 total. That is not correct. Each individual key can be up to 3072 bytes. The internal hardware can actually handle slightly more, but 3072 is the current limit. David From joke at seiken.de Thu Jun 3 17:13:12 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 3 Jun 2010 17:13:12 +0200 Subject: Crypto Stick released! In-Reply-To: <4C07BF09.2020006@jameshoward.us> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> <4C07BF09.2020006@jameshoward.us> Message-ID: <201006031713.14031.joke@seiken.de> Each key can be 3072 bit. ssb> 3072R/0x96525A09870156C6 created: 2010-04-29 expires: never card-no: 0005 00000569 ssb> 3072R/0x5354A50986C9F1CC created: 2010-04-29 expires: never card-no: 0005 00000569 ssb> 3072R/0x22EDBA56D3E557E9 created: 2010-04-29 expires: never card-no: 0005 00000569 On Thursday 03 June 2010 16:41:13 you wrote: > On 6/3/10 10:23 AM, Perry, James J. wrote: > > From what I see on the advertisement, they say it has "Three independent > > RSA keys (signature, encryption, authentication) with a length up to > > 3072 bit." While I don't speak Marketing, it sure sounds like each key > > is 1024 with the three of them taking up 3072 total. > > I noted that, too, but I currently have three 2048 bit keys on my card. > > James -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From joke at seiken.de Thu Jun 3 17:13:30 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 3 Jun 2010 17:13:30 +0200 Subject: Crypto Stick released! In-Reply-To: <4C07B922.8080209@jameshoward.us> References: <201006031612.09043.joke@seiken.de> <4C07B922.8080209@jameshoward.us> Message-ID: <201006031713.32248.joke@seiken.de> Same with me. It seems to be a gnupg problem. If you don't use the scdaemon the stick can do sha512 signatures. I added I bug report a couple of days ago. https://bugs.g10code.com/gnupg/issue1229 On Thursday 03 June 2010 16:16:02 you wrote: > On 6/3/10 10:12 AM, Joke de Buhr wrote: > > My stick works fine with 3072bit rsa keys. > > I updated to 2.0.14 and that solved my problems. > > However, right now there is a new one I just discovered. Someone else > posted this last month, too, but apparently when using the agent, the > card will not allow signatures with hashes other than SHA1 or RIPEMD160. > > James -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From jh at jameshoward.us Thu Jun 3 16:16:02 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Thu, 03 Jun 2010 10:16:02 -0400 Subject: Crypto Stick released! In-Reply-To: <201006031612.09043.joke@seiken.de> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> Message-ID: <4C07B922.8080209@jameshoward.us> On 6/3/10 10:12 AM, Joke de Buhr wrote: > My stick works fine with 3072bit rsa keys. I updated to 2.0.14 and that solved my problems. However, right now there is a new one I just discovered. Someone else posted this last month, too, but apparently when using the agent, the card will not allow signatures with hashes other than SHA1 or RIPEMD160. James -- James P. Howard, II, MPA MBCS CGFM -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jh at jameshoward.us Thu Jun 3 16:41:13 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Thu, 03 Jun 2010 10:41:13 -0400 Subject: Crypto Stick released! In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> Message-ID: <4C07BF09.2020006@jameshoward.us> On 6/3/10 10:23 AM, Perry, James J. wrote: > From what I see on the advertisement, they say it has "Three independent > RSA keys (signature, encryption, authentication) with a length up to > 3072 bit." While I don't speak Marketing, it sure sounds like each key > is 1024 with the three of them taking up 3072 total. I noted that, too, but I currently have three 2048 bit keys on my card. James -- James P. Howard, II, MPA MBCS CGFM -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jrollins at finestructure.net Thu Jun 3 16:58:55 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Thu, 03 Jun 2010 10:58:55 -0400 Subject: Crypto Stick released! In-Reply-To: <4C07BF87.9040907@privacyfoundation.de> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> <4C07BF87.9040907@privacyfoundation.de> Message-ID: <87d3w8w4b4.fsf@servo.finestructure.net> On Thu, 03 Jun 2010 16:43:19 +0200, Crypto Stick wrote: > Each of the three keys can be up to 3072 bit. In fact they can even be > 4096 bit long; but GnuPG does currently not support such key length in > cooperation with the Crypto Stick (but GnuPG can handle 4096 bit > soft-keys without the Crypto Stick). That's strange. What is the limitation with the bit length and GnuPG in regards to the Crypto Stick? Is that something that can be patched, or is it a limitation of the communication protocol? jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From jpmullis at gmail.com Thu Jun 3 17:08:55 2010 From: jpmullis at gmail.com (John Mullis) Date: Thu, 3 Jun 2010 11:08:55 -0400 Subject: Is there 2.0.14 for Solaris? In-Reply-To: References: Message-ID: I would like to find 2.0.14 for solaris 9 sparc... if it is out there. Thanks, John On Thu, Jun 3, 2010 at 10:23 AM, raviraj kondraguntla wrote: > Hi, > > I am trying to do the fresh installion on GnuPG. > Instead of installing 1.4.10, I want to go with 2.0.14 directly. > > Is 2.0.14 available for Solairs? > if available, can you please help me to locate it > > Did anyone of you installed/upgraded to 2.0.14 on Solaris 10? > Is it working fine ? > > Thanks, > Raj > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From raviraj221 at gmail.com Thu Jun 3 20:40:06 2010 From: raviraj221 at gmail.com (raviraj kondraguntla) Date: Thu, 3 Jun 2010 14:40:06 -0400 Subject: Installing 1.4.10 on Solaris 10 SPARC Message-ID: Hi All, I am installing 1.4.10 on Solaris 10 SPARC, below is the part of the output from config.log where installation errored out. Can you please let me know what should be the value of INCLUDE_FLAGS and where should I look/adjust to keep the installation proceeding *Cache Variables:* ac_cv_env_CFLAGS_value='-Xc -xstrconst -xcg92 *$(INCLUDE_FLAGS)* -O -DSUN_OS5 -DNLS_ASIA -DAFSTUBS' *output Variables* CFLAGS='-Xc -xstrconst -xcg92 *$(INCLUDE_FLAGS)* -O -DSUN_OS5 -DNLS_ASIA -DAFSTUBS' configure:3305: result: /opt/SUNWspro/bin/cc configure:3543: checking for C compiler version configure:3550: /opt/SUNWspro/bin/cc --version >&5 cc: Warning: Option --version passed to ld, if ld is invoked, ignored otherwise usage: cc [ options] files. Use 'cc -flags' for details configure:3553: $? = 0 configure:3560: /opt/SUNWspro/bin/cc -v >&5 usage: cc [ options] files. Use 'cc -flags' for details configure:3563: $? = 0 configure:3570: /opt/SUNWspro/bin/cc -V >&5 cc: Sun C 5.10 SunOS_sparc 2009/06/03 usage: cc [ options] files. Use 'cc -flags' for details configure:3573: $? = 0 configure:3596: checking for C compiler default output file name *configure:3623: /opt/SUNWspro/bin/cc -Xc -xstrconst -xcg92 $(INCLUDE_FLAGS) -O -DSUN_OS5 -DNLS_ASIA -DAFSTUBS conftest.c >&5 ld: fatal: file $(INCLUDE_FLAGS): open failed: No such file or directory* *ld: fatal: File processing errors. No output written to a.out* Thanks Raj -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Fri Jun 4 16:00:49 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 04 Jun 2010 16:00:49 +0200 Subject: Encrypted Directory In-Reply-To: (Michael D. Berger's message of "Wed, 26 May 2010 22:08:41 +0000 (UTC)") References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> Message-ID: <87ocfq7v8u.fsf@vigenere.g10code.de> On Thu, 27 May 2010 00:08, m_d_berger_1900 at yahoo.com said: > Also, AFAICT, truecrypt, luks, FreeOTFE do not have public key > encryption, which I would prefer. GnuPG 2.1 will come with g13 which is a public key encryption frontend to user filesystems. As of now we support Encfs but it is easy to add other file systems. Encfs has been ported to Windows, thus it will be possible to do this there as well. Smartcards are supported automagically. It is all work in progress and not yet ready for production use. Things we need to do: * Add other crypto file systems. * Add the code to manage the encryption, so that it is possible to change the keys or add more keys (even symmetric ones). * Port to Windows. * Improve the GPGME interface (we already have a mount/umount API, though). * Push some minor encfs changes to upstream. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From micah at riseup.net Fri Jun 4 19:35:10 2010 From: micah at riseup.net (Micah Anderson) Date: Fri, 04 Jun 2010 13:35:10 -0400 Subject: auto refresh-keys Message-ID: <87d3w6n1kh.fsf@algae.riseup.net> I filed this today at https://bugs.g10code.com/gnupg/issue1235 but I wanted to send it to the list to get wider discussion about the idea. If you do not regularly refresh your public keys from keyservers, you do not get timely expiration updates or revocations, both of which are very important to have available to your local keyring as soon as possible. If you do not refresh your keys from the keyserver, and I have revoked my key because it has been compromised, then you will continue to use my key without knowing that I've revoked it. That can lead to bad situations. For proper functioning of a distributed web of trust, this needs to happen, and until it does the breakages in those links are too fragile and frequent. I did an experiment recently where I set my key expiration to be short and then one week before it was to expire, I extended the expiration and sent that to the keyservers. What I found was that one week later, virtually everyone that I communicate with using that key thought that my key had expired, because none of them have a process to regularly refresh their keys in their keyring. I had to contact them individually and explain the situation and then advise them to setup a personal cronjob to do a regular refresh, typically I suggest something like: 0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1 This is annoying for every gnupg user to have to setup on their own. It is also problematic for people who do not understand cron. In my experience, asking every user to do this is problematic, as very few actually end up doing it. I've been begging people to setup cronjobs like this for the last 2 years as I've been going through various key transitions, and very few of them actually do it, even those that I have urged 3-4 times to do so. It also cannot be done in a reasonable way automatically by distro packagers due to the fact that package maintainers cannot know how the local admin needs to have things setup (such as a system-wide cronjob, or a adduser hook). For example, home directories are not necessarily local to a machine, and having a system-wide cronjob to scan all user's home directories and then modify them is not a good idea; or they don't use adduser and instead use automated tools for account creation. It seems like the best solution would be to build into gnupg the functionality that is similar to the automatic trust database operation: have gpg auto-refresh From the configured keyserver periodically. There are some considerations that should be made here, such as how frequent should this refresh operation happen? Should it happen on every use, before the key is used? Should it happen just on the key(s) that the current operation is going to act on? What about network problems, such as no network at all, keyserver down, or slow? There should probably be a low timeout to not cause user annoyance, but also some sort of indication/warning that when a keyserver update could not be performed that the key is potentially out of date. Users should have the capability to configure in their gpg.conf a 'no-auto-refresh-keys' variable if they do not want this functionality. Perhaps even some sanity checking on the data that is coming in would be good to guard against gigabytes of data coming down. micah -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From sonjamichelle at gmail.com Sat Jun 5 05:10:57 2010 From: sonjamichelle at gmail.com (Sonja Michelle L. Thomas) Date: Fri, 4 Jun 2010 22:10:57 -0500 Subject: auto refresh-keys In-Reply-To: <87d3w6n1kh.fsf@algae.riseup.net> References: <87d3w6n1kh.fsf@algae.riseup.net> Message-ID: <002501cb045c$b851c4e0$28f54ea0$@lonestar.org> This can also be done using Task Scheduler for folks using a Windows PC. In my particular instance using 64bit Windows 7 my gpg.exe was installed with GPG4Win and can be found in C:\Program Files (x86)\GNU\GnuPG\pub\ I also put that path in my list system path variables as well to make command line gpg actions easier. The task I set up runs weekly with the following command "C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe --refresh-keys" Note the use of quotes. When this task runs a command window opens and you can see the output. You can add > null to the command to kill the window output if you prefer. ************************************************* Sonja Michelle Lina Thomas sonja at sdf.lonestar.org Oregano - The ancient art of pizza folding. -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Micah Anderson Sent: Friday, June 04, 2010 12:35 To: gnupg-users at gnupg.org Subject: auto refresh-keys I filed this today at https://bugs.g10code.com/gnupg/issue1235 but I wanted to send it to the list to get wider discussion about the idea. If you do not regularly refresh your public keys from keyservers, you do not get timely expiration updates or revocations, both of which are very important to have available to your local keyring as soon as possible. If you do not refresh your keys from the keyserver, and I have revoked my key because it has been compromised, then you will continue to use my key without knowing that I've revoked it. That can lead to bad situations. For proper functioning of a distributed web of trust, this needs to happen, and until it does the breakages in those links are too fragile and frequent. I did an experiment recently where I set my key expiration to be short and then one week before it was to expire, I extended the expiration and sent that to the keyservers. What I found was that one week later, virtually everyone that I communicate with using that key thought that my key had expired, because none of them have a process to regularly refresh their keys in their keyring. I had to contact them individually and explain the situation and then advise them to setup a personal cronjob to do a regular refresh, typically I suggest something like: 0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1 This is annoying for every gnupg user to have to setup on their own. It is also problematic for people who do not understand cron. In my experience, asking every user to do this is problematic, as very few actually end up doing it. I've been begging people to setup cronjobs like this for the last 2 years as I've been going through various key transitions, and very few of them actually do it, even those that I have urged 3-4 times to do so. It also cannot be done in a reasonable way automatically by distro packagers due to the fact that package maintainers cannot know how the local admin needs to have things setup (such as a system-wide cronjob, or a adduser hook). For example, home directories are not necessarily local to a machine, and having a system-wide cronjob to scan all user's home directories and then modify them is not a good idea; or they don't use adduser and instead use automated tools for account creation. It seems like the best solution would be to build into gnupg the functionality that is similar to the automatic trust database operation: have gpg auto-refresh From the configured keyserver periodically. There are some considerations that should be made here, such as how frequent should this refresh operation happen? Should it happen on every use, before the key is used? Should it happen just on the key(s) that the current operation is going to act on? What about network problems, such as no network at all, keyserver down, or slow? There should probably be a low timeout to not cause user annoyance, but also some sort of indication/warning that when a keyserver update could not be performed that the key is potentially out of date. Users should have the capability to configure in their gpg.conf a 'no-auto-refresh-keys' variable if they do not want this functionality. Perhaps even some sanity checking on the data that is coming in would be good to guard against gigabytes of data coming down. micah -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From mailinglisten at hauke-laging.de Sun Jun 6 19:31:06 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 6 Jun 2010 19:31:06 +0200 Subject: Smartcard PIN change via card reader keypad? Message-ID: <201006061931.06894.mailinglisten@hauke-laging.de> Hello, I am surprised that gpg asks for the smartcard PIN via the keyboard when it is to be changed. Do I misunderstand anything? Can I make gpg use the card reader keypad for that instead? IMHO an important part of smartcard security is that the PC does NOT know the passphrase. Is there any reason why the keypad cannot be used for this? CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From simon at josefsson.org Mon Jun 7 08:22:07 2010 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 07 Jun 2010 08:22:07 +0200 Subject: Smartcard PIN change via card reader keypad? In-Reply-To: <201006061931.06894.mailinglisten__8640.23636463589$1275845641$gmane$org@hauke-laging.de> (Hauke Laging's message of "Sun, 6 Jun 2010 19:31:06 +0200") References: <201006061931.06894.mailinglisten__8640.23636463589$1275845641$gmane$org@hauke-laging.de> Message-ID: <87ljarbbw0.fsf@mocca.josefsson.org> Hauke Laging writes: > Hello, > > I am surprised that gpg asks for the smartcard PIN via the keyboard > when it is to be changed. Do I misunderstand anything? Can I make gpg > use the card reader keypad for that instead? IMHO an important part of > smartcard security is that the PC does NOT know the passphrase. Is > there any reason why the keypad cannot be used for this? I'm using the keyboard on my smartcard reader to enter the PIN and it works fine with GnuPG. I'm using a SCM SPR-532. Maybe your reader isn't supported? /Simon From mailinglisten at hauke-laging.de Mon Jun 7 12:48:31 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 7 Jun 2010 12:48:31 +0200 Subject: Smartcard PIN change via card reader keypad? In-Reply-To: <87ljarbbw0.fsf@mocca.josefsson.org> References: <201006061931.06894.mailinglisten__8640.23636463589$1275845641$gmane$org@hauke-laging.de> <87ljarbbw0.fsf@mocca.josefsson.org> Message-ID: <201006071248.36343.mailinglisten@hauke-laging.de> Am Montag 07 Juni 2010 08:22:07 schrieb Simon Josefsson: > I'm using the keyboard on my smartcard reader to enter the PIN and it > works fine with GnuPG. I'm using a SCM SPR-532. Maybe your reader > isn't supported? I have that reader model, too. The normal card usage works. (Not without problems but I don't know whether they are software or hardware related.) When I use the keys on the card then gpg always asks me to use the reader keypad. Do you have a special configuration so that it does this for changing the PIN, too? This is in the log file: gpg-agent[3472.9] DBG: -> PASSWD 1 gpg-agent[3472.9] DBG: <- INQUIRE NEEDPIN ||Bitte die PIN eingeben 2010-06-07 12:38:51 gpg-agent[3472] starting a new PIN Entry 2010-06-07 12:38:51 gpg-agent[3472] DBG: connection to PIN entry established Usually (signing) it has this message: gpg-agent[3284.9] DBG: <- INQUIRE POPUPKEYPADPROMPT ||Bitte die PIN eingeben%0A[Sigs erzeugt: 6] (meaning: "please enter PIN [sigs created: 6]") CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From simon at josefsson.org Mon Jun 7 15:24:01 2010 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 07 Jun 2010 15:24:01 +0200 Subject: Smartcard PIN change via card reader keypad? In-Reply-To: <201006071248.36343.mailinglisten__31272.4935509779$1275907848$gmane$org@hauke-laging.de> (Hauke Laging's message of "Mon, 7 Jun 2010 12:48:31 +0200") References: <201006061931.06894.mailinglisten__8640.23636463589$1275845641$gmane$org@hauke-laging.de> <87ljarbbw0.fsf@mocca.josefsson.org> <201006071248.36343.mailinglisten__31272.4935509779$1275907848$gmane$org@hauke-laging.de> Message-ID: <87k4qb5632.fsf@mocca.josefsson.org> Hauke Laging writes: > Am Montag 07 Juni 2010 08:22:07 schrieb Simon Josefsson: > >> I'm using the keyboard on my smartcard reader to enter the PIN and it >> works fine with GnuPG. I'm using a SCM SPR-532. Maybe your reader >> isn't supported? > > I have that reader model, too. The normal card usage works. (Not without > problems but I don't know whether they are software or hardware related.) > > When I use the keys on the card then gpg always asks me to use the reader > keypad. Do you have a special configuration so that it does this for changing > the PIN, too? Oops, sorry I didn't notice your question was only about changing the PIN. I don't recall testing this, so I'm not sure it is using the reader keypad or not. /Simon From wk at gnupg.org Mon Jun 7 15:44:06 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 07 Jun 2010 15:44:06 +0200 Subject: Smartcard PIN change via card reader keypad? In-Reply-To: <201006071248.36343.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Mon, 7 Jun 2010 12:48:31 +0200") References: <201006061931.06894.mailinglisten__8640.23636463589$1275845641$gmane$org@hauke-laging.de> <87ljarbbw0.fsf@mocca.josefsson.org> <201006071248.36343.mailinglisten@hauke-laging.de> Message-ID: <87bpbn6jq1.fsf@vigenere.g10code.de> On Mon, 7 Jun 2010 12:48, mailinglisten at hauke-laging.de said: > When I use the keys on the card then gpg always asks me to use the reader > keypad. Do you have a special configuration so that it does this for changing > the PIN, too? Changing the pin via the keypad is not implemented. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dshaw at jabberwocky.com Mon Jun 7 17:23:07 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 7 Jun 2010 11:23:07 -0400 Subject: Crypto domain auction ends tonight! Message-ID: <0CEBDDFB-4D60-4F9F-AEB1-77FC170D36FB@jabberwocky.com> Hi everyone, The crypto domain auction has done better than I expected, and we've raised $185 for the FSF/FSFE. At 8pm US/Eastern (midnight GMT) tonight, the auction will close and I will notify the winners shortly afterwards. If anyone wants to grab a domain, now is your chance. See http://www.jabberwocky.com/domain-auction.html David From raviraj221 at gmail.com Mon Jun 7 16:58:53 2010 From: raviraj221 at gmail.com (raviraj kondraguntla) Date: Mon, 7 Jun 2010 10:58:53 -0400 Subject: Installing 1.4.10 on Solaris 10 SPARC In-Reply-To: References: Message-ID: Can anyone help me on this, I am stuck here, I could not proceed. Thanks Ravi On Thu, Jun 3, 2010 at 2:40 PM, raviraj kondraguntla wrote: > Hi All, > I am installing 1.4.10 on Solaris 10 SPARC, below is the part of the output > from config.log where installation errored out. > Can you please let me know what should be the value of INCLUDE_FLAGS and > where should I look/adjust to keep the installation proceeding > > *Cache Variables:* > ac_cv_env_CFLAGS_value='-Xc -xstrconst -xcg92 *$(INCLUDE_FLAGS)* -O > -DSUN_OS5 -DNLS_ASIA -DAFSTUBS' > > *output Variables* > CFLAGS='-Xc -xstrconst -xcg92 *$(INCLUDE_FLAGS)* -O -DSUN_OS5 -DNLS_ASIA > -DAFSTUBS' > > configure:3305: result: /opt/SUNWspro/bin/cc > configure:3543: checking for C compiler version > configure:3550: /opt/SUNWspro/bin/cc --version >&5 > cc: Warning: Option --version passed to ld, if ld is invoked, ignored > otherwise > usage: cc [ options] files. Use 'cc -flags' for details > configure:3553: $? = 0 > configure:3560: /opt/SUNWspro/bin/cc -v >&5 > usage: cc [ options] files. Use 'cc -flags' for details > configure:3563: $? = 0 > configure:3570: /opt/SUNWspro/bin/cc -V >&5 > cc: Sun C 5.10 SunOS_sparc 2009/06/03 > usage: cc [ options] files. Use 'cc -flags' for details > configure:3573: $? = 0 > configure:3596: checking for C compiler default output file name > *configure:3623: /opt/SUNWspro/bin/cc -Xc -xstrconst -xcg92 > $(INCLUDE_FLAGS) -O -DSUN_OS5 -DNLS_ASIA -DAFSTUBS conftest.c >&5 > ld: fatal: file $(INCLUDE_FLAGS): open failed: No such file or directory* > *ld: fatal: File processing errors. No output written to a.out* > > Thanks > Raj > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailinglisten at hauke-laging.de Mon Jun 7 21:43:23 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 7 Jun 2010 21:43:23 +0200 Subject: What is the "list keyring content" command? Message-ID: <201006072143.23457.mailinglisten@hauke-laging.de> Hello, the man page says: "gpg2 may be run with no commands, in which case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed)." Indeed: start cmd:> gpg secondsecring.gpg sec 1024R/0x297AB799 2010-06-02 Smartcard Test ssb 1024R/0xF64B4F0F 2010-06-02 ssb 1024R/0xF17AAD5B 2010-06-02 ssb 1024R/0xD62B6574 2010-06-02 But which command is used here? I don't find a suitable one. start cmd:> gpg --list-keys secondsecring.gpg gpg: error reading key: Kein ?ffentlicher Schl?ssel I hope there is a "tell me what this is" command that does nothing else (so that it can be safely used). If it is a keyring, list the content (like now without a command), if it is an encrypted file it would be nice to know that (and the recipients' key IDs) WITHOUT gpg automatically trying to decrypt it (assuming a cached passphrase). If it is a signature tell me the ID of the signing key (and the hash of the file?) without validating the signature (maybe the signed file is unavailable). CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From JPClizbe at tx.rr.com Tue Jun 8 04:05:20 2010 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 07 Jun 2010 21:05:20 -0500 Subject: What is the "list keyring content" command? In-Reply-To: <201006072143.23457.mailinglisten@hauke-laging.de> References: <201006072143.23457.mailinglisten@hauke-laging.de> Message-ID: <4C0DA560.8040904@tx.rr.com> Hauke Laging wrote: > > I hope there is a "tell me what this is" command that does nothing else (so > that it can be safely used). If it is a keyring, list the content (like now > without a command), if it is an encrypted file it would be nice to know that > (and the recipients' key IDs) WITHOUT gpg automatically trying to decrypt it > (assuming a cached passphrase). If it is a signature tell me the ID of the > signing key (and the hash of the file?) without validating the signature > (maybe the signed file is unavailable). --list-packets ? -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From joke at seiken.de Tue Jun 8 11:12:02 2010 From: joke at seiken.de (Joke de Buhr) Date: Tue, 8 Jun 2010 11:12:02 +0200 Subject: What is the "list keyring content" command? In-Reply-To: <201006072143.23457.mailinglisten@hauke-laging.de> References: <201006072143.23457.mailinglisten@hauke-laging.de> Message-ID: <201006081112.04198.joke@seiken.de> If I run the command on my primary keyring I get this output $ gpg2 ~/.gnupg/secring.gpg gpg: error reading key: No public key It doesn't look like the "reasonable action" is deterministic. On Monday 07 June 2010 21:43:23 Hauke Laging wrote: > Hello, > > the man page says: > > "gpg2 may be run with no commands, in which case it will perform a > reasonable action depending on the type of file it is given as input (an > encrypted message is decrypted, a signature is verified, a file containing > keys is listed)." > > Indeed: > start cmd:> gpg secondsecring.gpg > sec 1024R/0x297AB799 2010-06-02 Smartcard Test laging.de> > ssb 1024R/0xF64B4F0F 2010-06-02 > ssb 1024R/0xF17AAD5B 2010-06-02 > ssb 1024R/0xD62B6574 2010-06-02 > > But which command is used here? I don't find a suitable one. > > start cmd:> gpg --list-keys secondsecring.gpg > gpg: error reading key: Kein ?ffentlicher Schl?ssel > > I hope there is a "tell me what this is" command that does nothing else (so > that it can be safely used). If it is a keyring, list the content (like now > without a command), if it is an encrypted file it would be nice to know > that (and the recipients' key IDs) WITHOUT gpg automatically trying to > decrypt it (assuming a cached passphrase). If it is a signature tell me > the ID of the signing key (and the hash of the file?) without validating > the signature (maybe the signed file is unavailable). > > > CU > > Hauke -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From bmarwell at googlemail.com Fri Jun 4 19:55:37 2010 From: bmarwell at googlemail.com (Benjamin Marwell) Date: Fri, 4 Jun 2010 19:55:37 +0200 Subject: auto refresh-keys In-Reply-To: <87d3w6n1kh.fsf@algae.riseup.net> References: <87d3w6n1kh.fsf@algae.riseup.net> Message-ID: Hello every one! I'm new to this list, but this seems a very interesting topic to me. 2010/6/4 Micah Anderson : > > 0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1 Thanks for this wounderful idea. I update my keys every now and then, but it usually comes down to events like key signing parties. Which is, in fact, very seldom. > It seems like the best solution would be to build into gnupg the functionality > that is similar to the automatic trust database operation: have gpg auto-refresh > From the configured keyserver periodically. There are some considerations that > should be made here, such as how frequent should this refresh operation happen? > Should it happen on every use, before the key is used? Should it happen just on > the key(s) that the current operation is going to act on? What about network > problems, such as no network at all, keyserver down, or slow? There should > probably be a low timeout to not cause user annoyance, but also some sort of > indication/warning that when a keyserver update could not be performed that the > key is potentially out of date. Users should have the capability to configure in > their gpg.conf a 'no-auto-refresh-keys' variable if they do not want this > functionality. Perhaps even some sanity checking on the data that is coming in > would be good to guard against gigabytes of data coming down. Sounds good to me. Another consideration would be to pass this task to gui frontends, like kleopatra or seahorse. A warning printed out by gpg would be a good idea, too. Also, there should be a severe warning if you sign a key, which hasn't been updated for months (or so). Looking foreward to you opinions. Regards, Ben From micah at riseup.net Fri Jun 4 20:33:41 2010 From: micah at riseup.net (micah anderson) Date: Fri, 04 Jun 2010 14:33:41 -0400 Subject: auto refresh-keys In-Reply-To: References: <87d3w6n1kh.fsf@algae.riseup.net> Message-ID: <87fx12y7ei.fsf@algae.riseup.net> On Fri, 4 Jun 2010 19:55:37 +0200, Benjamin Marwell wrote: > Sounds good to me. Another consideration would be to pass this task to > gui frontends, like kleopatra or seahorse. A warning printed out by > gpg would be a good idea, too. Also, there should be a severe warning > if you sign a key, which hasn't been updated for months (or so). I wouldn't want it only in a GUI front-end because I don't use those, and I know that a lot of those front-ends simply just call gpg directly behind the scenes. micah -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From bmarwell at googlemail.com Tue Jun 8 11:18:10 2010 From: bmarwell at googlemail.com (Benjamin Marwell) Date: Tue, 8 Jun 2010 11:18:10 +0200 Subject: What is the "list keyring content" command? In-Reply-To: <201006081112.04198.joke@seiken.de> References: <201006072143.23457.mailinglisten@hauke-laging.de> <201006081112.04198.joke@seiken.de> Message-ID: Hi, try $ gpg2 --no-default-keyring --keyring --list-keys It doesn't give me the same output, but this seems the most obviuous command to me. I couldn't find the exact output either. I was missing fingerprints, but --with-fingerprint didn't help. Hope this helps, Ben 2010/6/8 Joke de Buhr : > If I run the command on my primary keyring I get this output > > ?$ gpg2 ~/.gnupg/secring.gpg > ? ?gpg: error reading key: No public key > > It doesn't look like the "reasonable action" is deterministic. > > > On Monday 07 June 2010 21:43:23 Hauke Laging wrote: >> Hello, >> >> the man page says: >> >> "gpg2 may be run with no commands, in which case it will perform a >> reasonable action depending on the type of file it is given as input (an >> encrypted message is decrypted, a signature is verified, a file containing >> keys is listed)." >> >> Indeed: >> start cmd:> gpg secondsecring.gpg >> sec ?1024R/0x297AB799 2010-06-02 Smartcard Test > laging.de> >> ssb ?1024R/0xF64B4F0F 2010-06-02 >> ssb ?1024R/0xF17AAD5B 2010-06-02 >> ssb ?1024R/0xD62B6574 2010-06-02 >> >> But which command is used here? I don't find a suitable one. >> >> start cmd:> gpg --list-keys secondsecring.gpg >> gpg: error reading key: Kein ?ffentlicher Schl?ssel >> >> I hope there is a "tell me what this is" command that does nothing else (so >> that it can be safely used). If it is a keyring, list the content (like now >> without a command), if it is an encrypted file it would be nice to know >> that (and the recipients' key IDs) WITHOUT gpg automatically trying to >> decrypt it (assuming a cached passphrase). If it is a signature tell me >> the ID of the signing key (and the hash of the file?) without validating >> the signature (maybe the signed file is unavailable). >> >> >> CU >> >> Hauke > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From mailinglisten at hauke-laging.de Tue Jun 8 13:19:45 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 8 Jun 2010 13:19:45 +0200 Subject: What is the "list keyring content" command? In-Reply-To: <4C0DA560.8040904@tx.rr.com> References: <201006072143.23457.mailinglisten@hauke-laging.de> <4C0DA560.8040904@tx.rr.com> Message-ID: <201006081319.52351.mailinglisten@hauke-laging.de> Am Dienstag 08 Juni 2010 04:05:20 schrieb John Clizbe: > Hauke Laging wrote: > > I hope there is a "tell me what this is" command that does nothing else > > (so that it can be safely used). > --list-packets ? No, that produces a comprehensive output for a keyring and tried to decrypt, too. I got the answer aside the list: It is (for a secret keyring) gpg --no-default-keyring --secret-keyring secondsecring.gpg --list-secret-keys I noticed meanwhile that you can use file for the information what kind of gpg file something is. But without the information I mentioned. Is there enough interest in such a command? ;-) CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Tue Jun 8 13:25:01 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 8 Jun 2010 13:25:01 +0200 Subject: What is the "list keyring content" command? In-Reply-To: References: <201006072143.23457.mailinglisten@hauke-laging.de> <201006081112.04198.joke@seiken.de> Message-ID: <201006081325.01486.mailinglisten@hauke-laging.de> Am Dienstag 08 Juni 2010 11:18:10 schrieb Benjamin Marwell: > I was missing fingerprints, but --with-fingerprint didn't help. gpg --no-default-keyring --secret-keyring secondsecring.gpg \ --fingerprint --fingerprint --list-secret-keys (the secret key version because my only additional keyring is a scret one ;-) ) CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From aa.lucelio at gmail.com Wed Jun 9 04:04:54 2010 From: aa.lucelio at gmail.com (=?ISO-8859-1?Q?Luc=E9lio_Gomes_de_Freitas?=) Date: Tue, 08 Jun 2010 23:04:54 -0300 Subject: help using Encrypt Message-ID: <4C0EF6C6.8030400@gmail.com> Hello, Please, anybody helps? I can't find where I'm making a mistake. Operating System: Fedora 2.6.33.5-112.fc13.x86_64 Command: [Lucelio at MAQ02 work]$ gpg --list-keys Lucelio pub 3072D/77C103F7 2010-06-06 uid Luc?lio Gomes de Freitas (Par de Chaves definitivas em 06/06/2010) pub 1024D/01150CE3 2010-06-07 uid Luc?lio (Teste de Chaves) [Lucelio at MAQ02 work]$ gpg -e -r lucelio ./abcdef gpg: lucelio: ignorado: Unusable public key gpg: ./abcdef: encryption failed: Unusable public key Why? thanks, Luc?lio. -- Luc?lio Gomes de Freitas ETFCSF-> U.G.F.-> P.U.C.(RJ) Eng?, Analista Suporte(Free Mind). Email:aa.lucelio at gmail.com Tel: 55 0XX 21 85964911 From mailinglisten at hauke-laging.de Wed Jun 9 10:40:13 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 9 Jun 2010 10:40:13 +0200 Subject: help using Encrypt In-Reply-To: <4C0EF6C6.8030400@gmail.com> References: <4C0EF6C6.8030400@gmail.com> Message-ID: <201006091040.19239.mailinglisten@hauke-laging.de> Am Mittwoch 09 Juni 2010 04:04:54 schrieb Luc?lio Gomes de Freitas: > Hello, > > Please, anybody helps? I can't find where I'm making a mistake. > > Operating System: Fedora 2.6.33.5-112.fc13.x86_64 > Command: > [Lucelio at MAQ02 work]$ gpg --list-keys Lucelio > pub 3072D/77C103F7 2010-06-06 > uid Luc?lio Gomes de Freitas (Par de Chaves definitivas > em 06/06/2010) > > pub 1024D/01150CE3 2010-06-07 > uid Luc?lio (Teste de Chaves) > > [Lucelio at MAQ02 work]$ gpg -e -r lucelio ./abcdef > gpg: lucelio: ignorado: Unusable public key > gpg: ./abcdef: encryption failed: Unusable public key > > Why? --list-keys doesn't tell you the key capabilities. start cmd:> LC_ALL=C gpg --edit-key eccb5814 [...] pub 1024D/0xECCB5814 created: 2005-09-05 expires: never usage: SCA trust: unknown validity: full sub 2048g/0xE623EF88 created: 2005-09-05 expired: 2010-04-03 usage: E sub 2048R/0x51B279FA created: 2010-03-04 expires: 2013-03-03 usage: E sub 2048R/0x3A403251 created: 2010-03-04 expires: 2013-03-03 usage: S sub 2048R/0x2282921E created: 2010-03-08 expires: 2013-03-07 usage: A Does the main key have E (encryption)? If not then you need create an encryption subkey (--edit-key ? addkey). CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Thu Jun 10 16:00:18 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 10 Jun 2010 10:00:18 -0400 Subject: Keyserver spam example References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> Message-ID: Hi everyone, Periodically there is a discussion on this list about whether having your key on a keyserver will result in more spam. My feeling on this is that you might get more spam, but it's a drop in the bucket compared to the usual onslaught that streams in daily. That being said, I just got my first piece of spam that was definitely caused by presence on a keyserver: Begin forwarded message: > From: "Stephen Lee" > Date: May 26, 2010 2:17:27 AM EDT > To: dshaw at jabberwocky.com > Subject: enquiry : wwwkeys.ch.pgp.net:11371 > Reply-To: "Stephen Lee" > > > We found your contact Email address from wwwkeys.ch.pgp.net:11371 > My name is Stephen and I come from China, Hong Kong. > (spam contents snipped - it goes on to offer to sell me LCD screens for my "retail store, shop, boutique or any public area") David -------------- next part -------------- An HTML attachment was scrubbed... URL: From joke at seiken.de Thu Jun 10 16:35:34 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 10 Jun 2010 16:35:34 +0200 Subject: Keyserver spam example In-Reply-To: References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> Message-ID: <201006101635.36328.joke@seiken.de> I've never gotten any keyserver related spam so far and my public keys with a valid mail address were published year ago. I think it's more likely you will get spam because you are posting to a mailing list which does have a html archive (liks this one). If you want to get rid of most spam, just filter everything sent from dynamic ip addresses and you're fine. On Thursday 10 June 2010 16:00:18 David Shaw wrote: > Hi everyone, > > Periodically there is a discussion on this list about whether having your > key on a keyserver will result in more spam. My feeling on this is that > you might get more spam, but it's a drop in the bucket compared to the > usual onslaught that streams in daily. > > That being said, I just got my first piece of spam that was definitely > caused by presence on a keyserver: > > Begin forwarded message: > > From: "Stephen Lee" > > Date: May 26, 2010 2:17:27 AM EDT > > To: dshaw at jabberwocky.com > > Subject: enquiry : wwwkeys.ch.pgp.net:11371 > > Reply-To: "Stephen Lee" > > > > > > We found your contact Email address from wwwkeys.ch.pgp.net:11371 > > My name is Stephen and I come from China, Hong Kong. > > (spam contents snipped - it goes on to offer to sell me LCD screens for my > "retail store, shop, boutique or any public area") > > David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Thu Jun 10 16:56:28 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 10 Jun 2010 10:56:28 -0400 Subject: Keyserver spam example In-Reply-To: <201006101635.36328.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> Message-ID: <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> > On Thursday 10 June 2010 16:00:18 David Shaw wrote: >> Hi everyone, >> >> Periodically there is a discussion on this list about whether having your >> key on a keyserver will result in more spam. My feeling on this is that >> you might get more spam, but it's a drop in the bucket compared to the >> usual onslaught that streams in daily. >> >> That being said, I just got my first piece of spam that was definitely >> caused by presence on a keyserver: >> >> Begin forwarded message: >>> From: "Stephen Lee" >>> Date: May 26, 2010 2:17:27 AM EDT >>> To: dshaw at jabberwocky.com >>> Subject: enquiry : wwwkeys.ch.pgp.net:11371 >>> Reply-To: "Stephen Lee" >>> >>> >>> We found your contact Email address from wwwkeys.ch.pgp.net:11371 >>> My name is Stephen and I come from China, Hong Kong. >> >> (spam contents snipped - it goes on to offer to sell me LCD screens for my >> "retail store, shop, boutique or any public area") On Jun 10, 2010, at 10:35 AM, Joke de Buhr wrote: > I've never gotten any keyserver related spam so far and my public keys with a > valid mail address were published year ago. > > I think it's more likely you will get spam because you are posting to a > mailing list which does have a html archive (liks this one). Please read the spam I quoted above: "We found your contact Email address from wwwkeys.ch.pgp.net:11371". When the spammer takes the time to tell me he crawled my address from a keyserver, and is even kind enough to tell me which one, I'm inclined to believe him. David From joke at seiken.de Thu Jun 10 17:22:16 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 10 Jun 2010 17:22:16 +0200 Subject: Keyserver spam example In-Reply-To: <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> Message-ID: <201006101722.18779.joke@seiken.de> I never said this particular spam message was not caused by someone scanning the keyserver. I only stated it isn't that common and never happened to me. The chance someone harvesting your email address through keyserver scanning is less common than harvesting archives of mailing lists. Keyservers have a large number of abandoned public keys with inactive email addresses. Whereas scanning trough a recent mailing list history will provide fresh addresses which are very likely to be working. On Thursday 10 June 2010 16:56:28 David Shaw wrote: > > On Thursday 10 June 2010 16:00:18 David Shaw wrote: > >> Hi everyone, > >> > >> Periodically there is a discussion on this list about whether having > >> your key on a keyserver will result in more spam. My feeling on this > >> is that you might get more spam, but it's a drop in the bucket compared > >> to the usual onslaught that streams in daily. > >> > >> That being said, I just got my first piece of spam that was definitely > >> caused by presence on a keyserver: > >> > >> Begin forwarded message: > >>> From: "Stephen Lee" > >>> Date: May 26, 2010 2:17:27 AM EDT > >>> To: dshaw at jabberwocky.com > >>> Subject: enquiry : wwwkeys.ch.pgp.net:11371 > >>> Reply-To: "Stephen Lee" > >>> > >>> > >>> We found your contact Email address from wwwkeys.ch.pgp.net:11371 > >>> My name is Stephen and I come from China, Hong Kong. > >> > >> (spam contents snipped - it goes on to offer to sell me LCD screens for > >> my "retail store, shop, boutique or any public area") > > On Jun 10, 2010, at 10:35 AM, Joke de Buhr wrote: > > I've never gotten any keyserver related spam so far and my public keys > > with a valid mail address were published year ago. > > > > I think it's more likely you will get spam because you are posting to a > > mailing list which does have a html archive (liks this one). > > Please read the spam I quoted above: "We found your contact Email address > from wwwkeys.ch.pgp.net:11371". > > When the spammer takes the time to tell me he crawled my address from a > keyserver, and is even kind enough to tell me which one, I'm inclined to > believe him. > > David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Thu Jun 10 17:29:18 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 10 Jun 2010 16:29:18 +0100 Subject: Keyserver spam example In-Reply-To: <201006101635.36328.