From singh.madhusudan at gmail.com Fri Oct 1 04:41:26 2010
From: singh.madhusudan at gmail.com (Madhusudan Singh)
Date: Thu, 30 Sep 2010 21:41:26 -0500
Subject: Can't use GPG key - secret key not available
In-Reply-To: <4CA4C312.9000102@mac.com>
References: <4CA49646.1010104@mac.com> <4CA4C312.9000102@mac.com>
Message-ID:

Thanks. I will try this out. This is not for a mail user agent. This is for a duplicity backup to S3.

On Thu, Sep 30, 2010 at 12:04 PM, Charly Avital wrote:

> Madhusudan Singh wrote the following on 9/30/10 11:40 AM:
> > It did not work. I still get the same error as before.
> >
> > I somehow doubt that this suggested solution would work, but how do I
> > get the 16 last characters ? I remember seeing it when it was generated.
>
> In Terminal:
> gpg --fingerprint [your 8 characters Key ID] return.
> Select the last four 4 hexadecimal characters groups, and merge them
> into one 8 characters string.
>
>
> 1. It works for me.
> and/or
> 2. Configure your default key in the settings of the MUA you are using.
>
> Charly
>

From singh.madhusudan at gmail.com Fri Oct 1 20:35:14 2010
From: singh.madhusudan at gmail.com (Madhusudan Singh)
Date: Fri, 1 Oct 2010 13:35:14 -0500
Subject: Can't use GPG key - secret key not available
In-Reply-To: <4CA49646.1010104@mac.com>
References: <4CA49646.1010104@mac.com>
Message-ID:

Tried this. No use. I have two keys installed on this machine (different email addresses). It just can't seem to use the newer one, regardless of the default-key parameter.

Do I have to restart start-gpg-agent on Mac? If so, how do I restart without rebooting?

On Thu, Sep 30, 2010 at 8:53 AM, Charly Avital wrote:

> Noiano wrote the following on 9/30/10 3:48 AM:
> > Hi,
> > check your gpg.conf. You should have a "default-key" parameter set. I
> > have "default-key AB10E8D2".
> >
> > Hope this helps.
> >
> >
> > Noiano
>
> If the above does not help, try using the long key ID, 16 last
> characters (instead of 8) of the key's fingerprint.
>
> Charly
> MacOS 10.6.4-MacBook Intel C2Duo 2GHz-GnuPG 1.4.10-MacGPG 2.0.14
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8)
> Gecko/20100802 Thunderbird/3.1.2 - Running Enigmail version 1.1.2
> (20100629-1412)
>

From jcruff at gmail.com Sat Oct 2 05:44:08 2010
From: jcruff at gmail.com (Chris Ruff)
Date: Fri, 01 Oct 2010 23:44:08 -0400
Subject: bad file descriptor
Message-ID: <1285991048.19956.43.camel@silence.i.fourings.com>

Anyone seen this error and know what could be the problem? I've tried rebuilding gnupg (2.0.16) but no luck. It worked previously on my OpenSUSE 11.3 system w/o issue, but now when I try to sign or decrypt something I get the following errors for each operation. Still works on my Mac OS X system. Using OpenPGP SmartCard v2.0.

gpg: signing failed: Bad file descriptor
gpg: public key decryption failed: Bad file descriptor

Is it somehow related to scdaemon? I did take an strace when doing basic detach signing operation on a file:

read(9, "INQUIRE PINENTRY_LAUNCHED 28548\n", 1002) = 32
write(9, "END", 3) = 3
write(9, "\n", 1) = 1
read(9, "ERR 32779 Bad file descriptor

References: <4CA49646.1010104@mac.com>
Message-ID: <1285989514.19956.33.camel@silence.i.fourings.com>

The long key id can be viewed with the command:

gpg --list-keys --keyid-format long

--
__________________________________
Chris Ruff
email: jcruff at gmail.com
gpg key: 0xBDD5B810
gpg fgpr: 1BA1 71D7 ADA7 1E8B 1623 A43D 283B 2F81 BDD5 B810

-----Original Message-----
From: Madhusudan Singh
To: gnupg-users at gnupg.org
Subject: Re: Can't use GPG key - secret key not available
Date: Thu, 30 Sep 2010 10:40:21 -0500

It did not work. I still get the same error as before.

I somehow doubt that this suggested solution would work, but how do I get the 16 last characters ? I remember seeing it when it was generated.

On Thu, Sep 30, 2010 at 8:53 AM, Charly Avital wrote:

Noiano wrote the following on 9/30/10 3:48 AM:
> Hi,
> check your gpg.conf. You should have a "default-key" parameter set. I
> have "default-key AB10E8D2".
>
> Hope this helps.
>
>
> Noiano

If the above does not help, try using the long key ID, 16 last characters (instead of 8) of the key's fingerprint.

Charly
MacOS 10.6.4-MacBook Intel C2Duo 2GHz-GnuPG 1.4.10-MacGPG 2.0.14
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8)
Gecko/20100802 Thunderbird/3.1.2 - Running Enigmail version 1.1.2
(20100629-1412)

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From alphazo at gmail.com Sun Oct 3 23:25:26 2010
From: alphazo at gmail.com (Alphazo)
Date: Sun, 3 Oct 2010 23:25:26 +0200
Subject: gpg-agent and scdaemon confusion when card is removed
Message-ID:

Hello,

Just received a Crypto Stick from the German Privacy Foundation. It is basically a USB token that embeds an OpenPGP card and a CCID smart card reader.

My OS is Archlinux 64-bit and it has the following packages installed:
- gnupg 1.4.10-2
- gnupg2 2.0.16-2
- ccid 1.4.0-2
- pcsclite 1.6.4-2

Since it has a pretty recent version of ccid I didn't have to patch ccid nor use any custom udev rule. The Crypto Stick worked out of the box.

--> Crypto Stick inserted
# gpg --card-status
gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 00 00'
Application ID ...: D2760001240102000005000005840000
Version ..........: 2.0
.....

--> Crypto Stick removed
# gpg --card-status
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: lecteur de cartes indisponible
gpg: la carte OpenPGP n'est pas disponible: erreur générale

--> Crypto Stick inserted
# gpg --card-status
gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 00 00'
Application ID ...: D2760001240102000005000005840000
Version ..........: 2.0
.....

Then I managed to get SSH authentication working with that CryptoStick following instructions found here http://www.programmierecke.net/howto/gpg-ssh.html. That required enabling gpg-agent and configuring ssh support for it. However for some reason it breaks when Crypto Stick is removed then inserted back. I no longer have access to the card. I have to kill scdaemon in order to get access to the card again.
Here are my config files:

/etc/profile.d/gpg-agent.sh

#!/bin/sh
envfile="${HOME}/.gnupg/gpg-agent.env"
# Reuse the running agent if the PID recorded in the env file is still alive,
# otherwise start a new agent with ssh support and record its environment.
if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    eval "$(gpg-agent --enable-ssh-support --daemon --write-env-file "$envfile")"
fi

~/.gnupg/gpg-agent.conf

# Cache settings
default-cache-ttl 3600
default-cache-ttl-ssh 10800
allow-mark-trusted

# Keyboard control
#no-grab

# PIN entry program
pinentry-program /usr/bin/pinentry-gtk-2

So now with gpg-agent enabled I have the following behavior:

# ps aux | grep gpg
alpha 5455 0.0 0.0 15140 560 ? Ss 22:20 0:00 gpg-agent --enable-ssh-support --daemon --write-env-file /home/alpha/.gnupg/gpg-agent.env

--> Crypto Stick inserted
# gpg --card-status
Application ID ...: D2760001240102000005000005840000
Version ..........: 2.0
.....

--> Crypto Stick removed
# gpg --card-status
gpg: selecting openpgp failed: ec=6.32848
gpg: la carte OpenPGP n'est pas disponible: erreur générale

--> Crypto Stick inserted
# gpg --card-status
gpg: selecting openpgp failed: ec=6.32848
gpg: la carte OpenPGP n'est pas disponible: erreur générale

# kill -9 scdaemon
# gpg --card-status
Application ID ...: D2760001240102000005000005840000
Version ..........: 2.0
.....

Is there a way to avoid that behavior or to have some kind of script to kill scdaemon automatically?

Thanks
Alphazo

From kgo at grant-olson.net Mon Oct 4 01:25:15 2010
From: kgo at grant-olson.net (Grant Olson)
Date: Sun, 03 Oct 2010 19:25:15 -0400
Subject: gpg-agent and scdaemon confusion when card is removed
In-Reply-To:
References:
Message-ID: <4CA910DB.2010808@grant-olson.net>

On 10/3/2010 5:25 PM, Alphazo wrote:
> However for some reasons it
> breaks when Crypto Stick is removed then inserted back. I no longer have
> access to the card. I have to kill scdaemon in order to get access to the
> card again.

This is apparently a known issue:

http://lists.gnupg.org/pipermail/gnupg-users/2010-September/039505.html

--
Grant

"Can you construct some sort of rudimentary lathe?"

From lionel at mamane.lu Mon Oct 4 17:22:25 2010
From: lionel at mamane.lu (Lionel Elie Mamane)
Date: Mon, 4 Oct 2010 17:22:25 +0200
Subject: Certification-only key
In-Reply-To: <20050905230300.GB7834@tofu.mamane.lu>
References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> <20050905230300.GB7834@tofu.mamane.lu>
Message-ID: <20101004152225.GA15991@capsaicin.mamane.lu>

On Tue, Sep 06, 2005 at 01:03:00AM +0200, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 04:46:46PM -0400, David Shaw wrote:
>> On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:

>>> You could argue I could have this without marking the key as
>>> certificate-only, by never issuing data signatures with the primary
>>> key. That's harder on me. I have to be more cautious. Over the course
>>> of twenty years, I *will* screw up.

>> GnuPG actually makes it hard for you to screw up here. If there is
>> a subkey that can sign, GnuPG will use it rather than the primary.
>> The only way to get a signature (as opposed to a key certification)
>> from the primary is to specify its key ID explicitly with an
>> exclamation point.

> Ah. Good. I just hope mutt doesn't pass the KeyID with an exclamation
> point. Should check that.

Also, when my signature subkey expires, it would (I guess) silently start using the primary. Which makes me _very_ happy I chose to make my primary certification-only, because signatures started to fail instead, which gave me notice and allowed me to issue a new signature subkey :)

--
Lionel

From dougb at dougbarton.us Mon Oct 4 19:45:02 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 04 Oct 2010 10:45:02 -0700
Subject: Certification-only key
In-Reply-To: <20101004152225.GA15991@capsaicin.mamane.lu>
References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> <20050905230300.GB7834@tofu.mamane.lu> <20101004152225.GA15991@capsaicin.mamane.lu>
Message-ID: <4CAA129E.6080105@dougbarton.us>

On 10/4/2010 8:22 AM, Lionel Elie Mamane wrote:
> Also, when my signature subkey expires, it would (I guess) silently
> start using the primary. Which makes me _very_ happy I chose to make
> my primary certification-only, because signatures started to fail
> instead, which gave me notice and allowed me to issue a new signature
> subkey :)

Why did you choose to make your signature subkey expire, and why would you not simply extend the expiration date of the existing key rather than create a new one?

Doug

--
Breadth of IT experience, and    | Nothin' ever doesn't change,
depth of knowledge in the DNS.   | but nothin' changes much.
Yours for the right price. :)    |     -- OK Go
http://SupersetSolutions.com/

From jcruff at gmail.com Mon Oct 4 20:07:33 2010
From: jcruff at gmail.com (John Ruff)
Date: Mon, 4 Oct 2010 14:07:33 -0400
Subject: gpg-agent and scdaemon confusion when card is removed
In-Reply-To: <4CA910DB.2010808@grant-olson.net>
References: <4CA910DB.2010808@grant-olson.net>
Message-ID:

On Oct 3, 2010, at 7:25 PM, Grant Olson wrote:

> On 10/3/2010 5:25 PM, Alphazo wrote:
>> However for some reasons it
>> breaks when Crypto Stick is removed then inserted back. I no longer
>> have
>> access to the card. I have to kill scdaemon in order to get access
>> to the
>> card again.

I've been using the scd-event script found in the 'doc/examples' folders in the source distribution to activate & lock my screensaver when the card is pulled. Logic exists in the script that would allow you to call 'gpgconf --reload scdaemon' or 'pkill -9 scdaemon' when the card is inserted. You could play with this as a workaround. This is only a workaround and not any official solution since the list message below confirms code as the real issue.

>
> This is apparently a known issue:
>
> http://lists.gnupg.org/pipermail/gnupg-users/2010-September/039505.html
>
> --
> Grant
>
> "Can you construct some sort of rudimentary lathe?"
>

___________________
Chris Ruff
jcruff at gmail.com
GPG Key: 0xDD55B6FC
GPG Fgpr: CF61 AE7A C909 973D 6C21 A8DA 9FF8 CA22 DD55 B6FC

"No one can see past a choice they don't understand." --The Oracle

From TCollier at Prospera.ca Mon Oct 4 23:29:27 2010
From: TCollier at Prospera.ca (Tammy Collier)
Date: Mon, 4 Oct 2010 14:29:27 -0700
Subject: Decrypting a file with a passphrase via command line
Message-ID: <51A6A48F9624A443A50033DF6FF29BF7A09F27@mail01.fvecu.com>

I have gpg2 installed and I get prompted for the passphrase when I try to decrypt the file. If I enter in the passphrase and don't log out it doesn't prompt me the next time as it is cached, but I need to disconnect from the RDP connection so that's not an option. I can figure out how to put the passphrase into the command line so that it does not require user intervention. Help?

Tammy Collier, DCIS, MCTS
Systems Administrator, Information Technology
Prospera Credit Union | Insurance
direct: 604 864 6578 cell: 778 549 0148 toll-free: 1 888 440 4480 fax: 604 864 6556
web: prospera.ca email: tcollier at prospera.ca
Urgent email, 24 hours a day: pcuops at prospera.ca

From koladina at web.de Tue Oct 5 13:18:00 2010
From: koladina at web.de (koladina)
Date: Tue, 05 Oct 2010 13:18:00 +0200
Subject: import key to smart cards
Message-ID: <4CAB0968.3080405@web.de>

Hello everyone,

I've got a special question concerning GnuPG and smart card.

My question is: How can I import a (sec-pub-)key which was generated on a crypto stick (containing an integrated smart card) into another crypto stick? A crypto stick like:
http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

Normally it should work by using the keytocard-command:
http://www.gnupg.org/howtos/card-howto/en/ch05.html#id2523191

But in my case (and I guess I'm not the only one) the process can't conclude. See my example here:
___________________________

office:~ home$ gpg2 --edit-key F4C8....
gpg (GnuPG/MacGnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 2048R/F4C8.... created: 2010-02-17 expires: never usage: SC
                   trust: ultimate validity: ultimate
sub 2048R/DAE5.... created: 2010-02-17 expires: never usage: A
sub 2048R/BD84.... created: 2010-02-17 expires: never usage. E
[ultimate] (1).

Command> toggle

sec 2048R/F4C8.... created: 2010-02-17 expires: never
                   card number:0006 000002FD
ssb 2048R/DAE7.... created: 2010-02-17 expires: never
                   card number:0006 000002FD
ssb 2048R/BD84.... created: 2010-02-17 expires: never
                   card number:0006 000002FD
(1) name

Command> keytocard
Really move the primary key? (y/N) y
Signature key ....: E5B0 AA49 39A0 01D1 29A9 9042 28D4 524A 2AB4 7879
Encryption key....: 93CF AB4A AD27 DEC3 986E C90F 2AEB 898F F651 78AC
Authentication key: BA48 357B 5E13 9D2A 4E14 AEB7 07A6 51FA 53CD 0819

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 3

gpg: WARNING: such a key has already been stored on the card!

Replace existing key?
(y/N) y
gpg: secret key is already stored on a card

Command>
_____________________________

The problem seems to be either that GnuPG blocks importing the key because the key is already stored on another card. Or GnuPG "thinks" the key is already stored on the card on which I want to import the key.

Is there a way to work with a trick in order to "persuade" GnuPG to do that nevertheless (to allow the key-import). Does anyone know the trick?

A big thanks in advance
Kola

From wk at gnupg.org Tue Oct 5 17:18:27 2010
From: wk at gnupg.org (Werner Koch)
Date: Tue, 05 Oct 2010 17:18:27 +0200
Subject: import key to smart cards
In-Reply-To: <4CAB0968.3080405@web.de> (koladina@web.de's message of "Tue, 05 Oct 2010 13:18:00 +0200")
References: <4CAB0968.3080405@web.de>
Message-ID: <87fwwkmzwc.fsf@vigenere.g10code.de>

On Tue, 5 Oct 2010 13:18, koladina at web.de said:

> My question is: How can I import a (sec-pub-)key which was
> generated on a crypto stick (containing an integrated smart card)
> into another crypto stick? A crypto stick like:

The whole point of generating keys on a smartcard is that it is impossible to get it back out of the card - you may only use the generated key with certain commands provided by the smartcard.

And thus you can't import it to another smartcard.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From l_elcocks at hotmail.co.uk Tue Oct 5 17:18:46 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Tue, 5 Oct 2010 16:18:46 +0100
Subject: schedule batch file
Message-ID:

Hello

I have installed GnuPG 1.4.10 installed on Windows XP. I need to create a script that will allow me to do the following.

Create a 'drop folder' in a directory, where any files dropped in that location will be encrypted and signed with the same keys.

Create a 'decrypted' folder where any encrypted files that are dropped to this location are decrypted using the same keys.

The keys will have passphrases on them, I need to automate this also so there is no human interaction.

I plan to schedule the batch files using XP scheduler.

Any help, and I mean any help at all would be greatly appreciated!

Many Thanks
Lee

From burley at telus.net Tue Oct 5 18:21:11 2010
From: burley at telus.net (Max Burley)
Date: Tue, 05 Oct 2010 09:21:11 -0700
Subject: How to delete a signature from a key with delsig?
Message-ID: <1286295671.2718.25.camel@max-desktop64>

I have two keys:
- a personal key (used to sign this message); and
- a business key.

Inadvertently, I signed the business key with the personal key. Trying to remove that personal signature with delsig fails.

Bringing up the business key with "gpg --edit-key " gives me the "command>" prompt, at which point entering " delsig" runs without an error message, but the personal key signature is still attached to the business key when I run "gpg --list-sigs ".

Am I missing something terribly obvious here?

Max Burley

From dkg at fifthhorseman.net Tue Oct 5 20:11:46 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 05 Oct 2010 14:11:46 -0400
Subject: How to delete a signature from a key with delsig?
In-Reply-To: <1286295671.2718.25.camel@max-desktop64>
References: <1286295671.2718.25.camel@max-desktop64>
Message-ID: <4CAB6A62.6060904@fifthhorseman.net>

On 10/05/2010 12:21 PM, Max Burley wrote:
> I have two keys:
> - a personal key (used to sign this message); and
> - a business key.
>
> Inadvertently, I signed the business key with the personal key. Trying
> to remove that personal signature with delsig fails.

how does it fail?

to be clear, if this sig is already pushed to the keyservers you cannot delete it effectively, and your best bet is to revoke it.

> Bringing up the business key with "gpg --edit-key " gives me
> the "command>" prompt, at which point entering " delsig" runs
> without an error message, but the personal key signature is still
> attached to the business key when I run "gpg --list-sigs ".
>
> Am I missing something terribly obvious here?

It's not terribly obvious, but i think what you want to do within the gpg --edit-key prompt is a multi-line approach:

 uid
 delsig
 save

and then you should be back at your shell's prompt.

hth,

  --dkg

From tchitwoo at us.ibm.com Tue Oct 5 20:16:28 2010
From: tchitwoo at us.ibm.com (Thomas Chitwood)
Date: Tue, 5 Oct 2010 11:16:28 -0700
Subject: Encrypt Error - There is no assurance this key belongs to the named user
Message-ID:

I am getting this error when trying to encrypt a file using a public key generated by PGP Desktop 10.0.2 (Build 13). I am using gpg (GnuPG) 1.4.5. I think the error is being caused by the validity setting for this key in my keyring which is "validity: unknown".

Two questions:

First, is there a way to set the validity parameter in the version of GnuPG I am using.

Second, are there any known incompatibilities between PGP Desktop 10.0.2 (Build 13) and gpg (GnuPG) 1.4.5?

Thank You in advance for your assistance.

Tom Chitwood
MCP, MCSE, CNA
Wellpoint Account
Information Technology Services Americas
Global Services, IBM
818.234.4118

From rjh at sixdemonbag.org Tue Oct 5 22:04:31 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 05 Oct 2010 16:04:31 -0400
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To:
References:
Message-ID: <4CAB84CF.8030302@sixdemonbag.org>

On 10/5/2010 2:16 PM, Thomas Chitwood wrote:
> I am getting this error when trying to encrypt a file using a public key
> generated by PGP Desktop 10.0.2 (Build 13). I am using gpg (GnuPG)
> 1.4.5. I think the error is being caused by the validity setting for
> this key in my keyring which is "validity: unknown".

Is this an error (something that actually prevents you from encrypting), or is it just a warning (letting you know about something, but not preventing the encryption)?

> First, is there a way to set the validity parameter in the version of
> GnuPG I am using.

This is done by validating the key and signing it with your own key. If you want to shut off all validation checks, putting "--trust-model always" on the command line will do that.

> Second, are there any known incompatibilities between PGP Desktop 10.0.2
> (Build 13) and gpg (GnuPG) 1.4.5?

None worth mentioning, but I believe a security vulnerability has been discovered which affects version 1.4.5. You may want to consider upgrading to the latest 1.4 (1.4.10 as of this writing).

From tchitwoo at us.ibm.com Wed Oct 6 00:13:58 2010
From: tchitwoo at us.ibm.com (Thomas Chitwood)
Date: Tue, 5 Oct 2010 15:13:58 -0700
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To: <4CAB84CF.8030302@sixdemonbag.org>
References: <4CAB84CF.8030302@sixdemonbag.org>
Message-ID:

Robert,

This is an error that is preventing us from encrypting. The key has been trusted and signed.

pub 2048R/F56DBCBE created: 2010-09-28 expires: never usage: SC
                   trust: full validity: unknown
sub 2048R/CEA16A49 created: 2010-09-28 expires: never usage: E
[ unknown] (1). Patrick Ashbrook

Tom Chitwood
MCP, MCSE, CNA
Wellpoint Account
Information Technology Services Americas
Global Services, IBM
818.234.4118

From: "Robert J. Hansen"
To: gnupg-users at gnupg.org
Date: 10/05/2010 01:07 PM
Subject: Re: Encrypt Error - There is no assurance this key belongs to the named user
Sent by: gnupg-users-bounces at gnupg.org

On 10/5/2010 2:16 PM, Thomas Chitwood wrote:
> I am getting this error when trying to encrypt a file using a public key
> generated by PGP Desktop 10.0.2 (Build 13). I am using gpg (GnuPG)
> 1.4.5. I think the error is being caused by the validity setting for
> this key in my keyring which is "validity: unknown".

Is this an error (something that actually prevents you from encrypting), or is it just a warning (letting you know about something, but not preventing the encryption)?

> First, is there a way to set the validity parameter in the version of
> GnuPG I am using.

This is done by validating the key and signing it with your own key. If you want to shut off all validation checks, putting "--trust-model always" on the command line will do that.

> Second, are there any known incompatibilities between PGP Desktop 10.0.2
> (Build 13) and gpg (GnuPG) 1.4.5?

None worth mentioning, but I believe a security vulnerability has been discovered which affects version 1.4.5. You may want to consider upgrading to the latest 1.4 (1.4.10 as of this writing).

From andre at amorim.me Tue Oct 5 23:35:43 2010
From: andre at amorim.me (Andre Amorim)
Date: Tue, 5 Oct 2010 22:35:43 +0100
Subject: import key to smart cards
In-Reply-To: <87fwwkmzwc.fsf@vigenere.g10code.de>
References: <4CAB0968.3080405@web.de> <87fwwkmzwc.fsf@vigenere.g10code.de>
Message-ID:

If you don't have off-card key backup. Sorry, better forget it.

--
Andre Amorim

On 5 October 2010 16:18, Werner Koch wrote:
> On Tue, 5 Oct 2010 13:18, koladina at web.de said:
>
>> My question is: How can I import a (sec-pub-)key which was
>> generated on a crypto stick (containing an integrated smart card)
>> into another crypto stick? A crypto stick like:
>
> The whole point of generating keys on a smartcard is that it is
> impossible to get it back out of the card - you may only use the
> generated key with certain command provided by the smartcard.
>
> And thus you can't import it to another smartcard.
>
>
> Shalom-Salam,
>
>   Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.
>

From burley at telus.net Wed Oct 6 00:58:57 2010
From: burley at telus.net (Max Burley)
Date: Tue, 05 Oct 2010 15:58:57 -0700
Subject: How to delete a signature from a key with delsig?
In-Reply-To: <4CAB6A62.6060904@fifthhorseman.net>
References: <1286295671.2718.25.camel@max-desktop64> <4CAB6A62.6060904@fifthhorseman.net>
Message-ID: <1286319537.2663.138.camel@max-desktop64>

Daniel,

Thanks for taking the time. See below for the unexpected (to me at least) solution.

Good point about the public servers, but in this case neither of the two keys had been published. Also, fwiw this is on an Ubuntu 10.04 machine.

As for "how does it fail", the command> prompt from --edit-key kept returning "Invalid command (try "help")" for any input not in the form "uid ." Whether a "delsig" was appended to the command> or not, it returned to "command>" without affecting any signature. I was unable to input a multi-line command without the Invalid output.

However, your response encouraged me to go back and hack at it some more. After another failure and return to "command> (try "help")", I actually tried "help" at the command prompt. Lo and behold, context sensitive help. At the end of help's 30-item list of possible commands was: "minimize compact unusable user IDs and remove all signatures from key."

SOLUTION

$ gpg --edit-key

Typing "minimize" at the "command>" prompt returned:
"User ID "name ": 1 signature removed"; and returned me to "command>" where a "save" command saved changes, quit GPG and returned me to my shell prompt. The key's self-signature was intact and the unwanted personal key signature was gone.

Regards,
Max Burley

On Tue, 2010-10-05 at 14:11 -0400, Daniel Kahn Gillmor wrote:
> On 10/05/2010 12:21 PM, Max Burley wrote:
> > I have two keys:
> > - a personal key (used to sign this message); and
> > - a business key.
> >
> > Inadvertently, I signed the business key with the personal key. Trying
> > to remove that personal signature with delsig fails.
>
> how does it fail?
>
> to be clear, if this sig is already pushed to the keyservers you cannot
> delete it effectively, and your best bet is to revoke it.
>
> > Bringing up the business key with "gpg --edit-key " gives me
> > the "command>" prompt, at which point entering " delsig" runs
> > without an error message, but the personal key signature is still
> > attached to the business key when I run "gpg --list-sigs ".
> >
> > Am I missing something terribly obvious here?
>
> It's not terribly obvious, but i think what you want to do within the
> gpg --edit-key prompt is a multi-line approach:
>
> uid
> delsig
>
> at that point, choose Y>
>
>
> save
>
> and then you should be back at your shell's prompt.
>
> hth,
>
> --dkg
>

From kgo at grant-olson.net Wed Oct 6 01:05:14 2010
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 05 Oct 2010 19:05:14 -0400
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To:
References: <4CAB84CF.8030302@sixdemonbag.org>
Message-ID: <4CABAF2A.3060309@grant-olson.net>

On 10/5/10 6:13 PM, Thomas Chitwood wrote:
>
> Robert,
>
> This is a error that is preventing us from encrypting. The key has been
> trusted and signed.
>
>
> pub 2048R/F56DBCBE created: 2010-09-28 expires: never usage: SC
> trust: full validity: unknown
> sub 2048R/CEA16A49 created: 2010-09-28 expires: never usage: E
> [ unknown] (1). Patrick Ashbrook
>
> Tom Chitwood
> MCP, MCSE, CNA
> Wellpoint Account
> Information Technology Services Americas
> Global Services, IBM
> 818.234.4118
>
>

Since it's listing the validity as unknown, gpg doesn't seem to think the key is signed by your key. (Maybe you didn't set your own key to ultimate trust?)

As Robert said, unknown validity will usually Y/N prompt you for confirmation instead of completely failing. Are you encrypting from a batch file? From a gui front end? From the command line?

And that's still not an actual error message. Could you try something like the following and post the actual error?

johnmudhead:~ grant$ echo foo > bar.txt
johnmudhead:~ grant$ gpg -r pashbrook at chcw.com --encrypt bar.txt
gpg: pashbrook at chcw.com: skipped: No public key
gpg: bar.txt: encryption failed: No public key

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

From larry-lists at maxqe.com Wed Oct 6 00:46:03 2010
From: larry-lists at maxqe.com (Larry Brower)
Date: Tue, 05 Oct 2010 17:46:03 -0500
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To:
References: <4CAB84CF.8030302@sixdemonbag.org>
Message-ID: <4CABAAAB.2050103@maxqe.com>

Thomas Chitwood wrote:
> Robert,
>
> This is an error that is preventing us from encrypting. The key has been
> trusted and signed.
>
>
> pub 2048R/F56DBCBE created: 2010-09-28 expires: never usage: SC
> trust: full validity: unknown
> sub 2048R/CEA16A49 created: 2010-09-28 expires: never usage: E
> [ unknown] (1). Patrick Ashbrook
>

Can you provide the output of --list-sigs ? That doesn't look like it
has been signed or perhaps you didn't issue save afterward?

From tchitwoo at us.ibm.com Wed Oct 6 02:28:18 2010
From: tchitwoo at us.ibm.com (Thomas Chitwood)
Date: Tue, 5 Oct 2010 17:28:18 -0700
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To: <4CABAAAB.2050103@maxqe.com>
References: <4CAB84CF.8030302@sixdemonbag.org> <4CABAAAB.2050103@maxqe.com>
Message-ID:

Here you go.

$ gpg --list-sigs F56DBCBE
pub 2048R/F56DBCBE 2010-09-28
uid Patrick Ashbrook
sig N F56DBCBE 2010-09-28 Patrick Ashbrook
sig 359B3EB2 2010-10-05 it.security.ftp at bcbs-ga.com (Key created for adp on 2/1/2005)
sub 2048R/CEA16A49 2010-09-28
sig F56DBCBE 2010-09-28 Patrick Ashbrook

Tom Chitwood
MCP, MCSE, CNA
Wellpoint Account
Information Technology Services Americas
Global Services, IBM
818.234.4118

From: Larry Brower
To: Thomas Chitwood/Los Angeles/IBM at IBMUS
Cc: gnupg-users at gnupg.org
Date: 10/05/2010 03:46 PM
Subject: Re: Encrypt Error - There is no assurance this key belongs to the named user

Thomas Chitwood wrote:
> Robert,
>
> This is an error that is preventing us from encrypting. The key has been
> trusted and signed.
>
>
> pub 2048R/F56DBCBE created: 2010-09-28 expires: never usage: SC
> trust: full validity: unknown
> sub 2048R/CEA16A49 created: 2010-09-28 expires: never usage: E
> [ unknown] (1). Patrick Ashbrook
>

Can you provide the output of --list-sigs ? That doesn't look like it
has been signed or perhaps you didn't issue save afterward?

From larry-lists at maxqe.com Wed Oct 6 02:33:34 2010
From: larry-lists at maxqe.com (Larry Brower)
Date: Tue, 05 Oct 2010 19:33:34 -0500
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To:
References: <4CAB84CF.8030302@sixdemonbag.org> <4CABAAAB.2050103@maxqe.com>
Message-ID: <4CABC3DE.9060401@maxqe.com>

Thomas Chitwood wrote:
> Here you go.
>
> $ gpg --list-sigs F56DBCBE
> pub 2048R/F56DBCBE 2010-09-28
> uid Patrick Ashbrook
> sig N F56DBCBE 2010-09-28 Patrick Ashbrook
> sig 359B3EB2 2010-10-05 it.security.ftp at bcbs-ga.com (Key created
> for adp on 2/1/2005)
> sub 2048R/CEA16A49 2010-09-28
> sig F56DBCBE 2010-09-28 Patrick Ashbrook
>

Is the key you signed this with the 0x359B3EB2 one? If so, is this one
marked as trusted in your keyring?

From tchitwoo at us.ibm.com Wed Oct 6 03:37:27 2010
From: tchitwoo at us.ibm.com (Thomas Chitwood)
Date: Tue, 5 Oct 2010 18:37:27 -0700
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To: <4CABC3DE.9060401@maxqe.com>
References: <4CAB84CF.8030302@sixdemonbag.org> <4CABAAAB.2050103@maxqe.com> <4CABC3DE.9060401@maxqe.com>
Message-ID:

Yes, that is our key.

Tom Chitwood
MCP, MCSE, CNA
Wellpoint Account
Information Technology Services Americas
Global Services, IBM
818.234.4118

From: Larry Brower
To: Thomas Chitwood/Los Angeles/IBM at IBMUS
Cc: gnupg-users at gnupg.org
Date: 10/05/2010 05:33 PM
Subject: Re: Encrypt Error - There is no assurance this key belongs to the named user

Thomas Chitwood wrote:
> Here you go.
>
> $ gpg --list-sigs F56DBCBE
> pub 2048R/F56DBCBE 2010-09-28
> uid Patrick Ashbrook
> sig N F56DBCBE 2010-09-28 Patrick Ashbrook
> sig 359B3EB2 2010-10-05 it.security.ftp at bcbs-ga.com (Key created
> for adp on 2/1/2005)
> sub 2048R/CEA16A49 2010-09-28
> sig F56DBCBE 2010-09-28 Patrick Ashbrook
>

Is the key you signed this with the 0x359B3EB2 one? If so, is this one
marked as trusted in your keyring?

From larry-lists at maxqe.com Wed Oct 6 03:57:55 2010
From: larry-lists at maxqe.com (Larry Brower)
Date: Tue, 05 Oct 2010 20:57:55 -0500
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To:
References: <4CAB84CF.8030302@sixdemonbag.org> <4CABAAAB.2050103@maxqe.com> <4CABC3DE.9060401@maxqe.com>
Message-ID: <4CABD7A3.4070909@maxqe.com>

Thomas Chitwood wrote:
> Yes, that is our key.
>

Have you verified it is trusted on the system you are trying to use it
on? Perhaps the key isn't trusted.

From drpartha at gmail.com Wed Oct 6 10:34:19 2010
From: drpartha at gmail.com (drpartha)
Date: Wed, 6 Oct 2010 01:34:19 -0700 (PDT)
Subject: Help for testing GPG installation
Message-ID: <29894544.post@talk.nabble.com>

I have switched over to GPG from PGP recently. I need a volunteer who can try
out a few exercises reg. encryption, decryption, signing etc. This will take
only a few exchanges by email for about a week. Can someone help me please ?
My GPG Public key is accessible from ::
http://algolog.tripod.com/publikey.htm Please send me an encrypted message
(using my GPG public key), to start with.

Thank you,

partha

drpartha AT gmail DOT com
--
View this message in context: http://old.nabble.com/Help-for-testing-GPG-installation-tp29894544p29894544.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From TCollier at Prospera.ca Wed Oct 6 16:38:37 2010
From: TCollier at Prospera.ca (Tammy Collier)
Date: Wed, 6 Oct 2010 07:38:37 -0700
Subject: Gnupg-users Digest, Vol 85, Issue 3
In-Reply-To:
References:
Message-ID: <51A6A48F9624A443A50033DF6FF29BF7A0A031@mail01.fvecu.com>

We figured it out. We needed an extra parameter to get the passphrase to
be entered from a file into the command line.

"C:\Program Files\GNU\GnuPG\gpg2" --batch --passphrase-file "C:\Program Files\GNU\GnuPG\pass.txt" -du "Username " -o "C:\RPTS%3%2%1.zip" "C:\RPTS%3%2%1.pgp"

Tammy Collier, DCIS, MCTS
Systems Administrator, Information Technology
direct: 604 864 6578
cell: 778 549 0148
email: tcollier at prospera.ca
Urgent email, 24 hours a day: pcuops at prospera.ca

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of gnupg-users-request at gnupg.org
Sent: Tuesday, October 05, 2010 11:03 AM
To: gnupg-users at gnupg.org
Subject: Gnupg-users Digest, Vol 85, Issue 3

Send Gnupg-users mailing list submissions to
gnupg-users at gnupg.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.gnupg.org/mailman/listinfo/gnupg-users
or, via email, send a message with subject or body 'help' to
gnupg-users-request at gnupg.org

You can reach the person managing the list at
gnupg-users-owner at gnupg.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Gnupg-users digest..."

Today's Topics:

1. Decrypting a file with a passphrase via command line (Tammy Collier)
2. import key to smart cards (koladina)
3. Re: import key to smart cards (Werner Koch)
4. schedule batch file (Lee Elcocks)
5. How to delete a signature from a key with delsig? (Max Burley)
6. Re: How to delete a signature from a key with delsig? (Daniel Kahn Gillmor)

----------------------------------------------------------------------

Message: 1
Date: Mon, 4 Oct 2010 14:29:27 -0700
From: "Tammy Collier"
To:
Subject: Decrypting a file with a passphrase via command line
Message-ID: <51A6A48F9624A443A50033DF6FF29BF7A09F27 at mail01.fvecu.com>
Content-Type: text/plain; charset="us-ascii"

I have gpg2 installed and I get prompted for the passphrase when I try
to decrypt the file. If I enter in the passphrase and don't log out it
doesn't prompt me the next time as it is cached, but I need to
disconnect from the RDP connection so that's not an option. I can figure
out how to put the passphrase into the command line so that it does not
require user intervention. Help?

Tammy Collier, DCIS, MCTS
Systems Administrator, Information Technology
Prospera Credit Union | Insurance
direct: 604 864 6578
cell: 778 549 0148
toll-free: 1 888 440 4480
fax: 604 864 6556
web: prospera.ca
email: tcollier at prospera.ca
Urgent email, 24 hours a day: pcuops at prospera.ca

This email and any files transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. If you are not the original recipient or the person
responsible for delivering the email to the intended recipient, be
advised that you have received this email in error, and that any use,
dissemination, forwarding, printing, or copying of this email is
strictly prohibited. If you receive this email in error, please
immediately notify the sender. Please note that this financial
institution neither accepts nor discloses confidential member account
information via email. This includes password related inquiries,
financial transaction instructions and address changes.

------------------------------

Message: 2
Date: Tue, 05 Oct 2010 13:18:00 +0200
From: koladina
To: gnupg-users at gnupg.org
Subject: import key to smart cards
Message-ID: <4CAB0968.3080405 at web.de>
Content-Type: text/plain; charset=UTF-8

Hello everyone,

I've got a special question concerning GnuPG and smart card.

My question is: How can I import a (sec-pub-)key which was generated on
a crypto stick (containing an integrated smart card) into another crypto
stick? A crypto stick like:
http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

Normally it should work by using the keytocard-command:
http://www.gnupg.org/howtos/card-howto/en/ch05.html#id2523191

But in my case (and I guess I'm not the only one) the process can't
conclude. See my example here:
___________________________

office:~ home$ gpg2 --edit-key F4C8....
gpg (GnuPG/MacGnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 2048R/F4C8.... created: 2010-02-17 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/DAE5.... created: 2010-02-17 expires: never usage: A
sub 2048R/BD84.... created: 2010-02-17 expires: never usage. E
[ultimate] (1).

Command> toggle

sec 2048R/F4C8.... created: 2010-02-17 expires: never
card number:0006 000002FD
ssb 2048R/DAE7.... created: 2010-02-17 expires: never
card number:0006 000002FD
ssb 2048R/BD84.... created: 2010-02-17 expires: never
card number:0006 000002FD
(1) name

Command> keytocard
Really move the primary key? (y/N) y
Signature key ....: E5B0 AA49 39A0 01D1 29A9 9042 28D4 524A 2AB4 7879
Encryption key....: 93CF AB4A AD27 DEC3 986E C90F 2AEB 898F F651 78AC
Authentication key: BA48 357B 5E13 9D2A 4E14 AEB7 07A6 51FA 53CD 0819

Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 3

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: secret key is already stored on a card

Command>
_____________________________

The problem seems to be either that GnuPG blocks importing the key
because the key is already stored on another card. Or GnuPG "thinks"
the key is already stored on the card on which I want to import the key.

Is there a way to work with a trick in order to "persuade" GnuPG to do
that nevertheless (to allow the key-import). Does anyone know the trick?

A big thanks in advance
Kola

------------------------------

Message: 3
Date: Tue, 05 Oct 2010 17:18:27 +0200
From: Werner Koch
To: koladina
Cc: gnupg-users at gnupg.org
Subject: Re: import key to smart cards
Message-ID: <87fwwkmzwc.fsf at vigenere.g10code.de>
Content-Type: text/plain; charset=us-ascii

On Tue, 5 Oct 2010 13:18, koladina at web.de said:

> My question is: How can I import a (sec-pub-)key which was
> generated on a crypto stick (containing an integrated smart card)
> into another crypto stick? A crypto stick like:

The whole point of generating keys on a smartcard is that it is
impossible to get it back out of the card - you may only use the
generated key with certain commands provided by the smartcard. And thus
you can't import it to another smartcard.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

------------------------------

Message: 4
Date: Tue, 5 Oct 2010 16:18:46 +0100
From: Lee Elcocks
To:
Subject: schedule batch file
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

Hello

I have installed GnuPG 1.4.10 installed on windows XP.

I need to create a script that will allow me to do the following.

Create a 'drop folder' in a directory, where any files dropped in that
location will be encrypted and signed with the same keys.

Create a 'decrypted' folder where any encrypted files that are dropped
to this location are decrypted using the same keys.

The keys will have passphrases on them, I need to automate this also so
there is no human interaction.

I plan to schedule the batch files using XP scheduler

Any help, and I mean any help at all would be greatly appreciated!

Many Thanks

Lee

------------------------------

Message: 5
Date: Tue, 05 Oct 2010 09:21:11 -0700
From: Max Burley
To: gnupg-users at gnupg.org
Subject: How to delete a signature from a key with delsig?
Message-ID: <1286295671.2718.25.camel at max-desktop64>
Content-Type: text/plain; charset="utf-8"

I have two keys:
- a personal key (used to sign this message); and
- a business key.

Inadvertently, I signed the business key with the personal key. Trying
to remove that personal signature with delsig fails.

Bringing up the business key with "gpg --edit-key " gives me
the "command>" prompt, at which point entering " delsig" runs
without an error message, but the personal key signature is still
attached to the business key when I run "gpg --list-sigs ".

Am I missing something terribly obvious here?

Max Burley

------------------------------

Message: 6
Date: Tue, 05 Oct 2010 14:11:46 -0400
From: Daniel Kahn Gillmor
To: Max Burley
Cc: gnupg-users at gnupg.org
Subject: Re: How to delete a signature from a key with delsig?
Message-ID: <4CAB6A62.6060904 at fifthhorseman.net>
Content-Type: text/plain; charset="utf-8"

On 10/05/2010 12:21 PM, Max Burley wrote:
> I have two keys:
> - a personal key (used to sign this message); and
> - a business key.
>
> Inadvertently, I signed the business key with the personal key. Trying
> to remove that personal signature with delsig fails.

how does it fail?

to be clear, if this sig is already pushed to the keyservers you cannot
delete it effectively, and your best bet is to revoke it.

> Bringing up the business key with "gpg --edit-key " gives me
> the "command>" prompt, at which point entering " delsig" runs
> without an error message, but the personal key signature is still
> attached to the business key when I run "gpg --list-sigs ".
>
> Am I missing something terribly obvious here?

It's not terribly obvious, but i think what you want to do within the
gpg --edit-key prompt is a multi-line approach:

uid
delsig
save

and then you should be back at your shell's prompt.

hth,

--dkg

------------------------------

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

End of Gnupg-users Digest, Vol 85, Issue 3
******************************************

From dkg at fifthhorseman.net Wed Oct 6 18:02:44 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Oct 2010 12:02:44 -0400
Subject: Encrypt Error - There is no assurance this key belongs to the named user
In-Reply-To: <4CABD7A3.4070909@maxqe.com>
References: <4CAB84CF.8030302@sixdemonbag.org> <4CABAAAB.2050103@maxqe.com> <4CABC3DE.9060401@maxqe.com> <4CABD7A3.4070909@maxqe.com>
Message-ID: <4CAC9DA4.3080909@fifthhorseman.net>

On 10/05/2010 09:57 PM, Larry Brower wrote:
> Have you verified it is trusted on the system you are trying to use it
> on? Perhaps the key isn't trusted.

This is not about trust for this key -- it is about validity. The point
is that the key does not have a valid binding to its User ID, so
encrypting "to the User ID" isn't going to work without prompting.

If the User ID + Key have been certified by some third party whose
certifications you're happy to rely on (and whose key already has a
valid binding to its user ID), you should mark that third party as fully
trusted. Then their certifications will be acceptable, and the target
key will have a valid binding to its User ID.

Note that you'll need at least one key in your keyring to be marked as
"ultimate" ownertrust, in order to get the chain started someplace.
Usually, you'd mark your own key with ultimate ownertrust, since
(presumably) you know for sure which key is yours.

hth,

--dkg

From dougb at dougbarton.us Wed Oct 6 19:15:39 2010
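[Added example, not GnuPG's code and not from any poster: a simplified Python model of the validity calculation described in the message above, run on a constructed keyring that mirrors the listings in this thread (F56DBCBE certified by 359B3EB2). It assumes GnuPG's default thresholds of one fully trusted or three marginally trusted valid signers and ignores certification depth, expiry and revocation; that 359B3EB2 starts with no ownertrust assigned is an assumption.]

```python
"""Simplified model of the OpenPGP web-of-trust validity calculation."""

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed


def compute_validity(ownertrust, certifications):
    """Return {key_id: "ultimate" | "full" | "unknown"} for every key seen.

    ownertrust     -- {key_id: "ultimate" | "full" | "marginal"}; a missing
                      key means no ownertrust has been assigned
    certifications -- {certified_key_id: set of signer key ids}, with
                      self-signatures left out
    """
    keys = set(ownertrust) | set(certifications)
    for signers in certifications.values():
        keys |= set(signers)

    # Only keys with ultimate ownertrust are valid without anyone vouching.
    validity = {k: "ultimate" if ownertrust.get(k) == "ultimate" else "unknown"
                for k in keys}

    changed = True
    while changed:                      # repeat until no new key becomes valid
        changed = False
        for target, signers in certifications.items():
            if validity[target] != "unknown":
                continue
            full = marginal = 0
            for signer in signers:
                # A certification counts only if the signer's own key is
                # already valid AND the signer has been given ownertrust.
                if validity[signer] == "unknown":
                    continue
                trust = ownertrust.get(signer)
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[target] = "full"
                changed = True
    return validity


# Constructed keyring mirroring the thread: one certification on the target.
CERTIFICATIONS = {"F56DBCBE": {"359B3EB2"}}


def scenario(signer_ownertrust):
    """Validity of F56DBCBE for a given ownertrust setting on 359B3EB2."""
    ownertrust = {"F56DBCBE": "full"}   # "trust: full" in the edit-key listing
    if signer_ownertrust:
        ownertrust["359B3EB2"] = signer_ownertrust
    return compute_validity(ownertrust, CERTIFICATIONS)["F56DBCBE"]


if __name__ == "__main__":
    for setting in (None, "full", "ultimate"):
        print("ownertrust on 359B3EB2 = %-8s -> validity of F56DBCBE: %s"
              % (setting, scenario(setting)))
```

[Ownertrust on the target key itself never changes its validity; only the signer's setting does, and "full" on the signer is not enough while the signer's own key has no valid binding.]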
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 06 Oct 2010 10:15:39 -0700
Subject: Help for testing GPG installation
In-Reply-To: <29894544.post@talk.nabble.com>
References: <29894544.post@talk.nabble.com>
Message-ID: <4CACAEBB.5050207@dougbarton.us>

On 10/6/2010 1:34 AM, drpartha wrote:
>
> I have switched over to GPG from PGP recently. I need a volunteer who can try
> out a few exercises reg. encryption, decryption, signing etc. This will take
> only a few exchanges by email for about a week. Can someone help me please ?
> My GPG Public key is accessible from ::
> http://algolog.tripod.com/publikey.htm Please send me an encrypted message
> (using my GPG public key), to start with.
>
> Thank you,
>
> partha
>
> drpartha AT gmail DOT com

FYI, trying to obfuscate your e-mail address in any fashion is pointless
since the spammers can reconstruct it just as easily as anyone else.
It's particularly pointless to do so in your own e-mail message. :)

In any case, this group can help with your PGP technique practice:
http://tech.groups.yahoo.com/group/PGPNET/

hope this helps,

Doug

--
Breadth of IT experience, and  | Nothin' ever doesn't change,
depth of knowledge in the DNS. | but nothin' changes much.
Yours for the right price. :)  | -- OK Go
http://SupersetSolutions.com/

From bressman at unc.edu Wed Oct 6 19:19:02 2010
From: bressman at unc.edu (Benjamin Bressman)
Date: Wed, 06 Oct 2010 13:19:02 -0400
Subject: Remove key from an encrypted file?
Message-ID: <4CACAF86.1020406@unc.edu>

If I use GnuPG to encrypt a file with multiple keys is it possible to
remove one of those keys at a later date?

Let's say I encrypt sensitive information so that three users could
decrypt it, but one of those users leaves the organization at some
point. Could I just remove that key's access to the file, or would I
need to decrypt the file and then re-encrypt it with only the desired keys?

I'm assuming the file encryption is symmetric using a "random" key, and
then that "random" key is encrypted asymmetrically once for each of the
multiple keys, but let me know if that's not the case.

From dkg at fifthhorseman.net Wed Oct 6 21:04:03 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Oct 2010 15:04:03 -0400
Subject: Remove key from an encrypted file?
In-Reply-To: <4CACAF86.1020406@unc.edu>
References: <4CACAF86.1020406@unc.edu>
Message-ID: <4CACC823.5000105@fifthhorseman.net>

On 10/06/2010 01:19 PM, Benjamin Bressman wrote:
> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?

it's possible, but it's a bit clumsy. you could use gpgsplit to handle
the situation:

 mkdir cleandir
 cd cleandir
 gpgsplit < "$message"
 rm 00000X-001.pk_enc   # make sure this is the one you want to remove!
 cat * > "$message"

if you're not sure which pk_enc packet is the one you want, you can see
which key belongs to which with gpg --list-packets. If $keyID is the 16
hex-digit ID you want to strip out, then the following should work:

 for foo in *-001.pk_enc ; do
   if [ "$keyID" = \
        "$( gpg --list-packets < "$foo" | grep ^:pubkey | sed 's/.*keyid //' )" ]; then
     rm "$foo"
   fi
 done

(these scripts are untested -- please test and verify before using them
in production!)

> Let's say I encrypt sensitive information so that three users could
> decrypt it, but one of those users leaves the organization at some
> point. Could I just remove that key's access to the file, or would I
> need to decrypt the file and then re-encrypt it with only the desired keys?

you could also do this, though it would require you knowing one of the
keys. note that neither method will protect you if the user in question
has a local copy of the encrypted file that still has the old info.

> I'm assuming the file encryption is symmetric using a "random" key, and
> then that "random" key is encrypted asymmetrically once for each of the
> multiple keys, but let me know if that's not the case.

yes, this is right. What you're calling the "random" key is known as
the session key. Each of the *-001.pk_enc is a "Public-Key Encrypted
Session Key Packet":

http://tools.ietf.org/html/rfc4880#section-5.1

hth,

--dkg

From rjh at sixdemonbag.org Wed Oct 6 21:04:51 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 06 Oct 2010 15:04:51 -0400
Subject: Remove key from an encrypted file?
In-Reply-To: <4CACAF86.1020406@unc.edu>
References: <4CACAF86.1020406@unc.edu>
Message-ID: <4CACC853.8010804@sixdemonbag.org>

On 10/6/2010 1:19 PM, Benjamin Bressman wrote:
> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?

Possible? Probably. Practical? Probably not.

Your best bet is to re-encrypt the material to the remaining two keys.

From dshaw at jabberwocky.com Wed Oct 6 21:12:31 2010
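[Added example, not code from any poster in this thread or from GnuPG: the Python below walks the RFC 4880 packet headers of a binary (non-armored) encrypted message, lists the key ID in each Public-Key Encrypted Session Key packet, and drops one recipient's packet, which is what the gpgsplit / rm / cat steps in the thread do by hand. The key IDs and packet bodies in build_sample are constructed placeholders, not real ciphertext.]

```python
"""Walk the packets of a binary OpenPGP message and drop one recipient."""
import struct

PKESK = 1   # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)
SEIPD = 18  # Sym. Encrypted Integrity Protected Data packet (section 5.13)


def iter_packets(data):
    """Yield (tag, start, body_start, end) for each top-level packet."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        pos += 1
        body_start = None
        if first & 0x40:                       # new-format header
            tag = first & 0x3F
            last = False
            while not last:
                o1 = data[pos]
                if o1 < 192:                   # one-octet length
                    length, pos, last = o1, pos + 1, True
                elif o1 < 224:                 # two-octet length
                    length = ((o1 - 192) << 8) + data[pos + 1] + 192
                    pos, last = pos + 2, True
                elif o1 == 255:                # five-octet length
                    length = struct.unpack(">I", data[pos + 1:pos + 5])[0]
                    pos, last = pos + 5, True
                else:                          # partial body length: more follows
                    length, pos = 1 << (o1 & 0x1F), pos + 1
                if body_start is None:
                    body_start = pos
                pos += length
        else:                                  # old-format header
            tag = (first >> 2) & 0x0F
            length_type = first & 0x03
            if length_type == 3:               # indeterminate: runs to end of input
                body_start, pos = pos, len(data)
            else:
                size = (1, 2, 4)[length_type]
                length = int.from_bytes(data[pos:pos + size], "big")
                body_start = pos + size
                pos = body_start + length
        if pos > len(data):
            raise ValueError("packet at offset %d is truncated" % start)
        yield tag, start, body_start, pos


def pkesk_key_id(data, body_start):
    """Key ID field of a version 3 PKESK body, as 16 upper-case hex digits."""
    if data[body_start] != 3:
        raise ValueError("unsupported PKESK version %d" % data[body_start])
    return data[body_start + 1:body_start + 9].hex().upper()


def recipient_key_ids(data):
    """Key IDs named in the message's PKESK packets, in packet order."""
    return [pkesk_key_id(data, body)
            for tag, _, body, _ in iter_packets(data) if tag == PKESK]


def strip_recipient(data, key_id):
    """Return the message without the PKESK packet(s) addressed to key_id.

    A packet written with --throw-keyids carries an all-zero key ID and
    cannot be matched to a recipient this way.
    """
    kept, removed = bytearray(), 0
    for tag, start, body, end in iter_packets(data):
        if tag == PKESK and pkesk_key_id(data, body) == key_id.upper():
            removed += 1
            continue
        kept += data[start:end]
    if not removed:
        raise KeyError("no session-key packet for key ID " + key_id)
    return bytes(kept)


# Constructed sample: placeholder key IDs and filler bytes, not real ciphertext.
ALICE, BAKER, CHARLIE = "A11CE00000000001", "BA4E200000000002", "C4A2110000000003"


def _pkesk_body(key_id):
    # version 3, 8-octet key ID, algorithm 1 (RSA), one 8-bit MPI as filler
    return bytes([3]) + bytes.fromhex(key_id) + bytes([1]) + b"\x00\x08\xa1"


def build_sample():
    """Return (message, data_packet) with three recipients."""
    alice = bytes([0xC0 | PKESK, 13]) + _pkesk_body(ALICE)        # new format
    baker = bytes([0x80 | PKESK << 2, 13]) + _pkesk_body(BAKER)   # old format
    charlie = bytes([0xC0 | PKESK, 13]) + _pkesk_body(CHARLIE)
    # Data packet as a streaming encryptor writes it: one 512-octet partial
    # chunk (length octet 0xE9) followed by a final 3-octet chunk.
    data_packet = bytes([0xC0 | SEIPD, 0xE9]) + bytes(512) + bytes([3]) + b"end"
    return alice + baker + charlie + data_packet, data_packet


if __name__ == "__main__":
    message, _ = build_sample()
    print("before:", recipient_key_ids(message))
    print("after: ", recipient_key_ids(strip_recipient(message, ALICE)))
```

[The encrypted data packet is copied through byte for byte, so the session key is unchanged and any earlier copy of the file still decrypts for the removed recipient.]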
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 6 Oct 2010 15:12:31 -0400
Subject: Remove key from an encrypted file?
In-Reply-To: <4CACAF86.1020406@unc.edu>
References: <4CACAF86.1020406@unc.edu>
Message-ID:

On Oct 6, 2010, at 1:19 PM, Benjamin Bressman wrote:

> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?
>
> Let's say I encrypt sensitive information so that three users could
> decrypt it, but one of those users leaves the organization at some
> point. Could I just remove that key's access to the file, or would I
> need to decrypt the file and then re-encrypt it with only the desired keys?

You can remove a single key's access to the file, but it might not work
the way you intended.

> I'm assuming the file encryption is symmetric using a "random" key, and
> then that "random" key is encrypted asymmetrically once for each of the
> multiple keys, but let me know if that's not the case.

That is correct. An encrypted message consists of several OpenPGP
packets, concatenated together. So for example, if I encrypt a file to
Alice, Baker, and Charlie's keys, I'll end up with something that looks
like this (somewhat simplified - see RFC-4880 for the actual bits):

(session key encrypted to Alice) +
(session key encrypted to Baker) +
(session key encrypted to Charlie) +
(encrypted data)

If I wanted to remove Alice's access to the file, I could just strip off
her packet, thus leaving:

(session key encrypted to Baker) +
(session key encrypted to Charlie) +
(encrypted data)

Now, Alice won't be able to decrypt that file. However (and this is the
potential gotcha), it does not affect any copies of the file that Alice
already has. So if you encrypt your data for three users, and one of
those users makes a copy of the encrypted file before you strip his
access, that user can still decrypt since he's working off a copy that
still has the session key encrypted to him.

Note that this isn't a problem specific to stripping a single key from a
file. The same problem exists when re-encrypting to the remaining
people. Either way, if Alice makes a copy before you strip or
re-encrypt, she has the file and can decrypt it.

David

From l_elcocks at hotmail.co.uk Wed Oct 6 21:50:49 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Wed, 6 Oct 2010 20:50:49 +0100
Subject: encryption automation
Message-ID:

Hello all

I am trying to automate gnupg and I'm really struggling with the batch
file I'm trying to use, please could somebody help me?

for test purposes I have created a drop folder in the root of C:

C:\outgoingdropfolder

I want to be able to drop any type of file in here with any file name,
GPG to encrypt the file and place the encrypted version of that file in
another location (for test purposes this is C:\encryptedfolder)

this is the command I've placed into a batch

cd C:\program files (x86)\gnu\gnupg
gpg --batch --yes --output C:\encryptedfiles\*.gpg -e -u leeelcockstokey -r leeelcocksfromkey C:\outgoingdropfolder\*

What I need the automation to do is the following

for example I drop the file lee.txt into drop folder, GPG then encrypts
it and places into encrypted files folder called lee.txt.gpg

I have the batch running every minute on windows scheduler. I want to
drop any file into the drop folder and GPG to output the encrypted file
with the same name. The file names will be different every time.

Any help with this greatly appreciated

Lee Elcocks

From l_elcocks at hotmail.co.uk Wed Oct 6 21:49:24 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Wed, 6 Oct 2010 20:49:24 +0100
Subject: No subject
Message-ID:

Hello all

I am trying to automate gnupg and I'm really struggling with the batch
file I'm trying to use, please could somebody help me?

for test purposes I have created a drop folder in the root of C:

C:\outgoingdropfolder

I want to be able to drop any type of file in here with any file name,
GPG to encrypt the file and place the encrypted version of that file in
another location (for test purposes this is C:\encryptedfolder)

this is the command I've placed into a batch

cd C:\program files (x86)\gnu\gnupg
gpg --batch --yes --output C:\encryptedfiles\*.gpg -e -u leeelcockstokey -r leeelcocksfromkey C:\outgoingdropfolder\*

What I need the automation to do is the following

for example I drop the file lee.txt into drop folder, GPG then encrypts
it and places into encrypted files folder called lee.txt.gpg

I have the batch running every minute on windows scheduler. I want to
drop any file into the drop folder and GPG to output the encrypted file
with the same name. The file names will be different every time.

Any help with this greatly appreciated

Lee Elcocks

From drpartha at gmail.com Thu Oct 7 05:21:08 2010
From: drpartha at gmail.com (drpartha)
Date: Wed, 6 Oct 2010 20:21:08 -0700 (PDT)
Subject: Seahorse
Message-ID: <29902685.post@talk.nabble.com>

I am a regular user of KDE and KGPG. I tried to ride "seahorse", but I
find the interface very confusing. I found out how to encrypt/decrypt,
after some struggle and experimentation. I am still not able to
sign/verify a file. How do I do that ?

Why can't interface designers make things a little less enigmatic :{ ?

partha
--
View this message in context: http://old.nabble.com/Seahorse-tp29902685p29902685.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From rjh at sixdemonbag.org Thu Oct 7 18:36:37 2010
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 07 Oct 2010 12:36:37 -0400 Subject: Seahorse In-Reply-To: <29902685.post@talk.nabble.com> References: <29902685.post@talk.nabble.com> Message-ID: <4CADF715.6090502@sixdemonbag.org> On 10/6/2010 11:21 PM, drpartha wrote: > Why cant interface designers make things a little less enigmatic :{ During grad school I did a few semesters of human-computer interface (HCI) design, particularly with respect to OpenPGP user interfaces. It's a fascinating subject but ultimately left me very, very cynical. Here's why. [sets the rant switch to ENGAGED] The reason why user interfaces suck: crypto is hard, making good user interfaces is hard, the OpenPGP spec is human-unfriendly, and there is an enormous resistance in the community to newer and better interfaces. Consider signatures on a user ID. A signature issued by someone you don't trust is utterly meaningless. It's noise. There are a couple of possible use cases (e.g., trying to find ways to connect two disjoint webs of trust, or mapping out a target's social network), but those are pretty niche when compared to average users and their needs. So, already, one way to make interfaces simpler: omit all untrusted signatures. If a signature doesn't contribute to the overall trust calculation on a key, don't display it -- reduce the cognitive spam. Another culprit: we've now got about 15 years of experience with a really awful user interface that should have never been fielded. Unfortunately, that interface has now become standard, and any attempt to change it will get pushback from users. Table-oriented data is principally useful in two conditions: non-interactive interfaces and contextual views. In non-interactive interfaces (like printed almanacs), all the data has to be visible all the time. If I want to look up the population of Zimbabwe, well, the almanac can't interactively ask me the country I'm looking for. 
It has no option but to present all countries, and give me a user interface that makes it possible to find what I'm looking for. In contextual views (like Excel spreadsheets), the data in one area is contextualized with information from another area. When looking at a business's profit-and-loss statement, it's useful to be able to immediately see how much each business unit contributed to the bottom line. Or, in your email client, it's useful to be able to see your emails in chronological order: the sequence in which they arrived is contextual information relevant to each email. So... consider the traditional OpenPGP certificate management interface. It presents all these certificates in an enormously complex tabular format. Click on a certificate and it reveals user IDs and subkeys. Click on a user ID or a subkey and it reveals signatures. Etc., etc., etc. This interface is user-hostile. There are two compelling reasons to use tabular data -- noninteractive interfaces and contextual data -- and neither of them applies to OpenPGP certificates. The key manager is an interactive interface, and if I'm looking at certificate 0xDEADBEEF I really don't give half a damn about 0xDECAFBAD, 0xBADD00D5, or 0xBADF00D5... so why am I getting cognitively spammed with information about them? Unfortunately, PGP 5.0 presented all certificates to the user in this tabular format -- and ever since, that's what users have demanded. It's what they know, it's what they want, and if you seriously suggest getting rid of a table view people will refuse to use your interface. At the end of the HCI course I had a prototype key manager that avoided the table widget and ruthlessly suppressed useless data. It consisted of pretty much just a search box into which you could type an email address, a certificate ID, a user name, a comment, whatever. 
Once you'd narrowed your certificates under a dozen, a list would pop up showing a certificate ID, the best-matching user ID on the certificate, and its trust level. Double-click on an element in the list and bang, a certificate editor appeared, with helpful wizards to walk you through the process of validating a key, uploading it to a key server, etc., etc. Ultimately it was just a prototype: it was never a fully functional certificate manager. Two things convinced me to let this project die and not pursue it further. One was there was a strange problem involving GnuPG refusing to communicate via a pipe with Java. The problem strongly appeared to be in GnuPG. Ultimately, that's a minor problem. The real downer came when I showed long-time GnuPG users this interface. Opinions ran about five to one, "hey, this is a really sweet interface, and I like it -- but it'd be even better if there was a big table widget with all my certificates there. I'd use that instead. I'm familiar with that user interface!" ... I should point out, BTW, that although being told "don't make a better interface, make it just like the interfaces we know" is a downer, I'm not faulting people one bit for it. People have invested a lot of time and effort in learning these bad, broken, user-hostile interfaces. It is *absolutely* reasonable for them to want to use an interface they know, rather than learn yet another interface -- even if I'm immodest enough to claim these new interfaces would be vastly better. :) From will at cs.wisc.edu Thu Oct 7 17:28:38 2010 
From: will at cs.wisc.edu (Will McDonald) Date: Thu, 7 Oct 2010 15:28:38 +0000 Subject: What's the best way to test a long list of passphrases? Message-ID: Hi, I have a GPG key to which I've forgotten the passphrase. That is, I remember the mnemonic I used, but not the particular set of l33tspeak substitutions and punctuation used, and guessing hasn't worked. It's a ~26 character passphrase, and since I know the options I might have used I was able to write a perl script to generate the 30,000 or so possible permutations that I might have used. Given that, what's the best way for me to test my 30,000 possible passphrases? I'd prefer to ask gnupg directly via some API (I'm fine writing a small C program if I know the relevant functions to use) rather than trying to script around the text ui (and it's 1-second delay after input). Any suggestions? -will -------------- next part -------------- An HTML attachment was scrubbed... URL: From reid.thompson at ateb.com Thu Oct 7 21:15:17 2010 
From: reid.thompson at ateb.com (Reid Thompson) Date: Thu, 07 Oct 2010 15:15:17 -0400 Subject: What's the best way to test a long list of passphrases? In-Reply-To: References: Message-ID: <1286478917.12400.1.camel@raker.ateb.com> On Thu, 2010-10-07 at 15:28 +0000, Will McDonald wrote: > Hi, > I have a GPG key to which I've forgotten the passphrase. That is, I > remember the mnemonic I used, but not the particular set of l33tspeak > substitutions and punctuation used, and guessing hasn't worked. It's a > ~26 character passphrase, and since I know the options I might have > used I was able to write a perl script to generate the 30,000 or so > possible permutations that I might have used. > > > Given that, what's the best way for me to test my 30,000 possible > passphrases? I'd prefer to ask gnupg directly via some API (I'm fine > writing a small C program if I know the relevant functions to use) > rather than trying to script around the text ui (and it's 1-second > delay after input). > > > Any suggestions? > > > -will > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users http://www.gnupg.org/related_software/libraries.en.html see gpgme libgcrypt From rjh at sixdemonbag.org Thu Oct 7 21:25:37 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 07 Oct 2010 15:25:37 -0400 Subject: What's the best way to test a long list of passphrases? In-Reply-To: References: Message-ID: <4CAE1EB1.8070105@sixdemonbag.org> On 10/7/2010 11:28 AM, Will McDonald wrote: > Given that, what's the best way for me to test my 30,000 possible > passphrases? At one per second, it'll take about nine hours. Your fastest solution involves spend the rest of today polishing the script, and letting it run overnight. Slow and stupid wins. The smart and fast way involves doing the s2k computations yourself and checking prospective keys one after another, but even then this will be slow. The s2k computation involves a lot of iterated hashing in order to slow down brute force attempts like this. You'll waste more time writing code than you'll gain by a faster algorithm. Basically, if you do things the slow and stupid way you'll be done by morning. If you do things the smart and fast way you might be finished by the end of the week. You can view this as an instance of "worse is better." Good luck! From l_elcocks at hotmail.co.uk Fri Oct 8 01:24:17 2010 
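The iterated hashing mentioned in the message above, as an added example that is not part of the original post or of GnuPG's code: it parses an iterated and salted S2K specifier and derives the key as RFC 4880, section 3.7.1.3 describes, so the per-guess cost set by the coded count is visible. The specifier bytes and passphrase are constructed sample values.

```python
import hashlib

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to hashlib names.
HASH_IDS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_s2k_specifier(spec: bytes):
    """Parse an 11-octet specifier: 0x03, hash id, 8-octet salt, coded count."""
    if len(spec) != 11 or spec[0] != 3:
        raise ValueError("not an iterated and salted S2K specifier")
    if spec[1] not in HASH_IDS:
        raise ValueError("unsupported hash algorithm id %d" % spec[1])
    return HASH_IDS[spec[1]], spec[2:10], spec[10]


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets from the passphrase (iterated and salted S2K)."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 octets")
    unit = salt + passphrase
    # salt+passphrase is always hashed at least once, even if the count is smaller.
    count = max(decode_s2k_count(coded_count), len(unit))
    # Feed the repeating salt+passphrase stream in large blocks for speed.
    block = unit * max(1, 65536 // len(unit))
    full, rest = divmod(count, len(block))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        # Extra hash contexts are preloaded with 1, 2, ... zero octets
        # when the digest is shorter than the key that is needed.
        h.update(b"\x00" * context)
        for _ in range(full):
            h.update(block)
        h.update(block[:rest])
        key += h.digest()
        context += 1
    return key[:key_len]


def octets_hashed_per_guess(coded_count: int, passphrase_len: int,
                            key_len: int, digest_len: int) -> int:
    """Octets each passphrase guess must hash (ignores the preload zeros)."""
    contexts = -(-key_len // digest_len)  # ceiling division
    return contexts * max(decode_s2k_count(coded_count), 8 + passphrase_len)


if __name__ == "__main__":
    # Constructed specifier: type 3, SHA-1, salt 00..07, coded count 0x60.
    spec = bytes([3, 2]) + bytes(range(8)) + bytes([0x60])
    name, salt, coded = parse_s2k_specifier(spec)
    key = iterated_salted_s2k(b"constructed sample passphrase", salt, coded, 16, name)
    print(name, decode_s2k_count(coded), key.hex())
    for c in (0x60, 0xC0, 0xFF):
        print(hex(c), octets_hashed_per_guess(c, 26, 16, 20))
```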
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Fri, 8 Oct 2010 00:24:17 +0100
Subject: batch file automation -Nearly There!
Message-ID:

SETLOCAL
PATH=C:\Program Files (x86)\GNU\GnuPG;%PATH%
>"%TMP%\~encryptlist.txt" DIR /B "C:\outgoingdropfolder"
PUSHD "C:\outgoingdropfolder"
FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~encryptlist.txt"') DO (
IF EXIST %%F (
ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -o "C:\encryptedfiles\%F.pgp"
IF ERRORLEVEL == 0 DEL "%%F"
)
)
POPD
DEL "%TMP%\~encryptlist.txt"
ENDLOCAL

Above is the script I'm using to try and automate GPG (bingos is not my real password). The above is working, sort of. Let me explain what I want it to do.

A user can drop any type of file, called anything they like, into the dropfolder. When the batch runs, I want the file (or files) to be encrypted (all with the same encryption and signing key) and then output to the folder called encrypted files. The file names must be the same as they were when they went in, except obviously the new pgp extension. (I require the output to be a PGP extension.)

This is what happens when I run the above batch. I drop a file called lee.txt (10mb) into dropfolder, run the batch, the file disappears from drop folder, and appears in the encrypted files folder with the file name f.PGP? And is only 1kb in size? The encryptlist.txt appears to be working fine.

I'm hoping that it will be able to handle more than one file (I assume that is what the encrypt list is for?), however I'm unable to confirm as the files are becoming overwritten when they get to the encrypted folder. If I drop 2 files at the same time then the encrypted list does pick up 2 different file names.

I can confirm that encryption and signing is working as it should, I can successfully decrypt and verify the signature using PGP (but like I said, the file is empty).

Hope I've explained clearly enough, thanks to all that have helped me get to this stage.
Lee -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Fri Oct 8 02:02:02 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 07 Oct 2010 20:02:02 -0400 Subject: What's the best way to test a long list of passphrases? In-Reply-To: <4CAE52E9.8040301@ateb.com> References: <4CAE1EB1.8070105@sixdemonbag.org> <4CAE52E9.8040301@ateb.com> Message-ID: <4CAE5F7A.3040601@sixdemonbag.org> On 10/7/2010 7:08 PM, Reid Thompson wrote: > given that -- split the file into 5? chunks and kick off 5? copies of > the script Given the amount of time required to write a multithreaded application that intelligently divides up work units across cores, versus the eight hours for a single-threaded, single-cored version... There's an old rule of thumb about not using more hammer than you need for a given nail. Tacks get tackhammers and railroad spikes get sledgehammers, but it's foolish to drive tacks with sledges or spikes with tackhammers. This is a tack problem. Use a tackhammer. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From reid.thompson at ateb.com Fri Oct 8 01:08:25 2010 
From: reid.thompson at ateb.com (Reid Thompson) Date: Thu, 07 Oct 2010 19:08:25 -0400 Subject: What's the best way to test a long list of passphrases? In-Reply-To: <4CAE1EB1.8070105@sixdemonbag.org> References: <4CAE1EB1.8070105@sixdemonbag.org> Message-ID: <4CAE52E9.8040301@ateb.com> On 10/7/2010 3:25 PM, Robert J. Hansen wrote: > On 10/7/2010 11:28 AM, Will McDonald wrote: >> Given that, what's the best way for me to test my 30,000 possible >> passphrases? > At one per second, it'll take about nine hours. Your fastest solution > involves spend the rest of today polishing the script, and letting it > run overnight. Slow and stupid wins. > > The smart and fast way involves doing the s2k computations yourself and > checking prospective keys one after another, but even then this will be > slow. The s2k computation involves a lot of iterated hashing in order > to slow down brute force attempts like this. You'll waste more time > writing code than you'll gain by a faster algorithm. > > Basically, if you do things the slow and stupid way you'll be done by > morning. If you do things the smart and fast way you might be finished > by the end of the week. You can view this as an instance of "worse is > better." > > Good luck! > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users given that -- split the file into 5? chunks and kick off 5? copies of the script From email at sven-radde.de Fri Oct 8 06:42:28 2010 
From: email at sven-radde.de (Sven Radde)
Date: Fri, 08 Oct 2010 06:42:28 +0200
Subject: What's the best way to test a long list of passphrases?
In-Reply-To:
References:
Message-ID: <4CAEA134.3090401@sven-radde.de>

Hi!

On -10.01.-28163 20:59, Will McDonald wrote:
> what's the best way for me to test my 30,000 possible
> passphrases?

No idea whether it's the best way for you, but there is a small tool called "rephrase" which might do the job:

cu, Sven

From roam at ringlet.net Fri Oct 8 09:41:22 2010
From: roam at ringlet.net (Peter Pentchev)
Date: Fri, 8 Oct 2010 10:41:22 +0300
Subject: batch file automation -Nearly There!
In-Reply-To:
References:
Message-ID: <20101008074122.GA3822@straylight.ringlet.net>

On Fri, Oct 08, 2010 at 12:24:17AM +0100, Lee Elcocks wrote:
[snip]
> ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -o "C:\encryptedfiles\%F.pgp"

Erm... on this line, where are you telling GPG to actually encrypt the %F file?

G'luck,
Peter

--
Peter Pentchev roam at space.bg roam at ringlet.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.

From peter at digitalbrains.com Fri Oct 8 10:21:51 2010
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 08 Oct 2010 10:21:51 +0200
Subject: batch file automation -Nearly There!
In-Reply-To: <20101008074122.GA3822@straylight.ringlet.net>
References: <20101008074122.GA3822@straylight.ringlet.net>
Message-ID: <4CAED49F.2060807@digitalbrains.com>

On -10/01/37 20:59, Peter Pentchev wrote:
> On Fri, Oct 08, 2010 at 12:24:17AM +0100, Lee Elcocks wrote:
> [snip]
>> ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -o "C:\encryptedfiles\%F.pgp"
>
> Erm... on this line, where are you telling GPG to actually encrypt the %F file?

It's been a while since I've written any sort of Windows batch scripting, but looking at the rest of the statements, it seems the output should be specified as %%F.pgp, not %F.pgp, and that is why you end up with a file called f.pgp (the % is dropped as an escape char). The fact you don't specify an input file causes the f.pgp file not to contain anything useful.

So probably it should read

ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -o "C:\encryptedfiles\%%F.pgp" %%F

Furthermore, it is almost always a better idea to drop the passphrase from the key than to specify the passphrase in some file. In this specific case, depending on your OS, the "echo bingos" might even show up in the process list for any user of the machine to read. At least the secret keyring should be protected by file permissions so only you and the superuser can read it. Best to avoid a false sense of security by having a passphrase on a key and that passphrase in plain text on your disk, and just remove the passphrase altogether. That's usually the price to pay for automated signing. Only much more elaborate setups can provide extra security in such a case. Then again, I'm not a security expert.

You could create a signing key especially for this purpose and label it "(Automated Signing Key)" for clarity. And another signing key that is passphrase protected and use that when you yourself explicitly sign some document.

Good luck,
Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)

From l_elcocks at hotmail.co.uk Fri Oct 8 10:29:04 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Fri, 8 Oct 2010 09:29:04 +0100
Subject: batch file automation -Nearly There!
In-Reply-To: <1efcc9ab60bd1435c8afef937a8323b7@rip.ax.lt>
References: <1efcc9ab60bd1435c8afef937a8323b7@rip.ax.lt>
Message-ID:

Hi, I have the signing key as the default key in the config file, do I still have to use both in the command? The encryption and signing is working perfectly, it's just the output of the file name (and size) that I cannot get to work.

I'm really sorry, I'll explain what I need the script to be able to do.

User can drop any files into drop folder, for example lee.txt, and the output of the file will be lee.txt.pgp. Also, if there was more than one file in there, lee.txt and test.xls, the output would be lee.txt.pgp and test.xls.pgp.

So with that, will the below script work?

> To: l_elcocks at hotmail.co.uk
> Subject: Re: batch file automation -Nearly There!
> From: null at example.com
> Date: Fri, 8 Oct 2010 02:16:49 +0200
>
> -r = Recipient = Key to Encrypt
> -u = Signator = Key to Sign
> Use Both!
> In batch Variable needs Double Percent (%%)
>
>
>
> SETLOCAL
> PATH=C:\Program Files (x86)\GNU\GnuPG;%PATH%
> > "%TMP%\~encryptlist.txt" DIR /B "C:\OutgoingDropFolder"
> PUSHD "C:\outgoingdropfolder"
> FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~encryptlist.txt"') DO (
> IF EXIST %%F (
> ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -u PGPTOKEY -o "C:\EncryptedFiles\%%F.pgp"
> IF ERRORLEVEL == 0 DEL "%%F"
> )
> )
> POPD
> DEL "%TMP%\~encryptlist.txt"
> ENDLOCAL

From alphazo at gmail.com Fri Oct 8 11:58:43 2010
From: alphazo at gmail.com (Alphazo)
Date: Fri, 8 Oct 2010 11:58:43 +0200
Subject: Is there a way to specify which smartcard reader to use?
Message-ID:

Hello,

I have two USB dongles plugged in at the same time. One is the crypto stick (OpenPGP card 2.0 + CCID reader) and the other one is a PKCS#11 token. I don't use any udev rule for the crypto stick as the latest ccid lib supports it out of the box.

Now I'm unable to do a gpg --card-status with both tokens inserted.

gpg: detected reader `Feitian SCR301 00 00'
gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 01 00'
Insérez la carte et tapez entrée ou entrez 'c' pour annuler:

Is there a way to specify which reader to use for that command?

For information, pcsc_scan reports the two readers correctly:

PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau
Compiled with PC/SC lite version: 1.6.4
Scanning present readers...
0: Feitian SCR301 00 00
1: German Privacy Foundation Crypto Stick v1.2 01 00

From gnupg.20.miller_2555 at spamgourmet.com Thu Oct 7 22:38:00 2010
From: gnupg.20.miller_2555 at spamgourmet.com (gnupg.20.miller_2555 at spamgourmet.com)
Date: Thu, 7 Oct 2010 16:38:00 -0400
Subject: Selecting subkeys in batch mode
Message-ID:

Hi -

I have a public key with two encryption subkeys (see note below). I am attempting to clobber together a bash script to select a given subkey and use that subkey for encryption. Using the following sample key and sample script, `afile` is encrypted with subkey CCCCCCCC (and not the expected BBBBBBBB subkey). Note that no matter what subkey register slot I provide to `--edit-key` in the sample script, `gpg` always encrypts using the CCCCCCCC subkey. How can I selectively use a given encryption subkey in a noninteractive session?

Sample public key:

pub 4096R/AAAAAAAA 2009-08-11 [expires: 2020-12-31]
uid Name (Comment)
sub 4096g/BBBBBBBB 2009-12-25 [expires: 2010-12-31]
sub 4096R/CCCCCCCC 2010-09-25 [expires: 2010-11-30]

Sample script:

#!/bin/bash
gpg --quiet --batch --edit-key AAAAAAAA "key 1"; # Select subkey BBBBBBBB (I also tried a value of "key 2")
cat afile | gpg --quiet --batch --hidden-recipient AAAAAAAA --passphrase-file sfile --sign --encrypt - > newfile;

Note: It was not my decision to use two encryption subkeys, but I've been requested to use each under certain circumstances. Also, anyone that copies/pastes the above code should avoid the use of the `--passphrase-file` option as I am only using this in testing.

Many thanks.

From reid.thompson at ateb.com Fri Oct 8 14:32:58 2010
From: reid.thompson at ateb.com (Reid Thompson) Date: Fri, 08 Oct 2010 08:32:58 -0400 Subject: What's the best way to test a long list of passphrases? In-Reply-To: <4CAE5F7A.3040601@sixdemonbag.org> References: <4CAE1EB1.8070105@sixdemonbag.org> <4CAE52E9.8040301@ateb.com> <4CAE5F7A.3040601@sixdemonbag.org> Message-ID: <1286541178.11676.3.camel@raker.ateb.com> On Thu, 2010-10-07 at 20:02 -0400, Robert J. Hansen wrote: > On 10/7/2010 7:08 PM, Reid Thompson wrote: > > given that -- split the file into 5? chunks and kick off 5? copies of > > the script > > Given the amount of time required to write a multithreaded application > that intelligently divides up work units across cores, versus the eight > hours for a single-threaded, single-cored version... > > There's an old rule of thumb about not using more hammer than you need > for a given nail. Tacks get tackhammers and railroad spikes get > sledgehammers, but it's foolish to drive tacks with sledges or spikes > with tackhammers. > > This is a tack problem. Use a tackhammer. > sorry -- my assumption was that he'd already generated the 30k entry passphrase file n = wc -l passphrasefile split -l n passphrase file -> aaa aab aac aad aae kick off a script for each aaX 5 tackhammers From mwood at IUPUI.Edu Fri Oct 8 16:16:13 2010 
From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri, 8 Oct 2010 10:16:13 -0400 Subject: Seahorse In-Reply-To: <4CADF715.6090502@sixdemonbag.org> References: <29902685.post@talk.nabble.com> <4CADF715.6090502@sixdemonbag.org> Message-ID: <20101008141613.GC1944@IUPUI.Edu> If you ever decide to promote that alternate interface, the approach I would try is to sneak it in by actually making it an alternative: put the traditional interface on one tab and the "simplified" interface on another, and let users live with them for a while. People may start out conservative, but some of them will become curious and try the alternative. Cost, from the user's point of view: a small dab of complexity (the tab panel) and a small slice of screen real-estate (the tabs). -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From faramir.cl at gmail.com Fri Oct 8 23:21:30 2010 
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 08 Oct 2010 17:21:30 -0400
Subject: Seahorse
In-Reply-To: <4CADF715.6090502@sixdemonbag.org>
References: <29902685.post@talk.nabble.com> <4CADF715.6090502@sixdemonbag.org>
Message-ID: <4CAF8B5A.7000909@gmail.com>

On 07-10-2010 12:36, Robert J. Hansen wrote:
> On 10/6/2010 11:21 PM, drpartha wrote:
>> Why cant interface designers make things a little less enigmatic :{

I think GPGShell interface is awesome, BUT it is not opensource (it's free as beer, not as freedom), and only runs on windows... there should be something like that for linux... maybe there is.

Best Regards

From l_elcocks at hotmail.co.uk Fri Oct 8 23:26:18 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks)
Date: Fri, 8 Oct 2010 22:26:18 +0100
Subject: gnu automatic decryption
Message-ID:

SETLOCAL
PATH=C:\Program Files (x86)\GNU\GnuPG;%PATH%
>"%TMP%\~decryptlist.txt" DIR /B "C:\decrypt_here"
PUSHD "C:\decrypt_here"
FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~decryptlist.txt"') DO (
IF EXIST %%F (
ECHO bingos| GPG --batch --yes --passphrase-fd 0 --decrypt-files *.pgp -o "C:\decryptedfiles\%%F" %%F
IF ERRORLEVEL == 0 DEL "%%F"
)
)
POPD
DEL "%TMP%\~decryptlist.txt"
ENDLOCAL

Hello,

I have managed to get encryption working nicely, now I'm trying to automate the decryption. This is what happens when I run the above.

Files are dropped into the decrypt here folder, batch is run, the files decrypt, but stay in the same folder?? They do not get output to the decryptedfiles folder?? Where has it gone wrong?

Many thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From John at Mozilla-Enigmail.org Sat Oct 9 05:51:01 2010
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 08 Oct 2010 22:51:01 -0500
Subject: batch file automation -Nearly There!
In-Reply-To:
References: <1efcc9ab60bd1435c8afef937a8323b7@rip.ax.lt>
Message-ID: <4CAFE6A5.7060204@Mozilla-Enigmail.org>

Lee Elcocks wrote:
> Hi, I have the signing key as the default key in the config file, do i
> still have to use both in the command, the encryption and signing is
> working perfectly, just the output of the file name (and size) that i
> cannot get to work.

If the signing key is specified with default-key in gpg.conf, you are not required to list it as the signing key on the command line. The same would apply with default-recipient-self and the recipient on the command line. However, doing so better documents what your batch file is doing.

>
>> In batch Variable needs Double Percent (%%)
>>
>> SETLOCAL
>> PATH=C:\Program Files (x86)\GNU\GnuPG;%PATH%
>> > "%TMP%\~encryptlist.txt" DIR /B "C:\OutgoingDropFolder"
>> PUSHD "C:\outgoingdropfolder"
>> FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~encryptlist.txt"') DO (
>> IF EXIST %%F (
>> ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -u PGPTOKEY
> -o "C:\EncryptedFiles\%%F.pgp"
>> IF ERRORLEVEL == 0 DEL "%%F"
>> )
>> )
>> POPD
>> DEL "%TMP%\~encryptlist.txt"
>> ENDLOCAL

Your command isn't giving gpg anything to encrypt

ECHO bingos| GPG --batch -se --passphrase-fd 0 -r PGPTOKEY -u PGPTOKEY -o "C:\EncryptedFiles\%%F.pgp" "%%F"

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From tiago at forked.de Sun Oct 10 10:27:11 2010
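The drop-folder job discussed in this thread, as an added example that is not code from any of the posters: it goes beyond the batch file by using Python, names the input file explicitly, writes `<name>.pgp`, and deletes the source only when gpg exits 0 and the output exists. It assumes the passphrase-less dedicated signing key suggested earlier in the thread, so no passphrase is passed; `PGPTOKEY` and the folder paths are the placeholders used in the posts, and the function names are hypothetical.

```python
import subprocess
from pathlib import Path


def build_gpg_argv(src: Path, out_dir: Path, recipient: str, signer: str,
                   gpg: str = "gpg"):
    """Return (argv, output_path) for signing and encrypting one file."""
    out = out_dir / (src.name + ".pgp")        # lee.txt -> lee.txt.pgp
    argv = [gpg, "--batch", "--yes", "--sign", "--encrypt",
            "--local-user", signer,            # -u: key to sign with
            "--recipient", recipient,          # -r: key to encrypt to
            "--output", str(out),
            str(src)]                          # the input file, last argument
    return argv, out


def run_gpg(argv) -> int:
    """Run gpg with stdin closed so it can never wait for a prompt or data."""
    return subprocess.run(argv, stdin=subprocess.DEVNULL).returncode


def process_drop_folder(drop_dir, out_dir, recipient, signer, run=run_gpg) -> dict:
    """Encrypt every regular file in drop_dir; return {file name: status}."""
    # Absolute paths mean a dropped file whose name starts with "-" is never
    # read by gpg as an option.
    drop = Path(drop_dir).resolve()
    out_root = Path(out_dir).resolve()
    results = {}
    for src in sorted(p for p in drop.iterdir() if p.is_file()):
        argv, out = build_gpg_argv(src, out_root, recipient, signer)
        exit_code = run(argv)
        # Delete the plaintext only after a confirmed success; on any failure
        # the source stays in place and is retried on the next scheduled run.
        if exit_code == 0 and out.is_file():
            src.unlink()
            results[src.name] = "encrypted"
        else:
            results[src.name] = "failed"
    return results


if __name__ == "__main__":
    # Folder names and key name as used in the thread (placeholders).
    print(process_drop_folder(r"C:\outgoingdropfolder", r"C:\encryptedfiles",
                              recipient="PGPTOKEY", signer="PGPTOKEY"))
```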
From: tiago at forked.de (Tiago de Paula Peixoto)
Date: Sun, 10 Oct 2010 10:27:11 +0200
Subject: Problem with Gemalto USB Shell Token V2
Message-ID:

Hi there,

I've been trying to get a Gemalto USB Shell Token V2 + OpenPGP card v2 to work with gnupg 2.0.16, but with no success. The command "gpg --card-status" appears to work, but "gpg --card-edit" fails as follows:

$ gpg --card-edit
scdaemon[25465]: reading public key failed: Missing item in object
scdaemon[25465]: reading public key failed: Missing item in object
scdaemon[25465]: reading public key failed: Missing item in object

Application ID ...:
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000700
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> scdaemon[25465]: updating slot 0 status: 0x0000->0x0007 (0->1)
scdaemon[25465]: sending signal 12 to client 25465
gpg: OpenPGP card not available: Broken pipe

gpg/card>

Any attempt to run edit commands results in the same "Broken pipe" message.

This seems to be the same problem reported in http://old.nabble.com/Problem-with-Smart-Card-scdaemon-td29148413.html

But in my case the problem persists, even after reboot.

There has been a post a while back, which claimed this reader was supported by gnupg with PC/SC: http://lists.gnupg.org/pipermail/gnupg-users/2009-October/037519.html

Does anybody know what might be the problem? Any help is greatly appreciated.

Cheers,
Tiago
From toby at theinsurancesurgery.co.uk Mon Oct 11 11:56:33 2010
From: toby at theinsurancesurgery.co.uk (sunegtheoverlord)
Date: Mon, 11 Oct 2010 02:56:33 -0700 (PDT)
Subject: Encrytped email attachments
Message-ID: <29932548.post@talk.nabble.com>

Hello,

Is it possible to encrypt email attachments with GnuPG? I've read you have to install some extra libraries but I don't know what I'm supposed to be doing?

Any help would be appreciated.

S

From tiago at forked.de Mon Oct 11 15:28:06 2010
From: tiago at forked.de (Tiago de Paula Peixoto)
Date: Mon, 11 Oct 2010 15:28:06 +0200
Subject: Problem with Gemalto USB Shell Token V2
In-Reply-To: <20101011124739.GA17108@jurassic>
References: <20101011124739.GA17108@jurassic>
Message-ID: <4CB310E6.9060500@forked.de>

Hi Mukund,

On 10/11/2010 02:47 PM, Mukund Sivaraman wrote:
> Hi Tiago
>
> I just purchased OpenPGP cards and Gemalto USB Shell Token V2 readers
> (see ). They work perfectly for me.
>
> I'll explain what I use to access them. Maybe you can adapt it to your
> own use.
[...]
> I have all this working on my stock Fedora 13 install with the
> following versions of packages:
>
> gnupg-1.4.10-2.fc13.x86_64

Ok, so I was trying with gnupg 2.0.16... I switched now to 1.4.10, and it seems to be working fine. So it seems to be a bug with 2.0.16... I'll try to submit a bug report.

Thank you for the tip!

Cheers,
Tiago

--
Tiago de Paula Peixoto

From rjh at sixdemonbag.org Mon Oct 11 16:32:21 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Oct 2010 10:32:21 -0400
Subject: Seahorse
In-Reply-To: <20101008141613.GC1944@IUPUI.Edu>
References: <29902685.post@talk.nabble.com> <4CADF715.6090502@sixdemonbag.org> <20101008141613.GC1944@IUPUI.Edu>
Message-ID: <4CB31FF5.5090408@sixdemonbag.org>

On 10/8/2010 10:16 AM, Mark H. Wood wrote:
> If you ever decide to promote that alternate interface, the approach I
> would try is to sneak it in by actually making it an alternative

This is one of the things we were specifically warned against in HCI. Give people two interfaces and the new interface will never supplant the old.

When new users encounter problems and ask for help, the first thing the old-timer will do is say, "well, first, go back to the old interface, that's the one I know the best." The newcomer will do so and won't switch back afterwards, both out of a spirit of "all the experts use the old interface" and "nobody can help me with this new interface, so I'd better use the old."

If you want people to use a new interface, you have to start by getting rid of the old... and the PGP 5.0-style UI is simply never going to be gotten rid of. Kind of sad, really.

From ben at adversary.org Mon Oct 11 17:04:16 2010
From: ben at adversary.org (Ben McGinnes)
Date: Tue, 12 Oct 2010 02:04:16 +1100
Subject: Encrytped email attachments
In-Reply-To: <29932548.post@talk.nabble.com>
References: <29932548.post@talk.nabble.com>
Message-ID: <4CB32770.6040806@adversary.org>

On 11/10/10 8:56 PM, sunegtheoverlord wrote:
>
> Hello,
>
> Is it possible to encrypt email attachments with GnuPG? I've read you have
> to install some extra libraries but I don't know what I'm supposed to be
> doing?
>
> Any help would be appreciated.

Messages sent in OpenPGP/MIME format (with content type set to "multipart/encrypted" and "application/pgp-encrypted") encrypt the attachments automatically. Messages sent with the body of the message encrypted with ASCII armouring inline will not.

Most email clients which support OpenPGP/GPG either natively or via a plug-in do the former automatically. I use Thunderbird with Enigmail and it will encrypt an attachment to an encrypted email without any additional configuration or installation of libraries.

Regards,
Ben

--
Ben McGinnes http://www.adversary.org/ Twitter: benmcginnes
Systems Administrator, Writer, ICT Consultant
Encrypted email preferred - primary OpenPGP/GPG key: 0xA04AE313
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371AC5BFA04AE313

From expires2010 at ymail.com Tue Oct 12 01:42:11 2010
From: expires2010 at ymail.com (MFPA)
Date: Tue, 12 Oct 2010 00:42:11 +0100
Subject: Encrytped email attachments
In-Reply-To: <29932548.post@talk.nabble.com>
References: <29932548.post@talk.nabble.com>
Message-ID: <3710490589.20101012004211@my_localhost>

Hi

On Monday 11 October 2010 at 10:56:33 AM, in , sunegtheoverlord wrote:

> Hello,
> Is it possible to encrypt email attachments with GnuPG?
> I've read you have to install some extra libraries but
> I don't know what I'm supposed to be doing?
> Any help would be appreciated.

All you need to do is encrypt the files before attaching them to the email; I've not heard of a requirement to install anything extra.

--
Best regards

MFPA mailto:expires2010 at ymail.com

The One with The Answer is seldom asked The Question

From mailinglisten at hauke-laging.de Tue Oct 12 03:25:03 2010
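An added example, not from any poster in this thread: the difference between OpenPGP/MIME and inline armour that Ben McGinnes describes, and the encrypt-before-attaching approach MFPA suggests, can be read off the MIME structure of a message. The Python code below parses three constructed sample messages and reports which attachments travel in clear; the addresses, file names and payloads are made up, and the binary check is a heuristic on the leading OpenPGP packet tag.

```python
"""Report which attachments of a mail are covered by OpenPGP encryption."""
from email import message_from_string

ARMOR = b"-----BEGIN PGP MESSAGE-----"
# First octet of a binary OpenPGP encrypted message: packet tag 1 (PKESK) or
# tag 3 (SKESK), old-format (0x84-0x86, 0x8C-0x8E) or new-format (0xC1, 0xC3).
ENC_TAGS = {0x84, 0x85, 0x86, 0x8C, 0x8D, 0x8E, 0xC1, 0xC3}

# --- constructed samples: placeholder payloads, not real ciphertext ---
PGP_MIME = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

placeholder
-----END PGP MESSAGE-----

--b1--
"""

INLINE = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

placeholder
-----END PGP MESSAGE-----

--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK

--b2--
"""

# Same mail, but the file was encrypted before attaching (binary OpenPGP data).
PRE_ENCRYPTED = (INLINE.replace("application/pdf", "application/octet-stream")
                 .replace("invoice.pdf", "invoice.pdf.gpg")
                 .replace("JVBERi0xLjQK", "hQEMAw=="))


def _is_rfc3156(msg):
    """True only for a well-formed PGP/MIME container (RFC 3156 layout)."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if (msg.get_param("protocol") or "").lower() != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (isinstance(parts, list) and len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")


def _looks_encrypted(data):
    """Armoured OpenPGP message, or binary data starting with PKESK/SKESK."""
    data = data.lstrip()
    return data.startswith(ARMOR) or (len(data) > 0 and data[0] in ENC_TAGS)


def pgp_format(msg):
    """Return 'pgp-mime', 'inline' or 'none'."""
    if _is_rfc3156(msg):
        return "pgp-mime"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if ARMOR in (part.get_payload(decode=True) or b""):
                return "inline"
    return "none"


def cleartext_attachments(msg):
    """File names of attachments that are not themselves OpenPGP data."""
    if _is_rfc3156(msg):
        return []  # body and attachments all sit inside the one encrypted part
    exposed = []
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            if not _looks_encrypted(part.get_payload(decode=True) or b""):
                exposed.append(name)
    return exposed


def analyse(raw):
    """Parse raw RFC 822 text and return (format, exposed attachment names)."""
    msg = message_from_string(raw)
    return pgp_format(msg), cleartext_attachments(msg)


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MIME), ("inline", INLINE),
                       ("inline + pre-encrypted file", PRE_ENCRYPTED)):
        fmt, exposed = analyse(raw)
        print(f"{label:28} format={fmt:9} cleartext attachments={exposed}")
```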
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 12 Oct 2010 03:25:03 +0200
Subject: Confirmation for cached passphrases useful?
Message-ID: <201010120325.04067.mailinglisten@hauke-laging.de>

Hello,

I just had the idea that it might be a good countermeasure against malicious software not to use a cached passphrase without any user interaction (and thus without user notice). A good compromise would be to open a dialog which does not ask for the passphrase but just for the confirmation that it's OK to use the passphrase. The dialog could mention the process accessing gpg-agent.

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From dkg at fifthhorseman.net Tue Oct 12 04:20:00 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 11 Oct 2010 22:20:00 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010120325.04067.mailinglisten@hauke-laging.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de>
Message-ID: <4CB3C5D0.50004@fifthhorseman.net>

On 10/11/2010 09:25 PM, Hauke Laging wrote:
> I just had the idea that it might be a good countermeasure against malicious
> software not to use a cached passphrase without any user interaction (and thus
> without user notice). A good compromise would be to open a dialog which does
> not ask for the passphrase but just for the confirmation that it's OK to use
> the passphrase. The dialog could mention the process accessing gpg-agent.

I agree this would be useful, with a few notes:

0) clients that have full access to the X session (or terminal, or whatever mechanism is used for the prompting) can probably auto-accept the prompt. So malicious clients with this access wouldn't actually be prevented from unauthorized access. However, not all clients necessarily have this level of access, so it can still be useful from security perspective.

1) gpg-agent might not be able to determine useful information about requesting processes in some configurations, and on some operating systems.

2) users should be able to specify which passphrases (or secret keys?) they want to trigger a prompt for (some might not need or want a prompt).

3) it would be nice for the prompting facility to be flexible enough to support alternate prompt techniques (possibly differing from the pinentry used to supply passphrases in the first place). For example, it would be nice if a prompt could only be accepted by some physical response from the system (assuming the malicious client doesn't have superuser access, in which case all bets are off anyway), even if the alert for the prompt shows up via the windowing system or the console.
--dkg

From rjh at sixdemonbag.org Tue Oct 12 04:20:39 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Oct 2010 22:20:39 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010120325.04067.mailinglisten@hauke-laging.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de>
Message-ID: <4CB3C5F7.5060903@sixdemonbag.org>

On 10/11/2010 9:25 PM, Hauke Laging wrote:
> I just had the idea that it might be a good countermeasure against
> malicious software not to use a cached passphrase without any user
> interaction (and thus without user notice).

The most obvious way I see to circumvent this involves throwing a trampoline on the UI library and bypassing this code entirely. It's a two-hour hack, assuming you already have root access to the system. It might make users *feel* more secure, but it doesn't actually help overall system security -- IMO, at least. YMMV.

From dkg at fifthhorseman.net Tue Oct 12 04:44:41 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 11 Oct 2010 22:44:41 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3C5F7.5060903@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org>
Message-ID: <4CB3CB99.6020908@fifthhorseman.net>

On 10/11/2010 10:20 PM, Robert J. Hansen wrote:
> On 10/11/2010 9:25 PM, Hauke Laging wrote:
>> I just had the idea that it might be a good countermeasure against
>> malicious software not to use a cached passphrase without any user
>> interaction (and thus without user notice).
>
> The most obvious way I see to circumvent this involves throwing a
> trampoline on the UI library and bypassing this code entirely. It's a
> two-hour hack, assuming you already have root access to the system.

If you already have root access on the system, then yes -- all bets are off. But that's the case anyway when the malicious attacker has root access.

> It
> might make users *feel* more secure, but it doesn't actually help
> overall system security -- IMO, at least. YMMV.

It would help against the situation where the malicious client does *not* have superuser access and cannot directly override the prompting mechanism through other mechanisms.

Many standard X11 desktops today don't have such protections in place (e.g. one process can send a simulated mouseclick to another process pretty easily) but that doesn't mean no one is running with a well-isolated gpg-agent.

--dkg

From larry-lists at maxqe.com Tue Oct 12 03:56:14 2010
From: larry-lists at maxqe.com (Larry Brower)
Date: Mon, 11 Oct 2010 20:56:14 -0500
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010120325.04067.mailinglisten@hauke-laging.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de>
Message-ID: <4CB3C03E.6060901@maxqe.com>

Hauke Laging wrote:
> Hello,
>
> I just had the idea that it might be a good countermeasure against malicious
> software not to use a cached passphrase without any user interaction (and thus
> without user notice). A good compromise would be to open a dialog which does
> not ask for the passphrase but just for the confirmation that it's OK to use
> the passphrase. The dialog could mention the process accessing gpg-agent.
>
>
> CU
>
> Hauke
>

This seems like something that would get really annoying really quickly. Why not just change settings to not cache the passphrase if you do not like using it this way?

From dkg at fifthhorseman.net Tue Oct 12 05:05:45 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 11 Oct 2010 23:05:45 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3C03E.6060901@maxqe.com>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com>
Message-ID: <4CB3D089.3010909@fifthhorseman.net>

On 10/11/2010 09:56 PM, Larry Brower wrote:
> This seems like something that would get really annoying really
> quickly. Why not just change settings to not cache the passphrase if
> you do not like using it this way ?

Re-entering the passphrase each time is significantly more annoying than confirming its use in a reasonable context.

(And re-entering the passphrase every time the secret is used is less secure than a simple confirmation prompt, since it trains the user to type their passphrase over and over again.)

--dkg

From rjh at sixdemonbag.org Tue Oct 12 06:34:48 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 12 Oct 2010 00:34:48 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3CB99.6020908@fifthhorseman.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net>
Message-ID: <4CB3E568.1080704@sixdemonbag.org>

On 10/11/2010 10:44 PM, Daniel Kahn Gillmor wrote:
> It would help against the situation where the malicious client does
> *not* have superuser access and cannot directly override the prompting
> mechanism through other mechanisms.

This attack mode appears to me to be so niche that I don't see any point in defending against it. If my attack gives me local access I'm going to shoot for remote. If my attack gives me unprivileged access I'm going to escalate it to root. This is straight out of the malware playbook, and malware authors have a great many ways to achieve it.

Heck, this doesn't even defend against an *unprivileged* attack. Give me unprivileged access to your user account and I'll edit your .profile to put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in there. Once the malware executes, delete the hidden subdirectory, restore your original PATH, and send the passphrase it intercepted off towards my C4I server.

And if we're assuming I've instead subverted an unprivileged non-user account (like a jailed service), then this "attack" is a nonissue, so why are we trying to solve it?

This seems like a niche solution to a problem which, as of right now, is nonexistent.

From dkg at fifthhorseman.net Tue Oct 12 07:54:00 2010
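An added example, not code from anyone in this thread: a defender-side check for the situation Robert J. Hansen describes above, where a directory under the user's home sits ahead of the real GnuPG on PATH. The function names, the risk labels and the list of commands audited are this example's own choices.

```python
"""Audit which binary PATH resolves for a command and where it lives."""
import os
import stat
import sys


def find_on_path(name, path):
    """All executables called `name`, in the order the shell would search."""
    hits = []
    for entry in path.split(os.pathsep):
        candidate = os.path.join(entry or ".", name)  # empty entry means cwd
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def dir_risks(directory, home):
    """Reasons why binaries in `directory` could be replaced by the user."""
    risks = []
    real = os.path.realpath(directory)
    real_home = os.path.realpath(home)
    if os.path.commonpath([real, real_home]) == real_home:
        risks.append("under-home")
        rel = os.path.relpath(real, real_home)
        if any(p.startswith(".") and p not in (".", "..")
               for p in rel.split(os.sep)):
            risks.append("hidden")
    try:
        mode = os.stat(real).st_mode
    except OSError:
        return risks
    # Sticky-bit directories (like /tmp) are still flagged: anyone can add files.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("group-or-world-writable")
    return risks


def audit_command(name, path, home):
    """Describe what `name` resolves to and which other copies it hides."""
    hits = find_on_path(name, path)
    if not hits:
        return {"resolved": None, "risks": [], "shadowed": [],
                "suspicious": False}
    resolved = hits[0]
    risks = dir_risks(os.path.dirname(resolved), home)
    shadowed = []
    for other in hits[1:]:
        same = os.path.realpath(other) == os.path.realpath(resolved)
        if not same and other not in shadowed:
            shadowed.append(other)
    return {
        "resolved": resolved,
        "risks": risks,
        "shadowed": shadowed,
        # A copy in a user-controllable directory that hides another copy
        # further down PATH is the pattern worth a closer look.
        "suspicious": bool(risks) and bool(shadowed),
    }


if __name__ == "__main__":
    home = os.path.expanduser("~")
    path = os.environ.get("PATH", "")
    flagged = False
    for cmd in ("gpg", "gpg2", "gpg-agent", "pinentry"):
        result = audit_command(cmd, path, home)
        if result["resolved"] is None:
            continue
        print(f"{cmd}: {result['resolved']} risks={result['risks']} "
              f"shadows={result['shadowed']}")
        flagged = flagged or result["suspicious"]
    sys.exit(1 if flagged else 0)
```

This is a point-in-time check of the current PATH; it says nothing about a directory that was added and later removed, which the message above also describes.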
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 12 Oct 2010 01:54:00 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3E568.1080704@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org>
Message-ID: <4CB3F7F8.5040607@fifthhorseman.net>

On 10/12/2010 12:34 AM, Robert J. Hansen wrote:
> Heck, this doesn't even defend against an *unprivileged* attack. Give
> me unprivileged access to your user account and I'll edit your .profile to
> put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in
> there. Once the malware executes, delete the hidden subdirectory,
> restore your original PATH, and send the passphrase it intercepted off
> towards my C4I server.

Yes, of course this isn't going to be able to protect the user from someone with full access to their user account or their current session.

Agents like gnupg-agent and other socket-driven services are capable of being exported over heavily-constrained connections, where only access to the agent's socket is given to the attacker. For example, you can forward ssh-agent over the network to a process on a remote host, or set up a simple socket-forwarding service within a machine to grant access to your gnupg-agent to other user accounts.

As an example, I know people who run their web browser in a heavily-constrained mode, e.g. under a separate user account, in a virtual machine or VNC session. If such a browser (or a plugin to it) wants access to the principal user's agent, it has only one recourse, which is to talk to the agent's socket.
(This sort of constraint is much more effective with the ssh-agent model, where secret key material never leaves the agent, as opposed to the traditional gpg-agent model where the agent is only a passphrase cache; it sounds like gpg-agent is planning to adopt the ssh-agent model as of 2.1, which is great news.)

> And if we're assuming I've instead subverted an unprivileged non-user
> account (like a jailed service), then this "attack" is a nonissue, so
> why are we trying to solve it?

If the specialized/jailed account has access to such a forwarded agent, then an attack against it *is* an issue. It would be good to be able to grant gpg-agent access to the constrained service when it requests it reasonably, and to be able to deny it when it requests access unreasonably.

> This seems like a niche solution to a problem which, as of right now,
> is nonexistent.

Conversely, people won't run well-isolated subsystems if the tools we provide don't support reasonable separation and control in the first place. Do we want to build tools that support secure use? If so, implementing Hauke's suggestion at least in the GPG 2.1 branch is a good idea. And previous branches would be nice too, though the classic gpg-agent communication model (passphrase-cache-only) is too weak for the proposed confirmation prompt to enable well-isolated use.

--dkg

From wk at gnupg.org Tue Oct 12 08:26:27 2010
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Oct 2010 08:26:27 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3CB99.6020908@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 11 Oct 2010 22:44:41 -0400")
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net>
Message-ID: <87aamk53l8.fsf@vigenere.g10code.de>

On Tue, 12 Oct 2010 04:44, dkg at fifthhorseman.net said:

> (e.g. one process can send a simulated mouseclick to another process
> pretty easily) but that doesn't mean no one is running with a

The standard pinentry grabs mouse and keyboard and thus we should be protected against this kind of attack.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dkg at fifthhorseman.net Tue Oct 12 09:05:56 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 12 Oct 2010 03:05:56 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87aamk53l8.fsf@vigenere.g10code.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de>
Message-ID: <4CB408D4.5080600@fifthhorseman.net>

On 10/12/2010 02:26 AM, Werner Koch wrote:
> On Tue, 12 Oct 2010 04:44, dkg at fifthhorseman.net said:
>
>> (e.g. one process can send a simulated mouseclick to another process
>> pretty easily) but that doesn't mean no one is running with a
>
> The standard pinentry grabs mouse and keyboard and thus we should be
> protected against this kind of attack.

I think that grabbing mouse and kbd prevents other tools from *reading* the kbd and mouse events. It doesn't prevent synthesized events from triggering those inputs (e.g. clicking "OK" on a button).

As a simple example, try:

 sleep 3 && xdotool key Return &
 echo GETPIN xxx | pinentry

The backgrounded process hits the enter key on a foregrounded (grabbed) pinentry-gtk.

So while it's useful to protect passphrase entry from other snooping X11 applications, I don't think that the kbd/mouse grab approach is sufficient protection for a simple confirmation prompt dialog box.

I'd be happy to be corrected on this if I'm wrong, of course.

Regards,

--dkg

From mailinglisten at hauke-laging.de Tue Oct 12 11:10:31 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 12 Oct 2010 11:10:31 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3E568.1080704@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org>
Message-ID: <201010121110.38263.mailinglisten@hauke-laging.de>

On Tuesday 12 October 2010 06:34:48, Robert J. Hansen wrote:

> If my attack gives me unprivileged access I'm going to escalate it to root.

"going to", yes.