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> Message-ID: <18110357645.20100610162918@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 June 2010 at 3:35:34 PM, in , Joke de Buhr wrote: > I've never gotten any keyserver related spam so far and > my public keys with a valid mail address were published > year ago. In order to *know* you have never received any keyserver-related spam, I take it the valid address on the key you published has never received any spam at all. I have a key with a valid (but unused) address that I published as a test three months ago. Since the address has never been used at all for any purpose, anybody using that address could only have got it from a keyserver. So far it has received no incoming messages at all. I have another key on the servers that shows a genuine address and has been there at least 18 months. I do use that address, but not for mailing lists, groups, etc. Spam typically comes in at the rate of about two or three messages a month. I have no reason to suspect the spammers harvested the address from a keyserver, but no way of knowing they didn't. David's example with the spammer saying where they got the address is very unusual, to say the least. > I think it's more likely you will get spam because you > are posting to a mailing list which does have a html > archive (liks this one). No comment on probabilities, but I should have thought going to the web interface of a keyserver and searching on "2010" (for example) would be a more efficient place to harvest email addresses than trawling through mailing list archives. > If you want to get rid of most spam, just filter > everything sent from dynamic ip addresses and you're > fine. Only if you consider sacrificing some legitimate incoming mail to be "fine." - -- Best regards MFPA mailto:expires2010 at ymail.com There is no job so simple that it cannot be done wrong -----BEGIN PGP SIGNATURE----- iQCVAwUBTBEExqipC46tDG5pAQpJcQQAiip5avz//ftrN9jlY1v0rppjyTo4c9Mg kmP0uGH+T4RFY4iCn9zt2p+TllYFrUp10cQae3g3tk7EG/d0QGoqps9QSQS2tkiP /O38HFJ+/snJ6uNT6bxnaFfMBmKQfVZzmhYFt/rYEfF2/zRZuOZabUkUyEhIHZ5I BLtFsgletuo= =WpLL -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Thu Jun 10 17:32:05 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 10 Jun 2010 11:32:05 -0400 Subject: Keyserver spam example In-Reply-To: <201006101722.18779.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> <201006101722.18779.joke@seiken.de> Message-ID: <4C110575.7030708@fifthhorseman.net> Hi Joke-- On 06/10/2010 11:22 AM, Joke de Buhr wrote: > I never said this particular spam message was not caused by someone scanning > the keyserver. I only stated it isn't that common and never happened to me. > > The chance someone harvesting your email address through keyserver scanning is > less common than harvesting archives of mailing lists. This is exactly what David said in his initial e-mail, yet your replies in this thread come off as though you are arguing with or dismissing his observation. For the record, i also got spammed with a similar message to the one David quoted; i don't remember which keyserver was indicated as the source, though. And i should probably add that it is indeed an infinitesimal drop in the bucket compared to the other spam i receive; i'm not concerned about it. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From mailinglisten at hauke-laging.de Thu Jun 10 17:39:46 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 10 Jun 2010 17:39:46 +0200 Subject: Keyserver spam example In-Reply-To: References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> Message-ID: <201006101739.46469.mailinglisten@hauke-laging.de> Am Donnerstag 10 Juni 2010 16:00:18 schrieb David Shaw: > Periodically there is a discussion on this list about whether having your > key on a keyserver will result in more spam. My feeling on this is that > you might get more spam, but it's a drop in the bucket compared to the > usual onslaught that streams in daily. But that is the wrong argument. The correct argument is about the key server share of spam in a world in which nearly everyone has a public key. Of course, in that world signatures may be used to prevent spam. So the problem is mainly the mean time. If you have an email address then you get spam. That is a reliable rule. But people cannot decide not to have an email address, that is virtually impossible. But people CAN decide not to have a public key (on key servers). In my opinion we should see three important aspects: 1) The situation will change if PGP becomes more common (what we want). 2) This is not only about spam but about the protection of privacy. It is inacceptable that everyone can easily check who is in contact with whom via the clear text addresses and the web of trust. It was mentioned here that this can even be dangerous for people who get suppressed by their government. 3) Big parts of the problem are easy to solve. Don't export clear text names or addresses any more but their hash only. Store those clear texts seperately from the keys like the trustdb file. Apropos hash, if I may "advertise" one of my proposals (no relation to PGP)... I think that it makes sense to make more use of hashes, visible to the user. Using this for the protection of names and addresses in gpg could be a guide for other applications (solving other problems, though). This could even be used for a "new" security mechanism (see the end of the document). For the part of the audience which can read German: http://www.hauke-laging.de/ideen/diktierhilfehash/ And for the rest: The more or less great result of the Google translator... ;-) http://translate.google.de/translate?js=y&prev=_t&hl=de&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.hauke- laging.de%2Fideen%2Fdiktierhilfehash%2Findex_1_2.html&sl=de&tl=en CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From jrollins at finestructure.net Thu Jun 10 17:53:43 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Thu, 10 Jun 2010 11:53:43 -0400 Subject: Keyserver spam example In-Reply-To: <4C110575.7030708@fifthhorseman.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> <201006101722.18779.joke@seiken.de> <4C110575.7030708@fifthhorseman.net> Message-ID: <87bpbivq7s.fsf@servo.finestructure.net> On Thu, 10 Jun 2010 11:32:05 -0400, Daniel Kahn Gillmor wrote: > And i should probably add that it is indeed an infinitesimal drop in the > bucket compared to the other spam i receive; i'm not concerned about it. Not to mention that the bother of a couple of extra spams is completely dwarfed by the benefit of having the public keyserver network. jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From joke at seiken.de Thu Jun 10 17:57:50 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 10 Jun 2010 17:57:50 +0200 Subject: Keyserver spam example In-Reply-To: <18110357645.20100610162918@my_localhost> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> Message-ID: <201006101757.53020.joke@seiken.de> On Thursday 10 June 2010 17:29:18 MFPA wrote: > Hi > > > On Thursday 10 June 2010 at 3:35:34 PM, in > > , Joke de Buhr wrote: > > I've never gotten any keyserver related spam so far and > > my public keys with a valid mail address were published > > year ago. > > In order to *know* you have never received any keyserver-related spam, > I take it the valid address on the key you published has never > received any spam at all. One of the addresses of my key is totally unprotected against spam. Nothing is blocked or scanned there. And it doesn't get any spam at all. > I have a key with a valid (but unused) address that I published as a > test three months ago. Since the address has never been used at all > for any purpose, anybody using that address could only have got it > from a keyserver. So far it has received no incoming messages at all. > > I have another key on the servers that shows a genuine address and has > been there at least 18 months. I do use that address, but not for > mailing lists, groups, etc. Spam typically comes in at the rate of > about two or three messages a month. I have no reason to suspect the > spammers harvested the address from a keyserver, but no way of knowing > they didn't. > > David's example with the spammer saying where they got the address is > very unusual, to say the least. > > > I think it's more likely you will get spam because you > > are posting to a mailing list which does have a html > > archive (liks this one). > > No comment on probabilities, but I should have thought going to the > web interface of a keyserver and searching on "2010" (for example) > would be a more efficient place to harvest email addresses than > trawling through mailing list archives. As far as I know you cannot do a search like "2010" on keyserver webinterfaces to get recently created keys. > > > If you want to get rid of most spam, just filter > > everything sent from dynamic ip addresses and you're > > fine. > > Only if you consider sacrificing some legitimate incoming mail to be > "fine." You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from dynamic IP addresses. Therefore they can not be considered valid. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Thu Jun 10 18:22:07 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 10 Jun 2010 12:22:07 -0400 Subject: [OT] spam avoidance via IP-based filtering at the MTA [was: Re: Keyserver spam example] In-Reply-To: <201006101757.53020.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> Message-ID: <4C11112F.7020704@fifthhorseman.net> On 06/10/2010 11:57 AM, Joke de Buhr wrote: > You do not sacrifice legitimate incoming mail because there is an RFC that > clearly states mailservers do not operate from dynamic IP addresses. Therefore > they can not be considered valid. Please cite this RFC. All IP addresses are "dynamic" in some sense -- you cannot guarantee that the same organization or entity will control them in a few years' time. This is now sufficiently off-topic for gnupg-users, so i'm not going to reply on this thread anymore. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Thu Jun 10 18:33:14 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 10 Jun 2010 17:33:14 +0100 Subject: Keyserver spam example In-Reply-To: <201006101757.53020.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> Message-ID: <177343632.20100610173314@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 June 2010 at 4:57:50 PM, in , Joke de Buhr wrote: > One of the addresses of my key is totally unprotected > against spam. Nothing is blocked or scanned there. And > it doesn't get any spam at all. Fair enough. > As far as I know you cannot do a search like "2010" on > keyserver webinterfaces to get recently created keys. You get keys with "2010" in the user-id. About half of those returned by pgp.mit.edu have a 2010 creation date... > You do not sacrifice legitimate incoming mail because > there is an RFC that clearly states mailservers do not > operate from dynamic IP addresses. Therefore they can > not be considered valid. Plenty of people send mail using server software on their own computer, particularly those who move around and connect to the internet via a plethora of different ISPs and WiFi locations. That doesn't make it "correct". But being sent from an RFC-ignorant server does not make a message spam or illegitimate or invalid. It just makes it slightly more suspect. - -- Best regards MFPA mailto:expires2010 at ymail.com Pain is inevitable, but misery is optional. -----BEGIN PGP SIGNATURE----- iQCVAwUBTBET16ipC46tDG5pAQopSQQAizSSLXxshROsQRoY4tHFpzo/vTAlt55/ lAZVRyOMJuoxAXkAK30y6DZhTEwufclGKcvXLGXv/3ir/wjF1ovJhkRjeT37IUPz JjOjXIFHaay+yyWV/mNyPunDWkUk57C3EePsjeMlHo4NkKCm77MjxAdcHZL2ipnH dY45QC0iBsc= =ldxc -----END PGP SIGNATURE----- From jrollins at finestructure.net Thu Jun 10 18:39:25 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Thu, 10 Jun 2010 12:39:25 -0400 Subject: Keyserver spam example In-Reply-To: <87bpbivq7s.fsf@servo.finestructure.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> <201006101722.18779.joke@seiken.de> <4C110575.7030708@fifthhorseman.net> <87bpbivq7s.fsf@servo.finestructure.net> Message-ID: <8739wuvo3m.fsf@servo.finestructure.net> Speaking of spam, I'm getting more spam from some sort of automated ticketing system that seems to be subscribed to this list that I ever have from a keyserver. The mail seems to come from: secure.mpcustomer.com and it often sets the From: to be from someone else. This is totally uncool. Is there a list moderator that can permanently ban anything From this address from the list? jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From mailinglisten at hauke-laging.de Thu Jun 10 19:04:37 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 10 Jun 2010 19:04:37 +0200 Subject: Keyserver spam example In-Reply-To: <8739wuvo3m.fsf@servo.finestructure.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <87bpbivq7s.fsf@servo.finestructure.net> <8739wuvo3m.fsf@servo.finestructure.net> Message-ID: <201006101904.37296.mailinglisten@hauke-laging.de> Am Donnerstag 10 Juni 2010 18:39:25 schrieb Jameson Rollins: > Speaking of spam, I'm getting more spam from some sort of automated > ticketing system that seems to be subscribed to this list that I ever > have from a keyserver. The mail seems to come from: > > secure.mpcustomer.com > > and it often sets the From: to be from someone else. This is totally > uncool. Is there a list moderator that can permanently ban anything > From this address from the list? I asked them what this is about several days ago. They told me that some ... had registered one ore more email addresses at several mailing lists and now they got all these emails. Sounds like an address with changed forwarding target after registration. Impossible to protect against that for a list owner I guess. This ticket system does NOT send its replies via this list (it couldn't) but sends it directly to you. So taking "their" email address off this list is probably all our list admin could do. These guys seem not no be of the very clever kind as they see from which mailserver they get the unwanted emails so that IMHO they could have solved that with that MTA's admin or could have blocked that MTA. It would help to know when this has started ? in case that the registration timestamp is stored. If not then it may be possible to send a few test mails, to half of the left possible addresses in order to find out which address causes these replies. CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From peter at digitalbrains.com Thu Jun 10 18:42:13 2010 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 10 Jun 2010 18:42:13 +0200 Subject: Keyserver spam example In-Reply-To: <201006101757.53020.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> Message-ID: <4C1115E5.7080007@digitalbrains.com> On -10/01/37 20:59, Joke de Buhr wrote: > You do not sacrifice legitimate incoming mail because there is an RFC that > clearly states mailservers do not operate from dynamic IP addresses. Therefore > they can not be considered valid. Which RFC would this be? I could not find the word "dynamic" in RFC 2822 (proposed standard) or RFC 5322 (draft standard, obsoletes 2822). The most basic mailserver, AFAIK, only has to comply to this standard to be acceptable as a mailserver operating in the real world. A Google search also did not help finding this standard. It also begs the question how to define "a dynamic IP" in a manner worthy of an RFC wanting to be a standard, which was one of the reasons I wanted to find the RFC you mention. Meanwhile, in the real world, people do not always comply to all RFC's. If you define "legitimate mail" as "mail you'd like to receive" or "not spam" or something similar, you will lose legitimate mail. These days my mail server is on a static IP (on a consumer connection). With a previous ISP, this was not possible, and my mail server had a dynamic IP. I happily sent legitimate mail to my contacts from it. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt (new, larger key created on Nov 12, 2009) From expires2010 at ymail.com Fri Jun 11 02:16:21 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 11 Jun 2010 01:16:21 +0100 Subject: Keyserver spam example In-Reply-To: <201006101904.37296.mailinglisten@hauke-laging.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <87bpbivq7s.fsf@servo.finestructure.net> <8739wuvo3m.fsf@servo.finestructure.net> <201006101904.37296.mailinglisten@hauke-laging.de> Message-ID: <854648602.20100611011621@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 June 2010 at 6:04:37 PM, in , Hauke Laging wrote: > Am Donnerstag 10 Juni 2010 18:39:25 schrieb Jameson > Rollins: >> Speaking of spam, I'm getting more spam from some sort of automated >> ticketing system that seems to be subscribed to this list that I ever >> have from a keyserver. The mail seems to come from: >> secure.mpcustomer.com >> and it often sets the From: to be from someone else. Whenever I post to this list these days I get one of their auto-replies, and they always spoof the from address to whatever I had in the "to" field of my message to the list. >> This is totally uncool. Is there a list moderator >> that can permanently ban anything From this address >> from the list? It comes straight to my address (not via the list) shortly after after I post to this list. It seems somebody subscribed to GnuPG-users is forwarding all their list mail immediately to that ticketing system. > I asked them what this is about several days ago. Asked who? secure.mpcustomer.com? I tried contacting them a cvouple of weeks back but both the postmaster@ and abuse@ addresses bounce with "host mail.mpcustomer.com [208.43.138.199]: 550 No such person at this address" > This ticket system does NOT send its replies via this > list (it couldn't) but sends it directly to you. So > taking "their" email address off this list is probably > all our list admin could do. I'm assured the ticketing system is not subscribed to this list. > These guys seem not no be of the very clever kind as > they see from which mailserver they get the unwanted > emails so that IMHO they could have solved that with > that MTA's admin or could have blocked that MTA. They don't even have the "required" postmaster at domain and abuse at domain email addresses operating; they possibly also don't communicate with the admins of other servers. > It would help to know when this has started ? in case > that the registration timestamp is stored. I first noticed it around the beginning of May. > If not then > it may be possible to send a few test mails, to half of > the left possible addresses in order to find out which > address causes these replies. I guess somebody with a list of the addresses subscribed to this list could find out by sending a test message to each member in turn until the auto-reply is tripped, then ask that person to stop forwarding and delete them if they don't. Or one message to everybody with a customised subject line for each. Alternatively, those of us who are fed up with the messages could simply filter them out ourselves. (-; - -- Best regards MFPA mailto:expires2010 at ymail.com Ballerinas are always on their toes. We need taller ballerinas! -----BEGIN PGP SIGNATURE----- iQCVAwUBTBGAaqipC46tDG5pAQq75wQAxWA5v8lUjdxCz9ToZ/yS+HUIYMfIOHQ6 706KlZCzICTDjiO3WYb+CbO8dzS1uVXBL9V2v9EZIJoA/ndpksLYT6vcBfhOE65y qya9frJiQfZRqUrQ8VK24U4FeQEMAzSYlRHaLfE5eNiIT2UmNGOgrCP+eA8xTZ12 9dcNLoqvzv8= =Wgx8 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Fri Jun 11 02:22:24 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 10 Jun 2010 20:22:24 -0400 Subject: Keyserver spam example In-Reply-To: <854648602.20100611011621@my_localhost> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <87bpbivq7s.fsf@servo.finestructure.net> <8739wuvo3m.fsf@servo.finestructure.net> <201006101904.37296.mailinglisten@hauke-laging.de> <854648602.20100611011621@my_localhost> Message-ID: <4C1181C0.7030700@sixdemonbag.org> On 6/10/2010 8:16 PM, MFPA wrote: > Whenever I post to this list these days I get one of their > auto-replies, and they always spoof the from address to whatever I had > in the "to" field of my message to the list. [lots of discussion deleted] I think it's safe to say the list moderators are now well aware of what's going on, and how many people are bothered by it. Let's table this discussion for a week and see what the list moderators do. If they don't do anything, then let's re-open this can of worms. Otherwise, let's just keep cool and let the list mods do what they're best at. :) From wk at gnupg.org Fri Jun 11 09:15:56 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jun 2010 09:15:56 +0200 Subject: Keyserver spam example In-Reply-To: <854648602.20100611011621@my_localhost> (MFPA's message of "Fri, 11 Jun 2010 01:16:21 +0100") References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <87bpbivq7s.fsf@servo.finestructure.net> <8739wuvo3m.fsf@servo.finestructure.net> <201006101904.37296.mailinglisten@hauke-laging.de> <854648602.20100611011621@my_localhost> Message-ID: <87k4q63uqb.fsf@vigenere.g10code.de> On Fri, 11 Jun 2010 02:16, expires2010 at ymail.com said: > delete them if they don't. Or one message to everybody with a > customised subject line for each. Alternatively, those of us who are That is a good idea. I was thinking of bisecting the mailing list to make sure that test mails receive the culprit as actual mailing list posts. But lets try the simple solution first. > fed up with the messages could simply filter them out ourselves. (-; That is actually much easier. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dhillonmani at gmail.com Fri Jun 11 07:23:09 2010 From: dhillonmani at gmail.com (Manpreet Singh Dhillon) Date: Fri, 11 Jun 2010 10:53:09 +0530 Subject: Importing private key from key server Message-ID: Greetings friends! I have this issue with which I want your help. Recently I installed Ubuntu Lucid Lynx 10.04 x64 on my laptop and as usual copied my .gnupg folder from my backup hard disk to my home directory. All my key configuration was back. Then I created a new key for my another email address and synced with key servers. I, then had to re-install Ubuntu again and alas! I forget to backup my .gnupg folder. Now my new key is on key servers and I want to import it but every time I import it, it is imported in public keys section. Is there any way that I can import that key to my private keys? -- Best Regards:- Manpreet S. Dhillon, -------------- next part -------------- An HTML attachment was scrubbed... URL: From henkdebruijn at gswot.org Fri Jun 11 10:39:02 2010 From: henkdebruijn at gswot.org (Henk M. de Bruijn) Date: Fri, 11 Jun 2010 10:39:02 +0200 Subject: Test mail to henkdebruijn@gswot.org In-Reply-To: References: Message-ID: <1532586190.20100611103902@gswot.org> On Fri, 11 Jun 2010, at 09:37:42 [GMT +0200] (which was 9:37 where I live) Werner Koch wrote: > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > Sorry for the inconvenience, Working! -- Met vriendelijke groet, Henk M.de Bruijn From wk at gnupg.org Fri Jun 11 11:33:05 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jun 2010 11:33:05 +0200 Subject: Crypto Stick released! In-Reply-To: <87d3w8w4b4.fsf@servo.finestructure.net> (Jameson Rollins's message of "Thu, 03 Jun 2010 10:58:55 -0400") References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> <4C07BF87.9040907@privacyfoundation.de> <87d3w8w4b4.fsf@servo.finestructure.net> Message-ID: <87fx0t52y6.fsf@vigenere.g10code.de> On Thu, 3 Jun 2010 16:58, jrollins at finestructure.net said: > regards to the Crypto Stick? Is that something that can be patched, or > is it a limitation of the communication protocol? Right that is a limitation of an internal communication protocol. Not hard to change but there are more important things to be done. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From richih.mailinglist at gmail.com Fri Jun 11 10:39:56 2010 From: richih.mailinglist at gmail.com (Richard Hartmann) Date: Fri, 11 Jun 2010 10:39:56 +0200 Subject: Test mail to richih.mailinglist@gmail.com In-Reply-To: References: Message-ID: On Fri, Jun 11, 2010 at 09:39, Werner Koch wrote: > Sorry for the inconvenience, No problem. It's not me :) Richard From stuffcorpse at archlinux.us Fri Jun 11 10:57:44 2010 From: stuffcorpse at archlinux.us (Rick W. Chen) Date: Fri, 11 Jun 2010 20:57:44 +1200 Subject: Test mail to stuffcorpse@archlinux.us In-Reply-To: References: Message-ID: <20100611085744.GA1020@axa.home.nz> On 11 Jun 2010 09:39 +0200, Werner Koch: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner Hi, how can I convince you that I was not the culprit? -- Rick From wk at gnupg.org Fri Jun 11 12:15:32 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jun 2010 12:15:32 +0200 Subject: FYI: About my test mails Message-ID: <87bpbh50zf.fsf@vigenere.g10code.de> Hi, a few hours ago I sent test mails to each subscribed user. The mails should look like regular mailing list mail but with your address also in the subject. This is a try to figure out who forwards postings to an automated systems which in turn spams the original poster. Please ignore these mails - there is no need to respond. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From andre at amorim.me Fri Jun 11 12:29:51 2010 From: andre at amorim.me (Andre Amorim) Date: Fri, 11 Jun 2010 11:29:51 +0100 Subject: Crypto Stick released! In-Reply-To: <87fx0t52y6.fsf@vigenere.g10code.de> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201006031612.09043.joke@seiken.de> <35C9A2CFC27ACC439F4F97B1915D3FA2016F80E2@EXVS01.dsw.net> <4C07BF87.9040907@privacyfoundation.de> <87d3w8w4b4.fsf@servo.finestructure.net> <87fx0t52y6.fsf@vigenere.g10code.de> Message-ID: Any news about V2 ? Thanks AA On 11 June 2010 10:33, Werner Koch wrote: > On Thu, ?3 Jun 2010 16:58, jrollins at finestructure.net said: > >> regards to the Crypto Stick? ?Is that something that can be patched, or >> is it a limitation of the communication protocol? > > Right that is a limitation of an internal communication protocol. ?Not > hard to change but there are more important things to be done. > > > Shalom-Salam, > > ? Werner > > -- > Die Gedanken sind frei. ?Ausnahmen regelt ein Bundesgesetz. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From erwinlam at dds.nl Fri Jun 11 12:01:45 2010 From: erwinlam at dds.nl (Erwin Lam) Date: Fri, 11 Jun 2010 12:01:45 +0200 Subject: Test mail to erwinlam@dds.nl In-Reply-To: References: Message-ID: <201006111201.47633.erwinlam@dds.nl> On Friday 11 June 2010 09:37:23 Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > No problem. -- Erwin Lam (erwinlam at dds.nl) From stargrave at stargrave.org Fri Jun 11 12:17:59 2010 From: stargrave at stargrave.org (Sergey Matveev) Date: Fri, 11 Jun 2010 14:17:59 +0400 Subject: Test mail to stargrave@stargrave.org In-Reply-To: References: Message-ID: <20100611101758.GA10814@stargrave.org> Greetings, On Fri, Jun 11, 2010 at 09:39:17AM +0200, Werner Koch wrote: > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. Well, it is not me. Asure you :-) -- Happy hacking, Sergey Matveev FSF Associate member #5968 | FSFE Fellow #1390 From gnupg.user at seibercom.net Fri Jun 11 12:27:12 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 11 Jun 2010 06:27:12 -0400 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: References: Message-ID: <20100611062712.59425274@scorpio> On Fri, 11 Jun 2010 09:37:34 +0200 Werner Koch articulated: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > I am assuming that you wanted me to reply to this message. Its intended purpose was not overly clear. At least not to me, but then again I have not had my second cup of coffee this morning. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ As you grow older, you will still do foolish things, but you will do them with much more enthusiasm. The Cowboy -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From jrollins at finestructure.net Fri Jun 11 13:33:23 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Fri, 11 Jun 2010 07:33:23 -0400 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: <20100611062712.59425274@scorpio> References: <20100611062712.59425274@scorpio> Message-ID: <87vd9pst18.fsf@servo.finestructure.net> On Fri, 11 Jun 2010 06:27:12 -0400, Jerry wrote: > I am assuming that you wanted me to reply to this message. Its intended > purpose was not overly clear. At least not to me, but then again I have > not had my second cup of coffee this morning. I think if he had wanted you to respond to it he would have asked you to respond to it. jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From wk at gnupg.org Fri Jun 11 13:42:29 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jun 2010 13:42:29 +0200 Subject: FYI: About my test mails In-Reply-To: <87bpbh50zf.fsf@vigenere.g10code.de> (Werner Koch's message of "Fri, 11 Jun 2010 12:15:32 +0200") References: <87bpbh50zf.fsf@vigenere.g10code.de> Message-ID: <877hm54wyi.fsf@vigenere.g10code.de> On Fri, 11 Jun 2010 12:15, wk at gnupg.org said: > the subject. This is a try to figure out who forwards postings to an > automated systems which in turn spams the original poster. The culprit was support at resell.biz - I unsubscribed this address and banned it from further subscriptions. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gnupg.user at seibercom.net Fri Jun 11 13:55:38 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 11 Jun 2010 07:55:38 -0400 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: <87vd9pst18.fsf@servo.finestructure.net> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> Message-ID: <20100611075538.231a6006@scorpio> On Fri, 11 Jun 2010 07:33:23 -0400 Jameson Rollins articulated: > On Fri, 11 Jun 2010 06:27:12 -0400, Jerry > wrote: > > I am assuming that you wanted me to reply to this message. Its > > intended purpose was not overly clear. At least not to me, but then > > again I have not had my second cup of coffee this morning. > > I think if he had wanted you to respond to it he would have asked you > to respond to it. Perhaps, then again, perhaps not. As a lifelong sports official, everything is considered legal unless specifically barred by a formal rule. In any case, I am not the only subscriber who replied to his post. I was simply following the lead of other responders before me. Which reminds me; there is a request at the end of every post I make. Would it be to much of an imposition for you to honor that request? -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ People that are really very weird can get into sensitive positions and have a tremendous impact on history. Dan Quayle US Republican politician (1947 - ) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From satish.alreja at gmail.com Fri Jun 11 13:27:51 2010 From: satish.alreja at gmail.com (Satish) Date: Fri, 11 Jun 2010 07:27:51 -0400 Subject: Test mail to satish.alreja@gmail.com In-Reply-To: References: Message-ID: Email received correctly On Fri, Jun 11, 2010 at 3:39 AM, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > > -- Satish Ph: (704) 464 0160 (Home) -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnupg.user at seibercom.net Fri Jun 11 12:23:25 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 11 Jun 2010 06:23:25 -0400 Subject: Keyserver spam example In-Reply-To: <87k4q63uqb.fsf@vigenere.g10code.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <87bpbivq7s.fsf@servo.finestructure.net> <8739wuvo3m.fsf@servo.finestructure.net> <201006101904.37296.mailinglisten@hauke-laging.de> <854648602.20100611011621@my_localhost> <87k4q63uqb.fsf@vigenere.g10code.de> Message-ID: <20100611062325.412ff076@scorpio> On Fri, 11 Jun 2010 09:15:56 +0200 Werner Koch articulated: > On Fri, 11 Jun 2010 02:16, expires2010 at ymail.com said: > > > delete them if they don't. Or one message to everybody with a > > customised subject line for each. Alternatively, those of us who are > > That is a good idea. I was thinking of bisecting the mailing list to > make sure that test mails receive the culprit as actual mailing list > posts. But lets try the simple solution first. > > > fed up with the messages could simply filter them out ourselves. (-; > > That is actually much easier. The "FreeBSD" mailing lists are also getting hammered with this crap. Someone has a seriously warped sense of humor. You might want to check this out: http://lists.freebsd.org/pipermail/freebsd-questions/2010-June/217498.html -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ People that are really very weird can get into sensitive positions and have a tremendous impact on history. Dan Quayle US Republican politician (1947 - ) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From shavital at mac.com Fri Jun 11 14:44:45 2010 From: shavital at mac.com (Charly Avital) Date: Fri, 11 Jun 2010 08:44:45 -0400 Subject: Test mail to shavital@mac.com In-Reply-To: References: Message-ID: <4C122FBD.60407@mac.com> Werner Koch wrote the following on 6/11/10 3:39 AM: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > > Text received, Werner. Tks, Charly From kevhilton at gmail.com Fri Jun 11 14:15:14 2010 From: kevhilton at gmail.com (Kevin Hilton) Date: Fri, 11 Jun 2010 07:15:14 -0500 Subject: Test mail to kevhilton@gmail.com In-Reply-To: References: Message-ID: Not sure who that was but I was not responsible On Jun 11, 2010 4:26 AM, "Werner Koch" wrote: Hi! One of the subscribers to this list created a mail forward to an automated ticketing system which responds to the the poster. The owner of the ticketing system at secure.mpcustomer.com does not respond to any of our queries to send us more information on the mails triggering the posting. Thus we need to send these test mails in the hope to figure out the culprit. Sorry for the inconvenience, Werner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeandavid8 at verizon.net Fri Jun 11 14:14:29 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Fri, 11 Jun 2010 08:14:29 -0400 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: <20100611075538.231a6006@scorpio> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> Message-ID: <4C1228A5.4030604@verizon.net> Jerry wrote (in part): > > Which reminds me; there is a request at the end of every post I make. > Would it be to much of an imposition for you to honor that request? > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the Reply-To header. I looked at the headers, and there is no Reply-To header in the e-mail I received from the list. An entire page of headers, but not that one. Even if Reply-To was a header, it would be too much to honor it unless my e-mailer honored it automatically (perhaps it does). Because some lists to which I subscribe automatically reply to the lists, and some automatically reply to the original sender, and I cannot remember which is which. I know asking any particular list to change is not worth the trouble; each list has its own policy and unwilling to change. I try to remember which is which. It is sometimes suggested to hit Reply-All, but this results in the original poster's getting two replies. I particularly hate this method as I then reply to which ever one I get first, usually direct to the author, thinking he wants a private reply since he sent it to me privately. Then a little later I get one from the list, and it is usually too much trouble to send another reply to the list. I wish all lists were set up so a reply to a message from the list went back to the list, but there is no point asking that from a list that does things another way. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:05:01 up 35 days, 16:00, 3 users, load average: 4.46, 4.45, 4.45 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From jcruff at gmail.com Fri Jun 11 13:43:35 2010 From: jcruff at gmail.com (John C. Ruff) Date: Fri, 11 Jun 2010 07:43:35 -0400 Subject: Test mail to jcruff@gmail.com In-Reply-To: References: Message-ID: <098FE6CB-D188-46C3-9145-07A4FC2A519A@gmail.com> __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0x052A4FAD gpg fgpr: 6530 8DA8 805C 707F 3611 9851 D057 FC41 052A 4FAD On Jun 11, 2010, at 3:37, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner Good luck with the search! From mwood at IUPUI.Edu Fri Jun 11 15:34:44 2010 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri, 11 Jun 2010 09:34:44 -0400 Subject: Keyserver spam example In-Reply-To: <201006101757.53020.joke@seiken.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> Message-ID: <20100611133444.GC2829@IUPUI.Edu> On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: > You do not sacrifice legitimate incoming mail because there is an RFC that > clearly states mailservers do not operate from dynamic IP addresses. Therefore > they can not be considered valid. If there is such an RFC, it's rubbish; I run an MTA at home on my dynamic address, and it works just fine, and is quite valid. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From gnupg.user at seibercom.net Fri Jun 11 17:36:34 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 11 Jun 2010 11:36:34 -0400 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: <4C1228A5.4030604@verizon.net> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> Message-ID: <20100611113634.5f83cbde@scorpio> On Fri, 11 Jun 2010 08:14:29 -0400 Jean-David Beyer articulated: > Jerry wrote (in part): > > > > > Which reminds me; there is a request at the end of every post I > > make. Would it be to much of an imposition for you to honor that > > request? > > > > Disclaimer: off-list followups get on-list replies or get ignored. > > Please do not ignore the Reply-To header. > > > I looked at the headers, and there is no Reply-To header in the > e-mail I received from the list. An entire page of headers, but not > that one. > > Even if Reply-To was a header, it would be too much to honor it > unless my e-mailer honored it automatically (perhaps it does). > Because some lists to which I subscribe automatically reply to the > lists, and some automatically reply to the original sender, and I > cannot remember which is which. I know asking any particular list to > change is not worth the trouble; each list has its own policy and > unwilling to change. I try to remember which is which. It is > sometimes suggested to hit Reply-All, but this results in the > original poster's getting two replies. I particularly hate this > method as I then reply to which ever one I get first, usually direct > to the author, thinking he wants a private reply since he sent it to > me privately. Then a little later I get one from the list, and it is > usually too much trouble to send another reply to the list. I wish > all lists were set up so a reply to a message from the list went back > to the list, but there is no point asking that from a list that does > things another way. Evidently, the list manager employed here strips off any "Reply-To:" header and then fails to replace it with one that points to the list. Fortunately, not all mailing lists are configured in a similar manner. Fortunately, using claws-mail, I am able to circumvent that problem (in most cases). I would assume that other MUAs would have a similar configuration option. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ That's always the way when you discover something new; everyone thinks you're crazy. Evelyn E. Smith -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From cwsiv at copper.net Fri Jun 11 16:47:58 2010 From: cwsiv at copper.net (Carl Spitzer) Date: Fri, 11 Jun 2010 07:47:58 -0700 Subject: Test mail to cwsiv@copper.net In-Reply-To: References: Message-ID: <1276267679.9278.7.camel@linux.site> working here On Fri, 2010-06-11 at 09:37 +0200, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > From expires2010 at ymail.com Fri Jun 11 18:10:54 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 11 Jun 2010 17:10:54 +0100 Subject: Keyserver spam example In-Reply-To: <201006101739.46469.mailinglisten@hauke-laging.de> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101739.46469.mailinglisten@hauke-laging.de> Message-ID: <889082073.20100611171054@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 June 2010 at 4:39:46 PM, in , Hauke Laging wrote: > But that is the wrong argument. The correct argument is > about the key server share of spam in a world in which > nearly everyone has a public key. Of course, in that > world signatures may be used to prevent spam. So the > problem is mainly the mean time. Another solution would be hashing the email address in a key's user-id, so that somebody knowing the address could find the key on the server, but the keyserver didn't publicly list the address. I just noticed you advocate this further on in your message (-; > If you have an email address then you get spam. That is > a reliable rule. But people cannot decide not to have > an email address, that is virtually impossible. They could always use disposable email addresses, or use a different address for communication with each contact. > But > people CAN decide not to have a public key (on key > servers). They can also choose to publish a key but not to include their email address in any of the user-ids. This makes the key pretty much impossible to find without the key-id. Unfortunately it also confuses some email clients, and has web-of-trust implications (because many people are unwilling to sign a key that shows no email address). - -- Best regards MFPA mailto:expires2010 at ymail.com Experience is the name everyone gives to their mistakes -----BEGIN PGP SIGNATURE----- iQCVAwUBTBJgG6ipC46tDG5pAQoahgP/TTRLw5Wq14HwzaZ7E9mtIGj4CrYYpJ2P E6qDpUkvHDjuprYbdiyiGFPmZsZGf7fdGXMGCy5Ym3mA0a3eVzaHHUOjS4FP/Cih J3fQSpIOYwlwmPYbweEQij6jQY5c7RO3FwpETat5cO4ChqeKNyk951gLJ2qoEpSe ZGwG7oGXVDA= =xcKY -----END PGP SIGNATURE----- From John at Mozilla-Enigmail.org Fri Jun 11 18:18:05 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Fri, 11 Jun 2010 11:18:05 -0500 Subject: Keyserver spam example In-Reply-To: <20100611133444.GC2829@IUPUI.Edu> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> Message-ID: <4C1261BD.1030601@Mozilla-Enigmail.org> Mark H. Wood wrote: > On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: >> You do not sacrifice legitimate incoming mail because there is an RFC that >> clearly states mailservers do not operate from dynamic IP addresses. Therefore >> they can not be considered valid. > > If there is such an RFC, it's rubbish; I run an MTA at home on my > dynamic address, and it works just fine, and is quite valid. EXACTLY what Mark said, "RUBBISH" MTA and keyserver here. My home ISP "blesses" me with a new address about once every six months. Router automagically updates my DNS provider and everything is good to go. Cite the RFC, please. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Fri Jun 11 18:23:38 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 11 Jun 2010 17:23:38 +0100 Subject: Keyserver spam example In-Reply-To: <87bpbivq7s.fsf@servo.finestructure.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <95EB5CE8-E605-4E83-B22B-0DF246C19066@jabberwocky.com> <201006101722.18779.joke@seiken.de> <4C110575.7030708@fifthhorseman.net> <87bpbivq7s.fsf@servo.finestructure.net> Message-ID: <204461283.20100611172338@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 June 2010 at 4:53:43 PM, in , Jameson Rollins wrote: > On Thu, 10 Jun 2010 11:32:05 -0400, Daniel Kahn Gillmor > wrote: >> And i should probably add that it is indeed an infinitesimal drop in the >> bucket compared to the other spam i receive; i'm not concerned about it. > Not to mention that the bother of a couple of extra > spams is completely dwarfed by the benefit of having > the public keyserver network. This is true, but it would be perfectly feasible to have a working network of public keyservers that did not reveal email addresses. User IDs could contain a hash of the email address. Applications querying the keyservers could query for the hashed email address. Privacy would be the main advantage to such a system; eliminating the possibility of keyserver spam is a positive side-effect. - -- Best regards MFPA mailto:expires2010 at ymail.com Can you imagine a world with no hypothetical situations? -----BEGIN PGP SIGNATURE----- iQCVAwUBTBJjEaipC46tDG5pAQqa8AQAk1AYt5BJlQ+WJFTz2aysR8SK6DbD0jjR HkQVxuogazcvNFpeb/I8NH4HmC8LS6U+FTGEK2zc9e+lfwYaUiEwUaBlGj5rI9mN jnW3Txo01I161mM0jQVKyLG3YFhv+GIUNCPFyhLyd8wO7rt6fUnDzX65Qjv06BS9 Cyz7lT37eOM= =fJHN -----END PGP SIGNATURE----- From sean at srima.eu Fri Jun 11 17:36:43 2010 From: sean at srima.eu (Sean Rima) Date: Fri, 11 Jun 2010 16:36:43 +0100 Subject: FYI: About my test mails In-Reply-To: <87bpbh50zf.fsf@vigenere.g10code.de> References: <87bpbh50zf.fsf@vigenere.g10code.de> Message-ID: <4C12580B.3050902@srima.eu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 11/06/2010 11:15, Werner Koch wrote: > Hi, > > a few hours ago I sent test mails to each subscribed user. The mails > should look like regular mailing list mail but with your address also in > the subject. This is a try to figure out who forwards postings to an > automated systems which in turn spams the original poster. > > Please ignore these mails - there is no need to respond. > Amd ignore my direct reply to you, watching World Cup and a few beers :) Sean - -- GSWoT and CaCert WOT Assurer http://www.google.com/profiles/thecivvie .tel http://rima.tel/ I believe that every human has a finite number of heartbeats. I don't intend to waste any of mine running around doing exercises. - Neil Armstrong -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Contact Details http://rima.tel Comment: My GPG Key http://thecivvie.fastmail.fm/sean.pubkey.txt iHIEAREIADIFAkwSWAsrFIAAAAAAFQANcGthLWFkZHJlc3NAZ251cGcub3Jnc2Vh bkBzcmltYS5ldQAKCRDJ1+LfaIt9mOXrAKC1SsJxI2RhyAYw/GeOjtBORY5W2wCg oQerptT4iVwM/XEt463Q+VwCpeI= =IjXf -----END PGP SIGNATURE----- From expires2010 at ymail.com Fri Jun 11 18:54:36 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 11 Jun 2010 17:54:36 +0100 Subject: Test mail to gnupg.user@seibercom.net In-Reply-To: <20100611113634.5f83cbde@scorpio> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> <20100611113634.5f83cbde@scorpio> Message-ID: <3010567256.20100611175436@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 11 June 2010 at 4:36:34 PM, in , Jerry wrote: > Evidently, the list manager employed here strips off > any "Reply-To:" header and then fails to replace it > with one that points to the list. Fortunately, not all > mailing lists are configured in a similar manner. > Fortunately, using claws-mail, I am able to circumvent > that problem (in most cases). I would assume that other > MUAs would have a similar configuration option. I was told the etiquette for this list was to reply to the list and also cc your reply to the person whose message you are replying to. So I set up my reply template to do just that. (-; - -- Best regards MFPA mailto:expires2010 at ymail.com During an eruption - move away from the volcano - not towards it -----BEGIN PGP SIGNATURE----- iQCVAwUBTBJqXqipC46tDG5pAQrlEgP/WIEi22+pknXDqNYivuu8RyTJFt5P6Joj esMhouJwbPm+64aPTZscypQRPZIbXSIASh6eoVyAPWk8Cafi+C/84n66EiL3+ubZ v3UeYlZg+bX22ahkBIsoZakI6FdKui9cHxhbI8oNi4AvN/cLvNBMujHCkKm9V3rJ zkJDpQUDJHY= =xGOI -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Jun 11 19:59:02 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 11 Jun 2010 13:59:02 -0400 Subject: Importing private key from key server In-Reply-To: References: Message-ID: <0FC0237F-DE61-4E28-B831-1CC233D4A2F4@jabberwocky.com> On Jun 11, 2010, at 1:23 AM, Manpreet Singh Dhillon wrote: > Greetings friends! > I have this issue with which I want your help. > Recently I installed Ubuntu Lucid Lynx 10.04 x64 on my laptop and as usual copied my .gnupg folder from my backup hard disk to my home directory. > All my key configuration was back. Then I created a new key for my another email address and synced with key servers. > I, then had to re-install Ubuntu again and alas! I forget to backup my .gnupg folder. > Now my new key is on key servers and I want to import it but every time I import it, it is imported in public keys section. > Is there any way that I can import that key to my private keys? Sorry, no. Keyservers only store public keys. Even if you somehow managed to manipulate things to get that key onto your private keyring it would still be a public key and not contain the private data. David From gnupg.user at seibercom.net Fri Jun 11 21:00:09 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 11 Jun 2010 15:00:09 -0400 Subject: Keyserver spam example In-Reply-To: <4C1261BD.1030601@Mozilla-Enigmail.org> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> Message-ID: <20100611150009.2719ae9e@scorpio> On Fri, 11 Jun 2010 11:18:05 -0500 John Clizbe articulated: > Mark H. Wood wrote: > > On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: > >> You do not sacrifice legitimate incoming mail because there is an > >> RFC that clearly states mailservers do not operate from dynamic IP > >> addresses. Therefore they can not be considered valid. > > > > If there is such an RFC, it's rubbish; I run an MTA at home on my > > dynamic address, and it works just fine, and is quite valid. > > EXACTLY what Mark said, "RUBBISH" > > MTA and keyserver here. My home ISP "blesses" me with a new address > about once every six months. Router automagically updates my DNS > provider and everything is good to go. > > Cite the RFC, please. The Spamhaus PBL might very well list you. 76.185.38.113 is listed in the PBL Mailservers using this blocklist would probably block mail from you. Obtaining a static IP is easily done so I don't know why someone would want to risk using a dynamic IP. In any case, a very large percentage of SPAM originates from dynamic IPs, which is why I routinely block them. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ He's just a politician trying to save both his faces... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From faramir.cl at gmail.com Fri Jun 11 21:45:47 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 11 Jun 2010 15:45:47 -0400 Subject: Test mail to faramir.cl@gmail.com In-Reply-To: References: Message-ID: <4C12926B.2010009@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch escribi?: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, Don't worry, but I hope you didn't have to send these test messages manually, I'd bet there are a lot of subscribers in the list... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMEpJrAAoJEMV4f6PvczxA4Z4IAKEdeJjvelQB3hBX+RW5BLdY wg2cKh1wcZHTMvZxuj8p7Ln0MpOEtp3oRFu6Hql45exg2TDjTym9NtJSzDZRk42c xftXW6iW70EZhoWDvMuRGq+p5bpB4arwCUvnudLD8+9MR6V/qVfmL0Bta2CrXOeb u/2T/7eQ+k9nNzHqC+UNwII5/YzPn3B4dx44aVYgCn8aJ1j/j1t1Ugj/DEHEhPox Jt8bQm5cBxsOJ+GcjKPYi/17MnFQOE817M0NQ9WcLlsvl4Nk3KauFU0vCAwZQuQZ +ihZ2VsoDYCTyloVCQQ3k/g4GRJxV2OHHQTZDhBaQMAMTBu3991XcVpLgwZELOQ= =A8Uh -----END PGP SIGNATURE----- From dougb at dougbarton.us Fri Jun 11 22:52:33 2010 From: dougb at dougbarton.us (Doug Barton) Date: Fri, 11 Jun 2010 13:52:33 -0700 Subject: Mailing list etiquette In-Reply-To: <20100611075538.231a6006@scorpio> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> Message-ID: <4C12A211.2090200@dougbarton.us> On 06/11/10 04:55, Jerry wrote: > Which reminds me; there is a request at the end of every post I make. > Would it be to much of an imposition for you to honor that request? In a word, yes. The Internet's "Robustness Principle" says, "Be liberal in what you accept, and conservative in what you send." In other words, if you have preferences on how you deal with local mail, deal with them locally. Asking everyone on the Internet to adapt their way of working in order to fit your personal preferences is, in the politest possible terms, absurd. Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From faramir.cl at gmail.com Fri Jun 11 22:05:13 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 11 Jun 2010 16:05:13 -0400 Subject: FYI: About my test mails In-Reply-To: <877hm54wyi.fsf@vigenere.g10code.de> References: <87bpbh50zf.fsf@vigenere.g10code.de> <877hm54wyi.fsf@vigenere.g10code.de> Message-ID: <4C1296F9.3010105@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch escribi?: > On Fri, 11 Jun 2010 12:15, wk at gnupg.org said: > >> the subject. This is a try to figure out who forwards postings to an >> automated systems which in turn spams the original poster. > > The culprit was support at resell.biz - I unsubscribed this address and > banned it from further subscriptions. I read it too late, I already replied. Anyway, I'm glad you could find the culprit, so your effort wasn't wasted. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEbBAEBCAAGBQJMEpb5AAoJEMV4f6PvczxAXGAH93sfXasnPIAm/jxWD6LJ8M4c Q1R7p0wpSHhVGCA5p/pgolDf3SeZG2K/qSWhGg9GUUiEOOxojvuH1UVN09Pfyq/w T42rRrFD5cyWYfg6q/80l7mYdnK1oRNuZE4IEohNUVVoAOZJRWC3/ozckbDCKUTI H7ofmfkfbo7z9+o5/1sO54cXzYacV/ILVexBXKEkkbhmEeBEYOQdp32oZDYOPfot EWRApIwRQx6vRs8EwlkkZOZcUKNI/c0Rh4tdaFZVBohW/dZBd23fkadxd6apVc18 3rYEvCLw504ATpuTcuk/ej3LiuPPSbRwmLoFlmJVi9cQoIpAFq/NwLDpp3mwRw== =DaFA -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Fri Jun 11 23:57:03 2010 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Fri, 11 Jun 2010 22:57:03 +0100 Subject: FYI: About my test mails In-Reply-To: <877hm54wyi.fsf@vigenere.g10code.de> References: <87bpbh50zf.fsf@vigenere.g10code.de> <877hm54wyi.fsf@vigenere.g10code.de> Message-ID: On 11 June 2010 12:42, Werner Koch wrote: > The culprit was support at resell.biz - I unsubscribed this address and > banned it from further subscriptions. Did alavarre at gmail.com ever get removed? See http://lists.gnupg.org/pipermail/gnupg-users/2010-May/038724.html Ben From sonjamichelle at gmail.com Fri Jun 11 15:45:46 2010 From: sonjamichelle at gmail.com (Sonja Michelle Lina Thomas) Date: Fri, 11 Jun 2010 08:45:46 -0500 Subject: Test mail to gnupg.user In-Reply-To: <4C1228A5.4030604@verizon.net> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> Message-ID: <4C123E0A.8090606@sdf.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > my e-mailer honored it automatically (perhaps it does). Because some > lists to which I subscribe automatically reply to the lists, and some > automatically reply to the original sender, and I cannot remember which > is which. I know asking any particular list to change is not worth the > trouble; each list has its own policy and unwilling to change. I try to > remember which is which. It is sometimes suggested to hit Reply-All, but > this results in the original poster's getting two replies. I > To handle this issue I added the "reply to list" button to Thunderbird. Whenever I deal with a list, I hit that button. I added it through the right click > customize menu and drug the button to my toolbar. ___________________________________________________ Sonja Michelle Lina Thomas sonja at sdf.lonestar.org Oregano - The ancient art of pizza folding. On 6/11/2010 7:14, Jean-David Beyer wrote: > Jerry wrote (in part): > >> >> Which reminds me; there is a request at the end of every post I make. >> Would it be to much of an imposition for you to honor that request? >> >> Disclaimer: off-list followups get on-list replies or get ignored. >> Please do not ignore the Reply-To header. > > > I looked at the headers, and there is no Reply-To header in the e-mail I > received from the list. An entire page of headers, but not that one. > > Even if Reply-To was a header, it would be too much to honor it unless > my e-mailer honored it automatically (perhaps it does). Because some > lists to which I subscribe automatically reply to the lists, and some > automatically reply to the original sender, and I cannot remember which > is which. I know asking any particular list to change is not worth the > trouble; each list has its own policy and unwilling to change. I try to > remember which is which. It is sometimes suggested to hit Reply-All, but > this results in the original poster's getting two replies. I > particularly hate this method as I then reply to which ever one I get > first, usually direct to the author, thinking he wants a private reply > since he sent it to me privately. Then a little later I get one from the > list, and it is usually too much trouble to send another reply to the > list. I wish all lists were set up so a reply to a message from the list > went back to the list, but there is no point asking that from a list > that does things another way. > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMEj4KAAoJEI+f8geCGt+F6NEP/22fQL36IyOGYgYUrxkLoLvf IxUr8VqugsJAelv6cs8JsdsXCWHlaPZsBWs7JLW9qbNc/bBN2n6hSPKNxgF0e8Pi V9mN7qwzwe73AXKAb4sT1OIAiDh8sLx1y9jOLttHi4k4Gpt2oSTyDLXGMrXsNylP gkKfBl0xZQls5qir2uGC2hMgHlB2wQiqNkJp5QtQxEul5eRxxHcjqox1pdvnyfWP 5TH6+3YsysKI70GpM8rYtZHiZg0at+8yRCwYFG/Vh0r+D3drnwguYG4ZgAY0ICyQ qWiHSY8nBN0FlTRdvqKaD6lhQQnrTAsZxgakz31/dQHKO1APXStq5KX+8T/q5xUz y2uIHI3OGXa9yJej8Juz/6uqwSik7k4h7e8MIrIyRoKGlaF4/Z3QQ+Up8qX9GgUF nSRwBCLtwAwQyUA6qRbUSO2fXyBJMjHIT9NcUa5FDMIKLrRMOOOp1MVRXrUIW1YP G19FfLyTOXlvZdCKVcGckTvu4eD+56Msuy1vNpVczuzEVw48lCNfKZFLCRc6gdg2 x6yKGJiOCXf0LDdRnTMewIC3k9t/MMu11VTa07rFc8E9jF4b6K/bUqqReY2laGMr RkL5kyNBUyCSX7oIV6J8qsaBwJ8ZyIO+Gm9ySuX8meT4sm+4UYvnss/6VTC6ai45 cfVxblFoNOhPpxFAnhe3 =/vF1 -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 100611-0, 06/11/2010 Tested on: 6/11/2010 8:45:48 AM avast! - copyright (c) 1988-2010 ALWIL Software. http://www.avast.com From expires2010 at ymail.com Sat Jun 12 03:36:08 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 12 Jun 2010 02:36:08 +0100 Subject: Keyserver spam example In-Reply-To: <20100611150009.2719ae9e@scorpio> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> Message-ID: <1014353020.20100612023608@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 11 June 2010 at 8:00:09 PM, in , Jerry wrote: > On Fri, 11 Jun 2010 11:18:05 -0500 John Clizbe > articulated: >> Mark H. Wood wrote: > On Thu, Jun 10, 2010 at >> 05:57:50PM +0200, Joke de Buhr wrote: >> You do not >> sacrifice legitimate incoming mail because there is an >> >> RFC that clearly states mailservers do not operate >> from dynamic IP >> addresses. Therefore they can not >> be considered valid. >> > If there is such an RFC, it's rubbish; I run an MTA >> at home on my > dynamic address, and it works just >> fine, and is quite valid. >> EXACTLY what Mark said, "RUBBISH" >> MTA and keyserver here. My home ISP "blesses" me with >> a new address about once every six months. Router >> automagically updates my DNS provider and everything >> is good to go. >> Cite the RFC, please. > The Spamhaus PBL might very well list you. > 76.185.38.113 is listed in the PBL > Mailservers using this blocklist would probably block > mail from you. Of course, even Spamhaus's own website says the PBL is not a blacklist and that you can remove your IP address from their list if you are running a "legitimate" mail server, but only if it's a static Ip address. They provide no definition (that I can find) of what constitutes a "legitimate" mail server > Obtaining a static IP is easily done so > I don't know why someone would want to risk using a > dynamic IP. Most ISPs I have seen charge considerably more for a static IP address; generally, commercial prices rather than home-user or small-business prices. Unless you have relatively high bandwidth requirements there is no point. It is *definitely* not worth the expense just just to avoid an occasional over-zealous mailserver admin spuriously binning one of your perfectly valid email messages. Even if you are hosting a website or an incoming mail server, there are plenty of dynamic DNS services available for many times less cost than having a static IP address. > In any case, a very large percentage of > SPAM originates from dynamic IPs, which is why I > routinely block them. A large percentage of spam originates from the USA. It would be just as rational to block mail from all IP addresses that are listed as being there. (-; - -- Best regards MFPA mailto:expires2010 at ymail.com When you're caffeinated, all is right with the world -----BEGIN PGP SIGNATURE----- iQCVAwUBTBLkkqipC46tDG5pAQofMwQAsQ1jBmTKmHpSb3ceh+HI8AS/llmkmIog MDzllKUmqFSi5gDU/TGtsi2A+cCYY+1k2ENxqc96iurWCn4pJ0pcT3nrkteRF6hp sBMVFuN5fGWej1mrBCDmXsIXK18X/+fwsL9hZ74mcpkF66EbIp1GgBdHahpMN+S2 3y+zc9ReI3w= =3ou2 -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Jun 12 04:03:32 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 12 Jun 2010 03:03:32 +0100 Subject: Keyserver spam example In-Reply-To: <20100611133444.GC2829@IUPUI.Edu> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> Message-ID: <964527453.20100612030332@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 11 June 2010 at 2:34:44 PM, in , Mark H. Wood wrote: > If there is such an RFC, it's rubbish; I think there is no such RFC, just an assertion from a messaging industry lobbying group that it's the "best" practice to block mail from people who don't do things their way. The whole idea looks suspiciously like it's designed to coerce people into abandoning simple, cheap/free "home brew" solutions and purchasing services from "maawg" members. http://www.maawg.org/ - -- Best regards MFPA mailto:expires2010 at ymail.com Free advice costs nothing until you act upon it -----BEGIN PGP SIGNATURE----- iQCVAwUBTBLq+6ipC46tDG5pAQoPtAP+NX96NgREM+mcniCHAWW2S7T9FZNKEOD9 O4zTZXrv5+pZWgL5P6TMhGQwPWusmmW1P3pNE8oKC9tcJxY1BKGanKnWUyrRISmA aybh5WqZoidm8DL/oQUyaA1tQslCyqVX/n0Ofu1CAxPehp8jafSDD3dYExm+tN15 ydTfQ1cRwsQ= =ALda -----END PGP SIGNATURE----- From shadoweyez at gmail.com Sat Jun 12 04:31:24 2010 From: shadoweyez at gmail.com (David) Date: Fri, 11 Jun 2010 19:31:24 -0700 Subject: Test mail to shadoweyez@gmail.com In-Reply-To: References: Message-ID: <4C12F17C.3010107@gmail.com> On 6/11/2010 12:39 AM, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > > Not me - hope you find who you are looking for. From jeandavid8 at verizon.net Sat Jun 12 12:59:41 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sat, 12 Jun 2010 06:59:41 -0400 Subject: Keyserver spam example In-Reply-To: <1014353020.20100612023608@my_localhost> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> Message-ID: <4C13689D.5030206@verizon.net> MFPA wrote: > >> The Spamhaus PBL might very well list you. > >> 76.185.38.113 is listed in the PBL > >> Mailservers using this blocklist would probably block mail from >> you. > > Of course, even Spamhaus's own website says the PBL is not a > blacklist and that you can remove your IP address from their list if > you are running a "legitimate" mail server, but only if it's a static > Ip address. They provide no definition (that I can find) of what > constitutes a "legitimate" mail server > >> Obtaining a static IP is easily done so I don't know why someone >> would want to risk using a dynamic IP. My current ISP (Verizon) wants US$100/month more for a static IP address than for a dynamic one. In addition, I am not permitted to use my own MTA (in my case, sendmail) unless I have a commercial account instead of a home owner's account. > > Most ISPs I have seen charge considerably more for a static IP > address; generally, commercial prices rather than home-user or > small-business prices. Unless you have relatively high bandwidth > requirements there is no point. It is *definitely* not worth the > expense just just to avoid an occasional over-zealous mailserver > admin spuriously binning one of your perfectly valid email messages. > Even if you are hosting a website or an incoming mail server, there > are plenty of dynamic DNS services available for many times less cost > than having a static IP address. > My sister lives in France. I believe her ISP is the French Post Office. While I can receive e-mail from her, she cannot receive e-mail from me, even though I use Verizon as my ISP. My home has a dynamic IP address, but I assume Verizon have static IP addresses. We have worked on this for several years, but I cannot send to that sister. I have another sister in Canada. She has no trouble sending e-mail to her sister in France. Someone in France does seem to be blocking Verizon. At least, they are blocking me, and I cannot imagine it is just me. > >> In any case, a very large percentage of SPAM originates from >> dynamic IPs, which is why I routinely block them. > > A large percentage of spam originates from the USA. It would be just > as rational to block mail from all IP addresses that are listed as > being there. (-; > Maybe France is blocking all of USA, or all of Verizon. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 06:50:01 up 36 days, 14:45, 3 users, load average: 5.01, 4.73, 4.49 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From sonjamichelle at gmail.com Sat Jun 12 13:22:47 2010 From: sonjamichelle at gmail.com (Sonja Michelle Lina Thomas) Date: Sat, 12 Jun 2010 06:22:47 -0500 Subject: Keyserver spam example In-Reply-To: <4C13689D.5030206@verizon.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> Message-ID: <4C136E07.90707@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I use gmail for my SMTP needs. I have accounts on a couple of unix machines, yahoo, gmail, aim, my business hosted via godaddy and I choose gmail as the default SMTP server for all of them. Works like a charm. http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server Give them a try. Gmail is free and it can be a good account to pass to sites that you feel may be spam generators. Gmail has web/pop/imap access and has fairly decent spam filters. ___________________________________________________ Sonja Michelle Lina Thomas sonjamichelle at gmail.com "I realized fear one morning, when the blare of the fox-hunters sound. When they are all chasing after the poor bloody fox, it's safer to be dressed like a hound." On 6/12/2010 5:59, Jean-David Beyer wrote: > MFPA wrote: >> >>> The Spamhaus PBL might very well list you. >> >>> 76.185.38.113 is listed in the PBL >> >>> Mailservers using this blocklist would probably block mail from >>> you. >> >> Of course, even Spamhaus's own website says the PBL is not a >> blacklist and that you can remove your IP address from their list if >> you are running a "legitimate" mail server, but only if it's a static >> Ip address. They provide no definition (that I can find) of what >> constitutes a "legitimate" mail server >> >>> Obtaining a static IP is easily done so I don't know why someone >>> would want to risk using a dynamic IP. > > My current ISP (Verizon) wants US$100/month more for a static IP address > than for a dynamic one. In addition, I am not permitted to use my own > MTA (in my case, sendmail) unless I have a commercial account instead of > a home owner's account. >> >> Most ISPs I have seen charge considerably more for a static IP >> address; generally, commercial prices rather than home-user or >> small-business prices. Unless you have relatively high bandwidth >> requirements there is no point. It is *definitely* not worth the >> expense just just to avoid an occasional over-zealous mailserver >> admin spuriously binning one of your perfectly valid email messages. >> Even if you are hosting a website or an incoming mail server, there >> are plenty of dynamic DNS services available for many times less cost >> than having a static IP address. >> > My sister lives in France. I believe her ISP is the French Post Office. > While I can receive e-mail from her, she cannot receive e-mail from me, > even though I use Verizon as my ISP. My home has a dynamic IP address, > but I assume Verizon have static IP addresses. We have worked on this > for several years, but I cannot send to that sister. > > I have another sister in Canada. She has no trouble sending e-mail to > her sister in France. > > Someone in France does seem to be blocking Verizon. At least, they are > blocking me, and I cannot imagine it is just me. >> >>> In any case, a very large percentage of SPAM originates from >>> dynamic IPs, which is why I routinely block them. >> >> A large percentage of spam originates from the USA. It would be just >> as rational to block mail from all IP addresses that are listed as >> being there. (-; >> > Maybe France is blocking all of USA, or all of Verizon. > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJME24HAAoJEGJQ84dhuhIJsogH/j+kvW9TgS13iJWqk6P/zgBe mAorQqAR+2uEAZtDD7LtouvzOInbjNeI9u+U+7bW63dfz8RGMBp9Iims/YNlC8os wNPMg48ToAC5+bYOSInaOkjqsFc42DZnhCYAkiylkI76oMrnjHJLExBwDGdL09pY /KXM9gBAEZ9zYWQEhPDrTNsgfpj74A4Gq2h4svpkVHpYvU2EP7dHfva+GRkZEgzw 5ksWAHS6XlZzonAOCIWsrAg2f0iYL/cieMYvNlxjB9vkimQ5d7UTZollQtCJyMc+ WbGwoPoJEv4XTi78MRTBg8ptOZph9f1iEXYXEWEQ0SRx/ft8tr1//tpG7Yke2i8= =5sMr -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 100612-0, 06/12/2010 Tested on: 6/12/2010 6:22:48 AM avast! - copyright (c) 1988-2010 ALWIL Software. http://www.avast.com From gnupg.user at seibercom.net Sat Jun 12 13:37:08 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sat, 12 Jun 2010 07:37:08 -0400 Subject: Keyserver spam example In-Reply-To: <4C136E07.90707@gmail.com> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> Message-ID: <20100612073708.6e27ee6f@scorpio> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 12 Jun 2010 06:22:47 -0500 Sonja Michelle Lina Thomas articulated: > I use gmail for my SMTP needs. I have accounts on a couple of unix > machines, yahoo, gmail, aim, my business hosted via godaddy and I > choose gmail as the default SMTP server for all of them. Works like a > charm. > > http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server > > Give them a try. Gmail is free and it can be a good account to pass to > sites that you feel may be spam generators. Gmail has web/pop/imap > access and has fairly decent spam filters. I would not trust Google with your data, far less mine. They have all ready been accused of illegally pilfering through user data and mining for user wireless information. I avoid them like the plague whenever possible. What I would like to know is if the OP tried using the ISP's SMTP server, often referred to as "smarthost" feature in several MTAs. - -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ Alexander Hamilton started the U.S. Treasury with nothing - and that was the closest our country has ever been to being even. The Best of Will Rogers -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJME3FvAAoJEHnO4vtcDeotIZgH/1FJhMpRfj2waPVeLbDM3Urv EPUp6wXM3BfUaaA9xTmAv6M3DS1fQ3dPcWDj/njuEf+pCVY4SqBhwhsxUdkaAUxI JiaO3gTwWJgMBMCr36QpDkTpFpJLe/p6kcAgbliiYqKMrOgE+czj6lBeuPon5u2z Rssk8NCUpSznX86EooksDXWAiEZ/v8xg4Wop82DHvAw+9F6w428fRmtE6+Fslfe0 tDTQLMT4k1Rwk49Wn8nAknjipD+xqxrJon0riau0XjzjMZNrwBQYObMz77/W/wkz AZEIs02REq2rFIUU5UL5ysVwC/WRNyod4RMEgsOqNnMj3Jgw9ZfugrLdtsq+dm4= =qgOt -----END PGP SIGNATURE----- From jeandavid8 at verizon.net Sat Jun 12 14:39:00 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sat, 12 Jun 2010 08:39:00 -0400 Subject: Keyserver spam example In-Reply-To: <20100612073708.6e27ee6f@scorpio> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> Message-ID: <4C137FE4.2090505@verizon.net> Jerry wrote: > On Sat, 12 Jun 2010 06:22:47 -0500 > Sonja Michelle Lina Thomas articulated: > > >> I use gmail for my SMTP needs. I have accounts on a couple of unix >> machines, yahoo, gmail, aim, my business hosted via godaddy and I >> choose gmail as the default SMTP server for all of them. Works like a >> charm. > >> http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server > >> Give them a try. Gmail is free and it can be a good account to pass to >> sites that you feel may be spam generators. Gmail has web/pop/imap >> access and has fairly decent spam filters. > > I would not trust Google with your data, far less mine. They have all > ready been accused of illegally pilfering through user data and mining > for user wireless information. I avoid them like the plague whenever > possible. > > What I would like to know is if the OP tried using the ISP's SMTP > server, often referred to as "smarthost" feature in several MTAs. > Yes, I did. They will not accept anything from my MTA even when I use the smarthost feature. I can use either their web site server (that I detest) or Firefox, but they will not allow sendmail even with smarthost. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:35:01 up 36 days, 16:30, 3 users, load average: 4.62, 4.51, 4.56 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From sonjamichelle at gmail.com Sat Jun 12 14:58:19 2010 From: sonjamichelle at gmail.com (Sonja Michelle Lina Thomas) Date: Sat, 12 Jun 2010 07:58:19 -0500 Subject: Keyserver spam example In-Reply-To: <20100612073708.6e27ee6f@scorpio> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> Message-ID: <4C13846B.7010005@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I would not trust Google with your data, far less mine. They have all > ready been accused of illegally pilfering through user data and mining > for user wireless information. I avoid them like the plague whenever > possible. Pffft, they can't get to the really important stuff past my tinfoil hat! And google don't scare me! What I'm really worried about is the MiB. That van across the street, he ain't no plumber!! I could really use some coffee, but I forgot the combination. :-( If couldn't tell by now, I'm being a sarcastic b---h. I get so tired of the "tehy're out to get you" gabble people spout on the net. EVERY internet provider (AND the zit faced kid next door) has the ability to sniff your data and your packets. If I let that stop me from using the internet I'd be living in a foil lined airstream up in the hills pooping in a dirt hole and eating berries. Got any hard data to back up this claim, or are you just basing your oogie-boogie stay away on newsgroup, blog rumblings and sensationalized ratings focus media hype? I'm sure google just has a dedicated team rifling through the millions of gmail user's data looking for that ripe piece of information. I've been accused of having murderous intentions by a couple of employers, doesn't mean I have a couple of bodies buried in the back woods. It's like the facebook privacy fiasco. OMG!! FACEBOOK IS PUBLISHING MY RANTS AND THOUGHTS!!! Well here's a nugget of common sense, if ya didn't want anybody to know about it, then ya shouldn't have posted it to a semi-public location in the first place! ANYHOW, back on topic. ___________________________________________________ Sonja Michelle Lina Thomas sonjamichelle at gmail.com "I realized fear one morning, when the blare of the fox-hunters sound. When they are all chasing after the poor bloody fox, it's safer to be dressed like a hound." On 6/12/2010 6:37, Jerry wrote: > On Sat, 12 Jun 2010 06:22:47 -0500 > Sonja Michelle Lina Thomas articulated: > > >> I use gmail for my SMTP needs. I have accounts on a couple of unix >> machines, yahoo, gmail, aim, my business hosted via godaddy and I >> choose gmail as the default SMTP server for all of them. Works like a >> charm. > >> http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server > >> Give them a try. Gmail is free and it can be a good account to pass to >> sites that you feel may be spam generators. Gmail has web/pop/imap >> access and has fairly decent spam filters. > > I would not trust Google with your data, far less mine. They have all > ready been accused of illegally pilfering through user data and mining > for user wireless information. I avoid them like the plague whenever > possible. > > What I would like to know is if the OP tried using the ISP's SMTP > server, often referred to as "smarthost" feature in several MTAs. > > -- > Jerry > GNUPG.user at seibercom.net > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the Reply-To header. > __________________________________________________________________ > > Alexander Hamilton started the U.S. Treasury with nothing - and that was > the closest our country has ever been to being even. > > The Best of Will Rogers _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJME4RqAAoJEGJQ84dhuhIJ03IIAI2Ap1eck481CTilHM7vzT7P syl5LBserRXdzMLi//9nihgXKVt+IAEOm4gkLKT31lM8DKyU4BI6tejrzXfAx/cY eBlMXLOg9WtdHkcsnxnyW9RxdNo761j/VeUtOIg1L4jCktoFGkIm3wEMaT0LD1aS NHw8ZWzCLCVevIcB/TG1nw8RdDr7KAw0kCrZRRqsDXRhMjDMLSSTRwm74GW8O/9A KYD6WPw5jDDeO6pHkCIVLdQxu9LP7SPybrrgd5Zz8wel4UdIT2g/Niw4zBAe4WrF N1gfK6FhYqe/YEl4wFc4FSQjSJ1cHeFErZPS9K/nsCK802x73tzx3g7f8elDBBc= =I64K -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 100612-0, 06/12/2010 Tested on: 6/12/2010 7:58:20 AM avast! - copyright (c) 1988-2010 ALWIL Software. http://www.avast.com From gnupg.user at seibercom.net Sat Jun 12 15:15:56 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sat, 12 Jun 2010 09:15:56 -0400 Subject: Keyserver spam example In-Reply-To: <4C137FE4.2090505@verizon.net> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> <4C137FE4.2090505@verizon.net> Message-ID: <20100612091556.651d0581@scorpio> On Sat, 12 Jun 2010 08:39:00 -0400 Jean-David Beyer articulated: > Yes, I did. They will not accept anything from my MTA even when I use > the smarthost feature. I can use either their web site server (that I > detest) or Firefox, but they will not allow sendmail even with > smarthost. Please send me two test messages. One via your MTA and another via your MTA using the smarthost feature. Send them directly to me. Also, what MTA are you employing? You said sendmail, but what version and on what platform. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ Imagine me going around with a pot belly. It would mean political ruin. Adolf Hitler -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From expires2010 at ymail.com Sat Jun 12 19:57:57 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 12 Jun 2010 18:57:57 +0100 Subject: Keyserver spam example In-Reply-To: <20100612073708.6e27ee6f@scorpio> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> Message-ID: <73575199.20100612185757@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 12 June 2010 at 12:37:08 PM, in , Jerry wrote: > I would not trust Google with your data, far less mine. The problem is that you never know if your contact will forward things to a google account... - -- Best regards MFPA mailto:expires2010 at ymail.com Wisdom is a companion to age; yet age may travel alone. -----BEGIN PGP SIGNATURE----- iQCVAwUBTBPKqqipC46tDG5pAQqXmQQAwgWmCxlrxauPh55aUyXFUYg2AXyEBYxI msrCNYsRd0l2hVqGykhtL5Fwpzds14UpNbTcMH5uNW9cLzwUY3/uRd7QkisLt60i SwDuhlNQ7FdOhBlyx0Ev6jKqFE1Kn9xkoUU4z6OygOkv2BpmRh+ai5eOafOrWGGG Ia3Vu2e4wqU= =u0O1 -----END PGP SIGNATURE----- From cwsiv at keepandbeararms.com Fri Jun 11 21:09:16 2010 From: cwsiv at keepandbeararms.com (Carl Spitzer) Date: Fri, 11 Jun 2010 12:09:16 -0700 Subject: Test mail to cwsiv@keepandbeararms.com In-Reply-To: References: Message-ID: <1276283356.8976.1.camel@linux.site> Aok here. Looks like your list is set correctly c-R goes to you and c-L to the list. On Fri, 2010-06-11 at 09:37 +0200, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > -- o _______________________________ o _____ | CWSIV at KeepAndBearArms.com | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o` From cwsiv at copper.net Sat Jun 12 21:25:08 2010 From: cwsiv at copper.net (Carl Spitzer) Date: Sat, 12 Jun 2010 12:25:08 -0700 Subject: Test mail to gnupg.user In-Reply-To: <4C123E0A.8090606@sdf.lonestar.org> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> <4C123E0A.8090606@sdf.lonestar.org> Message-ID: <1276370708.11265.62.camel@linux.site> On Fri, 2010-06-11 at 08:45 -0500, Sonja Michelle Lina Thomas wrote: > To handle this issue I added the "reply to list" button to Thunderbird. > Whenever I deal with a list, I hit that button. I added it through the > right click > customize menu and drug the button to my toolbar. > I use Evolution which also gives me a choice if the list headers are done right. CWSIV From jeandavid8 at verizon.net Sat Jun 12 22:40:28 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sat, 12 Jun 2010 16:40:28 -0400 Subject: Test mail to gnupg.user In-Reply-To: <4C123E0A.8090606@sdf.lonestar.org> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> <4C123E0A.8090606@sdf.lonestar.org> Message-ID: <4C13F0BC.9090809@verizon.net> Sonja Michelle Lina Thomas wrote: >> my e-mailer honored it automatically (perhaps it does). Because some >> lists to which I subscribe automatically reply to the lists, and some >> automatically reply to the original sender, and I cannot remember which >> is which. I know asking any particular list to change is not worth the >> trouble; each list has its own policy and unwilling to change. I try to >> remember which is which. It is sometimes suggested to hit Reply-All, but >> this results in the original poster's getting two replies. I > > > To handle this issue I added the "reply to list" button to Thunderbird. > Whenever I deal with a list, I hit that button. I added it through the > right click > customize menu and drug the button to my toolbar. > I see no way to do that. I have a Reply button and a Reply All button and no others. There is no such button on that screen that allows diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red Hat Enterprise Linux 5. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 16:35:01 up 37 days, 30 min, 4 users, load average: 4.40, 4.57, 4.59 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From dougb at dougbarton.us Sat Jun 12 22:47:20 2010 From: dougb at dougbarton.us (Doug Barton) Date: Sat, 12 Jun 2010 13:47:20 -0700 Subject: Test mail to gnupg.user In-Reply-To: <4C13F0BC.9090809@verizon.net> References: <20100611062712.59425274@scorpio> <87vd9pst18.fsf@servo.finestructure.net> <20100611075538.231a6006@scorpio> <4C1228A5.4030604@verizon.net> <4C123E0A.8090606@sdf.lonestar.org> <4C13F0BC.9090809@verizon.net> Message-ID: <4C13F258.1050302@dougbarton.us> On 06/12/10 13:40, Jean-David Beyer wrote: > I see no way to do that. I have a Reply button and a Reply All button > and no others. There is no such button on that screen that allows > diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red Hat > Enterprise Linux 5. As much as I hate to contribute to this off topic thread, it's probably worth saying that there are buttons for 'reply' and 'reply list/all' in tbird 3. It's a great upgrade from tbird 2, which I used for years. You might try downloading the linux version from the mozilla site. hth, Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From gnupg.user at seibercom.net Sat Jun 12 23:21:34 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sat, 12 Jun 2010 17:21:34 -0400 Subject: Test mail to gnupg.user Message-ID: <20100612172134.77533d29@scorpio> On Sat, 12 Jun 2010 16:40:28 -0400 Jean-David Beyer articulated: > I see no way to do that. I have a Reply button and a Reply All button > and no others. There is no such button on that screen that allows > diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red > Hat Enterprise Linux 5. Unfortunately, it might prove to be academic anyway. Unlike several other lists that I am subscribed to, this mailing list does not use a "Reply-To:" in the e-mail headers. It would definitely facilitate replying to list mail if the maintainer(s) of this list configured the mailer to insert such a header that pointed to this list. Conversely, many MUAs support the "reply to list" function that should work correctly on this list. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ Consistency requires you to be as ignorant today as you were a year ago. Bernard Berenson From kloecker at kde.org Sun Jun 13 11:03:00 2010 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sun, 13 Jun 2010 11:03:00 +0200 Subject: Test mail to gnupg.user In-Reply-To: <20100612172134.77533d29@scorpio> References: <20100612172134.77533d29@scorpio> Message-ID: <201006131103.01318@thufir.ingo-kloecker.de> On Saturday 12 June 2010, Jerry wrote: > On Sat, 12 Jun 2010 16:40:28 -0400 > > Jean-David Beyer articulated: > > I see no way to do that. I have a Reply button and a Reply All > > button and no others. There is no such button on that screen that > > allows diddling buttons. Thunderbird 2.0.0.16, which is the latest > > for Red Hat Enterprise Linux 5. > > Unfortunately, it might prove to be academic anyway. Unlike several > other lists that I am subscribed to, this mailing list does not use a > "Reply-To:" in the e-mail headers. It would definitely facilitate > replying to list mail if the maintainer(s) of this list configured > the mailer to insert such a header that pointed to this list. There is such a header: List-Post: Reply-to is intended to be used by the sender to state his preference for replies. If he prefers off-list replies then he should set it to his address and if he prefers on-list replies then he should set it to the mailing list address. (In fact, there's also the Mail-followup-to header which is even better suited for this than the Reply-to header.) IMNSHO, it's not up to the mailing list admins to dictate where replies to my posts should go. Therefore, the mailing list software should not touch the Reply-to header. > Conversely, many MUAs support the "reply to list" function that > should work correctly on this list. Exactly. It works correctly because those MUAs use the above mentioned standardized (RFC 2369) List-Post header. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From gnupg.user at seibercom.net Sun Jun 13 11:53:18 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sun, 13 Jun 2010 05:53:18 -0400 Subject: Test mail to gnupg.user In-Reply-To: <201006131103.01318@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> Message-ID: <20100613055318.1fcfa821@scorpio> On Sun, 13 Jun 2010 11:03:00 +0200 Ingo Kl?cker articulated: > On Saturday 12 June 2010, Jerry wrote: > > On Sat, 12 Jun 2010 16:40:28 -0400 > > > > Jean-David Beyer articulated: > > > I see no way to do that. I have a Reply button and a Reply All > > > button and no others. There is no such button on that screen that > > > allows diddling buttons. Thunderbird 2.0.0.16, which is the latest > > > for Red Hat Enterprise Linux 5. > > > > Unfortunately, it might prove to be academic anyway. Unlike several > > other lists that I am subscribed to, this mailing list does not use > > a "Reply-To:" in the e-mail headers. It would definitely facilitate > > replying to list mail if the maintainer(s) of this list configured > > the mailer to insert such a header that pointed to this list. > > There is such a header: > List-Post: > > Reply-to is intended to be used by the sender to state his preference > for replies. If he prefers off-list replies then he should set it to > his address and if he prefers on-list replies then he should set it > to the mailing list address. (In fact, there's also the > Mail-followup-to header which is even better suited for this than the > Reply-to header.) There does not appear to be any universal support for the "Mail-Followup-To:" header. There was a draft for it: http://tools.ietf.org/id/draft-ietf-drums-mail-followup-to-00.txt however, as far as I know, it was never adopted. RFC 2822 does not mention it either. > IMNSHO, it's not up to the mailing list admins to dictate where > replies to my posts should go. Therefore, the mailing list software > should not touch the Reply-to header. Presently, the mailing list manager employed here strips away any "Reply-to: headers. > > Conversely, many MUAs support the "reply to list" function that > > should work correctly on this list. > > Exactly. It works correctly because those MUAs use the above > mentioned standardized (RFC 2369) List-Post header. -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ It's always a long day; 86400 doesn't fit into a short. From gnupg.user at seibercom.net Sun Jun 13 12:22:38 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sun, 13 Jun 2010 06:22:38 -0400 Subject: Keyserver spam example In-Reply-To: <4C13846B.7010005@gmail.com> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> <4C13846B.7010005@gmail.com> Message-ID: <20100613062238.4d468468@scorpio> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 12 Jun 2010 07:58:19 -0500 Sonja Michelle Lina Thomas articulated: > > I would not trust Google with your data, far less mine. They have > > all ready been accused of illegally pilfering through user data and > > mining for user wireless information. I avoid them like the plague > > whenever possible. > > Pffft, they can't get to the really important stuff past my tinfoil > hat! > > And google don't scare me! What I'm really worried about is the MiB. > That van across the street, he ain't no plumber!! > > I could really use some coffee, but I forgot the combination. :-( > > If couldn't tell by now, I'm being a sarcastic b---h. I get so tired > of the "tehy're out to get you" gabble people spout on the net. > > EVERY internet provider (AND the zit faced kid next door) has the > ability to sniff your data and your packets. If I let that stop me > from using the internet I'd be living in a foil lined airstream up in > the hills pooping in a dirt hole and eating berries. > > Got any hard data to back up this claim, or are you just basing your > oogie-boogie stay away on newsgroup, blog rumblings and > sensationalized ratings focus media hype? I'm sure google just has a > dedicated team rifling through the millions of gmail user's data > looking for that ripe piece of information. Interestingly enough, the first email I read this morning had a link to this: http://tech.slashdot.org/story/10/06/12/2339209/Google-Tells-Congress-It-Disclosed-Wi-Fi-Sniffing And that is just the tip of the ice burg. - -- Jerry GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ Life is a concentration camp. You're stuck here and there's no way out and you can only rage impotently against your persecutors. Woody Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJMFLF2AAoJEHnO4vtcDeotL00IAJpbGOEAVev1NjHCXNsX8AMY FLiXYy9MlBU9+hzKJ6828zXv9oIh6c6G8QoWjsAgKblweKjgmBuBLih+UFz65kQG Tf7kA0LlnhdWLIAkDqXumHUVhtbP7+aX+cNSpIW5fO5E0lumcdaaboUxrOSTLBT+ Ra4xtjwX7FHpO2EYRs2TBiFfCigGqRDANDHZaSE9go28UFefurS3u1kLL+7X1f0a 797ac4wFjetK46PdumZ+Wazfr3PzFSP3lGGs5kGWIWlFPFhwvqxfm/lp8iZU+hzI HxX16INLkh8sIU1YvNF/Zp4f0dIL0GAJSWv7qmZgvcuI9NbDLemZI1tVaKzZ2V0= =B8qb -----END PGP SIGNATURE----- From jeandavid8 at verizon.net Sun Jun 13 13:09:22 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sun, 13 Jun 2010 07:09:22 -0400 Subject: Test mail to gnupg.user In-Reply-To: <201006131103.01318@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> Message-ID: <4C14BC62.5030205@verizon.net> Ingo Kl?cker wrote: > On Saturday 12 June 2010, Jerry wrote: >> On Sat, 12 Jun 2010 16:40:28 -0400 >> >> Jean-David Beyer articulated: >>> I see no way to do that. I have a Reply button and a Reply All >>> button and no others. There is no such button on that screen that >>> allows diddling buttons. Thunderbird 2.0.0.16, which is the latest >>> for Red Hat Enterprise Linux 5. >> Unfortunately, it might prove to be academic anyway. Unlike several >> other lists that I am subscribed to, this mailing list does not use a >> "Reply-To:" in the e-mail headers. It would definitely facilitate >> replying to list mail if the maintainer(s) of this list configured >> the mailer to insert such a header that pointed to this list. > > There is such a header: > List-Post: So there is. > > Reply-to is intended to be used by the sender to state his preference > for replies. If he prefers off-list replies then he should set it to his > address and if he prefers on-list replies then he should set it to the > mailing list address. (In fact, there's also the Mail-followup-to header > which is even better suited for this than the Reply-to header.) > > IMNSHO, it's not up to the mailing list admins to dictate where replies > to my posts should go. Therefore, the mailing list software should not > touch the Reply-to header. > OK. > >> Conversely, many MUAs support the "reply to list" function that >> should work correctly on this list. Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the latest version available in .rpm for my distribution (RHEL 5.5). I hear Thunderbird 3 does have something like this. > > Exactly. It works correctly because those MUAs use the above mentioned > standardized (RFC 2369) List-Post header. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 07:00:01 up 37 days, 14:55, 3 users, load average: 5.59, 4.62, 4.33 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From kloecker at kde.org Sun Jun 13 13:56:37 2010 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sun, 13 Jun 2010 13:56:37 +0200 Subject: Test mail to gnupg.user In-Reply-To: <4C14BC62.5030205@verizon.net> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <4C14BC62.5030205@verizon.net> Message-ID: <201006131356.46823@thufir.ingo-kloecker.de> On Sunday 13 June 2010, Jean-David Beyer wrote: > Ingo Kl?cker wrote: > > On Saturday 12 June 2010, Jerry wrote: > >> Conversely, many MUAs support the "reply to list" function that > >> should work correctly on this list. > > Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the > latest version available in .rpm for my distribution (RHEL 5.5). I > hear Thunderbird 3 does have something like this. https://addons.mozilla.org/en-US/thunderbird/addon/4455/ Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From jeandavid8 at verizon.net Sun Jun 13 14:13:31 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sun, 13 Jun 2010 08:13:31 -0400 Subject: Test mail to gnupg.user In-Reply-To: <201006131356.46823@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <4C14BC62.5030205@verizon.net> <201006131356.46823@thufir.ingo-kloecker.de> Message-ID: <4C14CB6B.3040008@verizon.net> Ingo Kl?cker wrote: > On Sunday 13 June 2010, Jean-David Beyer wrote: >> Ingo Kl?cker wrote: >>> On Saturday 12 June 2010, Jerry wrote: >>>> Conversely, many MUAs support the "reply to list" function that >>>> should work correctly on this list. >> Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the >> latest version available in .rpm for my distribution (RHEL 5.5). I >> hear Thunderbird 3 does have something like this. > > https://addons.mozilla.org/en-US/thunderbird/addon/4455/ > > > Regards, > Ingo > > Thank you. It works. I used it on this e-mail. It takes time, though. When I pressed Reply-List, it first put your personal e-mail address in the To: field and only later did it change it to the list itself. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:10:01 up 37 days, 16:05, 4 users, load average: 4.46, 4.63, 4.85 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Sun Jun 13 15:32:43 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 13 Jun 2010 14:32:43 +0100 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <201006131103.01318@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> Message-ID: <1947085617.20100613143243@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 13 June 2010 at 10:03:00 AM, in , Ingo Kl?cker wrote: > IMNSHO, it's not up to the mailing list admins to > dictate where replies to my posts should go. Therefore, > the mailing list software should not touch the Reply-to > header. As far as I know, this is the only list I have ever subscribed to that does not set a reply-to header to the list address. I'm not saying it is "right" or "wrong," just unique in my experience. The admins don't "dictate" where replies go: the person replying does whatever they want. However, I would suggest that it *is* perfectly proper for the admins of any list to set headers that encourage posters (or their email software) to follow the etiquette of that group. In the case of GnuPG-users, that would perhaps be a reply-to header containing both the list address and the senders address. - -- Best regards MFPA mailto:expires2010 at ymail.com Did you hear? They took the word gullible out of the dictionary -----BEGIN PGP SIGNATURE----- iQCVAwUBTBTeEaipC46tDG5pAQovlgP/ZM6sSGaX9gb+rm042SK23IRop39EmN/D JR7dhdPQ0yZRIIERldohuyaSz3wIwVXBs23AG156RABojALXAIAfcjAoc9oo1dII zcGhHNVIuXOYFJNt9cViuMnQ6ztk24rX0MiX7sOTBk6LF/pNsM3UPbCTSFqoGx3V Bq9QwGjaBnM= =AcRB -----END PGP SIGNATURE----- From r_runner at poczta.onet.pl Sun Jun 13 16:19:28 2010 From: r_runner at poczta.onet.pl (Road Runner) Date: Sun, 13 Jun 2010 16:19:28 +0200 Subject: Test mail to ... In-Reply-To: References: Message-ID: <4C14E8F0.7070103@poczta.onet.pl> On 2010-06-11 09:38, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner Like the others I'm living too. RR From sonjamichelle at gmail.com Sun Jun 13 17:13:23 2010 From: sonjamichelle at gmail.com (Sonja Michelle Lina Thomas) Date: Sun, 13 Jun 2010 10:13:23 -0500 Subject: Keyserver spam example In-Reply-To: <20100613062238.4d468468@scorpio> References: <201005260617.o4Q6HVLu004364@walrus.jabberwocky.com> <201006101635.36328.joke@seiken.de> <18110357645.20100610162918@my_localhost> <201006101757.53020.joke@seiken.de> <20100611133444.GC2829@IUPUI.Edu> <4C1261BD.1030601@Mozilla-Enigmail.org> <20100611150009.2719ae9e@scorpio> <1014353020.20100612023608@my_localhost> <4C13689D.5030206@verizon.net> <4C136E07.90707@gmail.com> <20100612073708.6e27ee6f@scorpio> <4C13846B.7010005@gmail.com> <20100613062238.4d468468@scorpio> Message-ID: <4C14F593.1030405@gmail.com> > Interestingly enough, the first email I read this morning had a link to > this: > > http://tech.slashdot.org/story/10/06/12/2339209/Google-Tells-Congress-It-Disclosed-Wi-Fi-Sniffing > > And that is just the tip of the ice burg. > > -- > Jerry OMG!! Google is stealing and archiving pictures of my dopey cat doing stupid stuff!!! OH KNOW!! Google now knows I have a hair appointment on Thursday all because I use google calendar. What am I going to do!!!! My privacy has been invaded!!! I feel so violated!!!!! Seriously, if it's personal and you don't want to take the risk of someone knowing about it, don't put it on the internet in the first place. And if you have to put it on the net or transmit it to a friend, encrypt it. I mean you ARE a GPG user, right? As far as google running around with a Wifi enabled car snagging data from unsecured access points, it's the end users own damn fault for blindly buying an AP and just slapping it on their network. I'm not that paranoid that I loose sleep over the possibility that google may be archiving pictures of my cat, the occasional dirty joke and a few "Hi Mom, we're doing great here, how are y'all?" emails. All my important stuff is on my PC on an encrypted hdd behind a router using two tiered encryption and a 25+ character passkey. And anything that is REALLY personal and SECRET is stuffed in a case hidden in my home under lock and key. And if it's damaging and detrimental to my character or freedom, it's only exists in my own head as a memory. I mean I've got better things to turn my attention to, like trying to finalize the processing and paper work to get my $59 million Nigerian nairas that my dead rich uncle (who I didn't realize I had) from the International Bank of Abuja. Just gotta run to the bank tomorrow and get that $2500 cashiers check for the processing and duty fees. Then I'll be on easy street!!! ___________________________________________________ Sonja Michelle Lina Thomas sonjamichelle at gmail.com "I realized fear one morning, when the blare of the fox-hunters sound. When they are all chasing after the poor bloody fox, it's safer to be dressed like a hound." On 6/13/2010 5:22, Jerry wrote: > On Sat, 12 Jun 2010 07:58:19 -0500 > Sonja Michelle Lina Thomas articulated: > >>> I would not trust Google with your data, far less mine. They have >>> all ready been accused of illegally pilfering through user data and >>> mining for user wireless information. I avoid them like the plague >>> whenever possible. > >> Pffft, they can't get to the really important stuff past my tinfoil >> hat! > >> And google don't scare me! What I'm really worried about is the MiB. >> That van across the street, he ain't no plumber!! > >> I could really use some coffee, but I forgot the combination. :-( > >> If couldn't tell by now, I'm being a sarcastic b---h. I get so tired >> of the "tehy're out to get you" gabble people spout on the net. > >> EVERY internet provider (AND the zit faced kid next door) has the >> ability to sniff your data and your packets. If I let that stop me >> from using the internet I'd be living in a foil lined airstream up in >> the hills pooping in a dirt hole and eating berries. > >> Got any hard data to back up this claim, or are you just basing your >> oogie-boogie stay away on newsgroup, blog rumblings and >> sensationalized ratings focus media hype? I'm sure google just has a >> dedicated team rifling through the millions of gmail user's data >> looking for that ripe piece of information. > > Interestingly enough, the first email I read this morning had a link to > this: > > http://tech.slashdot.org/story/10/06/12/2339209/Google-Tells-Congress-It-Disclosed-Wi-Fi-Sniffing > > And that is just the tip of the ice burg. > > -- > Jerry > GNUPG.user at seibercom.net > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the Reply-To header. > __________________________________________________________________ > > Life is a concentration camp. You're stuck here and there's no way > out and you can only rage impotently against your persecutors. > Woody Allen _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 552 bytes Desc: OpenPGP digital signature URL: From jeff.sadowski at gmail.com Sun Jun 13 19:01:34 2010 From: jeff.sadowski at gmail.com (Jeff Sadowski) Date: Sun, 13 Jun 2010 11:01:34 -0600 Subject: Was I suppose to reply to the email titled with my email? Message-ID: I read it but didn't see that I had to do anything. Did I read it wrong seems a lot of people replied to theirs. From kloecker at kde.org Sun Jun 13 19:12:54 2010 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sun, 13 Jun 2010 19:12:54 +0200 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <1947085617.20100613143243@my_localhost> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <1947085617.20100613143243@my_localhost> Message-ID: <201006131912.55643@thufir.ingo-kloecker.de> On Sunday 13 June 2010, MFPA wrote: > Hi > > > On Sunday 13 June 2010 at 10:03:00 AM, in > , Ingo Kl?cker wrote: > > IMNSHO, it's not up to the mailing list admins to > > dictate where replies to my posts should go. Therefore, > > the mailing list software should not touch the Reply-to > > header. > > As far as I know, this is the only list I have ever subscribed to > that does not set a reply-to header to the list address. I'm not > saying it is "right" or "wrong," just unique in my experience. > > The admins don't "dictate" where replies go: the person replying does > whatever they want. True. But to do so the person replying has to decide whatever they want (reply to author or reply to list or reply to both). Also, not all MUAs make it easy to choose between reply to author or reply to list or reply to both. I'm not sure what the conclusion is. I guess the only sensible conclusion is using a decent MUA which gives the replier the choice. Optimizing the mailing list for crappy MUAs is just as wrong as optimizing web pages for crappy browsers. > However, I would suggest that it *is* perfectly > proper for the admins of any list to set headers that encourage > posters (or their email software) to follow the etiquette of that > group. In the case of GnuPG-users, that would perhaps be a reply-to > header containing both the list address and the senders address. Hmm, I never read anywhere that this would be the etiquette of this group. It's certainly not mentioned on the listinfo page of gnupg-users. Also, most people seem to reply to list only. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From filosottile.wiki at gmail.com Sun Jun 13 18:34:17 2010 From: filosottile.wiki at gmail.com (Filippo Valsorda) Date: Sun, 13 Jun 2010 18:34:17 +0200 Subject: Keys substitution Message-ID: Hi, i created a keyring a couple of years ago without any serious intent. I kept my keys "not so secure". Now i want to restart, without changing ID, as i am always the same person, but revoking all from the past. What have I to do? Thanks a lot ------------------------------------ sec 1024D/01A82A13 2008-09-21 uid Filippo V uid FiloSottile (Work and spam e-mail) ssb 2048R/19755070 2009-07-31 From gnupg.user at seibercom.net Sun Jun 13 20:37:33 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sun, 13 Jun 2010 14:37:33 -0400 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <201006131912.55643@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <1947085617.20100613143243@my_localhost> <201006131912.55643@thufir.ingo-kloecker.de> Message-ID: <20100613143733.7baf8c16@scorpio> On Sun, 13 Jun 2010 19:12:54 +0200 Ingo Kl?cker articulated: > Hmm, I never read anywhere that this would be the etiquette of this > group. It's certainly not mentioned on the listinfo page of > gnupg-users. Also, most people seem to reply to list only. While it would appear that most users direct their replies back to the list, there are a few morons who feel it is their sworn duty to CC: the OP. It gets worse; another user unintentionally replies to just such a message with the unwanted CC: intact. Now the OP starts receiving a chain of unwanted e-mails. While it is certainly possible to filter out just such nonsense, and personally I feel that reporting it as SPAM since it effective is, doing so would probably not bode well for the list's reputation.. -- Jerry ? GNUPG.user at seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __________________________________________________________________ BEWARE! People acting under the influence of human nature. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From shavital at mac.com Sun Jun 13 22:04:27 2010 From: shavital at mac.com (Charly Avital) Date: Sun, 13 Jun 2010 16:04:27 -0400 Subject: Keys substitution In-Reply-To: References: Message-ID: <4C1539CB.9080101@mac.com> Filippo Valsorda wrote the following on 6/13/10 12:34 PM: > Hi, i created a keyring a couple of years ago without any serious > intent. I kept my keys "not so secure". > > Now i want to restart, without changing ID, as i am always the same > person, but revoking all from the past. > What have I to do? > Thanks a lot > > ------------------------------------ > sec 1024D/01A82A13 2008-09-21 > uid Filippo V > uid FiloSottile (Work and spam e-mail) > > ssb 2048R/19755070 2009-07-31 > This is what I get: ------------------------- pub 1024D/01A82A13 created: 2008-09-21 expires: never usage: SCA trust: unknown validity: unknown sub 2048R/19755070 created: 2009-07-31 expires: never usage: E This key was revoked on 2009-07-31 by DSA key 01A82A13 FiloSottile (Work and spam e-mail) sub 2048g/E159FB03 created: 2008-09-21 revoked: 2009-07-31 usage: E [ unknown] (1). FiloSottile (Work and spam e-mail) [ unknown] (2) Filippo V ------------------------- It seems that "all from the past" has already been revoked (by you, hopefully). I suggest that you generate a new key pair, with a good passphrase, generate the corresponding revocation certificate (that you will store in a secure place), and upload your new public key to a keyserver. Good luck. Charly From expires2010 at ymail.com Mon Jun 14 01:16:47 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 14 Jun 2010 00:16:47 +0100 Subject: Was I suppose to reply to the email titled with my email? In-Reply-To: References: Message-ID: <1537142737.20100614001647@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 13 June 2010 at 6:01:34 PM, in , Jeff Sadowski wrote: > I read it but didn't see that I had to do anything. Did > I read it wrong seems a lot of people replied to > theirs. I refer you to Werner's later post, after people started replying to them. Subject: "FYI: About my test mails" On Friday 11 June 2010 at 11:15:32 AM, in , Werner Koch wrote: > Hi, > a few hours ago I sent test mails to each subscribed > user. The mails should look like regular mailing list > mail but with your address also in the subject. This > is a try to figure out who forwards postings to an > automated systems which in turn spams the original > poster. > Please ignore these mails - there is no need to > respond. Werner later posted that he had found the culprit, unsubscribed the address and banned it from further subscriptions. The culprit address was was support at resell.biz - I am amused to find that http://resell.biz/ claims to have "friendly, responsive customer support!" (-; - -- Best regards MFPA mailto:expires2010 at ymail.com When you're through changing, you're through -----BEGIN PGP SIGNATURE----- iQCVAwUBTBVm56ipC46tDG5pAQoAPwP/RegHkMgZbJqJkvDV2Sged2JqMU6c7l2+ 9VGuyrrEkO8j72iZKpIX3aYImqeOfojCLEdOiM6bvH9PB77SREdVWKXo1kM9q7vf FvAZ3woQt3opoLsglSeU9S7TwolT3UYEMPhx47o2smD3Dhxd75nxdp2rJspu+5cB cozcyk2gVEo= =OKeE -----END PGP SIGNATURE----- From expires2010 at ymail.com Mon Jun 14 02:07:21 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 14 Jun 2010 01:07:21 +0100 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <20100613143733.7baf8c16@scorpio> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <1947085617.20100613143243@my_localhost> <201006131912.55643@thufir.ingo-kloecker.de> <20100613143733.7baf8c16@scorpio> Message-ID: <132742378.20100614010721@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 13 June 2010 at 7:37:33 PM, in , Jerry wrote: > While it would appear that most users direct their > replies back to the list, there are a few morons who > feel it is their sworn duty to CC: the OP. After my first few postings to this list, I received a complaint from somebody whose post I replied to, for not copying my replies directly to the OP. I amended my reply template to do so, and have received no complaint since. > It gets > worse; another user unintentionally replies to just > such a message with the unwanted CC: intact. Now the OP > starts receiving a chain of unwanted e-mails. I guess nobody has done that when replying to me, since I've experienced no such chain. > While it is certainly possible to filter out just such > nonsense, and personally I feel that reporting it as > SPAM since it effective is, doing so would probably not > bode well for the list's reputation.. SPAM (in capital letters) is a canned precooked meat product made by the Hormel Foods Corporation. (-; - -- Best regards MFPA mailto:expires2010 at ymail.com Life is far too important a thing ever to talk seriously about -----BEGIN PGP SIGNATURE----- iQCVAwUBTBVywaipC46tDG5pAQoqGwQAjYh1Sg5+0cQRYrbDWfoaP1BoT3cdQe/G o7n3PDyvQxGwfxJWVBKVQR4Fh72KKCVUgc0tFhnsPWgPVjf7iwgx1Cp4W8Sc6m5S Jr6cr90tM3kIid5MvJQQNn6N+zi2+RT+dCnGS9dztelO1+VdUL1ype/pQ/3HNP9R zPXBcRmHl3k= =lsUD -----END PGP SIGNATURE----- From sonjamichelle at gmail.com Mon Jun 14 02:17:38 2010 From: sonjamichelle at gmail.com (Sonja Michelle Lina Thomas) Date: Sun, 13 Jun 2010 19:17:38 -0500 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <132742378.20100614010721@my_localhost> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <1947085617.20100613143243@my_localhost> <201006131912.55643@thufir.ingo-kloecker.de> <20100613143733.7baf8c16@scorpio> <132742378.20100614010721@my_localhost> Message-ID: <4C157522.8000002@gmail.com> > > SPAM (in capital letters) is a canned precooked meat product made by > the Hormel Foods Corporation. (-; > Which is pretty good when sliced thin, pan fried and put on a toasted English muffin with spicy mustard! ___________________________________________________ Sonja Michelle Lina Thomas sonjamichelle at gmail.com "I realized fear one morning, when the blare of the fox-hunters sound. When they are all chasing after the poor bloody fox, it's safer to be dressed like a hound." On 6/13/2010 19:07, MFPA wrote: > Hi > > > On Sunday 13 June 2010 at 7:37:33 PM, in > , Jerry wrote: > > >> While it would appear that most users direct their >> replies back to the list, there are a few morons who >> feel it is their sworn duty to CC: the OP. > > After my first few postings to this list, I received a complaint from > somebody whose post I replied to, for not copying my replies directly > to the OP. I amended my reply template to do so, and have received no > complaint since. > > > >> It gets >> worse; another user unintentionally replies to just >> such a message with the unwanted CC: intact. Now the OP >> starts receiving a chain of unwanted e-mails. > > I guess nobody has done that when replying to me, since I've > experienced no such chain. > > > >> While it is certainly possible to filter out just such >> nonsense, and personally I feel that reporting it as >> SPAM since it effective is, doing so would probably not >> bode well for the list's reputation.. > > SPAM (in capital letters) is a canned precooked meat product made by > the Hormel Foods Corporation. (-; > > > > -- > Best regards > > MFPA mailto:expires2010 at ymail.com > > Life is far too important a thing ever to talk seriously about _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 552 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Mon Jun 14 01:52:03 2010 From: expires2010 at ymail.com (MFPA) Date: Mon, 14 Jun 2010 00:52:03 +0100 Subject: [OT] Re: Test mail to gnupg.user In-Reply-To: <201006131912.55643@thufir.ingo-kloecker.de> References: <20100612172134.77533d29@scorpio> <201006131103.01318@thufir.ingo-kloecker.de> <1947085617.20100613143243@my_localhost> <201006131912.55643@thufir.ingo-kloecker.de> Message-ID: <1472226730.20100614005203@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 13 June 2010 at 6:12:54 PM, in , Ingo Kl?cker wrote: > Hmm, I never read anywhere that this would be the > etiquette of this group. It's certainly not mentioned > on the listinfo page of gnupg-users. Also, most people > seem to reply to list only. When I first posted here, I wondered why I kept getting copies of replies to my posts sent directly to my address as well as via the list. Soon, somebody corrected me for not copying them in on my reply to their post as well as sending it to the list. They told me that was the etiquette here. Since my experience at the time supported that statement, I duly set up my reply template to do just that. I can't remember who that was, and probably no longer have a copy of the message. I still often receive copies of replies to my posts directly as well as via the list; sometimes both addresses are in the "to" field, but more often one or other is a "cc." I still have my reply template set up to do the same. - -- Best regards MFPA mailto:expires2010 at ymail.com No man ever listened himself out of a job -----BEGIN PGP SIGNATURE----- iQCVAwUBTBV2c6ipC46tDG5pAQpzmgP8CuvmihkXJiSBMNfjwENzEe4qaC2Ibxu1 mDHHOdefWk3HZ7zhvT3/M0BqCRBr32cpTS/aw7bSjpneZTKgSzUizAfBoP6wyEQN peRewNNUT/ena3A06E/627R5Zm1Ux9GO3nrF0iyJxFS5zUk9sbHjn6NDwGX0CF6+ P8PLRZ75pr0= =yGjw -----END PGP SIGNATURE----- From dougb at dougbarton.us Mon Jun 14 07:06:37 2010 From: dougb at dougbarton.us (Doug Barton) Date: Sun, 13 Jun 2010 22:06:37 -0700 Subject: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr Message-ID: <4C15B8DD.7040708@dougbarton.us> Howdy, Working on updating gnupg in FreeBSD and ran into a problem. GnuPG 2.0.15 requires libassuan 2.0.0, but to build the gpgsm module it requires dirmngr, which requires libassuan 1.x. My understanding is that there is a dirmngr update planned (http://lists.gnupg.org/pipermail/gnupg-devel/2010-March/025565.html) is there any progress on that? My temporary solution has been to create a libassuan-1 port for the things that depend on it, update the libassuan port to 2.0.0, and update gnupg without the option to build gpgsm, but these are all kludges I'd like to avoid. Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From wk at gnupg.org Mon Jun 14 09:18:46 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 14 Jun 2010 09:18:46 +0200 Subject: FYI: About my test mails In-Reply-To: (Benjamin Donnachie's message of "Fri, 11 Jun 2010 22:57:03 +0100") References: <87bpbh50zf.fsf@vigenere.g10code.de> <877hm54wyi.fsf@vigenere.g10code.de> Message-ID: <87eiga2iax.fsf@vigenere.g10code.de> On Fri, 11 Jun 2010 23:57, benjamin at py-soft.co.uk said: > Did alavarre at gmail.com ever get removed? See > http://lists.gnupg.org/pipermail/gnupg-users/2010-May/038724.html I can see no evidence that this address is abusing this ML. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon Jun 14 09:23:48 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 14 Jun 2010 09:23:48 +0200 Subject: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr In-Reply-To: <4C15B8DD.7040708@dougbarton.us> (Doug Barton's message of "Sun, 13 Jun 2010 22:06:37 -0700") References: <4C15B8DD.7040708@dougbarton.us> Message-ID: <87aaqy2i2j.fsf@vigenere.g10code.de> On Mon, 14 Jun 2010 07:06, dougb at dougbarton.us said: > Working on updating gnupg in FreeBSD and ran into a problem. GnuPG > 2.0.15 requires libassuan 2.0.0, but to build the gpgsm module it > requires dirmngr, which requires libassuan 1.x. My understanding is Oppps. I though I released a new dirmngr version - hmmm that was only a release candidate. I try to get it out today. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon Jun 14 10:00:17 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 14 Jun 2010 10:00:17 +0200 Subject: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr In-Reply-To: <4C15B8DD.7040708@dougbarton.us> (Doug Barton's message of "Sun, 13 Jun 2010 22:06:37 -0700") References: <4C15B8DD.7040708@dougbarton.us> Message-ID: <871vca2gdq.fsf@vigenere.g10code.de> Hi, I just released dirmngr 1.1.0 which requires libassuan 2.0. Let me know if you have any problems, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dougb at dougbarton.us Mon Jun 14 12:09:33 2010 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 14 Jun 2010 03:09:33 -0700 Subject: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr In-Reply-To: <871vca2gdq.fsf@vigenere.g10code.de> References: <4C15B8DD.7040708@dougbarton.us> <871vca2gdq.fsf@vigenere.g10code.de> Message-ID: <4C15FFDD.9040101@dougbarton.us> On 06/14/10 01:00, Werner Koch wrote: > Hi, > > I just released dirmngr 1.1.0 which requires libassuan 2.0. > > Let me know if you have any problems, Looks good so far, thanks so much for the quick response! :) Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From dkg at fifthhorseman.net Mon Jun 14 18:50:32 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 14 Jun 2010 12:50:32 -0400 Subject: auto refresh-keys In-Reply-To: <87d3w6n1kh.fsf@algae.riseup.net> References: <87d3w6n1kh.fsf@algae.riseup.net> Message-ID: <4C165DD8.5020903@fifthhorseman.net> On 06/04/2010 01:35 PM, Micah Anderson wrote: > It seems like the best solution would be to build into gnupg the functionality > that is similar to the automatic trust database operation: have gpg auto-refresh > from the configured keyserver periodically. I think something like this would be a good idea. I've found that many users (even sophisticated users) of GnuPG never refresh their keyrings manually, which means that they use a good strong tool to (for example) encrypt messages to known-revoked keys (in a recent case, to a key whose revocation certificate was published over 2? years ago). This is bad security for those users. GnuPG should help those users to Do The Right Thing as automatically as possible. > There are some considerations that > should be made here, such as how frequent should this refresh operation happen? > Should it happen on every use, before the key is used? Should it happen just on > the key(s) that the current operation is going to act on? here's a proposal: gpg could keep track of the last time it refreshed any given key from a public keyserver. when the user tries to use that key, if the last-refreshed time is more than X days ago, the key is refreshed (and the associated part of the trustdb updated?) before use. Upon succes, the last-refreshed time associated with that key should be updated. > What about network > problems, such as no network at all, keyserver down, or slow? There should > probably be a low timeout to not cause user annoyance, but also some sort of > indication/warning that when a keyserver update could not be performed that the > key is potentially out of date. Network or keyserver failures during an auto-refresh should be accepted and the rest of the operation should continue (though the last-refreshed time shouldn't be updated). What if the network and keyserver are both available, but the keyserver has never heard of the key in question? > Users should have the capability to configure in > their gpg.conf a 'no-auto-refresh-keys' variable if they do not want this > functionality. Sounds good to me. i could even imagine this being a per-key setting, but that might be more complexity cost than is worth incurring for the (minimal) gain. > Perhaps even some sanity checking on the data that is coming in > would be good to guard against gigabytes of data coming down. for signature data coming from keyservers during an auto-refresh, i could see doing the following triage to avoid storing gigabytes of unnecessary stuff: * discard all certifications made by keys which we do not have a local copy of (since they are meaningless for computing calculated validity of a key). * discard all certifications which are not cryptographically valid, or are executed with cryptographic algorithms we do not support, or which rely on known-weak cryptographic algorithms. * discard all certifications which are larger than some Certifications fetched are either over: 0) a User ID and a primary Key, or 1) a primary key and an associated subkey (these are usually self-sigs or revocations), or 2) a primary key itself (also usually self-sigs or revocations) For each thing being certified: * for cryptographically-valid certifications (or revocations) from any given public key (or its associated subkeys): only store the certifications with the most-recent certification date. This prevents fetching, say, 1000 certifications from an abusive certifier. What do other folks think about this? The more we can make gpg do the right thing automatically (and this includes picking up revocations and updates), the more useful it will be in terms of providing real secured communications for its users. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Mon Jun 14 19:19:58 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 14 Jun 2010 13:19:58 -0400 Subject: auto refresh-keys In-Reply-To: <4C165DD8.5020903@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> Message-ID: <4C1664BE.1080500@fifthhorseman.net> On 06/14/2010 12:50 PM, Daniel Kahn Gillmor wrote: > * discard all certifications which are larger than some sorry, this thought didn't get finished. it should have said: * discard all certifications which are larger than some pre-defined value (e.g. do no not bother processing certifications that are > 512KB in size, as there are currently no certifications that need to be anywhere near this size. The goal, again, is to avoid auto-refresh from chewing up too much space on the local disk. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From mijiaaila80 at gmail.com Mon Jun 14 19:54:42 2010 From: mijiaaila80 at gmail.com (=?ISO-8859-1?Q?Mica=EBl?= P.) Date: Mon, 14 Jun 2010 19:54:42 +0200 Subject: Test mail to mijiaaila80@gmail.com In-Reply-To: References: Message-ID: <1276538082.6187.5.camel@micael-bureau> It's not me. No problem. Le vendredi 11 juin 2010 ? 09:38 +0200, Werner Koch a ?crit : > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lord.icervantes at gmail.com Mon Jun 14 22:27:08 2010 From: lord.icervantes at gmail.com (=?ISO-8859-1?Q?Iv=E1n_Cervantes?=) Date: Mon, 14 Jun 2010 15:27:08 -0500 Subject: Test mail to lord.icervantes@gmail.com In-Reply-To: References: Message-ID: not me. On Fri, Jun 11, 2010 at 2:38 AM, Werner Koch wrote: > Hi! > > One of the subscribers to this list created a mail forward to an > automated ticketing system which responds to the the poster. The > owner of the ticketing system at secure.mpcustomer.com does not > respond to any of our queries to send us more information on the mails > triggering the posting. Thus we need to send these test mails in the > hope to figure out the culprit. > > Sorry for the inconvenience, > > Werner > > -- M. en C. Iv?n Cervantes -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2010 at ymail.com Tue Jun 15 01:54:33 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 15 Jun 2010 00:54:33 +0100 Subject: auto refresh-keys In-Reply-To: <4C1664BE.1080500@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <4C1664BE.1080500@fifthhorseman.net> Message-ID: <12751866.20100615005433@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 14 June 2010 at 6:19:58 PM, in , Daniel Kahn Gillmor wrote: > On 06/14/2010 12:50 PM, Daniel Kahn Gillmor wrote: >> * discard all certifications which are larger than some > sorry, this thought didn't get finished. it should > have said: > * discard all certifications which are larger than some > pre-defined value (e.g. do no not bother processing > certifications that are > 512KB in size, as there are > currently no certifications that need to be anywhere > near this size. > The goal, again, is to avoid auto-refresh from chewing > up too much space on the local disk. Although, of course, the certifications are all part of OxDECAFDAD.asc and therefore are still dowmloaded and consume bandwidth. With isks in excess of a terabyte, why bother expending the extra CPU cycles to conserve a little disk space? - -- Best regards MFPA mailto:expires2010 at ymail.com When duty calls...hang up immediately -----BEGIN PGP SIGNATURE----- iQCVAwUBTBbBPaipC46tDG5pAQokmwQAxl9rG/x95kplr1NSETXDCtJmXLj3nImA fW3iUY3BBGdqVDJmcJRzM0l2W52j2Zrr60rYDpr0LlU9c34Q+XtzDXqluhjAaigU mehGxf80irIgI8ziZwRTVexHNl3aizSq+7Y2nsxLkhYSI/tF2wmGWyLwDZlGhvta be3CHUFAQY0= =3lAv -----END PGP SIGNATURE----- From expires2010 at ymail.com Tue Jun 15 01:58:55 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 15 Jun 2010 00:58:55 +0100 Subject: auto refresh-keys In-Reply-To: <4C165DD8.5020903@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> Message-ID: <955396815.20100615005855@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 14 June 2010 at 5:50:32 PM, in , Daniel Kahn Gillmor wrote: > Network or keyserver failures during an auto-refresh > should be accepted and the rest of the operation should > continue (though the last-refreshed time shouldn't be > updated). > What if the network and keyserver are both available, > but the keyserver has never heard of the key in > question? Same as Network or keyserver failure: there is no available auto-update, so warn and continue with the requested operations. - -- Best regards MFPA mailto:expires2010 at ymail.com Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTBbCQqipC46tDG5pAQrkfQQApS39GtHfr3BQU921e9jt7Zw3xqf5Iy5C r1YXdszWQfko9L3Rilup0vCwoLVf+t92S/XruzM0YaCpmi0zdJ2j+65Je0tLoq8c JAa9FCQ6YhXbxLLVzbo0uIKwZTgFBeaEjpkgJcIXiKx8w50snR2YFBrH+XUAczw+ /iN50W0cPYE= =SWv7 -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Tue Jun 15 02:46:30 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 14 Jun 2010 20:46:30 -0400 Subject: auto refresh-keys In-Reply-To: <12751866.20100615005433@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <4C1664BE.1080500@fifthhorseman.net> <12751866.20100615005433@my_localhost> Message-ID: <4C16CD66.7000509@fifthhorseman.net> On 06/14/2010 07:54 PM, MFPA wrote: > On Monday 14 June 2010 at 6:19:58 PM, in > , Daniel Kahn Gillmor wrote: >> The goal, again, is to avoid auto-refresh from chewing >> up too much space on the local disk. > > Although, of course, the certifications are all part of OxDECAFDAD.asc > and therefore are still dowmloaded and consume bandwidth. With isks in > excess of a terabyte, why bother expending the extra CPU cycles to > conserve a little disk space? Your disks might be in excess of a terabyte. The large majority of mine aren't. Even if mine were, given that i'd like to see GnuPG easily available on mobile telephones and similar devices, i think disk space is a relevant metric. And even on the machines i use or administer that do have disks in excess of 1TB, disk I/O is a regular source of bottlenecks. Writing useless material to disks in any regular fashion is behavior to avoid. Plus, if we can demonstrate that GnuPG cares about minimizing costs to the user in terms of disk space, we also stand in a better rhetorical position to encourage development (or adoption) of alternate keyserver fetch requests that could apply similar minimization heuristics to bandwidth. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From aldolat at gmail.com Tue Jun 15 07:09:40 2010 From: aldolat at gmail.com (Aldo Latino) Date: Tue, 15 Jun 2010 07:09:40 +0200 Subject: Test mail to aldolat@gmail.com In-Reply-To: References: Message-ID: 2010/6/11 Werner Koch > Sorry for the inconvenience, > No problem. -- Aldo Latino OpenPGP key: 4096R/0xA18E41E8 | bit.ly/keyDSA 84E2 2BC8 ABE3 DCC0 9F15 E511 4357 7ECD 4397 C730 -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Jun 15 09:18:44 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 15 Jun 2010 09:18:44 +0200 Subject: auto refresh-keys In-Reply-To: <4C165DD8.5020903@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 14 Jun 2010 12:50:32 -0400") References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> Message-ID: <87fx0o227f.fsf@vigenere.g10code.de> On Mon, 14 Jun 2010 18:50, dkg at fifthhorseman.net said: > here's a proposal: gpg could keep track of the last time it refreshed > any given key from a public keyserver. when the user tries to use that That is one of the reasons why we should move away from the pubring.gpg format. The new keybox format allows to store such meta data. I hope to finish the migration of secret keys to gpg-agent in a few weeks. After that has been done gpg can move to the keybox format. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From honia2002 at hotmail.com Mon Jun 14 18:30:02 2010 From: honia2002 at hotmail.com (Honia A) Date: Mon, 14 Jun 2010 12:30:02 -0400 Subject: =?windows-1256?Q?undefined_?= =?windows-1256?Q?symbol:_gc?= =?windows-1256?Q?ry=5Fmd=5Fhash?= =?windows-1256?Q?=5Fbuffer=FE?= Message-ID: Hi, (i think i previously sent this question to the wrong mailinglist) I am installing collectd-4.10.0 on a CentOS 5 machine: 1) Configured collectd: ./configure --with-librrd=/opt/rrdtool-1.4.3/ --with-liboping=/opt/oping --with-libnetlink=/home/username/iproute2-2.6.29-1 --with-libgcrypt=/usr/lib 2) make followed by make install 3) Configured collectd.conf and this is the network plugin: SecurityLevel "Sign" Username "client2" Password "password2" # TimeToLive "128" # Forward false # CacheFlush 1800 # ReportStats false 4) Restarted collectd and got the following error: Stopping collectd: [FAILED] Starting collectd: /opt/collectd/sbin/collectd: symbol lookup error: /opt/collectd/lib/collectd/network.so: undefined symbol: gcry_md_hash_buffer I looked everywhere to find the problem but had no luck. I installed the same version of collectd on another machine exactly the steps above but it went smoothly and had no problem. Can someone please help me with this? Thanks in advace, h _________________________________________________________________ The New Busy is not the old busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3 -------------- next part -------------- An HTML attachment was scrubbed... URL: From r_runner at poczta.onet.pl Tue Jun 15 18:34:39 2010 From: r_runner at poczta.onet.pl (Road Runner) Date: Tue, 15 Jun 2010 18:34:39 +0200 Subject: Test mail to ... In-Reply-To: <807355.98058.qm@web36301.mail.mud.yahoo.com> References: <807355.98058.qm@web36301.mail.mud.yahoo.com> Message-ID: <4C17AB9F.6090206@poczta.onet.pl> Werner's email was a good email to look for bots. Regards RR On 2010-06-13 16:24, FederalHill wrote: > I have been reading them and trying to understand this issue, I thought it was solved. > > > > > --- On Sun, 6/13/10, Road Runner wrote: > > > From: Road Runner > Subject: Re: Test mail to ... > To: "gnupg-users" > Date: Sunday, June 13, 2010, 10:19 AM > > > On 2010-06-11 09:38, Werner Koch wrote: >> Hi! >> >> One of the subscribers to this list created a mail forward to an >> automated ticketing system which responds to the the poster. The >> owner of the ticketing system at secure.mpcustomer.com does not >> respond to any of our queries to send us more information on the mails >> triggering the posting. Thus we need to send these test mails in the >> hope to figure out the culprit. >> >> Sorry for the inconvenience, >> >> Werner > > Like the others I'm living too. > > RR > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > From benjamin at py-soft.co.uk Tue Jun 15 18:51:23 2010 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue, 15 Jun 2010 17:51:23 +0100 Subject: FYI: About my test mails In-Reply-To: <87eiga2iax.fsf@vigenere.g10code.de> References: <87bpbh50zf.fsf@vigenere.g10code.de> <877hm54wyi.fsf@vigenere.g10code.de> <87eiga2iax.fsf@vigenere.g10code.de> Message-ID: <1719488456547294723@unknownmsgid> On 14 Jun 2010, at 08:18, Werner Koch wrote: >> Did alavarre at gmail.com ever get removed? > I can see no evidence that this address is abusing this ML. It was also forwarding to the MP Customer ticket system but now seems resolved. Ben From marcio.barbado at gmail.com Wed Jun 16 00:20:37 2010 From: marcio.barbado at gmail.com (M.B.Jr.) Date: Tue, 15 Jun 2010 19:20:37 -0300 Subject: Fwd: [Full-disclosure] Introducing TGP... In-Reply-To: References: Message-ID: Hello, there's this guy, named Timothy Mullen who recently released this TGP (Thor?s Godly Privacy) encryption utility for the cloud. Timothy wrote (note that his complete text goes forwarded below): "... I designed TGP with ?encryption for the cloud? in mind. ?That means that not only does TGP do everything your normal PGP-type applications do, but it does things a bit differently ? differently in a way that can change the way you work with your encrypted data. ?At the simplest level, this is done by encrypting data into byte arrays, and then converting those byte arrays into Base64 encoded text wrapped inside XML tags. ?In this way, not only do you get your typical file-based encrypted representation of your data, but you also get data that you can copy and paste directly into any email, mailing list, blog-page, or social networking site..." Have anyone tested it so far? How different can this XML wrapped byte array encryption be? Is this cloud oriented difference only about its XML capabilities? He continues: "... What I think is interesting about this is that if we choose to, we no longer have to be the custodians of our encrypted data ? we don?t have to worry about actually housing the files: we can just post them to the internet and let someone else assume the burden of storing the files for us... I can do the same with my keys..." Is this crazy stuff? Maybe I'm the one who's getting crazy (and old) for not accepting this so called "cloud" trendy paradigm driven by "megacorporations" but that seems weird to me even if I think of combining this guy's proposal with, say, that Diceware methodology. Comments are really welcome. Thank you, regards, ---------- Forwarded message ---------- From: Thor (Hammer of God) Date: Sun, Jun 13, 2010 at 6:44 PM Subject: [Full-disclosure] Introducing TGP... To: "full-disclosure at lists.grok.org.uk" This is what I?ve been talking about... Here is the first part of the docs I wrote up - make sure you see that I'm not yet supporting huge files unless you have huge RAM.? **.Net 4.0 Client profile is required to run this.** Right now the install bits are only available on the pilot site at: http://www.owa.hammerofgod.com in the downloads section.? ?I have to wait on Raging Haggis to return from Canada before posting on www.hammerofgod.com . Here's a bit from the TGP Overview document included with the install and on the web site.? Please read through it before asking silly questions. :) Also, feel free to hack it up as much as you would like.? I know this is full disclosure, so feel free to zing them at me, or if you prefer, I can work with you on any issues you might have. Remember, this is totally free, so my ability to handle custom requests will be limited.? For those looking to break it, I would look at fuzzing the XML documents and the "drag and drop public XML" parsing feature. If you have questions or challenges about any of the security, I would ask to keep it on the list so that everyone can get the full benefit of productive security development.? ?The read-me should pretty much lay everything out for you.? If not, we'll take it up from there. t TGP ? ?Thor?s Godly Privacy? 06/13/10 v1.1.06 TGP is a small yet very powerful encryption utility.? With all eyes on ?the cloud,? I decided to write an encryption application better suited to an environment where portability and security were, at the least, challenging.?? In cloud computing, not only is the use of file structures becoming more abstract, but the very concept of a ?file server? is becoming more and more ubiquitous. As such, I designed TGP with ?encryption for the cloud? in mind.? That means that not only does TGP do everything your normal PGP-type applications do, but it does things a bit differently ? differently in a way that can change the way you work with your encrypted data.? At the simplest level, this is done by encrypting data into byte arrays, and then converting those byte arrays into Base64 encoded text wrapped inside XML tags.? In this way, not only do you get your typical file-based encrypted representation of your data, but you also get data that you can copy and paste directly into any email, mailing list, blog-page, or social networking site. What I think is interesting about this is that if we choose to, we no longer have to be the custodians of our encrypted data ? we don?t have to worry about actually housing the files: we can just post them to the internet and let someone else assume the burden of storing the files for us. If I want to share encrypted files with someone or secure my own files, all I have to do is TGP encrypt the data I want, and post it to a mailing list somewhere.? In the case of a list like Bugtraq or Full Disclosure, the data is actually automatically replicated out to any number of archive sites, thus distributing my data for me.? I can literally be anywhere in the world and just do a quick search for my post to retrieve my data.? And since the TGP public key files are also text representations of encrypted key data, I can do the same with my keys. Normally, you want to keep your private keys as safe as possible. This is still the case with TGP.? However, it is trivial to build as many private keys as you wish to use for anything you want to use them for.? TGP Private Key files are password protected and individually salted, so with a strong passphrase you have very reasonable assurance that no one is going to get to your key any time soon.? So, you can create a private key with a strong password, post that, and then, say, encrypt a scan of your passport and post that.? Then if you are ever in a pinch while travelling or something like that, you can simply use Google or Bing to access your data wherever you are. Of course, that?s just an example, but I think it illustrates the power of encrypted file structures like this.? You can literally use Facebook to post encrypted documents that you don?t have to maintain. That?s really the main different between TGP and an application like PGP.? That and of course, TGP is free, and personally, I think PGP is tardware.? It?s bloated, it?s far too expensive, it?s hard to use, and if you don?t watch your licensing, you can get screwed hard like I did when I didn?t want to buy the extended support and one day my encrypted drives stopped working until I paid them.? That doesn?t fly. ?TGP also doesn?t require that you are an admin to install.? However, the .NET installer for the 4.0 client profile does ? that?s not my doing.? Regardless, here are the file structures TGP uses: Things that still suck about TGP Currently TGP uses a memory stream for the destination of the AES cryptostream.? This sucks because it makes the maximum file one can encrypt based on available memory.? It?s not a huge deal, but it does keep you from encrypting a gigabyte file.? I?ll be changing that soon. Timothy ?Thor? Mullen Hammer of God thor at hammerofgod.com www.hammerofgod.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Marcio Barbado, Jr. From rjh at sixdemonbag.org Wed Jun 16 03:00:30 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 15 Jun 2010 21:00:30 -0400 Subject: Fwd: [Full-disclosure] Introducing TGP... In-Reply-To: References:

Message-ID: <4C18222E.9060606@sixdemonbag.org> On 6/15/2010 6:20 PM, M.B.Jr. wrote: > there's this guy, named Timothy Mullen who recently released this TGP > (Thor?s Godly Privacy) encryption utility for the cloud. There is no formal spec for TGP which I've been able to find. I did not see any links to source on the site. While no source and no spec doesn't automatically mean TGP is bogus, it doesn't engender much confidence in the product. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From alavarre at gmail.com Wed Jun 16 04:06:42 2010 From: alavarre at gmail.com (C. Andrews Lavarre) Date: Tue, 15 Jun 2010 22:06:42 -0400 Subject: Gnupg-users Digest, Vol 81, Issue 19 In-Reply-To: References: Message-ID: <4C1831B2.1040000@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ben hello: >On 14 Jun 2010, at 08:18, Werner Koch wrote: >> >> Did alavarre at gmail.com ever get removed? > > I can see no evidence that this address is abusing this ML. > It was also forwarding to the MP Customer ticket system but now seems > resolved. =============== Please tell me more. When was this? I'd like not to be doing so and did not do so intentionally. =============== I suspected that I had a rootkit a couple of months ago, but reformatted the disk and reinstalled (OpenSUSE 11.2), use guarddog and rkhunter assiduously, with no indications of a problem. Haven't studied MUA reply protocols: https://wiki.mozilla.org/Thunderbird:Help_Documentation:Mail-Followup-To_and_Mail-Reply-To But shall do so now, to ensure I am not offending you or others. But at present I see no reply-to addresses in my headers. If I am doing so it is certainly unintentional, as I have only replied here once before, and that by accident, which may have triggered werner's comment. It was late and I was intending to reply to gnucash, not gnupg... So this is only my second knowingly posted transmission to the group, so if you are getting others then something is decidedly wrong. Please instruct me. Best regards, Andy Lavarre -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iJwEAQECAAYFAkwYMbIACgkQOMMPCS4qbIZznAP/Ze4xI7a/fsBqWDSw6vUvzSlg 5s0JhI/nYQVVlqEXIV6EM+qP8Ykf5IIhLnB7nTIJpmOrFAwoeLAG6XR5Eouk3EdJ 8ppZ+6qFvO+PHUq/G0/40ZB/EURrPlm46MkTfKcNvRl7VMjW7usDg9mmDuUS8OWe B5F0BlrD9BjcDHPoXXk= =hP49 -----END PGP SIGNATURE----- From mailinglisten at hauke-laging.de Wed Jun 16 09:46:05 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 16 Jun 2010 09:46:05 +0200 Subject: Fwd: [Full-disclosure] Introducing TGP... In-Reply-To: References:

Message-ID: <201006160946.22013.mailinglisten@hauke-laging.de> Am Mittwoch 16 Juni 2010 00:20:37 schrieb M.B.Jr.: > don?t have to worry about actually housing the files: we can just post > them to the internet and let someone else assume the burden of storing > the files for us... I can do the same with my keys..." > > Is this crazy stuff? No, because later he writes: > TGP Private Key files are password protected and individually > salted, so with a strong passphrase you have very reasonable assurance > that no one is going to get to your key any time soon. So it's more or less the same like GnuPG where you can export your keys and use symmetric encryption with a strong password for that file. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Wed Jun 16 11:47:55 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 16 Jun 2010 11:47:55 +0200 Subject: Gnupg-users Digest, Vol 81, Issue 19 In-Reply-To: <4C1831B2.1040000@gmail.com> (C. Andrews Lavarre's message of "Tue, 15 Jun 2010 22:06:42 -0400") References: <4C1831B2.1040000@gmail.com> Message-ID: <87vd9jwbp0.fsf@vigenere.g10code.de> On Wed, 16 Jun 2010 04:06, alavarre at gmail.com said: > But shall do so now, to ensure I am not offending you or others. But at > present I see no reply-to addresses in my headers. That was not the problem. The owner of support at resell.biz uses procmail/formail or similar to redirect certain incoming mails to the ticket system and someone subscribed this address to gnupg-users and a couple of other mailing lists. I don't know why Ben assumed that you did this; analyzing mail programs is not easy and can easily lead to false claims. Sorry for that. No action required by you. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Jun 16 11:56:57 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 16 Jun 2010 11:56:57 +0200 Subject: Compile PTH on AIX In-Reply-To: <28592272.post@talk.nabble.com> (beppecosta@yahoo.it's message of "Mon, 17 May 2010 23:57:38 -0700 (PDT)") References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> Message-ID: <87r5k7wb9y.fsf@vigenere.g10code.de> On Tue, 18 May 2010 08:57, beppecosta at yahoo.it said: > We understand that the problem is about FDSETSIZE. > PTH has been configured and compiled --with-fdsetsize=8192 Which should have installed a pth.h file with the test #if defined(FD_SETSIZE) #if FD_SETSIZE > 8192 #error "FD_SETSIZE is larger than what GNU Pth can handle." #endif #endif I assume that your system picked up the old pth.h header and not the one from the newly compiled pth. > However gnupg-2 doesn't recognize this option: > "configure: WARNING: unrecognized options: --with-fdsetsize" Not relevant. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From beppecosta at yahoo.it Wed Jun 16 14:39:47 2010 From: beppecosta at yahoo.it (beppecosta) Date: Wed, 16 Jun 2010 05:39:47 -0700 (PDT) Subject: Compile PTH on AIX In-Reply-To: <87r5k7wb9y.fsf@vigenere.g10code.de> References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> <87r5k7wb9y.fsf@vigenere.g10code.de> Message-ID: <28902331.post@talk.nabble.com> > should have installed a pth.h file with the test > #if defined(FD_SETSIZE) > I assume that your system picked up the old pth.h header and not the > one from the newly compiled pth. There are 2 pth.h. One is in "/pth.20.07", while the other is in "/usr/local/include" and both have the test /* check if the user requests a bigger FD_SETSIZE ..... #if defined(FD_SETSIZE) ..... -- View this message in context: http://old.nabble.com/Compile-PTH-on-AIX-tp28446986p28902331.html Sent from the GnuPG - User mailing list archive at Nabble.com. From expires2010 at ymail.com Wed Jun 16 19:03:19 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 16 Jun 2010 18:03:19 +0100 Subject: auto refresh-keys In-Reply-To: <4C16CD66.7000509@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <4C1664BE.1080500@fifthhorseman.net> <12751866.20100615005433@my_localhost> <4C16CD66.7000509@fifthhorseman.net> Message-ID: <33530061.20100616180319@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 15 June 2010 at 1:46:30 AM, in , Daniel Kahn Gillmor wrote: > On 06/14/2010 07:54 PM, MFPA wrote: >> On Monday 14 June 2010 at 6:19:58 PM, in >> , Daniel Kahn Gillmor wrote: >>> The goal, again, is to avoid auto-refresh from chewing >>> up too much space on the local disk. >> Although, of course, the certifications are all part >> of OxDECAFDAD.asc and therefore are still dowmloaded >> and consume bandwidth. With isks in excess of a >> terabyte, why bother expending the extra CPU cycles to >> conserve a little disk space? > Your disks might be in excess of a terabyte. The large > majority of mine aren't. I actually meant they are inexpensive and readily available, not that I have (or need) that size. > Even if mine were, given that > i'd like to see GnuPG easily available on mobile > telephones and similar devices, i think disk space is a > relevant metric. I wasn't thinking of mobile phones etc. In that scenario, disk space is scarce, and so is memory. Also, mobile internet speeds (the real speed, not the "up to" quoted by the network) are generally very slow compared to ADSL, although usually quicker than dialup. > disk I/O is a regular source of bottlenecks. Writing > useless material to disks in any regular fashion is > behavior to avoid. Ok... > Plus, if we can demonstrate that GnuPG cares about > minimizing costs to the user in terms of disk space, we > also stand in a better rhetorical position to encourage > development (or adoption) of alternate keyserver fetch > requests that could apply similar minimization > heuristics to bandwidth. What sort of alternate fetch requests do you envision? Fetch-minimal? Fetch-no-photos? - -- Best regards MFPA mailto:expires2010 at ymail.com Editing is a rewording activity -----BEGIN PGP SIGNATURE----- iQCVAwUBTBkD36ipC46tDG5pAQrqAQQApQzQplOtlV3b1g5cElub2d1FuxFQslnZ 7mi9+drx7WXuYCpLkuSniJiUhQDZcoER/ITE8CBCnM0brrqbRzTIhidPWFav/AOc EOEXfnqh56zOzoSxop6hES13ykJwWZSUcnpKR40RLnFpxAHGml+SwiPasPf6OzbM XuUQYAE4veo= =/Xuz -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Wed Jun 16 19:10:17 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 16 Jun 2010 13:10:17 -0400 Subject: auto refresh-keys In-Reply-To: <33530061.20100616180319@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <4C1664BE.1080500@fifthhorseman.net> <12751866.20100615005433@my_localhost> <4C16CD66.7000509@fifthhorseman.net> <33530061.20100616180319@my_localhost> Message-ID: <4C190579.40900@fifthhorseman.net> On 06/16/2010 01:03 PM, MFPA wrote: >> Plus, if we can demonstrate that GnuPG cares about >> minimizing costs to the user in terms of disk space, we >> also stand in a better rhetorical position to encourage >> development (or adoption) of alternate keyserver fetch >> requests that could apply similar minimization >> heuristics to bandwidth. > > What sort of alternate fetch requests do you envision? Fetch-minimal? > Fetch-no-photos? I was considering the same heuristics that i outlined here (though they'd be relative to the keys that they *keyserver* knows about, rather than the keys that the user knows about, of course). This would be a species of "fetch-reduced" Your "fetch-minimal" would probably only fetch the latest cryptographically-valid self-certifications made by the key itself (or its subkeys. This would facilitate fetching revocations, expiration updates, changes in algorithm preferences, etc. a "no-UATs" flag (what i think you mean by "no-photos") might also be useful in minimizing bandwidth if the mechanism doing the checking has no way of dealing with UATs. Do you have other suggestions? We should consider bringing a prioritized form of these to the sks-devel list. Probably "fetch-minimal" would have the best work-to-reward ratio, though it would involve teaching SKS about how to compute the crypto. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Wed Jun 16 19:25:01 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 16 Jun 2010 19:25:01 +0200 Subject: Compile PTH on AIX In-Reply-To: <28902331.post@talk.nabble.com> (beppecosta@yahoo.it's message of "Wed, 16 Jun 2010 05:39:47 -0700 (PDT)") References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> <87r5k7wb9y.fsf@vigenere.g10code.de> <28902331.post@talk.nabble.com> Message-ID: <87k4pyx53m.fsf@vigenere.g10code.de> On Wed, 16 Jun 2010 14:39, beppecosta at yahoo.it said: > /* check if the user requests a bigger FD_SETSIZE ..... > #if defined(FD_SETSIZE) ..... The next 2 is more important; the one below /usr/local should have a #if FD_SETSIZE > 8192 No? Then you did not install pth properly or gpg does not use the corresponding libpth.so Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mailinglisten at hauke-laging.de Wed Jun 16 21:26:11 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 16 Jun 2010 21:26:11 +0200 Subject: auto refresh-keys In-Reply-To: <4C190579.40900@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <33530061.20100616180319@my_localhost> <4C190579.40900@fifthhorseman.net> Message-ID: <201006162126.17550.mailinglisten@hauke-laging.de> Am Mittwoch 16 Juni 2010 19:10:17 schrieb Daniel Kahn Gillmor: > Do you have other suggestions? We should consider bringing a > prioritized form of these to the sks-devel list. A different approach might save even more bandwidth: Most keys do now change often. It is useless to download a key that has not changed. Thus the client could send a list of all keys it wants to check and the server could respond with a list of fingerprints and modification timestamps. If the server wants to do its job (without TLS) especially well then it signs this list and solves a today unsolved problem by that. This way you could even check whether a key update of yourself has reached a (non-TLS) key server. It would have to be decided whether this key server time stamp refers to the newest time stamp of a signature in the respective key (then the time stamp would be the same from all key servers and the client could check the local key to find out whether it has the current key) or to the timestamp of the last update on the key server (which would require the client to store the timestamp of the last key download for every key server). CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Wed Jun 16 23:21:23 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 16 Jun 2010 22:21:23 +0100 Subject: auto refresh-keys In-Reply-To: <4C190579.40900@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <4C1664BE.1080500@fifthhorseman.net> <12751866.20100615005433@my_localhost> <4C16CD66.7000509@fifthhorseman.net> <33530061.20100616180319@my_localhost> <4C190579.40900@fifthhorseman.net> Message-ID: <1973976580.20100616222123@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 16 June 2010 at 6:10:17 PM, in , Daniel Kahn Gillmor wrote: > On 06/16/2010 01:03 PM, MFPA wrote: >> What sort of alternate fetch requests do you envision? >> Fetch-minimal? Fetch-no-photos? > I was considering the same heuristics that i outlined > here (though they'd be relative to the keys that they > *keyserver* knows about, rather than the keys that the > user knows about, of course). This would be a species > of "fetch-reduced" So, discard all certifications made by keys not on the server, all but the latest certification from each key, unknown/weak algos etc, as per your earlier message in this thread. I'm having difficult deciding why this would still be all that useful, when it has to be informed by which keys the keyserver recognises rather than which are recognised by the user. > Your "fetch-minimal" would probably only fetch the > latest cryptographically-valid self-certifications made > by the key itself (or its subkeys. This would > facilitate fetching revocations, expiration updates, > changes in algorithm preferences, etc. This seems to me the most appropriate "fetch" for an auto-refresh function, as well as good for use where storage and/or bandwidth are limited. > a "no-UATs" flag (what i think you mean by "no-photos") > might also be useful in minimizing bandwidth if the > mechanism doing the checking has no way of dealing with > UATs. Even if the mechanism doing the checking did support UATs, there are enough keys around with (for example) inappropriately large images to make this a valuable option where storage/bandwidth are under pressure or where data transfer is metered and expensive... > Do you have other suggestions? We should consider > bringing a prioritized form of these to the sks-devel > list. Probably "fetch-minimal" would have the best > work-to-reward ratio, though it would involve teaching > SKS about how to compute the crypto. Would the certifications all be analysed by the server "on the fly" before returning the requested key? If so, what are the likely implications for increased server workload and fetch request processing times? Maybe the analysis would sit better at the point of uploading the key? I mean:- 1. the key is uploaded to the server. 2. the server analyses the key and generates the alternative versions (minimal, reduced, no-UATs etc) 3. the several versions are hosted, and the form of the fetch request determines which version is served. 4. there may be some merit in periodically re-analysing the certifications on stored keys to refresh the modified versions, eg the reduced version may change due to keys being uploaded to the server that have already certified that key. What happens if the fetch request for something other than the full version comes after (1) but before (2) is completed? Is it best to return the full version in that event (perhaps subject to a cut-off size)? Should (2) be completed as soon as (1) or added to a queue to be processed periodically in batches? When the server receives a new or updated key through synchronising with another server, should the modified key versions be passed along as well? If so, should the receiving server use these just in the interim until it has calculated its own modified versions? - -- Best regards MFPA mailto:expires2010 at ymail.com What's another word for synonym? -----BEGIN PGP SIGNATURE----- iQCVAwUBTBlAYqipC46tDG5pAQpUUAQAr1BehvzOnTbaximLahgfjluGm8ncBal8 1rSDj09uXLQaUO02uSeDmvPv5hSuZ4u5OCD2fRYvuGj7/Y2mki989gr0/gy9g8Ci tUFsBDLVtF6nVBG9XydX3MD1q1veGcz/QdMm9ptEwokhsD3sHcVMLcwPDXcQpe2O zTF8SYDnlOE= =n0gp -----END PGP SIGNATURE----- From honia2002 at hotmail.com Wed Jun 16 20:01:48 2010 From: honia2002 at hotmail.com (honi@) Date: Wed, 16 Jun 2010 11:01:48 -0700 (PDT) Subject: =?UTF-8?Q?Re:_undefined_symbol:_gcry=5Fmd=5Fhash=5Fbuffer=E2=80=8F?= In-Reply-To: References: Message-ID: <28905755.post@talk.nabble.com> Can anyone please help me with this? Thanks in advance -- View this message in context: http://old.nabble.com/undefined-symbol%3A-gcry_md_hash_buffer%E2%80%8F-tp28889767p28905755.html Sent from the GnuPG - User mailing list archive at Nabble.com. From beppecosta at yahoo.it Thu Jun 17 11:29:05 2010 From: beppecosta at yahoo.it (beppecosta) Date: Thu, 17 Jun 2010 02:29:05 -0700 (PDT) Subject: Compile PTH on AIX In-Reply-To: <87k4pyx53m.fsf@vigenere.g10code.de> References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> <87r5k7wb9y.fsf@vigenere.g10code.de> <28902331.post@talk.nabble.com> <87k4pyx53m.fsf@vigenere.g10code.de> Message-ID: <28912285.post@talk.nabble.com> >The next 2 is more important; the one below /usr/local should have a > #if FD_SETSIZE > 8192 YES - All pth.h have these lines : #define PTH_VERSION_STR "2.0.7 (08-Jun-2006)" .... /* check if the user requests a bigger FD_SETSIZE than we can handle */ #if defined(FD_SETSIZE) #if FD_SETSIZE > 8192 #error "FD_SETSIZE is larger than what GNU Pth can handle." #endif #endif -- View this message in context: http://old.nabble.com/Compile-PTH-on-AIX-tp28446986p28912285.html Sent from the GnuPG - User mailing list archive at Nabble.com. From knottnhupfer at gmail.com Thu Jun 17 11:05:42 2010 From: knottnhupfer at gmail.com (dave) Date: Thu, 17 Jun 2010 11:05:42 +0200 Subject: verifying secret key while import Message-ID: Hi, I'm trying to import secret keys from a file and at the same time I would like to verify if the user has the passphrases for the secret keys. Is there a way to check the key ID before importing the secret key? Then I could first ask for the secret keys ID in the exported file, next send to the user a request for the passphrase for each secret key and finally import and verify all secret keys. Unfortunately the --dry-run flag doesn't show the ID ... thx in advance /david -- "Zwei Dinge sind unendlich: das Universum und die menschliche Dummheit; aber bei dem Universum bin ich mir noch nicht ganz sicher (Albert Einstein)." From dkg at fifthhorseman.net Thu Jun 17 16:15:24 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Jun 2010 10:15:24 -0400 Subject: undefined symbol: =?UTF-8?B?Z2NyeV9tZF9oYXNoX2J1ZmZlcuKAjw==?= In-Reply-To: References: Message-ID: <4C1A2DFC.5030100@fifthhorseman.net> On 06/14/2010 12:30 PM, Honia A wrote: > > Hi, (i think i previously sent this question to the wrong mailinglist) no, you went it on the right one first -- this is a gcrypt question, not a gnupg question. i've answered you on gcrypt-devel. Sorry that no one else has answered in the meantime.s --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From asger at e-advice.dk Thu Jun 17 15:23:37 2010 From: asger at e-advice.dk (Asger Larsen) Date: Thu, 17 Jun 2010 15:23:37 +0200 Subject: Importing public key in OpenGPG - error. MAC OS X Message-ID: Hello! Some keys I cannot import, others OK. See attachments Both sending computer and receiving computer use: gpgme: 0.3.14 Thunderbird mail client 3.0.4 (enigmail 1.0.1 Add-on) Mac OS X Snowleopard 10.6.4 Typically Public keys which are exported as file are OK. If you just rightclick the key and choose: "send as e-mail": not possible to import. Hope for help! Asger -- "New Website System (Joomla CMS) now available on e-advice webserver: http://www.e-advice.dk. Please contact us for more info" From pgorugantu at APUS.EDU Thu Jun 17 15:59:46 2010 From: pgorugantu at APUS.EDU (Gorugantu, Prakash) Date: Thu, 17 Jun 2010 09:59:46 -0400 Subject: Can we use GNUPG with PGP for commercial use Message-ID: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> Hi, Our project has a requirement where we need to pull a file using PGP encryption/decryption from one of our clients ftp servers. Please let us know if we can use GNUPG to encrypt/decrypt files with PGP. We read somewhere in your licensing agreement that GNUPG for PGP is only for non-commercial use and we have to purchase it from PGP Corp. if we have to use it. Thanks, Prakash -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Thu Jun 17 18:21:32 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Jun 2010 12:21:32 -0400 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> Message-ID: <4C1A4B8C.4090604@fifthhorseman.net> Hi Prakash-- On 06/17/2010 09:59 AM, Gorugantu, Prakash wrote: > Our project has a requirement where we need to pull a file using PGP > encryption/decryption from one of our clients ftp servers. Please let us > know if we can use GNUPG to encrypt/decrypt files with PGP. We read > somewhere in your licensing agreement that GNUPG for PGP is only for > non-commercial use and we have to purchase it from PGP Corp. if we have > to use it. GnuPG is a tool which provides an RFC 4880-compliant implementation of the OpenPGP standard. It is free software (under the terms of the General Public License), and you can use it for whatever purposes you want. It is interoperable with other OpenPGP implementations which comply with RFC 4880. PGP is a proprietary tool sold by PGP Corp. It also implements the OpenPGP standard, and should interoperate with GnuPG (and other OpenPGP implemetnations), as far as i understand it. I do not know specifically what PGP Corp's licensing restrictions are for their PGP tool. You should probably ask them directly; this list is a GnuPG discussion list, and has no affiliation with PGP Corp. Hope this helps answer your question, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From joke at seiken.de Thu Jun 17 18:45:19 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 17 Jun 2010 18:45:19 +0200 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <4C1A4B8C.4090604@fifthhorseman.net> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> <4C1A4B8C.4090604@fifthhorseman.net> Message-ID: <201006171845.21856.joke@seiken.de> On Thursday 17 June 2010 18:21:32 Daniel Kahn Gillmor wrote: > Hi Prakash-- > > On 06/17/2010 09:59 AM, Gorugantu, Prakash wrote: > > Our project has a requirement where we need to pull a file using PGP > > encryption/decryption from one of our clients ftp servers. Please let us > > know if we can use GNUPG to encrypt/decrypt files with PGP. We read > > somewhere in your licensing agreement that GNUPG for PGP is only for > > non-commercial use and we have to purchase it from PGP Corp. if we have > > to use it. > > GnuPG is a tool which provides an RFC 4880-compliant implementation of > the OpenPGP standard. It is free software (under the terms of the > General Public License), and you can use it for whatever purposes you > want. It is interoperable with other OpenPGP implementations which > comply with RFC 4880. > > PGP is a proprietary tool sold by PGP Corp. It also implements the > OpenPGP standard, and should interoperate with GnuPG (and other OpenPGP > implemetnations), as far as i understand it. I do not know specifically > what PGP Corp's licensing restrictions are for their PGP tool. You > should probably ask them directly; this list is a GnuPG discussion list, > and has no affiliation with PGP Corp. > > Hope this helps answer your question, > > --dkg Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You can't sue anyone if GnuPG does not do what it's supposed to do. If you need commercial support and liability stick to PGP and pay for it. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Thu Jun 17 19:00:21 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 17 Jun 2010 13:00:21 -0400 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <201006171845.21856.joke@seiken.de> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> <4C1A4B8C.4090604@fifthhorseman.net> <201006171845.21856.joke@seiken.de> Message-ID: <4C1A54A5.5020206@fifthhorseman.net> On 06/17/2010 12:45 PM, Joke de Buhr wrote: > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You can't sue > anyone if GnuPG does not do what it's supposed to do. If your goal is to be able to sue someone over proprietary software, i strongly advise you to read the relevant EULA first: http://www.pgp.com/products/eula.html section 9 in particular is illuminating about the scope and duration of whatever minimal warranty you get from having purchased a license. > If you need commercial support and liability stick to PGP and pay for it. If you need commercial support, there is no reason to avoid free software. Several companies offer commercial support for GnuPG: http://www.gnupg.org/service.en.html Please don't spread the false idea that only proprietary software is available with commercial support. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From Dave.Smith at st.com Thu Jun 17 18:15:23 2010 From: Dave.Smith at st.com (David Smith) Date: Thu, 17 Jun 2010 17:15:23 +0100 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> Message-ID: <4C1A4A1B.9080303@st.com> Gorugantu, Prakash wrote: > Our project has a requirement where we need to pull a file using PGP > encryption/decryption from one of our clients ftp servers. Please let us > know if we can use GNUPG to encrypt/decrypt files with PGP. We read > somewhere in your licensing agreement that GNUPG for PGP is only for > non-commercial use and we have to purchase it from PGP Corp. if we have > to use it. GnuPG and PGP are different tools. PGP is a commercial tool, although some versions of it are free for non-commercial use. GnuPG is a FOSS (Free, Open Source Software) tool released under the GNU General Public License (GPL), and it can therefore be used free-of-charge for both commercial and non-commercial use. GnuPG and PGP are generally compatible with each other (i.e. a file encrypted with PGP can be decrypted with GnuPG and vice-versa), as they both work to a publicly-defined standard. HTH & HAND. From joke at seiken.de Thu Jun 17 19:51:38 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 17 Jun 2010 19:51:38 +0200 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <4C1A54A5.5020206@fifthhorseman.net> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> <201006171845.21856.joke@seiken.de> <4C1A54A5.5020206@fifthhorseman.net> Message-ID: <201006171951.40684.joke@seiken.de> On Thursday 17 June 2010 19:00:21 Daniel Kahn Gillmor wrote: > On 06/17/2010 12:45 PM, Joke de Buhr wrote: > > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You > > can't sue anyone if GnuPG does not do what it's supposed to do. > > If your goal is to be able to sue someone over proprietary software, i > strongly advise you to read the relevant EULA first: > > http://www.pgp.com/products/eula.html > > section 9 in particular is illuminating about the scope and duration of > whatever minimal warranty you get from having purchased a license. As far as I remember the software needs to do mostly what it's supposed to do. It should do at least some kind of encryption and start without segfaulting. And advertised features need to be included and working. In Germany some court ruled what certain parts of EULAs do not even apply. And if you're legal region is the USA there might be a possibility you can sue PGP if the color of their icons is to bright and you get blinded. Nevertheless legal departments of companies like to work with over companies just to pretend there is someone who can be sued. And project managers like know what support hotline to phone if something went wrong. > > If you need commercial support and liability stick to PGP and pay for it. > > If you need commercial support, there is no reason to avoid free > software. Several companies offer commercial support for GnuPG: > > http://www.gnupg.org/service.en.html > > Please don't spread the false idea that only proprietary software is > available with commercial support. > > Regards, > > --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Thu Jun 17 20:27:47 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 17 Jun 2010 19:27:47 +0100 Subject: Importing public key in OpenGPG - error. MAC OS X In-Reply-To: References: Message-ID: <1983679122.20100617192747@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 17 June 2010 at 2:23:37 PM, in , Asger Larsen wrote: > Hello! Some keys I cannot import, others OK. See > attachments I see no attachments. As far as I remember, this list removes attachments. > Both sending computer and receiving > computer use: gpgme: 0.3.14 Thunderbird mail client > 3.0.4 (enigmail 1.0.1 Add-on) Mac OS X Snowleopard > 10.6.4 > Typically Public keys which are exported as file are > OK. If you just rightclick the key and choose: "send as > e-mail": not possible to import. > Hope for help! Asger When you say "not possible to import," do you mean you see some sort of error message? Providing the details would make it easier for people to help you. (I do not use any of the software you listed above.) - -- Best regards MFPA mailto:expires2010 at ymail.com An idealist is a person who helps other people to be prosperous -----BEGIN PGP SIGNATURE----- iQCVAwUBTBppLaipC46tDG5pAQoxOgQAvCraeBMmaIeHBVa532pthIe8VlwP1/xY hM1GF/aZF8wblUnGWx6XReqzvEJNgyceOHyHR52FYfnpliDtS2yMduQypO7b72go V1JnLG21mN7XYRnajYyghSnjRXzN0EmBBczxZdCtY5/w1N1OOEqo9t4qMKB7xIPM pLyTAB0uyrM= =PIeW -----END PGP SIGNATURE----- From expires2010 at ymail.com Thu Jun 17 21:23:40 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 17 Jun 2010 20:23:40 +0100 Subject: auto refresh-keys In-Reply-To: <201006162126.17550.mailinglisten@hauke-laging.de> References: <87d3w6n1kh.fsf@algae.riseup.net> <33530061.20100616180319@my_localhost> <4C190579.40900@fifthhorseman.net> <201006162126.17550.mailinglisten@hauke-laging.de> Message-ID: <744785252.20100617202340@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 16 June 2010 at 8:26:11 PM, in , Hauke Laging wrote: > Am Mittwoch 16 Juni 2010 19:10:17 schrieb Daniel Kahn > Gillmor: >> Do you have other suggestions? We should consider >> bringing a prioritized form of these to the sks-devel >> list. > A different approach might save even more bandwidth: > Most keys do now change often. It is useless to > download a key that has not changed. A key may be sitting on a non-synchronising server that has not been modified at all recently but contains certifications not on my local copy. The key has not changed but contains information not in my copy. Downloading it is not useless. > Thus the client could send a list of all keys it wants > to check and the server could respond with a list of > fingerprints and modification timestamps. In the case of a key flagged with a preferred keyserver-URL, the "keyserver-url" may just point to a key file. Does the client just receive the file, or can it see the last modification date and terminate the connection without downloading the file? > If the server wants to do its job (without TLS) > especially well then it signs this list and solves a > today unsolved problem by that. Please expand. > This way you could even > check whether a key update of yourself has reached a > (non-TLS) key server. Why/does the keyserver signing its list make a difference to that? > It would have to be decided whether this key server > time stamp refers to the newest time stamp of a > signature in the respective key This would be a security problem in the event that somebody uploads to the servers a revocation certificate they had prepared in advance; this revocation would be overlooked if the latest modification date of the key were taken to be newest time stamp of a signature. > (then the time stamp > would be the same from all key servers and the client > could check the local key to find out whether it has > the current key) Assuming all the servers the user ever checks against are synchronised. Also assuming the certification to be uploaded most recently to the servers always equates the one containing the latest time-stamp. > or to the timestamp of the last update > on the key server (which would require the client to > store the timestamp of the last key download for every > key server). If the client could reliably tell from the server's response that it synchronised with a particular group-ID of keyservers, the client would need only the timestamp for the last time that key was downloaded from a member of that group. Probably easier to store the info per synchronising group-ID than per individual keyserver, but still a major undertaking if you are storing it for all the keys on a large keyring. (Maybe the file of which servers synchronise with which others should be a local file rather than relying on what the servers tell you.) - -- Best regards MFPA mailto:expires2010 at ymail.com Oven mitt: A partially charred grease stain that fits over the hand. -----BEGIN PGP SIGNATURE----- iQCVAwUBTBp2RKipC46tDG5pAQoq0AP/VkqhnPRzaPc8pzTCCSLFOnBi4PUGhuJf sPZqTeyUzXAhhkmjx7kpqdU0wuIV7dXAGiJmyQIJfx8lK7Slgg0G7ZlDBVrboCOe cBm/xnwOsKW2Tk6duZ5ojvzuQaUQ3g7SbarJVmhwGc0lJc5UeBxDdB63et+M9gBx iYsnoKD6swk= =/MYK -----END PGP SIGNATURE----- From mlb at imparisystems.com Thu Jun 17 21:07:49 2010 From: mlb at imparisystems.com (mlb at imparisystems.com) Date: Thu, 17 Jun 2010 13:07:49 -0600 Subject: Can we use GNUPG with PGP for commercial use In-Reply-To: <201006171951.40684.joke@seiken.de> References: <07A4DA369831C2449F0527BFB88DECCD0DB2ED5E@STEXCH.amunet.edu> <201006171845.21856.joke@seiken.de> <4C1A54A5.5020206@fifthhorseman.net> <201006171951.40684.joke@seiken.de> Message-ID: <0ab2ae1c340bb73fdbcebef806bbd4d2@imparisystems.com> On Thu, 17 Jun 2010 19:51:38 +0200, Joke de Buhr wrote: > On Thursday 17 June 2010 19:00:21 Daniel Kahn Gillmor wrote: >> On 06/17/2010 12:45 PM, Joke de Buhr wrote: >> > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You >> > can't sue anyone if GnuPG does not do what it's supposed to do. >> >> If your goal is to be able to sue someone over proprietary software, i >> strongly advise you to read the relevant EULA first: >> >> http://www.pgp.com/products/eula.html >> >> section 9 in particular is illuminating about the scope and duration of >> whatever minimal warranty you get from having purchased a license. > > As far as I remember the software needs to do mostly what it's supposed to > do. > It should do at least some kind of encryption and start without > segfaulting. > And advertised features need to be included and working. > > In Germany some court ruled what certain parts of EULAs do not even apply. > And if you're legal region is the USA there might be a possibility you can > sue > PGP if the color of their icons is to bright and you get blinded. > > Nevertheless legal departments of companies like to work with over > companies > just to pretend there is someone who can be sued. And project managers > like > know what support hotline to phone if something went wrong. > I've bought software at companies like MCI, IBM and a couple of others. They just care if there's a contract and the contract is legal - meaning "I'm paying for software "X" and you're going to deliver it this way" or "You're going to come and install this software and it's going to work as you advertised or you will refund our money". I'm working for more and more companies that are getting open source software - not just OS's, but things like KnowledgeTree, Alfresco and Pentaho. I work and live in the United States and I'm not going to even guess about any other country and their laws. Certainly, if you work for someone who doesn't like open source - you'll get every kind of excuse from Monday and their arguments are all about as reasonable as a schizophrenic homeless person could offer up. Basically, companies are all about making money and at some point somebody will realize that they can get Pentaho BI or Talend up and running for about 1/10th the price of some Oracle solution and they'll take the risk for the cash. My humble opinion.... >> > If you need commercial support and liability stick to PGP and pay for >> > it. >> >> If you need commercial support, there is no reason to avoid free >> software. Several companies offer commercial support for GnuPG: >> >> http://www.gnupg.org/service.en.html >> >> Please don't spread the false idea that only proprietary software is >> available with commercial support. >> >> Regards, >> >> --dkg From mailinglisten at hauke-laging.de Thu Jun 17 22:14:55 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Thu, 17 Jun 2010 22:14:55 +0200 Subject: auto refresh-keys In-Reply-To: <744785252.20100617202340@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006162126.17550.mailinglisten@hauke-laging.de> <744785252.20100617202340@my_localhost> Message-ID: <201006172215.01214.mailinglisten@hauke-laging.de> Am Donnerstag 17 Juni 2010 21:23:40 schrieb MFPA: > > A different approach might save even more bandwidth: > > Most keys do now change often. It is useless to > > download a key that has not changed. > > A key may be sitting on a non-synchronising server that has not been > modified at all recently but contains certifications not on my local > copy. The key has not changed but contains information not in my copy. > Downloading it is not useless. My aim was not to prevent the first unnecessary download but the others. Download it once from every keyserver and store the timestamp for every server. Something I forgot: The keyserver should not update the timestamp for a key just because of a new upload. The timestamp should be modified only if the key is modified somehow. > In the case of a key flagged with a preferred keyserver-URL, the > "keyserver-url" may just point to a key file. Does the client just > receive the file, or can it see the last modification date and > terminate the connection without downloading the file? As I was talking about a keyserver feature I just don't care about non- keyserver scenarios. In general it might be possible to create similar optimizations for other transport (application) protocols. If it's an http URL then gpg might store the etag or timestamp and use If- None-Match or If-Modified-Since in the request. But isn't this a rather exotic case? How many keys are configured that way? Are their owners to be freed from unnecessary traffic...? I would advise to care about the keyservers first. > > If the server wants to do its job (without TLS) > > especially well then it signs this list and solves a > > today unsolved problem by that. > > Please expand. If your keyservers don't support TLS (I have no idea whether the important ones use it) then you are open to a MitM attack when checking them. If the response is signed then you are not (if you are sure about the signing key :-) ). One more advantage: The signed response could be distributed among several systems of the same user or several users with similar keyrings. This would result in omitted or smaller requests (containing just those IDs not covered by the response). Several users might even combine their ID wishlist so that only one of them has to ask the keyserver. > > This way you could even > > check whether a key update of yourself has reached a > > (non-TLS) key server. > > Why/does the keyserver signing its list make a difference to that? MitM again. If you upload a changed key you cannot be sure (without TLS) whether it has arrived at the keyserver or just at one of the bad guys. > > It would have to be decided whether this key server > > time stamp refers to the newest time stamp of a > > signature in the respective key > > This would be a security problem in the event that somebody uploads to > the servers a revocation certificate they had prepared in advance; > this revocation would be overlooked if the latest modification date of > the key were taken to be newest time stamp of a signature. Right. So the keyserver would use the timestamp of the latest change at it > If the client could reliably tell from the server's response that it > synchronised with a particular group-ID of keyservers, the client > would need only the timestamp for the last time that key was > downloaded from a member of that group. Probably easier to store the > info per synchronising group-ID than per individual keyserver, but > still a major undertaking if you are storing it for all the keys on a > large keyring. Look at it the other way round: The more keys there are in the keyring the more bandwith is saved. I am convinced that users with large keyrings have enough local storage for that... Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From lopaki at gmail.com Thu Jun 17 20:16:48 2010 From: lopaki at gmail.com (Scott Lambdin) Date: Thu, 17 Jun 2010 14:16:48 -0400 Subject: encryption bloats file In-Reply-To: <20090110034954.GA4666@jabberwocky.com> References: <529e76830901091233s6f4a8a15v18823a1319764007@mail.gmail.com> <529e76830901091933m409b7dcdj508412264f7524a5@mail.gmail.com> <20090110034954.GA4666@jabberwocky.com> Message-ID: The vender told our trading partner their PGP software bloats the file and that is just the way it is. I do not understand how the encrypted file (or the file that contains the encrypted file) can be over twice the size of the original, when the senders believe they have used compression. I also wonder why gpg doesn't report whatever extra junk exists in the file. --Scott $ gpg --list-packets archive/somefile.061610.081519.pgp gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information :pubkey enc packet: version 3, algo 1, keyid BOOBFACEB00BFACE data: [2048 bits] You need a passphrase to unlock the secret key for user: "Bob Lawblaw " 2048-bit RSA key, ID B00BFACE, created 1846-17-15 :encrypted data packet: length: 50160977 gpg: encrypted with 2048-bit RSA key, ID B00BFACE, created 1846-17-15 "Bob Lawblaw " :compressed packet: algo=1 :literal data packet: mode t (74), created 1509949440, name="BLAH.BLAHBLAH.BLA.BLAHBL", raw data: 271163905 bytes gpg: WARNING: message was not integrity protected $ On Fri, Jan 9, 2009 at 11:49 PM, David Shaw wrote: > On Fri, Jan 09, 2009 at 10:33:52PM -0500, Scott Lambdin wrote: > > I found a file in rejects, but it may be partial. It gives us some > > information, though. > > > > The pgp file was 406184088 bytes and unencrypted is 175246253 bytes. > > > > gpg -v -v -o a_file.out -d a_file.pgp > > > > gpg: armor: BEGIN PGP MESSAGE > > gpg: armor header: Version: McAfee E-Business Server v7.5 - Full License > > :pubkey enc packet: version 3, algo 1, keyid 123456789012345 > > data: [2047 bits] > > gpg: public key is ABCD1234 > > You need a passphrase to unlock the secret key for > > user: "Janeane Garofalo " > > 2048-bit RSA key, ID ABCD4321 > > > > gpg: public key encrypted data: good DEK > > :encrypted data packet: > > length: 42097820 > > gpg: encrypted with 2048-bit RSA key, ID ABCD4321 > > gpg: IDEA encrypted data > > :compressed packet: algo=1 > > :literal data packet: > > mode t (74), created 1509949440, name="file-100-1", > > raw data: 227869810 bytes > > gpg: original file name="file100" > > gpg: no valid OpenPGP data found. > > gpg: fatal: zlib inflate problem: invalid block type > > secmem usage: 2208/4704 bytes in 5/15 blocks of pool 4960/32768 > > That's helpful, as it indicates that the file was corrupt. This could > explain why an encrypted file is so much larger than the decrypted > file - the decrypted file is truncated because the decryption failed > partway through. Of course, that could just be this rejected file. > > Can you check if your real file has some non-OpenPGP cruft glued to > the end of it? > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- There's a box? -------------- next part -------------- An HTML attachment was scrubbed... URL: From hamilric at us.ibm.com Fri Jun 18 00:04:41 2010 From: hamilric at us.ibm.com (Richard Hamilton) Date: Thu, 17 Jun 2010 16:04:41 -0600 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) Message-ID: I am out of the office until 06/24/2010. I am out of the office until Thursday June 24th. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at Robert.Olson at williams.com. I will have limited mail and cell phone access. Note: This is an automated response to your message "Re: Can we use GNUPG with PGP for commercial use" sent on 6/17/10 10:21:32. This is the only notification you will receive while this person is away. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Fri Jun 18 01:21:32 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 17 Jun 2010 19:21:32 -0400 Subject: encryption bloats file In-Reply-To: References: <529e76830901091233s6f4a8a15v18823a1319764007@mail.gmail.com> <529e76830901091933m409b7dcdj508412264f7524a5@mail.gmail.com> <20090110034954.GA4666@jabberwocky.com> Message-ID: <4C1AADFC.8050802@sixdemonbag.org> On 6/17/2010 2:16 PM, Scott Lambdin wrote: > The vender told our trading partner their PGP software bloats the file > and that is just the way it is. I do not understand how the encrypted > file (or the file that contains the encrypted file) can be over twice > the size of the original, when the senders believe they have used > compression. This is not unheard of. First, compression only works when the data hasn't already been compressed. Many data formats (.jpgs, .pdfs, etc.) incorporate compression, and so cannot be further reduced. Second, if the sender is using ASCII armoring for their message, that will result in an enormous increase in file size. (On the plus side, it means the message is a text message, which is more convenient for some purposes.) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From expires2010 at ymail.com Fri Jun 18 02:10:22 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 18 Jun 2010 01:10:22 +0100 Subject: auto refresh-keys In-Reply-To: <201006172215.01214.mailinglisten@hauke-laging.de> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006162126.17550.mailinglisten@hauke-laging.de> <744785252.20100617202340@my_localhost> <201006172215.01214.mailinglisten@hauke-laging.de> Message-ID: <1929905668.20100618011022@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 17 June 2010 at 9:14:55 PM, in , Hauke Laging wrote: >> A key may be sitting on a non-synchronising server >> that has not been modified at all recently but >> contains certifications not on my local copy. The key >> has not changed but contains information not in my >> copy. Downloading it is not useless. > My aim was not to prevent the first unnecessary > download but the others. Download it once from every > keyserver and store the timestamp for every server. I was only trying to point out that it might not be useless to download a key that hasn't changed. > Something I forgot: The keyserver should not update the > timestamp for a key just because of a new upload. The > timestamp should be modified only if the key is > modified somehow. I'd presumed that, but it is worth stating. >> In the case of a key flagged with a preferred >> keyserver-URL, the "keyserver-url" may just point to a >> key file. Does the client just receive the file, or >> can it see the last modification date and terminate >> the connection without downloading the file? > As I was talking about a keyserver feature I just don't > care about non- keyserver scenarios. In general it > might be possible to create similar optimizations for > other transport (application) protocols. > If it's an http URL then gpg might store the etag or > timestamp and use If- None-Match or If-Modified-Since > in the request. But isn't this a rather exotic case? > How many keys are configured that way? I don't know how common or uncommon it might be. I just know that, of the keys in my keyring of about 400 keys, I have noticed more deviations away from my default keyserver to key.asc files than to alternate keyservers. I don't spend a lot of time watching the screen when I refresh all keys, so my observation is not in the least scientific. And even if it was, my sample size would be orders of magnatude too small. (-; > Are their owners > to be freed from unnecessary traffic...? > I would advise to care about the keyservers first. I was actually caring about the user who is refreshing the key; it would be good to avoid un-necessary data transfer/processing/storage whether the key is on a keyserver, hosted on the creater's website or on BigLumber. Since the bulk of key downloads are probably from servers, that is the first place to look for efficiencies in this respect. But the other scenarios and hosting/download platforms merit consideration from the start. >> > If the server wants to do its job (without TLS) > >> especially well then it signs this list and solves a > >> today unsolved problem by that. >> Please expand. > If your keyservers don't support TLS (I have no idea > whether the important ones use it) then you are open to > a MitM attack when checking them. If the response is > signed then you are not (if you are sure about the > signing key :-) ). OK, up to a point. But the web of trust should thwart this MitM attack. Or am I missing something? > One more advantage: The signed response could be > distributed among several systems of the same user or > several users with similar keyrings. This would result > in omitted or smaller requests (containing just those > IDs not covered by the response). A user with several systems could use common keyrings. Or his own local keyserver. Or just export all keys from the keyring he has just updated and import them into each of his other keyrings. (I'm guessing/hoping the new keybox format allows identification of all keys modified since a particular time/date, so that just those could be exported/imported when doing that.) > Several users might > even combine their ID wishlist so that only one of them > has to ask the keyserver. Possibly in a corporate or group setting, where one person could refresh the keyring and push the update to his colleagues? >> > This way you could even > check whether a key update >> of yourself has reached a > (non-TLS) key server. >> Why/does the keyserver signing its list make a >> difference to that? > MitM again. If you upload a changed key you cannot be > sure (without TLS) whether it has arrived at the > keyserver or just at one of the bad guys. I guess there is a risk if the change was a revocation because the key has been compromised, and it only reached the bad guy but not the real keyserver, and you had only tried to send it to that one server. >> > It would have to be decided whether this key server >> > time stamp refers to the newest time stamp of a > >> signature in the respective key >> This would be a security problem in the event that >> somebody uploads to the servers a revocation >> certificate they had prepared in advance; this >> revocation would be overlooked if the latest >> modification date of the key were taken to be newest >> time stamp of a signature. > Right. So the keyserver would use the timestamp of the > latest change at it >> If the client could reliably tell from the server's >> response that it synchronised with a particular >> group-ID of keyservers, the client would need only the >> timestamp for the last time that key was downloaded >> from a member of that group. Probably easier to store >> the info per synchronising group-ID than per >> individual keyserver, but still a major undertaking if >> you are storing it for all the keys on a large >> keyring. > Look at it the other way round: The more keys there are > in the keyring the more bandwith is saved. I am > convinced that users with large keyrings have enough > local storage for that... And if they are using a mobile device with limited storage they probably aren't using a large keyring? - -- Best regards MFPA mailto:expires2010 at ymail.com Don't ask me, I'm making this up as I go! -----BEGIN PGP SIGNATURE----- iQCVAwUBTBq5d6ipC46tDG5pAQp16gP9FrnuEfUQKYzKGr79BoWU5raWWG7LvMBq Jtk/RZOMmy6u9K/2WcbfCHZ3y2QpyXwqibj3bOI9nXnDDFlOxceqG+N7wXZJn8U1 jmAVCZVKcdIEqaoaotQNgSY2SPW7Oq2Xfcibhs6V1Iitw5BsyaqCn9YxHHbIGlQr wicXiXWPqtI= =5T6Z -----END PGP SIGNATURE----- From lopaki at gmail.com Fri Jun 18 02:19:17 2010 From: lopaki at gmail.com (Scott Lambdin) Date: Thu, 17 Jun 2010 20:19:17 -0400 Subject: encryption bloats file In-Reply-To: <4C1AADFC.8050802@sixdemonbag.org> References: <529e76830901091233s6f4a8a15v18823a1319764007@mail.gmail.com> <529e76830901091933m409b7dcdj508412264f7524a5@mail.gmail.com> <20090110034954.GA4666@jabberwocky.com> <4C1AADFC.8050802@sixdemonbag.org> Message-ID: No Sir. The files compress well. They compress to the same size as the packet reported by --list-packets. Ascii armor did what a previous poster predicted, growing the file by about 1/3. here is what should happen: 270Mbyte text file => compressed to 50 Mbyte => X 1.38 yielding 69Mbytes to go over the network. But for some reason, McA... er I mean the vender PGP does: 270Mbyte text file => 671MB to choke the network That should be unheard of. --Scott On Thu, Jun 17, 2010 at 7:21 PM, Robert J. Hansen wrote: > On 6/17/2010 2:16 PM, Scott Lambdin wrote: > > The vender told our trading partner their PGP software bloats the file > > and that is just the way it is. I do not understand how the encrypted > > file (or the file that contains the encrypted file) can be over twice > > the size of the original, when the senders believe they have used > > compression. > > This is not unheard of. > > First, compression only works when the data hasn't already been > compressed. Many data formats (.jpgs, .pdfs, etc.) incorporate > compression, and so cannot be further reduced. > > Second, if the sender is using ASCII armoring for their message, that > will result in an enormous increase in file size. (On the plus side, it > means the message is a text message, which is more convenient for some > purposes.) > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- There's a box? -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailinglisten at hauke-laging.de Fri Jun 18 09:13:52 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Fri, 18 Jun 2010 09:13:52 +0200 Subject: auto refresh-keys In-Reply-To: <1929905668.20100618011022@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006172215.01214.mailinglisten@hauke-laging.de> <1929905668.20100618011022@my_localhost> Message-ID: <201006180913.57817.mailinglisten@hauke-laging.de> Hello, Am Freitag 18 Juni 2010 02:10:22 schrieb MFPA: > I don't know how common or uncommon it might be. I just know that, of > the keys in my keyring of about 400 keys, I have noticed more > deviations away from my default keyserver to key.asc files than to > alternate keyservers. but this is about the share of file URLs in the keyring not the number of file URLs against the number of alternative key servers. Another point: With a good auto refresh infrastructure less people might feel the need to use such a file URL. > > If your keyservers don't support TLS (I have no idea > > whether the important ones use it) then you are open to > > a MitM attack when checking them. If the response is > > signed then you are not (if you are sure about the > > signing key :-) ). > > OK, up to a point. But the web of trust should thwart this MitM > attack. Or am I missing something? You are missing the kind of attack. The WoT prevents you from being attacked by modified keys. It does not prevent you from being "attacked" by non-updated keys. The attacker can send you the file you already have. This is more a DoS attack with security implications for revoked and added keys and organizational implications if you need more signatures to verify a key. > A user with several systems could use common keyrings. Or his own > local keyserver. Or just export all keys from the keyring he has just > updated and import them into each of his other keyrings. Yes but it seems to me that none of that is equally convenient to simply passing the timestamp file to the other systems. OK, I admit that I have just considered the case that no keys have to be updated. It makes sense to create a singed bulk download option, too. First you request the timestamps, next you request all keys you need to update. That would allow to avoid server accesses completely by simply passing both signed files (timestamp list and key collection). > > Several users might > > even combine their ID wishlist so that only one of them > > has to ask the keyserver. > > Possibly in a corporate or group setting, where one person could > refresh the keyring and push the update to his colleagues? Yes. That would be kind of a caching proxy service. Privacy protection could be reached by taking "secret" IDs off the list for the "proxy guy". Unrevealed IDs would be checked directly. If gpg was to be extended by an option to create an ID list I would suggest the feature to mark keys as not to be revealed by such update lists. > I guess there is a risk if the change was a revocation because the key > has been compromised, and it only reached the bad guy but not the real > keyserver, and you had only tried to send it to that one server. Sending to several keyservers does not help if the MitM attack point is on your side. > > Look at it the other way round: The more keys there are > > in the keyring the more bandwith is saved. I am > > convinced that users with large keyrings have enough > > local storage for that... > > And if they are using a mobile device with limited storage they > probably aren't using a large keyring? How large is your keyring file? I assume that for ten checked keyservers the file for storing the last timestamp for each key and keyserver would not even have the size of the keyring. And if there are only 40 KiB of space left on the device then IMHO you simply have to face the truth: That the wrong device it used for the application GnuPG. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From koushkov at gmail.com Fri Jun 18 05:33:35 2010 From: koushkov at gmail.com (Boris) Date: Fri, 18 Jun 2010 00:33:35 -0300 Subject: Multiple signatures Message-ID: Hi, I would like to know if there is a way to add multiple signatures for a file (in a separate file) and check who signed with just one command (so not by signing a signed file...). Thanks, Koushkov -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnupg.user at seibercom.net Fri Jun 18 12:27:58 2010 From: gnupg.user at seibercom.net (Jerry) Date: Fri, 18 Jun 2010 06:27:58 -0400 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: References: Message-ID: <20100618062758.17e44e5b@scorpio> On Thu, 17 Jun 2010 16:04:41 -0600 Richard Hamilton articulated: > I am out of the office until 06/24/2010. > > I am out of the office until Thursday June 24th. If this is a > production problem, please call the solution center at 918-573-2336 > or email Bob Olson at Robert.Olson at williams.com. I will have limited > mail and cell phone access. > > > Note: This is an automated response to your message "Re: Can we use > GNUPG with PGP for commercial use" sent on 6/17/10 10:21:32. > > This is the only notification you will receive while this person is > away. I was just stating to a colleague that it had been months since an errant "vacation" message had been posted on this forum. Well, thanks to Bob, that drought has been quenched. With the summer season now upon us and vacations becoming the norm, I rest assured that more such individuals will be advising us of their schedule. Then again, maybe, just maybe, this might be a good time for all of us to check that we have our mail programs, be them what they may, properly configured so as to not pollute forums with useless OOF/vacation garbage announcements. -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. I'll be comfortable on the couch. Famous last words. Lenny Bruce From palle_sejer at dk.ibm.com Fri Jun 18 10:58:27 2010 From: palle_sejer at dk.ibm.com (Palle Sejer Larsen) Date: Fri, 18 Jun 2010 10:58:27 +0200 Subject: Help adding IDEA within GnuPG 2.0.9 Message-ID: Hi group, I am trying to include support for IDEA within GnuPG 2.0.9 running under Linux. I have downloaded the idea.c module via the link on this page: http://www.gnupg.org/faq/why-not-idea.html, have compiled it and have added the load-extension /idea statement to my conf file in ~/.gnupg/gpg.conf But it does not seem to load IDEA support anyway. I have placed the idea module in the ~/.gnupg/ folder - could that be the problem ? I have verified on another server - with GnuPG 1.4.10 installed - that here the IDEA support actually gets added with this setup. The "gpg --load-extension /idea -v --version" command within GnuPG 2.0.9 yields the following: batch at psdkxd02:~/.gnupg> gpg --load-extension /usr/local/ps/batch/.gnupg/idea -v --version gpg (GnuPG) 2.0.9 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later < http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10) Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11) Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) Used libraries: gcrypt(1.4.1) Any help will be greatly appreciated. Regards, Palle Medmindre andet er angivet ovenfor: / Unless Otherwise Stated Above: IBM Danmark ApS Nym?llevej 91 2800 Kongens Lyngby, Danmark CVR nr.: 65305216 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Fri Jun 18 14:13:56 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 18 Jun 2010 08:13:56 -0400 Subject: Multiple signatures In-Reply-To: References: Message-ID: <4C1B6304.5050605@sixdemonbag.org> On 6/17/10 11:33 PM, Boris wrote: > Hi, > > I would like to know if there is a way to add multiple signatures for a > file (in a separate file) and check who signed with just one command (so > not by signing a signed file...). gpg --armor -u signer -u signer2 -u signer3 --clearsign filename Warning: these signatures will break old versions of PGP. 6.5.8 and the 6.5.8CKT builds will crash when trying to verify them. From jeandavid8 at verizon.net Fri Jun 18 14:27:04 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Fri, 18 Jun 2010 08:27:04 -0400 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <20100618062758.17e44e5b@scorpio> References: <20100618062758.17e44e5b@scorpio> Message-ID: <4C1B6618.3000305@verizon.net> Jerry wrote: > On Thu, 17 Jun 2010 16:04:41 -0600 > I was just stating to a colleague that it had been months since an > errant "vacation" message had been posted on this forum. Well, thanks > to Bob, that drought has been quenched. With the summer season now > upon us and vacations becoming the norm, I rest assured that more such > individuals will be advising us of their schedule. > > Then again, maybe, just maybe, this might be a good time for all of us > to check that we have our mail programs, be them what they may, > properly configured so as to not pollute forums with useless > OOF/vacation garbage announcements. > If I understand correctly, this is done by setting the precedence of the vacation e-mail to "bulk" instead of something else ("list"?), and that mailing list programs do not send the stuff marked bulk. Is that not how mailing list programs work? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:20:01 up 42 days, 16:15, 3 users, load average: 4.65, 4.81, 4.56 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Fri Jun 18 15:06:10 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 18 Jun 2010 09:06:10 -0400 Subject: Multiple signatures In-Reply-To: References: Message-ID: <34C2A2E3-312F-4357-A949-D5852D3B6477@jabberwocky.com> On Jun 17, 2010, at 11:33 PM, Boris wrote: > Hi, > > I would like to know if there is a way to add multiple signatures for a file (in a separate file) and check who signed with just one command (so not by signing a signed file...). Sure. gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign You'll end up with a file-to-sign.sig that contains all three signatures. When you verify file-to-sign.sig, all three signatures will be checked. Alternately, you can do the same "multiple signer" trick with regular --sign if you want the data and signatures to be put together into a single file. David From jeandavid8 at verizon.net Fri Jun 18 15:16:50 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Fri, 18 Jun 2010 09:16:50 -0400 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <4C1B68D7.7050408@st.com> References: <20100618062758.17e44e5b@scorpio> <4C1B6618.3000305@verizon.net> <4C1B68D7.7050408@st.com> Message-ID: <4C1B71C2.1060407@verizon.net> David Smith wrote: > Jean-David Beyer wrote: >> If I understand correctly, this is done by setting the precedence of the >> vacation e-mail to "bulk" instead of something else ("list"?), and that >> mailing list programs do not send the stuff marked bulk. >> >> Is that not how mailing list programs work? > > > Not quite. > > Mailing lists programs normally send mails with the "Precedence: bulk" > or "Precedence: junk" header, and then the autoresponder should > recognise this and choose not to respond to mails with the "bulk" or > "junk" precedence header. It is up to the autoresponder to act correctly. > Well, the stuff I get from the Gnupg-users at gnupg.org list has "precedence: list" set. Other lists to which I subscribe use "Precedence normal" or "precedence: bulk". Regular e-mail does not have precedence set at all. It seems to me that mailing lists should get their acts together. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 09:10:01 up 42 days, 17:05, 3 users, load average: 4.63, 4.80, 4.74 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From Dave.Smith at st.com Fri Jun 18 15:24:05 2010 From: Dave.Smith at st.com (David Smith) Date: Fri, 18 Jun 2010 14:24:05 +0100 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <4C1B71C2.1060407@verizon.net> References: <20100618062758.17e44e5b@scorpio> <4C1B6618.3000305@verizon.net> <4C1B68D7.7050408@st.com> <4C1B71C2.1060407@verizon.net> Message-ID: <4C1B7375.8000108@st.com> Jean-David Beyer wrote: > David Smith wrote: >> Mailing lists programs normally send mails with the "Precedence: bulk" >> or "Precedence: junk" header, and then the autoresponder should >> recognise this and choose not to respond to mails with the "bulk" or >> "junk" precedence header. It is up to the autoresponder to act correctly. >> > Well, the stuff I get from the Gnupg-users at gnupg.org list has > "precedence: list" set. Other lists to which I subscribe use "Precedence > normal" or "precedence: bulk". Regular e-mail does not have precedence > set at all. It seems to me that mailing lists should get their acts > together. OK, Maybe "Precedence: list" is also a valid implementation; I haven't looked in detail at the RFQs, etc. - I was just typing from memory. The basic method of operation is the same, though - the MLM marks the message as a mailing list message using the "Precedence" header, and the autoresponder interprets this header when deciding whether to respond. From dshaw at jabberwocky.com Fri Jun 18 15:25:44 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 18 Jun 2010 09:25:44 -0400 Subject: Multiple signatures In-Reply-To: References: <34C2A2E3-312F-4357-A949-D5852D3B6477@jabberwocky.com> Message-ID: <216F753C-DEC4-4ACE-AF9F-76CAB51C2A29@jabberwocky.com> > On Jun 17, 2010, at 11:33 PM, Boris wrote: > > > Hi, > > > > I would like to know if there is a way to add multiple signatures for a file (in a separate file) and check who signed with just one command (so not by signing a signed file...). > > Sure. > > gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign > > You'll end up with a file-to-sign.sig that contains all three signatures. When you verify file-to-sign.sig, all three signatures will be checked. > > Alternately, you can do the same "multiple signer" trick with regular --sign if you want the data and signatures to be put together into a single file. On Jun 18, 2010, at 9:14 AM, Boris wrote: > Ok, Thanks David, > > But what if the file is signed by people working on different computers? > So they will had their signature on the current separate file (correesponding to the people who already signed a specific file). If you want a bunch of people all signing the same file, have each signer do this: gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign Then have them all send you their "file-to-sign.sig" files. You create a file containing all of them: cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig Then anyone can verify file-to-sign.sig against the original file-to-sign and see all the signatures verified. David From Dave.Smith at st.com Fri Jun 18 15:31:20 2010 From: Dave.Smith at st.com (David Smith) Date: Fri, 18 Jun 2010 14:31:20 +0100 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <4C1B71C2.1060407@verizon.net> References: <20100618062758.17e44e5b@scorpio> <4C1B6618.3000305@verizon.net> <4C1B68D7.7050408@st.com> <4C1B71C2.1060407@verizon.net> Message-ID: <4C1B7528.8030607@st.com> Jean-David Beyer wrote: > Well, the stuff I get from the Gnupg-users at gnupg.org list has > "precedence: list" set. Other lists to which I subscribe use "Precedence > normal" or "precedence: bulk". Regular e-mail does not have precedence > set at all. It seems to me that mailing lists should get their acts > together. Just checked the relevant RFC (3834), and it says (rather unhelpfully): (Because Precedence is not a standard header field, and its use and interpretation vary widely in the wild, no particular responder behavior in the presence of Precedence is recommended by this specification.) From sean at srima.eu Fri Jun 18 15:33:06 2010 From: sean at srima.eu (Sean Rima) Date: Fri, 18 Jun 2010 14:33:06 +0100 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <4C1B7375.8000108@st.com> References: <20100618062758.17e44e5b@scorpio> <4C1B6618.3000305@verizon.net> <4C1B68D7.7050408@st.com> <4C1B71C2.1060407@verizon.net> <4C1B7375.8000108@st.com> Message-ID: <4C1B7592.20008@srima.eu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 18/06/2010 14:24, David Smith wrote: > Jean-David Beyer wrote: >> David Smith wrote: >>> Mailing lists programs normally send mails with the "Precedence: bulk" >>> or "Precedence: junk" header, and then the autoresponder should >>> recognise this and choose not to respond to mails with the "bulk" or >>> "junk" precedence header. It is up to the autoresponder to act correctly. >>> >> Well, the stuff I get from the Gnupg-users at gnupg.org list has >> "precedence: list" set. Other lists to which I subscribe use "Precedence >> normal" or "precedence: bulk". Regular e-mail does not have precedence >> set at all. It seems to me that mailing lists should get their acts >> together. > > OK, Maybe "Precedence: list" is also a valid implementation; I haven't > looked in detail at the RFQs, etc. - I was just typing from memory. The > basic method of operation is the same, though - the MLM marks the > message as a mailing list message using the "Precedence" header, and the > autoresponder interprets this header when deciding whether to respond. > Many years ago I used to maintain the Linux vacation and one of the checks it did was to check for the existence of the Precedence header. We also started to add support for Mailman listheaders. Any decently written OOF/vacation should be able to ignore most mailing lists Sean - -- GSWoT and CaCert WOT Assurer http://www.google.com/profiles/thecivvie .tel http://rima.tel/ I believe that every human has a finite number of heartbeats. I don't intend to waste any of mine running around doing exercises. - Neil Armstrong -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Contact Details http://rima.tel Comment: My GPG Key http://thecivvie.fastmail.fm/sean.pubkey.txt iHIEAREIADIFAkwbdZErFIAAAAAAFQANcGthLWFkZHJlc3NAZ251cGcub3Jnc2Vh bkBzcmltYS5ldQAKCRDJ1+LfaIt9mCNgAJ4m68Bnco+1kptidhnaoG43GriaVgCf VueIW/P8HxhPvPs3gbcqxc/QKfI= =dQ1J -----END PGP SIGNATURE----- From jevestops at googlemail.com Fri Jun 18 20:40:11 2010 From: jevestops at googlemail.com (His Steveness) Date: Fri, 18 Jun 2010 20:40:11 +0200 Subject: Uninstall Message-ID: <2FBABB6F-5666-418E-869F-46E2A1F888EB@googlemail.com> Hi there, for a Test i installed GPG on MacOsX 5.8, so far so good, works fine, thank you Guys btw. for that nice Work. But now i hang there and im not able to uninstall the hole thing. Can someone tell me a workthrough, cause im not so close to Procedures that be probable neccessary to it. Best wishes from Germany Andy From dshaw at jabberwocky.com Fri Jun 18 21:42:31 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 18 Jun 2010 15:42:31 -0400 Subject: auto refresh-keys In-Reply-To: <4C165DD8.5020903@fifthhorseman.net> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> Message-ID: <67BE2DF6-B832-4D0C-B176-F1C93986B92F@jabberwocky.com> On Jun 14, 2010, at 12:50 PM, Daniel Kahn Gillmor wrote: > On 06/04/2010 01:35 PM, Micah Anderson wrote: >> It seems like the best solution would be to build into gnupg the functionality >> that is similar to the automatic trust database operation: have gpg auto-refresh >> from the configured keyserver periodically. > > I think something like this would be a good idea. I've found that many > users (even sophisticated users) of GnuPG never refresh their keyrings > manually, which means that they use a good strong tool to (for example) > encrypt messages to known-revoked keys (in a recent case, to a key whose > revocation certificate was published over 2? years ago). When I wrote the new keyserver stuff, I thought about this sort of thing, but the lack of a good way to store metadata was a problem (the keybox fixes this), as well as the concern that keyservers are effective trackers of who is using what key. For example, a keyserver operator could tell (based on how often which keys were refreshed), who your encrypted correspondents were, in rough frequency-of-communication order, to boot. This doesn't necessarily make it a bad idea, of course - for some people, the benefits outweigh the disadvantages. It should be something users would have to elect to turn on, rather than having it turned on by default, though. I'd want to hear from the keyserver community about this. It's easy to talk about improving behavior, but they're running a free public service out of the kindness of their hearts. This client-side change could mean a rather significant increase in the amount of bandwidth their free service consumes. Some other useful client-side optimizations require the keyservers to actually do crypto (rather than be the easier packet stores), which requires a pretty dramatic change in the keyservers themselves. David From dshaw at jabberwocky.com Fri Jun 18 21:42:39 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 18 Jun 2010 15:42:39 -0400 Subject: auto refresh-keys In-Reply-To: <955396815.20100615005855@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <955396815.20100615005855@my_localhost> Message-ID: On Jun 14, 2010, at 7:58 PM, MFPA wrote: > On Monday 14 June 2010 at 5:50:32 PM, in > , Daniel Kahn Gillmor wrote: > > >> Network or keyserver failures during an auto-refresh >> should be accepted and the rest of the operation should >> continue (though the last-refreshed time shouldn't be >> updated). > >> What if the network and keyserver are both available, >> but the keyserver has never heard of the key in >> question? > > Same as Network or keyserver failure: there is no available > auto-update, so warn and continue with the requested operations. The danger here is that it might take a long time (minutes+) to realize that the keyserver and/or network wasn't going to cooperate. This could seriously slow down many GPG operations. David From hawke at hawkesnest.net Fri Jun 18 22:10:29 2010 From: hawke at hawkesnest.net (Alex Mauer) Date: Fri, 18 Jun 2010 15:10:29 -0500 Subject: Scute: sec_error_pkcs11_function_failed (was Re: Crypto Stick released!) In-Reply-To: <201005031717.37997.joke__23903.7188156091$1272899995$gmane$org@seiken.de> References: <4BDAF109.2000800@privacyfoundation.de> <201005031222.21850.joke@seiken.de> <87iq75drio.fsf@vigenere.g10code.de> <201005031717.37997.joke__23903.7188156091$1272899995$gmane$org@seiken.de> Message-ID: On 05/03/2010 10:17 AM, Joke de Buhr wrote: > I'm using Ubuntu lucid (amd64) with firefox 3.6.3. > > On Monday 03 May 2010 15:49:35 Werner Koch wrote: >> On Mon, 3 May 2010 12:22, joke at seiken.de said: >>> selecting my key I always get this firefox error message >>> "sec_error_pkcs11_function_failed". >> >> Okay we need to check this. This should really work. I can report that I also experience this problem with Ubuntu lucid i386 and Scute 1.2. Slightly related: is there a reason that Scute-1.4 is not listed on the download page at http://www.scute.org/download.xhtml ? Thanks ?Alex Mauer ?hawke? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 554 bytes Desc: OpenPGP digital signature URL: From vedaal at nym.hush.com Fri Jun 18 21:39:41 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 18 Jun 2010 15:39:41 -0400 Subject: Multiple signatures Message-ID: <20100618193941.92EF6B8079@smtp.hushmail.com> Robert J. Hansen rjh at sixdemonbag.org wrote on Fri Jun 18 14:13:56 CEST 2010 : >> I would like to know if there is a way to add multiple >signatures for a >> file (in a separate file) and check who signed with just one >command (so >> not by signing a signed file...). > > >gpg --armor -u signer -u signer2 -u signer3 --clearsign filename > >Warning: these signatures will break old versions of PGP. 6.5.8 >and the >6.5.8CKT builds will crash when trying to verify them. no. 6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple signatures of the same text when *clearsigned*. Verifying 'Multiple simultaneous signatures' done in armored signed format, or in signed and encrypted format, or as detached signatures, will not cause any problem for 6.5.8, 6.5.8 ckt, or 6.5.8 commandline. vedaal From dougb at dougbarton.us Fri Jun 18 23:13:02 2010 From: dougb at dougbarton.us (Doug Barton) Date: Fri, 18 Jun 2010 14:13:02 -0700 Subject: auto refresh-keys In-Reply-To: References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <955396815.20100615005855@my_localhost> Message-ID: <4C1BE15E.60403@dougbarton.us> On 06/18/10 12:42, David Shaw wrote: > > The danger here is that it might take a long time (minutes+) to realize that the keyserver and/or network wasn't going to cooperate. This could seriously slow down many GPG operations. I've been following this discussion with interest as I've seen problems related to others not updating keys in the past. However I think David has identified the same 2 critical problems that I did, non-trivial amounts of modifications to the keyserver network, and the one he mentions above. Personally I think better education for users about the importance of refreshing their keys is a better way to go. The idea that has been percolating in my brain is a warning message of some sort when gpg accesses a key that hasn't been refreshed in $PERIOD. If I understand the keybox idea properly it should be possible to store the "last refreshed" time in a format that gpg can easily deal with in line, so hopefully adding a warning won't be too difficult if that's desirable. Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From expires2010 at ymail.com Sat Jun 19 13:36:15 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 19 Jun 2010 12:36:15 +0100 Subject: auto refresh-keys In-Reply-To: <201006180913.57817.mailinglisten@hauke-laging.de> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006172215.01214.mailinglisten@hauke-laging.de> <1929905668.20100618011022@my_localhost> <201006180913.57817.mailinglisten@hauke-laging.de> Message-ID: <479018260.20100619123615@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 18 June 2010 at 8:13:52 AM, in , Hauke Laging wrote: > but this is about the share of file URLs in the keyring > not the number of file URLs against the number of > alternative key servers. My guess would be maybe 1-2% of my keyring. I'm not about to examine 400+ keys to find out. Anyway, as I said before my keyring is too small a sample to be statistically valid. > Another point: With a good auto refresh infrastructure > less people might feel the need to use such a file URL. Maybe, but it also depends on people's reasons for trying to direct people to the file URL that they control... > You are missing the kind of attack. The WoT prevents > you from being attacked by modified keys. It does not > prevent you from being "attacked" by non-updated keys. > The attacker can send you the file you already have. > This is more a DoS attack with security implications > for revoked and added keys and organizational > implications if you need more signatures to verify a > key. Hmm. I spotted the security issue of missed revocations if the timestamp of the most recent signature was used to identify the last update, but failed to see this. Maybe I should only reply when awake and alert. > Yes but it seems to me that none of that is equally > convenient to simply passing the timestamp file to the > other systems. Convenience would depend on the users preferred ways of working, as well as the hardware and software that make up his multiple systems. Also, I had not thought of the list of timestamps as being a file rather than just a reply in the dialogue between the client and the keyserver. >> > Several users might > even combine their ID >> wishlist so that only one of them > has to ask the >> keyserver. >> Possibly in a corporate or group setting, where one >> person could refresh the keyring and push the update >> to his colleagues? > Yes. That would be kind of a caching proxy service. > Privacy protection could be reached by taking "secret" > IDs off the list for the "proxy guy". Unrevealed IDs > would be checked directly. If the secret IDs were hashes of the name and of the email address of the creator, leaving them on the list would not compromise privacy (other than maybe "associating" the user with that key, and thereby with its creator...). I consider a key UID that shows my name and especially my email addresses to be an un-necessary erosion of privacy. > If gpg was to be extended by > an option to create an ID list I would suggest the > feature to mark keys as not to be revealed by such > update lists. As we are talking about updating keys already on the keyring, I see no need for the update list to contain any user-IDs, just the key_IDs or fingerprints. Any un-necessary generation and transmission of unencrypted lists containing names and/or email addresses is something to be avoided. >> I guess there is a risk if the change was a revocation >> because the key has been compromised, and it only >> reached the bad guy but not the real keyserver, and >> you had only tried to send it to that one server. > Sending to several keyservers does not help if the MitM > attack point is on your side. Even if you send the key over an encrypted connection to a server? For example https://pgp.webtru.st/ >> > Look at it the other way round: The more keys there >> are > in the keyring the more bandwith is saved. I am >> > convinced that users with large keyrings have enough >> > local storage for that... >> And if they are using a mobile device with limited >> storage they probably aren't using a large keyring? > How large is your keyring file? Nearly 6MB. But I'm not using it on a mobile device with tiny storage. > I assume that for ten > checked keyservers the file for storing the last > timestamp for each key and keyserver would not even > have the size of the keyring. That would probably be true, since most keys these days take up more bytes than it would take to write the time and date ten times plus ten keyserver URLs. > And if there are only 40 KiB of space left on the > device then IMHO you simply have to face the truth: > That the wrong device it used for the application > GnuPG. If it's *that* small or full and can't be expanded or more space cleared, you are probably right. - -- Best regards MFPA mailto:expires2010 at ymail.com Why is the universe here? Well, where else would it be? -----BEGIN PGP SIGNATURE----- iQCVAwUBTByrvqipC46tDG5pAQo8SwP+NC0k9GyDUaAcsn7tBtAren2SskJID5ig wGsx/yLsQyhjFhCQP4sgLc7lNwsIEy10mxXhIBzhgdVUIGcKUDze/aqld1Ze6m6F JmGHkbHNttp4gHDR+cqzed+NzWu+lNndeWBp5whXxTdHH9Y+mhqTwt9o4FmrnXZ4 OfTUsEFcH+Y= =L5+w -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Jun 19 13:50:38 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 19 Jun 2010 12:50:38 +0100 Subject: auto refresh-keys In-Reply-To: References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <955396815.20100615005855@my_localhost> Message-ID: <537721911.20100619125038@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 18 June 2010 at 8:42:39 PM, in , David Shaw wrote: > The danger here is that it might take a long time > (minutes+) to realize that the keyserver and/or network > wasn't going to cooperate. This could seriously slow > down many GPG operations. And a short timeout of a few seconds could result in updates/revocations being missed. Maybe keys with failed updates could be tagged, and an option introduced to update all keys carrying that tag? - -- Best regards MFPA mailto:expires2010 at ymail.com Never trust a dog with orange eyebrows -----BEGIN PGP SIGNATURE----- iQCVAwUBTByvGaipC46tDG5pAQrlIAQAmlEI8rGn3bkARDExkWbtuEKzCQrRTsRc iqO/wkbc82JRq2uNdlZ7VSThLF3WKrVfB0ZXRI4p4OLvrC1m1YG/8GNdtdU+WWDQ ROhzxTIMCeXsC9eTUr2dDf0pzUzpeRS0w3MRenjVj+Tb8zuxfbz6pm94eNrTPJSC j5i/9+v9GGc= =IgiK -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Jun 19 14:27:23 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 19 Jun 2010 13:27:23 +0100 Subject: auto refresh-keys In-Reply-To: <67BE2DF6-B832-4D0C-B176-F1C93986B92F@jabberwocky.com> References: <87d3w6n1kh.fsf@algae.riseup.net> <4C165DD8.5020903@fifthhorseman.net> <67BE2DF6-B832-4D0C-B176-F1C93986B92F@jabberwocky.com> Message-ID: <552267339.20100619132723@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 18 June 2010 at 8:42:31 PM, in , David Shaw wrote: > When I wrote the new keyserver stuff, I thought about > this sort of thing, but the lack of a good way to store > metadata was a problem (the keybox fixes this), as well > as the concern that keyservers are effective trackers > of who is using what key. For example, a keyserver > operator could tell (based on how often which keys were > refreshed), who your encrypted correspondents were, in > rough frequency-of-communication order, to boot. The potential tracking could be mitigated against by an ability to configure a list of keyservers rather than just one, and using a random selection from the list for each keyserver operation. - -- Best regards MFPA mailto:expires2010 at ymail.com Can you imagine a world with no hypothetical situations? -----BEGIN PGP SIGNATURE----- iQCVAwUBTBy3sqipC46tDG5pAQrEUAQAkYQPp0jqsibnojxiEZZEFUpVcN/4YT+/ 31xL1ySP+kqlu1XD0/ReoYhkLlfKofCIfGKNDl0/SVvk/hEBlp3TMRFKWPBEpeFP l6+Lh0elIIP8z3fUBELX/kSPkrtSlHyjSpUbFHz3BFvgFBqni/NCOQ2WI3dVju1O n30mZ7qtUUU= =InoV -----END PGP SIGNATURE----- From expires2010 at ymail.com Sat Jun 19 15:53:23 2010 From: expires2010 at ymail.com (MFPA) Date: Sat, 19 Jun 2010 14:53:23 +0100 Subject: auto refresh-keys In-Reply-To: <479018260.20100619123615@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006172215.01214.mailinglisten@hauke-laging.de> <1929905668.20100618011022@my_localhost> <201006180913.57817.mailinglisten@hauke-laging.de> <479018260.20100619123615@my_localhost> Message-ID: <793592252.20100619145323@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 19 June 2010 at 12:36:15 PM, in , I wrote: > Hi > On Friday 18 June 2010 at 8:13:52 AM, in > , > Hauke Laging wrote: >> but this is about the share of file URLs in the >> keyring not the number of file URLs against the number >> of alternative key servers. > My guess would be maybe 1-2% of my keyring. I'm not > about to examine 400+ keys to find out. Anyway, as I > said before my keyring is too small a sample to be > statistically valid. It occurred to me to comment out the keyserver in my gpg.conf file, run "gpg --refresh-keys" and examine the output. My keyring currently contains 415 keys. 42 of them refreshed (or attempted). Of those, thirteen used a file URL rather than a keyserver. 13 is just over 3% of 415, or about one key in 32. - -- Best regards MFPA mailto:expires2010 at ymail.com I think not, said Descartes, and promptly disappeared -----BEGIN PGP SIGNATURE----- iQCVAwUBTBzL4aipC46tDG5pAQqaSQQAmFa4tEX0WHTMljZUUoiGuALvmOiELEwP x/fQP8n8T8hHgi/Epk+HlfQ7F04pr7f1c1k2AAE/Q5wOmvRNC6max4gkFQEUG5Lp HI0nGmGs/98xnbhfNhQs0Lv79yOSPWEDwWC+u4UPkNymgQ9h0m6MLFpq4T7U12ky 0/UKxaKBB6s= =LcBP -----END PGP SIGNATURE----- From mlisten at hammernoch.net Sat Jun 19 19:22:26 2010 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Sat, 19 Jun 2010 19:22:26 +0200 Subject: Uninstall In-Reply-To: <2FBABB6F-5666-418E-869F-46E2A1F888EB@googlemail.com> References: <2FBABB6F-5666-418E-869F-46E2A1F888EB@googlemail.com> Message-ID: <4C1CFCD2.4020907@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, His Steveness wrote on 18.06.10 20:40: > for a Test i installed GPG on MacOsX 5.8, > so far so good, works fine, thank you Guys btw. for that nice Work. > But now i hang there and im not able to uninstall the hole thing. > > Can someone tell me a workthrough, cause im not so close to Procedures > that be probable neccessary to it. Which package did you install? Instructions for removal depend heavily on the source. Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCgAGBQJMHPzSAAoJEA52XAUJWdLjb84H/jaJmZ60d/ymvIFUWvkopYeU UT0g/DD2Oi0fjmFUNoLC9c64The3SY02TN1/383Fkx+LoWri30ku0pqaZehzuOiR 1LDWN+O/IniTh/Pm+vfCAhdHFxjwETDy8vcftZ682+ChRm4/Yns8pJlM/A1zeRSf JGL7ajKH783LDTVNQBEMTj/OLE/QL71u/uaYl1CDikmJEQknGR7bxXFjV/whssgF prPlV84i48Xz+Fdw6MbOCdFpjf9LofxSQoQ0lVjIJJ157Ky7blYnVKQreOF6vhDt yzuP03ofUSvHk9nfoISvuCCNk0X4g46UKhwTxL/rEmrEi7bFmTwR9mqk6Kl0Rlc= =3TYK -----END PGP SIGNATURE----- From mailinglisten at hauke-laging.de Sun Jun 20 02:14:59 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 20 Jun 2010 02:14:59 +0200 Subject: auto refresh-keys In-Reply-To: <479018260.20100619123615@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006180913.57817.mailinglisten@hauke-laging.de> <479018260.20100619123615@my_localhost> Message-ID: <201006200215.05035.mailinglisten@hauke-laging.de> Am Samstag 19 Juni 2010 13:36:15 schrieb MFPA: > > Sending to several keyservers does not help if the MitM > > attack point is on your side. > > Even if you send the key over an encrypted connection to a server? For > example https://pgp.webtru.st/ No. Thus I wrote: "If your keyservers don't support TLS (I have no idea whether the important ones use it) then you are open to a MitM attack". So in order to be safe you need additional CPU load either for TLS or for signing. Signing is superior IMHO because it allows reuse of the data (one crypto action (covering less data) for several users vs. one for each user with TLS) and makes more sense because you don't need a second crypto system (X.509) to protect the first (OpenPGP). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Sun Jun 20 03:50:41 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 20 Jun 2010 02:50:41 +0100 Subject: auto refresh-keys In-Reply-To: <201006200215.05035.mailinglisten@hauke-laging.de> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006180913.57817.mailinglisten@hauke-laging.de> <479018260.20100619123615@my_localhost> <201006200215.05035.mailinglisten@hauke-laging.de> Message-ID: <172490119.20100620025041@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 20 June 2010 at 1:14:59 AM, in , Hauke Laging wrote: > So in order to be safe you need additional CPU load > either for TLS or for signing. Signing is superior IMHO > because it allows reuse of the data (one crypto action > (covering less data) for several users vs. one for each > user with TLS) and makes more sense because you don't > need a second crypto system (X.509) to protect the > first (OpenPGP). Starting from where we are now, as far as I know there are no keyservers that sign their output, but there are keyservers that use TLS. And TLS does not have to be x.590. There is a draft spec for using openpgp keys with TLS http://tools.ietf.org/search/rfc5081 which is implemented in the GnuTLS library http://www.gnu.org/software/gnutls/gnutls.html - -- Best regards MFPA mailto:expires2010 at ymail.com Teamwork is essential - it allows you to blame someone else -----BEGIN PGP SIGNATURE----- iQCVAwUBTB1z+aipC46tDG5pAQr/ywP9GRgIZrt/hWw/fKY3zXqDGQUCs4MfXoxQ 4BCzIyj5ZFyyVFMm7OsirkWSt0bF1LJCoOlZktk3e4vLaZ3L1A0d3Y0VKgZ0bbto 6ON1wyfJwwPwyElwqywpg0osSRmj8q1tMzanuGX8zmMv2yikUhkoNwjOCxDhByGo zS31cBkMofQ= =5j+v -----END PGP SIGNATURE----- From jrollins at finestructure.net Sun Jun 20 20:32:48 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Sun, 20 Jun 2010 14:32:48 -0400 Subject: keyserver queries over TLS [was: Re: auto refresh-keys] In-Reply-To: <172490119.20100620025041@my_localhost> References: <87d3w6n1kh.fsf@algae.riseup.net> <201006180913.57817.mailinglisten@hauke-laging.de> <479018260.20100619123615@my_localhost> <201006200215.05035.mailinglisten@hauke-laging.de> <172490119.20100620025041@my_localhost> Message-ID: <87fx0hpnan.fsf@servo.finestructure.net> On Sun, 20 Jun 2010 02:50:41 +0100, MFPA wrote: > > So in order to be safe you need additional CPU load > > either for TLS or for signing. Signing is superior IMHO > > because it allows reuse of the data (one crypto action > > (covering less data) for several users vs. one for each > > user with TLS) and makes more sense because you don't > > need a second crypto system (X.509) to protect the > > first (OpenPGP). > > Starting from where we are now, as far as I know there are no > keyservers that sign their output, but there are keyservers that use > TLS. > > And TLS does not have to be x.590. There is a draft spec for using > openpgp keys with TLS http://tools.ietf.org/search/rfc5081 which is > implemented in the GnuTLS library > http://www.gnu.org/software/gnutls/gnutls.html This is turning into a separate thread, but while we're on it, I just wanted to point out that the Monkeysphere Project [0] currently provides a means for doing OpenPGP-based site authentication/encryption over TLS, and has discussed building a gpg plugin that can do OpenPGP validation of hkps keyserver queries: https://labs.riseup.net/code/issues/2016 jamie. [0] http://web.monkeysphere.info/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From 1c_admin at ukr.net Fri Jun 18 14:09:55 2010 From: 1c_admin at ukr.net (=?WINDOWS-1251?Q?=D0=EE=EC=E0=ED_=D8=E5=F0=F1=F2=FE=EA?=) Date: Fri, 18 Jun 2010 15:09:55 +0300 Subject: Setting up SKS Keyserver Message-ID: Good day! ?Sorry for disturb, please. I have been setup SKS server on Linux Debian 5.0.3 and I'd like to ask you how can I see detailed statistic.? I need to see all list of keys in my database and have possibility locate the keys that already expired and will be expired at nearly future. Is there any web interface for this futures? Thank you very much! -------------- next part -------------- An HTML attachment was scrubbed... URL: From koushkov at gmail.com Fri Jun 18 15:14:40 2010 From: koushkov at gmail.com (Boris) Date: Fri, 18 Jun 2010 10:14:40 -0300 Subject: Multiple signatures In-Reply-To: <34C2A2E3-312F-4357-A949-D5852D3B6477@jabberwocky.com> References: <34C2A2E3-312F-4357-A949-D5852D3B6477@jabberwocky.com> Message-ID: Ok, Thanks David, But what if the file is signed by people working on different computers? So they will had their signature on the current separate file (correesponding to the people who already signed a specific file). Koushkov 2010/6/18 David Shaw > On Jun 17, 2010, at 11:33 PM, Boris wrote: > > > Hi, > > > > I would like to know if there is a way to add multiple signatures for a > file (in a separate file) and check who signed with just one command (so not > by signing a signed file...). > > Sure. > > gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign > > You'll end up with a file-to-sign.sig that contains all three signatures. > When you verify file-to-sign.sig, all three signatures will be checked. > > Alternately, you can do the same "multiple signer" trick with regular > --sign if you want the data and signatures to be put together into a single > file. > > David > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From koushkov at gmail.com Fri Jun 18 15:57:15 2010 From: koushkov at gmail.com (Boris) Date: Fri, 18 Jun 2010 10:57:15 -0300 Subject: Multiple signatures In-Reply-To: <216F753C-DEC4-4ACE-AF9F-76CAB51C2A29@jabberwocky.com> References: <34C2A2E3-312F-4357-A949-D5852D3B6477@jabberwocky.com> <216F753C-DEC4-4ACE-AF9F-76CAB51C2A29@jabberwocky.com> Message-ID: Thank you very much David It is exactly what I wanted 2010/6/18 David Shaw > > On Jun 17, 2010, at 11:33 PM, Boris wrote: > > > > > Hi, > > > > > > I would like to know if there is a way to add multiple signatures for a > file (in a separate file) and check who signed with just one command (so not > by signing a signed file...). > > > > Sure. > > > > gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign > > > > You'll end up with a file-to-sign.sig that contains all three signatures. > When you verify file-to-sign.sig, all three signatures will be checked. > > > > Alternately, you can do the same "multiple signer" trick with regular > --sign if you want the data and signatures to be put together into a single > file. > > On Jun 18, 2010, at 9:14 AM, Boris wrote: > > > Ok, Thanks David, > > > > But what if the file is signed by people working on different computers? > > So they will had their signature on the current separate file > (correesponding to the people who already signed a specific file). > > If you want a bunch of people all signing the same file, have each signer > do this: > > gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign > > Then have them all send you their "file-to-sign.sig" files. You create a > file containing all of them: > > cat signer-1-signature signer-2-signature signer-3-signature > > file-to-sign.sig > > Then anyone can verify file-to-sign.sig against the original file-to-sign > and see all the signatures verified. > > David > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From juergenbader at o2online.de Sat Jun 19 13:31:06 2010 From: juergenbader at o2online.de (Juergen Bader) Date: Sat, 19 Jun 2010 13:31:06 +0200 Subject: AW: Gnupg-users Digest, Vol 81, Issue 22 In-Reply-To: Message-ID: <201006191130.o5JBUIZS020651@mail06.o2online.de> -- Gesendet von meinem Palm Pr? gnupg-users-request at gnupg.org schrieb: Send Gnupg-users mailing list submissions to gnupg-users at gnupg.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnupg.org/mailman/listinfo/gnupg-users or, via email, send a message with subject or body 'help' to gnupg-users-request at gnupg.org You can reach the person managing the list at gnupg-users-owner at gnupg.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Gnupg-users digest..." Today's Topics: 1. Re: Can we use GNUPG with PGP for commercial use (Daniel Kahn Gillmor) 2. Re: Can we use GNUPG with PGP for commercial use (David Smith) 3. Re: Can we use GNUPG with PGP for commercial use (Joke de Buhr) 4. Re: Importing public key in OpenGPG - error. MAC OS X (MFPA) 5. Re: auto refresh-keys (MFPA) 6. Re: Can we use GNUPG with PGP for commercial use (mlb at imparisystems.com) 7. Re: auto refresh-keys (Hauke Laging) ---------------------------------------------------------------------- Message: 1 Date: Thu, 17 Jun 2010 13:00:21 -0400 From: Daniel Kahn Gillmor <dkg at fifthhorseman.net> Subject: Re: Can we use GNUPG with PGP for commercial use To: GnuPG Users <gnupg-users at gnupg.org> Message-ID: <4C1A54A5.5020206 at fifthhorseman.net> Content-Type: text/plain; charset="utf-8" On 06/17/2010 12:45 PM, Joke de Buhr wrote: > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You can't sue > anyone if GnuPG does not do what it's supposed to do. If your goal is to be able to sue someone over proprietary software, i strongly advise you to read the relevant EULA first: http://www.pgp.com/products/eula.html section 9 in particular is illuminating about the scope and duration of whatever minimal warranty you get from having purchased a license. > If you need commercial support and liability stick to PGP and pay for it. If you need commercial support, there is no reason to avoid free software. Several companies offer commercial support for GnuPG: http://www.gnupg.org/service.en.html Please don't spread the false idea that only proprietary software is available with commercial support. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: </pipermail/attachments/20100617/4201dccd/attachment-0001.pgp> ------------------------------ Message: 2 Date: Thu, 17 Jun 2010 17:15:23 +0100 From: David Smith <Dave.Smith at st.com> Subject: Re: Can we use GNUPG with PGP for commercial use To: "Gorugantu, Prakash" <pgorugantu at APUS.EDU>, <gnupg-users at gnupg.org> Message-ID: <4C1A4A1B.9080303 at st.com> Content-Type: text/plain; charset="ISO-8859-1" Gorugantu, Prakash wrote: > Our project has a requirement where we need to pull a file using PGP > encryption/decryption from one of our clients ftp servers. Please let us > know if we can use GNUPG to encrypt/decrypt files with PGP. We read > somewhere in your licensing agreement that GNUPG for PGP is only for > non-commercial use and we have to purchase it from PGP Corp. if we have > to use it. GnuPG and PGP are different tools. PGP is a commercial tool, although some versions of it are free for non-commercial use. GnuPG is a FOSS (Free, Open Source Software) tool released under the GNU General Public License (GPL), and it can therefore be used free-of-charge for both commercial and non-commercial use. GnuPG and PGP are generally compatible with each other (i.e. a file encrypted with PGP can be decrypted with GnuPG and vice-versa), as they both work to a publicly-defined standard. HTH & HAND. ------------------------------ Message: 3 Date: Thu, 17 Jun 2010 19:51:38 +0200 From: Joke de Buhr <joke at seiken.de> Subject: Re: Can we use GNUPG with PGP for commercial use To: GnuPG Users <gnupg-users at gnupg.org> Message-ID: <201006171951.40684.joke at seiken.de> Content-Type: text/plain; charset="utf-8" On Thursday 17 June 2010 19:00:21 Daniel Kahn Gillmor wrote: > On 06/17/2010 12:45 PM, Joke de Buhr wrote: > > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You > > can't sue anyone if GnuPG does not do what it's supposed to do. > > If your goal is to be able to sue someone over proprietary software, i > strongly advise you to read the relevant EULA first: > > http://www.pgp.com/products/eula.html > > section 9 in particular is illuminating about the scope and duration of > whatever minimal warranty you get from having purchased a license. As far as I remember the software needs to do mostly what it's supposed to do. It should do at least some kind of encryption and start without segfaulting And advertised features need to be included and working. In Germany some court ruled what certain parts of EULAs do not even apply. And if you're legal region is the USA there might be a possibility you can sue PGP if the color of their icons is to bright and you get blinded. Nevertheless legal departments of companies like to work with over companies just to pretend there is someone who can be sued. And project managers like know what support hotline to phone if something went wrong. > > If you need commercial support and liability stick to PGP and pay for it. > > If you need commercial support, there is no reason to avoid free > software. Several companies offer commercial support for GnuPG: > > http://www.gnupg.org/service.en.html > > Please don't spread the false idea that only proprietary software is > available with commercial support. > > Regards, > > --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: </pipermail/attachments/20100617/5e5cebf2/attachment-0001.pgp> ------------------------------ Message: 4 Date: Thu, 17 Jun 2010 19:27:47 +0100 From: MFPA <expires2010 at ymail.com> Subject: Re: Importing public key in OpenGPG - error. MAC OS X To: "Asger Larsen on GnuPG-Users" <gnupg-users at gnupg.org> Message-ID: <1983679122.20100617192747 at my_localhost> Content-Type: text/plain; charset=iso-8859-15 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 17 June 2010 at 2:23:37 PM, in <mid:C83FEE79.2F1E%asger at e-advice.dk>, Asger Larsen wrote: > Hello! Some keys I cannot import, others OK. See > attachments I see no attachments. As far as I remember, this list removes attachments. > Both sending computer and receiving > computer use: gpgme: 0.3.14 Thunderbird mail client > 3.0.4 (enigmail 1.0.1 Add-on) Mac OS X Snowleopard > 10.6.4 > Typically Public keys which are exported as file are > OK. If you just rightclick the key and choose: "send as > e-mail": not possible to import. > Hope for help! Asger When you say "not possible to import," do you mean you see some sort of error message? Providing the details would make it easier for people to help you. (I do not use any of the software you listed above.) - -- Best regards MFPA mailto:expires2010 at ymail.com An idealist is a person who helps other people to be prosperous -----BEGIN PGP SIGNATURE----- iQCVAwUBTBppLaipC46tDG5pAQoxOgQAvCraeBMmaIeHBVa532pthIe8VlwP1/xY hM1GF/aZF8wblUnGWx6XReqzvEJNgyceOHyHR52FYfnpliDtS2yMduQypO7b72go V1JnLG21mN7XYRnajYyghSnjRXzN0EmBBczxZdCtY5/w1N1OOEqo9t4qMKB7xIPM pLyTAB0uyrM= =PIeW -----END PGP SIGNATURE----- ------------------------------ Message: 5 Date: Thu, 17 Jun 2010 20:23:40 +0100 From: MFPA <expires2010 at ymail.com> Subject: Re: auto refresh-keys To: "Hauke Laging on GnuPG-Users" <gnupg-users at gnupg.org> Message-ID: <744785252.20100617202340 at my_localhost> Content-Type: text/plain; charset=iso-8859-15 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 16 June 2010 at 8:26:11 PM, in <mid:201006162126.17550.mailinglisten at hauke-laging.de>, Hauke Laging wrote: > Am Mittwoch 16 Juni 2010 19:10:17 schrieb Daniel Kahn > Gillmor: >> Do you have other suggestions? We should consider >> bringing a prioritized form of these to the sks-devel >> list. > A different approach might save even more bandwidth: > Most keys do now change often. It is useless to > download a key that has not changed. A key may be sitting on a non-synchronising server that has not been modified at all recently but contains certifications not on my local copy. The key has not changed but contains information not in my copy. Downloading it is not useless. > Thus the client could send a list of all keys it wants > to check and the server could respond with a list of > fingerprints and modification timestamps. In the case of a key flagged with a preferred keyserver-URL, the "keyserver-url" may just point to a key file. Does the client just receive the file, or can it see the last modification date and terminate the connection without downloading the file? > If the server wants to do its job (without TLS) > especially well then it signs this list and solves a > today unsolved problem by that. Please expand. > This way you could even > check whether a key update of yourself has reached a > (non-TLS) key server. Why/does the keyserver signing its list make a difference to that? > It would have to be decided whether this key server > time stamp refers to the newest time stamp of a > signature in the respective key This would be a security problem in the event that somebody uploads to the servers a revocation certificate they had prepared in advance; this revocation would be overlooked if the latest modification date of the key were taken to be newest time stamp of a signature. > (then the time stamp > would be the same from all key servers and the client > could check the local key to find out whether it has > the current key) Assuming all the servers the user ever checks against are synchronised. Also assuming the certification to be uploaded most recently to the servers always equates the one containing the latest time-stamp. > or to the timestamp of the last update > on the key server (which would require the client to > store the timestamp of the last key download for every > key server). If the client could reliably tell from the server's response that it synchronised with a particular group-ID of keyservers, the client would need only the timestamp for the last time that key was downloaded from a member of that group. Probably easier to store the info per synchronising group-ID than per individual keyserver, but still a major undertaking if you are storing it for all the keys on a large keyring. (Maybe the file of which servers synchronise with which others should be a local file rather than relying on what the servers tell you.) - -- Best regards MFPA mailto:expires2010 at ymail.com Oven mitt: A partially charred grease stain that fits over the hand. -----BEGIN PGP SIGNATURE----- iQCVAwUBTBp2RKipC46tDG5pAQoq0AP/VkqhnPRzaPc8pzTCCSLFOnBi4PUGhuJf sPZqTeyUzXAhhkmjx7kpqdU0wuIV7dXAGiJmyQIJfx8lK7Slgg0G7ZlDBVrboCOe cBm/xnwOsKW2Tk6duZ5ojvzuQaUQ3g7SbarJVmhwGc0lJc5UeBxDdB63et+M9gBx iYsnoKD6swk= =/MYK -----END PGP SIGNATURE----- ------------------------------ Message: 6 Date: Thu, 17 Jun 2010 13:07:49 -0600 From: <mlb at imparisystems.com> Subject: Re: Can we use GNUPG with PGP for commercial use To: Joke de Buhr <joke at seiken.de> Cc: GnuPG Users <gnupg-users at gnupg.org> Message-ID: <0ab2ae1c340bb73fdbcebef806bbd4d2 at imparisystems.com> Content-Type: text/plain; charset=UTF-8 On Thu, 17 Jun 2010 19:51:38 +0200, Joke de Buhr <joke at seiken.de> wrote: > On Thursday 17 June 2010 19:00:21 Daniel Kahn Gillmor wrote: >> On 06/17/2010 12:45 PM, Joke de Buhr wrote: >> > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You >> > can't sue anyone if GnuPG does not do what it's supposed to do. >> >> If your goal is to be able to sue someone over proprietary software, i >> strongly advise you to read the relevant EULA first: >> >> http://www.pgp.com/products/eula.html >> >> section 9 in particular is illuminating about the scope and duration of >> whatever minimal warranty you get from having purchased a license. > > As far as I remember the software needs to do mostly what it's supposed to > do. > It should do at least some kind of encryption and start without > segfaulting. > And advertised features need to be included and working. > > In Germany some court ruled what certain parts of EULAs do not even apply. > And if you're legal region is the USA there might be a possibility you can > sue > PGP if the color of their icons is to bright and you get blinded. > > Nevertheless legal departments of companies like to work with over > companies > just to pretend there is someone who can be sued. And project managers > like > know what support hotline to phone if something went wrong. > I've bought software at companies like MCI, IBM and a couple of others. They just care if there's a contract and the contract is legal - meaning "I'm paying for software "X" and you're going to deliver it this way" or "You're going to come and install this software and it's going to work as you advertised or you will refund our money". I'm working for more and more companies that are getting open source software - not just OS's, but things like KnowledgeTree, Alfresco and Pentaho. I work and live in the United States and I'm not going to even guess about any other country and their laws. Certainly, if you work for someone who doesn't like open source - you'll get every kind of excuse from Monday and their arguments are all about as reasonable as a schizophrenic homeless person could offer up. Basically, companies are all about making money and at some point somebody will realize that they can get Pentaho BI or Talend up and running for about 1/10th the price of some Oracle solution and they'll take the risk for the cash. My humble opinion.... >> > If you need commercial support and liability stick to PGP and pay for >> > it. >> >> If you need commercial support, there is no reason to avoid free >> software. Several companies offer commercial support for GnuPG: >> >> http://www.gnupg.org/service.en.html >> >> Please don't spread the false idea that only proprietary software is >> available with commercial support. >> >> Regards, >> >> --dkg ------------------------------ Message: 7 Date: Thu, 17 Jun 2010 22:14:55 +0200 From: Hauke Laging <mailinglisten at hauke-laging.de> Subject: Re: auto refresh-keys To: gnupg-users at gnupg.org Message-ID: <201006172215.01214.mailinglisten at hauke-laging.de> Content-Type: text/plain; charset="iso-8859-15" Am Donnerstag 17 Juni 2010 21:23:40 schrieb MFPA: > > A different approach might save even more bandwidth: > > Most keys do now change often. It is useless to > > download a key that has not changed. > > A key may be sitting on a non-synchronising server that has not been > modified at all recently but contains certifications not on my local > copy. The key has not changed but contains information not in my copy. > Downloading it is not useless. My aim was not to prevent the first unnecessary download but the others. Download it once from every keyserver and store the timestamp for every server. Something I forgot: The keyserver should not update the timestamp for a key just because of a new upload. The timestamp should be modified only if the key is modified somehow. > In the case of a key flagged with a preferred keyserver-URL, the > "keyserver-url" may just point to a key file. Does the client just > receive the file, or can it see the last modification date and > terminate the connection without downloading the file? As I was talking about a keyserver feature I just don't care about non- keyserver scenarios. In general it might be possible to create similar optimizations for other transport (application) protocols. If it's an http URL then gpg might store the etag or timestamp and use If- None-Match or If-Modified-Since in the request. But isn't this a rather exotic case? How many keys are configured that way? Are their owners to be freed from unnecessary traffic...? I would advise to care about the keyservers first. > > If the server wants to do its job (without TLS) > > especially well then it signs this list and solves a > > today unsolved problem by that. > > Please expand. If your keyservers don't support TLS (I have no idea whether the important ones use it) then you are open to a MitM attack when checking them. If the response is signed then you are not (if you are sure about the signing key :-) ). One more advantage: The signed response could be distributed among several systems of the same user or several users with similar keyrings. This would result in omitted or smaller requests (containing just those IDs not covered by the response). Several users might even combine their ID wishlist so that only one of them has to ask the keyserver. > > This way you could even > > check whether a key update of yourself has reached a > > (non-TLS) key server. > > Why/does the keyserver signing its list make a difference to that? MitM again. If you upload a changed key you cannot be sure (without TLS) whether it has arrived at the keyserver or just at one of the bad guys. > > It would have to be decided whether this key server > > time stamp refers to the newest time stamp of a > > signature in the respective key > > This would be a security problem in the event that somebody uploads to > the servers a revocation certificate they had prepared in advance; > this revocation would be overlooked if the latest modification date of > the key were taken to be newest time stamp of a signature. Right. So the keyserver would use the timestamp of the latest change at it > If the client could reliably tell from the server's response that it > synchronised with a particular group-ID of keyservers, the client > would need only the timestamp for the last time that key was > downloaded from a member of that group. Probably easier to store the > info per synchronising group-ID than per individual keyserver, but > still a major undertaking if you are storing it for all the keys on a > large keyring. Look at it the other way round: The more keys there are in the keyring the more bandwith is saved. I am convinced that users with large keyrings have enough local storage for that... Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: </pipermail/attachments/20100617/f89121f8/attachment.pgp> ------------------------------ _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users End of Gnupg-users Digest, Vol 81, Issue 22 ******************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: From mwood at IUPUI.Edu Mon Jun 21 14:47:13 2010 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Mon, 21 Jun 2010 08:47:13 -0400 Subject: AUTO: Richard Hamilton is out of the office (returning 06/24/2010) In-Reply-To: <4C1B7528.8030607@st.com> References: <20100618062758.17e44e5b@scorpio> <4C1B6618.3000305@verizon.net> <4C1B68D7.7050408@st.com> <4C1B71C2.1060407@verizon.net> <4C1B7528.8030607@st.com> Message-ID: <20100621124713.GA24791@IUPUI.Edu> RFC2919, anyone? This list uses the List-* headers. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From rjh at sixdemonbag.org Mon Jun 21 16:48:34 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 21 Jun 2010 10:48:34 -0400 Subject: Multiple signatures In-Reply-To: <20100618193941.92EF6B8079@smtp.hushmail.com> References: <20100618193941.92EF6B8079@smtp.hushmail.com> Message-ID: <4C1F7BC2.8020705@sixdemonbag.org> On 6/18/10 3:39 PM, vedaal at nym.hush.com wrote: >> gpg --armor -u signer -u signer2 -u signer3 --clearsign filename > > no. > > 6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple > signatures of the same text when *clearsigned*. Perhaps I'm in error here, but -- isn't a clearsign the command I specified? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From John at Mozilla-Enigmail.org Mon Jun 21 21:35:37 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Mon, 21 Jun 2010 14:35:37 -0500 Subject: Setting up SKS Keyserver In-Reply-To: References: Message-ID: <4C1FBF09.5080009@Mozilla-Enigmail.org> ????? ??????? wrote: > Good day! > Sorry for disturb, please. > I have been setup SKS server on Linux Debian 5.0.3 and I'd like to ask Perhaps your post would get a better answer on the SKS list, sks-devel at nongnu.org > you how can I see detailed statistic. Assuming the statistics code ran at least once, http://localhost:11371/pks/lookup?op=stats Change localhost to point to your server > I need to see all list of keys in my database and have possibility > locate the keys that already expired and will be expired at nearly future. Don't think you can without looking at each key individually. It's not stored separately > Is there any web interface for this futures? You need to setup index.html in the web directory alongside KDB and PTree See http://keyserver.gingerbear.net:11371/ for an example implementation > Thank you very much! You're welcome. -- John P. Clizbe Inet: John (a) Gingerbear DAWT net You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From hawke at hawkesnest.net Tue Jun 22 00:11:50 2010 From: hawke at hawkesnest.net (Alex Mauer) Date: Mon, 21 Jun 2010 17:11:50 -0500 Subject: local signatures: should they be importable by default in some cases? Message-ID: I see that there is currently the import-option "import-local-sigs" which obviously allows the import of key-signatures marked non-exportable. It seems to me that it would be helpful to have a variant of this, which would only allow import of local signatures where the corresponding secret key was already available, and for this behavior to be the default. Does this seem like a good idea? ?Alex Mauer ?hawke? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 554 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Tue Jun 22 00:32:13 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 21 Jun 2010 18:32:13 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: References: Message-ID: On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: > I see that there is currently the import-option "import-local-sigs" > which obviously allows the import of key-signatures marked non-exportable. > > It seems to me that it would be helpful to have a variant of this, which > would only allow import of local signatures where the corresponding > secret key was already available, and for this behavior to be the default. Not only is it reasonable, it is already the case :) David From kahnan at gmail.com Tue Jun 22 00:35:12 2010 From: kahnan at gmail.com (Kahnan Patel) Date: Mon, 21 Jun 2010 18:35:12 -0400 Subject: openpgp to sexp conversion .. Message-ID: Hi Friends, My name is Kahnan and I am looking to convert openpgp keys in to sexp including key data .. Or is there any way I can use key management with libgcrypt? Please advice Thanks, Kahnan -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Tue Jun 22 02:34:06 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 21 Jun 2010 20:34:06 -0400 Subject: openpgp to sexp conversion .. In-Reply-To: References: Message-ID: <4C2004FE.40804@sixdemonbag.org> > My name is Kahnan and I am looking to convert openpgp keys in to sexp > including key data .. Explain 'sexp', please? When I hear someone talk about sexps, I think they're talking about LISP S-expressions. I don't know if that's what you have in mind. From kahnan at gmail.com Tue Jun 22 03:38:37 2010 From: kahnan at gmail.com (Kahnan Patel) Date: Mon, 21 Jun 2010 21:38:37 -0400 Subject: openpgp to sexp conversion .. In-Reply-To: <4C2004FE.40804@sixdemonbag.org> References: <4C2004FE.40804@sixdemonbag.org> Message-ID: yes sir it is LISP S-expressions....it's a canonical formate. open pgp has it's own formate of keys and message and I want to convert this to sexp format which is supported by libgcrypt protocol .. any way apart from this if you know any auther solution for key management + cryptolib then please explore. Thanks, Kahnan On Mon, Jun 21, 2010 at 8:34 PM, Robert J. Hansen wrote: > > My name is Kahnan and I am looking to convert openpgp keys in to sexp > > including key data .. > > Explain 'sexp', please? When I hear someone talk about sexps, I think > they're talking about LISP S-expressions. I don't know if that's what > you have in mind. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Tue Jun 22 06:25:15 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 22 Jun 2010 00:25:15 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: References:

Message-ID: <4C203B2B.3020303@fifthhorseman.net> On 06/21/2010 06:32 PM, David Shaw wrote: > On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: > >> I see that there is currently the import-option "import-local-sigs" >> which obviously allows the import of key-signatures marked non-exportable. >> >> It seems to me that it would be helpful to have a variant of this, which >> would only allow import of local signatures where the corresponding >> secret key was already available, and for this behavior to be the default. > > Not only is it reasonable, it is already the case :) Why is it more reasonable to auto-import local signatures if the secret key of the issuer is available than otherwise? I'm trying to understand the use case that you guys both seem to have intuitively picked up. Some of the common use cases i've seen for non-exportable sigs definitely do *not* have people importing them from keys they control, so i'm not seeing why it's a special case. Can you help me understand? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From kgo at grant-olson.net Tue Jun 22 07:39:20 2010 From: kgo at grant-olson.net (Grant Olson) Date: Tue, 22 Jun 2010 01:39:20 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <4C203B2B.3020303@fifthhorseman.net> References:

<4C203B2B.3020303@fifthhorseman.net> Message-ID: <4C204C88.2030105@grant-olson.net> On 6/22/10 12:25 AM, Daniel Kahn Gillmor wrote: > On 06/21/2010 06:32 PM, David Shaw wrote: >> On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: >> >>> I see that there is currently the import-option "import-local-sigs" >>> which obviously allows the import of key-signatures marked non-exportable. >>> >>> It seems to me that it would be helpful to have a variant of this, which >>> would only allow import of local signatures where the corresponding >>> secret key was already available, and for this behavior to be the default. >> >> Not only is it reasonable, it is already the case :) > > Why is it more reasonable to auto-import local signatures if the secret > key of the issuer is available than otherwise? > > I'm trying to understand the use case that you guys both seem to have > intuitively picked up. Some of the common use cases i've seen for > non-exportable sigs definitely do *not* have people importing them from > keys they control, so i'm not seeing why it's a special case. > > Can you help me understand? > To me a local sig is basically saying, "I'm signing this key as a convenience, but I haven't done proper verification, so I'm not going to publicly vouch for this key." In that case, the only local sigs I can trust are the ones that I myself created. And if I have the public key that's a pretty good indication that the local signature came from me. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From dougb at dougbarton.us Tue Jun 22 08:00:22 2010 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 21 Jun 2010 23:00:22 -0700 (PDT) Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <4C203B2B.3020303@fifthhorseman.net> References:

<4C203B2B.3020303@fifthhorseman.net> Message-ID: On Tue, 22 Jun 2010, Daniel Kahn Gillmor wrote: > On 06/21/2010 06:32 PM, David Shaw wrote: >> On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: >> >>> I see that there is currently the import-option "import-local-sigs" >>> which obviously allows the import of key-signatures marked non-exportable. >>> >>> It seems to me that it would be helpful to have a variant of this, which >>> would only allow import of local signatures where the corresponding >>> secret key was already available, and for this behavior to be the default. >> >> Not only is it reasonable, it is already the case :) > > Why is it more reasonable to auto-import local signatures if the secret > key of the issuer is available than otherwise? What do you think "local" signatures are, and what do you think they mean? (And no, I'm not trying to be snarky, you're asking about "intuition," so it makes sense to address the base assumptions.) > I'm trying to understand the use case that you guys both seem to have > intuitively picked up. Some of the common use cases i've seen for > non-exportable sigs definitely do *not* have people importing them from > keys they control, so i'm not seeing why it's a special case. Can you elaborate on the usage you're describing? Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From dkg at fifthhorseman.net Tue Jun 22 08:36:26 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 22 Jun 2010 02:36:26 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: References:

<4C203B2B.3020303@fifthhorseman.net> Message-ID: <4C2059EA.9010704@fifthhorseman.net> On 06/22/2010 02:00 AM, Doug Barton wrote: > What do you think "local" signatures are, and what do you think they > mean? (And no, I'm not trying to be snarky, you're asking about > "intuition," so it makes sense to address the base assumptions.) non-exportable certifications are simply certifications which keyservers have been instructed to ignore. >> I'm trying to understand the use case that you guys both seem to have >> intuitively picked up. Some of the common use cases i've seen for >> non-exportable sigs definitely do *not* have people importing them from >> keys they control, so i'm not seeing why it's a special case. > > Can you elaborate on the usage you're describing? I'm thinking of a situation involving three people: Alice, Bob, and Charlie. Alice has met Bob in person and has verified his key. Alice does not want this information to be publicly available (e.g., she has concerns about exposing a transparent social graph via the keyservers). However, Alice knows and trusts Charlie and wants to put Bob in touch with Charlie, even though Charlie and Bob have never spoken before, and certainly have not verified each others' keys. Alice makes a non-exportable certification over Bob's key+userID, and mails it to Charlie (in an encrypted message, of course). Charlie imports the certification. Now even if Charlie does something like "gpg --send $BobsKeyID", the fact that Alice has met Bob will not be publicly exposed. Seem like a reasonable use case for non-exportable certifications? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Tue Jun 22 10:20:37 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 22 Jun 2010 10:20:37 +0200 Subject: openpgp to sexp conversion .. In-Reply-To: <4C2004FE.40804@sixdemonbag.org> (Robert J. Hansen's message of "Mon, 21 Jun 2010 20:34:06 -0400") References: <4C2004FE.40804@sixdemonbag.org> Message-ID: <874ogvsckq.fsf@vigenere.g10code.de> On Tue, 22 Jun 2010 02:34, rjh at sixdemonbag.org said: > Explain 'sexp', please? When I hear someone talk about sexps, I think > they're talking about LISP S-expressions. I don't know if that's what > you have in mind. This is likely about the S-expression format as used with spki. Libgcrypt uses them to represent public key data. See http://people.csail.mit.edu/rivest/sexp.html Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Jun 22 10:25:34 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 22 Jun 2010 10:25:34 +0200 Subject: openpgp to sexp conversion .. In-Reply-To: <4C2004FE.40804@sixdemonbag.org> (Robert J. Hansen's message of "Mon, 21 Jun 2010 20:34:06 -0400") References: <4C2004FE.40804@sixdemonbag.org> Message-ID: <87zkynqxs1.fsf@vigenere.g10code.de> On Tue, 22 Jun 2010 02:34, rjh at sixdemonbag.org said: >> My name is Kahnan and I am looking to convert openpgp keys in to sexp >> including key data .. [I have not seen Kahnan mail (maybe spam filter issue). ] The GnuPG SVN trunk has a lot of code to do the conversion. For example: gnupg/g10/pkglue.c gnupg/common/sexputil.c Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dshaw at jabberwocky.com Tue Jun 22 15:27:39 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jun 2010 09:27:39 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <4C203B2B.3020303@fifthhorseman.net> References:

<4C203B2B.3020303@fifthhorseman.net> Message-ID: On Jun 22, 2010, at 12:25 AM, Daniel Kahn Gillmor wrote: > On 06/21/2010 06:32 PM, David Shaw wrote: >> On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: >> >>> I see that there is currently the import-option "import-local-sigs" >>> which obviously allows the import of key-signatures marked non-exportable. >>> >>> It seems to me that it would be helpful to have a variant of this, which >>> would only allow import of local signatures where the corresponding >>> secret key was already available, and for this behavior to be the default. >> >> Not only is it reasonable, it is already the case :) > > Why is it more reasonable to auto-import local signatures if the secret > key of the issuer is available than otherwise? > > I'm trying to understand the use case that you guys both seem to have > intuitively picked up. Some of the common use cases i've seen for > non-exportable sigs definitely do *not* have people importing them from > keys they control, so i'm not seeing why it's a special case. The definition of a local, or non-exportable, signature is one that is not intended (for whatever reason) to be used by someone other than the issuer. Perhaps I should say the "original" definition, as with many other things, people can come up with creative uses for it that were not specifically discussed in the standard. In any event, if a signature is not intended to be used by someone other than the issuer, then it is reasonable that the issuer (or in practice, someone who possesses the issuing secret key) should be able to import the signature without it being stripped off. After all, it's a signature made by themselves for their own benefit. David From dshaw at jabberwocky.com Tue Jun 22 15:27:46 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jun 2010 09:27:46 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <4C2059EA.9010704@fifthhorseman.net> References:

<4C203B2B.3020303@fifthhorseman.net> <4C2059EA.9010704@fifthhorseman.net> Message-ID: <575FBB60-292E-4C3F-9F8F-71539C87794C@jabberwocky.com> On Jun 22, 2010, at 2:36 AM, Daniel Kahn Gillmor wrote: >> Can you elaborate on the usage you're describing? > > I'm thinking of a situation involving three people: Alice, Bob, and Charlie. > > Alice has met Bob in person and has verified his key. Alice does not > want this information to be publicly available (e.g., she has concerns > about exposing a transparent social graph via the keyservers). However, > Alice knows and trusts Charlie and wants to put Bob in touch with > Charlie, even though Charlie and Bob have never spoken before, and > certainly have not verified each others' keys. > > Alice makes a non-exportable certification over Bob's key+userID, and > mails it to Charlie (in an encrypted message, of course). Charlie > imports the certification. Now even if Charlie does something like "gpg > --send $BobsKeyID", the fact that Alice has met Bob will not be publicly > exposed. I'm not sure this is good behavior for Alice. If she is concerned about whether her linkage to Bob is publicly known, why would she risk that by giving Charlie a signature (local or otherwise)? Now she has not only to worry about keeping her linkage secret herself, but she also has to worry about Charlie keeping her linkage secret. In the above scenario, it seems more reasonable for Charlie to locally sign Bob's key himself on Alice's say-so. David From jrollins at finestructure.net Tue Jun 22 15:51:58 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Tue, 22 Jun 2010 09:51:58 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <575FBB60-292E-4C3F-9F8F-71539C87794C@jabberwocky.com> References:

<4C203B2B.3020303@fifthhorseman.net> <4C2059EA.9010704@fifthhorseman.net> <575FBB60-292E-4C3F-9F8F-71539C87794C@jabberwocky.com> Message-ID: <87eifzkwe9.fsf@servo.finestructure.net> On Tue, 22 Jun 2010 09:27:46 -0400, David Shaw wrote: > On Jun 22, 2010, at 2:36 AM, Daniel Kahn Gillmor wrote: > >> Can you elaborate on the usage you're describing? > > > > I'm thinking of a situation involving three people: Alice, Bob, and Charlie. > > > > Alice has met Bob in person and has verified his key. Alice does not > > want this information to be publicly available (e.g., she has concerns > > about exposing a transparent social graph via the keyservers). However, > > Alice knows and trusts Charlie and wants to put Bob in touch with > > Charlie, even though Charlie and Bob have never spoken before, and > > certainly have not verified each others' keys. > > > > Alice makes a non-exportable certification over Bob's key+userID, and > > mails it to Charlie (in an encrypted message, of course). Charlie > > imports the certification. Now even if Charlie does something like "gpg > > --send $BobsKeyID", the fact that Alice has met Bob will not be publicly > > exposed. > > I'm not sure this is good behavior for Alice. If she is concerned > about whether her linkage to Bob is publicly known, why would she risk > that by giving Charlie a signature (local or otherwise)? Now she has > not only to worry about keeping her linkage secret herself, but she > also has to worry about Charlie keeping her linkage secret. I think that is a red herring. Charlie could also make a myspace page that talks about what great friends Alice and Bob are. No one can forcibly guarantee that all their linkages are kept secret. Alice has to ultimately trust Charlie on some level that he won't maliciously make those linkages public. I think the situation Daniel points out is one of the better usages for local signatures, and probably the main reason for having them in the first place. > In the above scenario, it seems more reasonable for Charlie to locally > sign Bob's key himself on Alice's say-so. But that creates a different trust path than the one Daniel describes. Just as with exportable signatures, Alice's certification of Bob is different in Charlie's eyes that Charlie's own certification. Charlie wouldn't (or shouldn't) make an exportable signature of someone whose identity he hasn't verified, so why should he make even a local one? According to your logic, everyone should just sign the keys of everyone they wish to have trust paths too, whether they've actually met them or not, just based on the fact that others they know have signed their keys, rather than relying on the calculated validity through known trust paths. The point of the scenario that Daniel is pointing out is that Alice and Charlie can use OpenPGP to *cryptographically* verify Bob's identity, without Charlie having to make certifications he otherwise wouldn't make. jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From jrollins at finestructure.net Tue Jun 22 16:13:39 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Tue, 22 Jun 2010 10:13:39 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <87eifzkwe9.fsf@servo.finestructure.net> References:

<4C203B2B.3020303@fifthhorseman.net> <4C2059EA.9010704@fifthhorseman.net> <575FBB60-292E-4C3F-9F8F-71539C87794C@jabberwocky.com> <87eifzkwe9.fsf@servo.finestructure.net> Message-ID: <871vbzkve4.fsf@servo.finestructure.net> On Tue, 22 Jun 2010 09:51:58 -0400, Jameson Rollins wrote: > I think the situation Daniel points out is one of the better usages for > local signatures, and probably the main reason for having them in the > first place. Actually, looking at the RFC 4880 now, I see that the original definition definitely was that local signatures were intended to *only* be used by the issuer. From section 5.2.3.11 [0]: Non-exportable, or "local", certifications are signatures made by a user to mark a key as valid within that user's implementation only. Thus, when an implementation prepares a user's copy of a key for transport to another user (this is the process of "exporting" the key), any local certification signatures are deleted from the key. The receiver of a transported key "imports" it, and likewise trims any local certifications. jamie. [0] http://tools.ietf.org/html/rfc4880#section-5.2.3.11 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From dshaw at jabberwocky.com Tue Jun 22 19:29:32 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jun 2010 13:29:32 -0400 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <87eifzkwe9.fsf@servo.finestructure.net> References:

<4C203B2B.3020303@fifthhorseman.net> <4C2059EA.9010704@fifthhorseman.net> <575FBB60-292E-4C3F-9F8F-71539C87794C@jabberwocky.com> <87eifzkwe9.fsf@servo.finestructure.net> Message-ID: <802BF4C1-50AA-4C96-94C4-7F9FB74055DE@jabberwocky.com> On Jun 22, 2010, at 9:51 AM, Jameson Rollins wrote: > On Tue, 22 Jun 2010 09:27:46 -0400, David Shaw wrote: >> On Jun 22, 2010, at 2:36 AM, Daniel Kahn Gillmor wrote: >>>> Can you elaborate on the usage you're describing? >>> >>> I'm thinking of a situation involving three people: Alice, Bob, and Charlie. >>> >>> Alice has met Bob in person and has verified his key. Alice does not >>> want this information to be publicly available (e.g., she has concerns >>> about exposing a transparent social graph via the keyservers). However, >>> Alice knows and trusts Charlie and wants to put Bob in touch with >>> Charlie, even though Charlie and Bob have never spoken before, and >>> certainly have not verified each others' keys. >>> >>> Alice makes a non-exportable certification over Bob's key+userID, and >>> mails it to Charlie (in an encrypted message, of course). Charlie >>> imports the certification. Now even if Charlie does something like "gpg >>> --send $BobsKeyID", the fact that Alice has met Bob will not be publicly >>> exposed. >> >> I'm not sure this is good behavior for Alice. If she is concerned >> about whether her linkage to Bob is publicly known, why would she risk >> that by giving Charlie a signature (local or otherwise)? Now she has >> not only to worry about keeping her linkage secret herself, but she >> also has to worry about Charlie keeping her linkage secret. > > I think that is a red herring. Charlie could also make a myspace page > that talks about what great friends Alice and Bob are. No one can > forcibly guarantee that all their linkages are kept secret. Alice has > to ultimately trust Charlie on some level that he won't maliciously make > those linkages public. The issue is not whether Charlie will maliciously expose Alice, but that information about Alice is under the control of someone other than Alice. For example, say Charlie is hacked - the information given by Alice can be leaked without Charlie's consent. Worse, since the information we're talking about here is in the form of a signature that could only have been issued by Alice (or at least someone with access to Alice's key), you get into non-repudiation issues. Alice can deny a myspace page ("I have no idea what this guy Charlie is going on about - I've never met that Bob person"). Denying a signature is harder. >> In the above scenario, it seems more reasonable for Charlie to locally >> sign Bob's key himself on Alice's say-so. > > But that creates a different trust path than the one Daniel describes. > Just as with exportable signatures, Alice's certification of Bob is > different in Charlie's eyes that Charlie's own certification. Charlie > wouldn't (or shouldn't) make an exportable signature of someone whose > identity he hasn't verified, so why should he make even a local one? That's one of the main uses for local signatures - the "I believe this key is valid for me, but I'm not willing to say so in public for everyone" case. That might be because of privacy, or it might be because Charlie is satisfied that the key is valid, but doesn't have enough proof to be willing to have other people rely on that. This case is actually quite common. For example - I've been working with Werner on GnuPG stuff for almost 10 years now. I'm pretty sure his key is his by now ;) Would I sign his key? No, I wouldn't - because I can't perform the appropriate checks. Would I sign it locally? Sure. Signing locally only makes a commitment to myself. Everyone is free to make local signatures to whoever they like, on whatever criteria they like. That's what's so wonderful about local signatures - they don't hurt anyone but the signer, so if you believe that the key is valid, lsign away. In the case of Charlie using Alice's local signature, that's a strange use - a signature that was made with the express setting that it shouldn't be public, made into something public. You can often stretch and bend a standard into doing these sorts of things, but it usually hurts. Note, for example, that not all OpenPGP programs will even let you do this, so it immediately fails as soon as someone isn't using GnuPG. David From mailinglisten at hauke-laging.de Tue Jun 22 20:03:30 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 22 Jun 2010 20:03:30 +0200 Subject: local signatures: should they be importable by default in some cases? In-Reply-To: <802BF4C1-50AA-4C96-94C4-7F9FB74055DE@jabberwocky.com> References: <87eifzkwe9.fsf@servo.finestructure.net> <802BF4C1-50AA-4C96-94C4-7F9FB74055DE@jabberwocky.com> Message-ID: <201006222003.30681.mailinglisten@hauke-laging.de> Am Dienstag 22 Juni 2010 19:29:32 schrieb David Shaw: > That's one of the main uses for local signatures - the "I believe this key > is valid for me, but I'm not willing to say so in public for everyone" > case. That might be because of privacy, or it might be because Charlie is > satisfied that the key is valid, but doesn't have enough proof to be > willing to have other people rely on that. This case is actually quite > common. [...] Thanks for the explanation; this wasn't clear to me (too) before. Doesn't it make sense to put this (or a hint where to find such an explanation) into the man page? :-) Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From kahnan at gmail.com Tue Jun 22 19:27:29 2010 From: kahnan at gmail.com (Kahnan Patel) Date: Tue, 22 Jun 2010 13:27:29 -0400 Subject: GPG-ME issue .. Message-ID: Hi every one, Do any one know about this problam: GPG-ME crash after 246 data decryption, There is no problem in encryption. the error is : no data I am feeling that there is some memory issue which gpgme could not handle. Thanks, Kahnan -------------- next part -------------- An HTML attachment was scrubbed... URL: From danm at prime.gushi.org Wed Jun 23 04:09:37 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Tue, 22 Jun 2010 22:09:37 -0400 (EDT) Subject: IDEA Status? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey there, The FAQ for IDEA states that "The official GnuPG distribution does not contain IDEA due to a patent restriction. The patent does not expire before 2007 so don't expect official support before then." (http://gnupg.org/documentation/faqs.en.html#q3.3) Is this very old and it's now supported? Or is it still not in for some other reason (either oversight, legal, or other). - -Dan - -- - --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org - --------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkwhbOIACgkQ+75aMGJLskl+HwCgxUxctq090JveZu+QZmRi+Ziy GeUAoMiqGgZZp+Rs+5eQfXomssnaqf0k =GTdI -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Jun 23 04:20:16 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 22 Jun 2010 22:20:16 -0400 Subject: IDEA Status? In-Reply-To: References: Message-ID: <4C216F60.1000606@sixdemonbag.org> On 6/22/10 10:09 PM, Dan Mahoney, System Admin wrote: > Is this very old and it's now supported? Or is it still not in for some > other reason (either oversight, legal, or other). By modern standards, IDEA is not considered a promising cipher. There are some very good theoretical attacks against it. Between the varying patent expiration dates (2011 or so in some countries, IIRC) and the thin safety margin, the GnuPG community has generally decided IDEA is not a priority for inclusion. From danm at prime.gushi.org Wed Jun 23 04:30:25 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Tue, 22 Jun 2010 22:30:25 -0400 (EDT) Subject: IDEA Status? In-Reply-To: <4C216F60.1000606@sixdemonbag.org> References: <4C216F60.1000606@sixdemonbag.org> Message-ID: On Tue, 22 Jun 2010, Robert J. Hansen wrote: > On 6/22/10 10:09 PM, Dan Mahoney, System Admin wrote: >> Is this very old and it's now supported? Or is it still not in for some >> other reason (either oversight, legal, or other). > > By modern standards, IDEA is not considered a promising cipher. There > are some very good theoretical attacks against it. Between the varying > patent expiration dates (2011 or so in some countries, IIRC) and the > thin safety margin, the GnuPG community has generally decided IDEA is > not a priority for inclusion. Could the FAQ be updated then, assuming you speak with some authority? -Dan -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From dshaw at jabberwocky.com Wed Jun 23 04:39:57 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jun 2010 22:39:57 -0400 Subject: IDEA Status? In-Reply-To: References: Message-ID: <36216816-A554-48AE-A1A8-242566955F53@jabberwocky.com> On Jun 22, 2010, at 10:09 PM, Dan Mahoney, System Admin wrote: > The FAQ for IDEA states that "The official GnuPG distribution does not contain IDEA due to a patent restriction. The patent does not expire before 2007 so don't expect official support before then." > > (http://gnupg.org/documentation/faqs.en.html#q3.3) > > Is this very old and it's now supported? Or is it still not in for some other reason (either oversight, legal, or other). I'm not sure about the 2007 patent expiration - I recall it being right around now, actually (2010-2011). In any event, it's mostly not supported. IDEA in OpenPGP is a funny thing - it sort of missed its useful window because of the patent stuff. PGP 2.x used it, but when things went to OpenPGP, 3DES was used instead, and IDEA was downgraded to a SHOULD implement in the first OpenPGP spec, and then downgraded further to a MAY implement in the revised spec. Time moved on, and better ciphers became available, so these days even though the patent is expiring, there isn't really a use for IDEA outside of interoperating with users of PGP 2.x. I'd be surprised to see much PGP 2.x usage these days. OpenPGP even explicitly rejects making new PGP 2.x-style keys. David From danm at prime.gushi.org Wed Jun 23 05:02:49 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Tue, 22 Jun 2010 23:02:49 -0400 (EDT) Subject: Using the "clean" function (and the "PGP Global Directory") Message-ID: It seems there's two interesting problems which inter-relate. The first is PGP corporation's "global directory", which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. Finally, it will sign your non-photo-uids. With a very short signature time, and pollute them so they look like this: uid Dan Mahoney sig 3 E919EC51 2008-11-22 Dan Mahoney sig 3 E8048D08 2009-10-15 Peter Losher sig 68D482E2 2009-08-31 Guy Sisalli sig CF9890F8 2009-07-01 Mark Andrews sig 08F13AD2 2009-10-14 Evan Hunt sig 3 294EC062 2009-06-30 Paul Vlaar sig 2DC6FF82 2009-10-14 Rob Austein sig 8FA50232 2010-06-13 Emma Smith sig X CA57AD7C 2009-12-16 PGP Global Directory Verification Key sig X CA57AD7C 2009-12-29 PGP Global Directory Verification Key sig X CA57AD7C 2010-01-12 PGP Global Directory Verification Key sig X CA57AD7C 2010-01-25 PGP Global Directory Verification Key sig X CA57AD7C 2010-02-07 PGP Global Directory Verification Key sig X CA57AD7C 2010-02-20 PGP Global Directory Verification Key sig B38DB1BE 2010-06-13 Francisco Obispo (ISC) uid Dan Mahoney Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS. From the same ENTITY. So, to correct this, gpg has the "clean" function, except that it seems to be broken. I can then re-upload my key. "clean" kills off any local signature and uid that is expired, but it also removes keys I have no trust value for. This might make sense on someone ELSE'S key in my homedir. But I want EVERY nonexpired signature to stay on my public key, even if I don't have an explicit trust value for the person. A workaround is to assign some trust value to every other person who's signed my key, then run --clean, but this seems broken. So, all that said, two questions. 1) Is there some option I'm missing that will just remove expired signatures, and not other things? Assume I'm still interested in the social networking aspect of who-knows-who and who-trusts-who, but not interested in this automated "I figured out a web url three years ago" noise. 2) If I find the magic way to do #1, and upload it to a keyserver, will they accept it, or will they just re-merge the expired sigs in? (For most common keyservers). -Dan -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From rjh at sixdemonbag.org Wed Jun 23 05:21:34 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 22 Jun 2010 23:21:34 -0400 Subject: IDEA Status? In-Reply-To: References: <4C216F60.1000606@sixdemonbag.org> Message-ID: <4C217DBE.5070002@sixdemonbag.org> On 6/22/10 10:30 PM, Dan Mahoney, System Admin wrote: > Could the FAQ be updated then, assuming you speak with some authority? I am correct, but I am not authoritative. I'm not one of the GnuPG developers, so I have no authority to make declarations on behalf of GnuPG. From dshaw at jabberwocky.com Wed Jun 23 05:25:32 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 22 Jun 2010 23:25:32 -0400 Subject: Using the "clean" function (and the "PGP Global Directory") In-Reply-To: References: Message-ID: <46514534-9D08-4A9B-BED7-C91EDAFF327F@jabberwocky.com> On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: > It seems there's two interesting problems which inter-relate. > > The first is PGP corporation's "global directory", which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. Not exactly. The GD speaks LDAP, so you can set your keyserver to ldap://keyserver.pgp.com and you can query and submit, etc. > It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. The SKS servers (i.e. pretty much everything that isn't the GD) do support photo IDs, but they do not use the web interface to show you the photo. > Finally, it will sign your non-photo-uids. With a very short signature time, and pollute them so they look like this: > > uid Dan Mahoney > sig 3 E919EC51 2008-11-22 Dan Mahoney > sig 3 E8048D08 2009-10-15 Peter Losher > sig 68D482E2 2009-08-31 Guy Sisalli > sig CF9890F8 2009-07-01 Mark Andrews > sig 08F13AD2 2009-10-14 Evan Hunt > sig 3 294EC062 2009-06-30 Paul Vlaar > sig 2DC6FF82 2009-10-14 Rob Austein > sig 8FA50232 2010-06-13 Emma Smith > sig X CA57AD7C 2009-12-16 PGP Global Directory Verification Key > sig X CA57AD7C 2009-12-29 PGP Global Directory Verification Key > sig X CA57AD7C 2010-01-12 PGP Global Directory Verification Key > sig X CA57AD7C 2010-01-25 PGP Global Directory Verification Key > sig X CA57AD7C 2010-02-07 PGP Global Directory Verification Key > sig X CA57AD7C 2010-02-20 PGP Global Directory Verification Key > sig B38DB1BE 2010-06-13 Francisco Obispo (ISC) > uid Dan Mahoney > > Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS. From the same ENTITY. > > So, to correct this, gpg has the "clean" function, except that it seems to be broken. I can then re-upload my key. > > "clean" kills off any local signature and uid that is expired, but it also removes keys I have no trust value for. This might make sense on someone ELSE'S key in my homedir. But I want EVERY nonexpired signature to stay on my public key, even if I don't have an explicit trust value for the person. Are you sure about that? "clean" strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. > A workaround is to assign some trust value to every other person who's signed my key, then run --clean, but this seems broken. > > So, all that said, two questions. > > 1) Is there some option I'm missing that will just remove expired signatures, and not other things? Assume I'm still interested in the social networking aspect of who-knows-who and who-trusts-who, but not interested in this automated "I figured out a web url three years ago" noise. Hard to answer since you seem to be reporting behavior (signatures from keys that have no trust value being stripped off) that is not in accordance with what I'm seeing. What version of GPG are you seeing it on? Can you demonstrate the problem? > 2) If I find the magic way to do #1, and upload it to a keyserver, will they accept it, or will they just re-merge the expired sigs in? (For most common keyservers). SKS servers will re-merge. The GD won't re-merge, but will take the new key whole. David From rjh at sixdemonbag.org Wed Jun 23 05:25:54 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 22 Jun 2010 23:25:54 -0400 Subject: IDEA Status? In-Reply-To: <36216816-A554-48AE-A1A8-242566955F53@jabberwocky.com> References: <36216816-A554-48AE-A1A8-242566955F53@jabberwocky.com> Message-ID: <4C217EC2.4070004@sixdemonbag.org> On 6/22/10 10:39 PM, David Shaw wrote: > I'm not sure about the 2007 patent expiration - I recall it being > right around now, actually (2010-2011). A little digging around revealed the United States patent expiration: January 7, 2012. I am not a patent attorney, I don't pretend to be an authoritative source on patent law. All we can say definitively is the original patent expires January 7, 2012: subsequent patents may have extended this date. From danm at prime.gushi.org Wed Jun 23 05:44:10 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Tue, 22 Jun 2010 23:44:10 -0400 (EDT) Subject: Using the "clean" function (and the "PGP Global Directory") In-Reply-To: <46514534-9D08-4A9B-BED7-C91EDAFF327F@jabberwocky.com> References: <46514534-9D08-4A9B-BED7-C91EDAFF327F@jabberwocky.com> Message-ID: On Tue, 22 Jun 2010, David Shaw wrote: > On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: > >> It seems there's two interesting problems which inter-relate. >> >> The first is PGP corporation's "global directory", which seems to >> operate orthogonally from every other keyserver I've seen. It's >> HTTP-only, not queryable by any of the open-source clients (in fact, it >> doesn't support wildcard searches at all, and returns a captcha before >> delivering results), and not SUBMITTABLE to from any of the open source >> clients. > > Not exactly. The GD speaks LDAP, so you can set your keyserver to > ldap://keyserver.pgp.com and you can query and submit, etc. Interesting, I didn't see mention of that. I must try this (assuming I've built with LDAP support, that is, which under BSD is a bit obtuse). > >> It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. > > The SKS servers (i.e. pretty much everything that isn't the GD) do > support photo IDs, but they do not use the web interface to show you the > photo. That was what I meant to imply, perhaps I was unclear. > Are you sure about that? "clean" strips off useless signatures (useless > being defined as an invalid signature, a superseded signature, a revoked > signature, and a signature from a key that isn't present on the > keyring). Signatures from keys that are present, but have no trust > value are not stripped off. Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. -Dan -- "GO HOME AND COOK!!!" Donielle Cocossa, Taco Bell, 2:30 AM --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From danm at prime.gushi.org Wed Jun 23 06:03:02 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Wed, 23 Jun 2010 00:03:02 -0400 (EDT) Subject: Using the "clean" function (and the "PGP Global Directory") In-Reply-To: References: <46514534-9D08-4A9B-BED7-C91EDAFF327F@jabberwocky.com> Message-ID: On Tue, 22 Jun 2010, Dan Mahoney, System Admin wrote: > On Tue, 22 Jun 2010, David Shaw wrote: > >> On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: >> >>> It seems there's two interesting problems which inter-relate. >>> >>> The first is PGP corporation's "global directory", which seems to operate >>> orthogonally from every other keyserver I've seen. It's HTTP-only, not >>> queryable by any of the open-source clients (in fact, it doesn't support >>> wildcard searches at all, and returns a captcha before delivering >>> results), and not SUBMITTABLE to from any of the open source clients. >> >> Not exactly. The GD speaks LDAP, so you can set your keyserver to >> ldap://keyserver.pgp.com and you can query and submit, etc. > > Interesting, I didn't see mention of that. I must try this (assuming I've > built with LDAP support, that is, which under BSD is a bit obtuse). > >> >>> It's also the ONLY keyserver I've seen that supports photo IDs, and >>> actually uses the web interface to show you the person. >> >> The SKS servers (i.e. pretty much everything that isn't the GD) do support >> photo IDs, but they do not use the web interface to show you the photo. > > That was what I meant to imply, perhaps I was unclear. > >> Are you sure about that? "clean" strips off useless signatures (useless >> being defined as an invalid signature, a superseded signature, a revoked >> signature, and a signature from a key that isn't present on the keyring). >> Signatures from keys that are present, but have no trust value are not >> stripped off. > > Let me double check. I saw it earlier today when transferring my work sig to > my personal one. But it might just have been that my coworkers did not have > sigs present. It's entirely possible I mangled the windows. Yup, that's what happened. I had imported my work key to my personal machine, but didn't have the keys of all my coworkers on my personal box, so "clean" decided to be helpful. I pulled it off the keyserver again, and then pulled down the keys of all my coworkers, and was good. On a related subject, is there a way to say "pull down the keys of all keyids who have signed key X"? -Dan -- "Long live little fat girls!" -Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas) --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From dshaw at jabberwocky.com Wed Jun 23 06:35:19 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 23 Jun 2010 00:35:19 -0400 Subject: IDEA Status? In-Reply-To: <4C217EC2.4070004@sixdemonbag.org> References: <36216816-A554-48AE-A1A8-242566955F53@jabberwocky.com> <4C217EC2.4070004@sixdemonbag.org> Message-ID: <5154913F-EA7E-44ED-A67B-20C5E299870A@jabberwocky.com> On Jun 22, 2010, at 11:25 PM, Robert J. Hansen wrote: > On 6/22/10 10:39 PM, David Shaw wrote: >> I'm not sure about the 2007 patent expiration - I recall it being >> right around now, actually (2010-2011). > > A little digging around revealed the United States patent expiration: > January 7, 2012. > > I am not a patent attorney, I don't pretend to be an authoritative > source on patent law. All we can say definitively is the original > patent expires January 7, 2012: subsequent patents may have extended > this date. So it's still patented, starting to show cracks, and only really used for compatibility with a very deprecated key type and codebase. It's not even clear where you could get a license if you really had to use IDEA. The mediacrypt.com site where you can get a license was offline for a long time. It's back online now (and goes to the Nagra/Kudelski page, which may be amusing to those who used Nagra reel-to-reel tape recorders at one point - odd what companies expand into), but I still see nothing about IDEA licensing. David From dshaw at jabberwocky.com Wed Jun 23 06:44:30 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 23 Jun 2010 00:44:30 -0400 Subject: Using the "clean" function (and the "PGP Global Directory") In-Reply-To: References: <46514534-9D08-4A9B-BED7-C91EDAFF327F@jabberwocky.com> Message-ID: <32C34336-38F5-40FB-9926-5D34D64F2365@jabberwocky.com> On Jun 23, 2010, at 12:03 AM, Dan Mahoney, System Admin wrote: >>> Are you sure about that? "clean" strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. >> >> Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. > > Yup, that's what happened. I had imported my work key to my personal machine, but didn't have the keys of all my coworkers on my personal box, so "clean" decided to be helpful. > > I pulled it off the keyserver again, and then pulled down the keys of all my coworkers, and was good. Ah, good. I'm glad. > On a related subject, is there a way to say "pull down the keys of all keyids who have signed key X"? Not directly, but you can do something like this: gpg --recv-keys `gpg --with-colons --fixed-list-mode --list-sigs $THE_KEY | egrep '^sig:' | cut -f5 -d: | sort -u` David From danm at prime.gushi.org Wed Jun 23 10:17:19 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Wed, 23 Jun 2010 04:17:19 -0400 (EDT) Subject: Searching multiple keyservers Message-ID: Hey all, Is there an easy syntax to chain multiple keyservers for searching? In theory it shouldn't be necessary, but there are distinct keyserver networks out there that don't share, as well as "private" hkp keyservers which might need to be searched first. -Dan -- "SOY BOMB!" -The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance. --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From laurent.jumet at skynet.be Wed Jun 23 10:27:01 2010 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Wed, 23 Jun 2010 10:27:01 +0200 Subject: Searching multiple keyservers In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello Dan ! "Dan Mahoney, System Admin" wrote: > Is there an easy syntax to chain multiple keyservers for searching? In > theory it shouldn't be necessary, but there are distinct keyserver > networks out there that don't share, as well as "private" hkp keyservers > which might need to be searched first. Using GPGShell allows "Update from all keyservers". - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iHEEAREDADEFAkwhxYYqGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB RjcwNEMuYXNjAAoJEPUdbaDPr3BMllcAoOFMRlLUi+S9B1tYJAUAAEZ1naCFAJ45 euWmTIJWhzGAdIroC7KuliRK+A== =W/63 -----END PGP SIGNATURE----- From services at secureonline-chasepaymentech2.net Tue Jun 22 17:12:07 2010 From: services at secureonline-chasepaymentech2.net (Chase Paymentech) Date: Tue, 22 Jun 2010 15:12:07 -0000 Subject: Expired Password Message-ID: An HTML attachment was scrubbed... URL: From sasha.sirotkin at gmail.com Tue Jun 22 16:41:40 2010 From: sasha.sirotkin at gmail.com (Alexander (Sasha) Sirotkin) Date: Tue, 22 Jun 2010 17:41:40 +0300 Subject: decrypt corrupted file Message-ID: Hello. I have a partially corrupted pgp encrypted file. Decryption fails with the following message: gpg: fatal: zlib inflate problem: invalid block type Is it somehow possible to tell pgp to skip the problematic block and continue in order to rescue at least some information? From vhdolcourt at comcast.net Wed Jun 23 03:22:58 2010 From: vhdolcourt at comcast.net (VH Dolcourt) Date: Tue, 22 Jun 2010 18:22:58 -0700 Subject: Help for a newby - gen-key error message Message-ID: <000001cb1272$9db297d0$d917c770$@net> This is a Windows 7 question: I was able to mouse around in Google and found out how to modify the proper PATH environment variable. Therefore, at the command prompt I'm able to execute gpg without having to migrate to the directory where gpg lives. The good news is that I'm able to run "gpg --version" and get gpg to talk to me. The bad news is that I am getting an error message when I invoke gpg --gen-key at the command prompt. There error is \gpg.conf:5: invalid auto-key-locate list. I've re-installed gpg, but that did not help. Any ideas for fixing the problem? Thank you in advance. Vic -------------- next part -------------- An HTML attachment was scrubbed... URL: From kgo at grant-olson.net Wed Jun 23 15:53:04 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 23 Jun 2010 09:53:04 -0400 Subject: Help for a newby - gen-key error message In-Reply-To: <000001cb1272$9db297d0$d917c770$@net> References: <000001cb1272$9db297d0$d917c770$@net> Message-ID: <4C2211C0.6030503@grant-olson.net> On 6/22/10 9:22 PM, VH Dolcourt wrote: > This is a Windows 7 question: > > > > I was able to mouse around in Google and found out how to modify the proper > PATH environment variable. Therefore, at the command prompt I'm able to > execute gpg without having to migrate to the directory where gpg lives. The > good news is that I'm able to run "gpg --version" and get gpg to talk to me. > The bad news is that I am getting an error message when I invoke gpg > --gen-key at the command prompt. There error is directory>\gpg.conf:5: invalid auto-key-locate list. I've re-installed gpg, > but that did not help. > > > > Any ideas for fixing the problem? > What does line 5 of your gpg.conf file say? Will things work if you simply comment that line out with a # sign? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Wed Jun 23 18:59:03 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 23 Jun 2010 17:59:03 +0100 Subject: Searching multiple keyservers In-Reply-To: References: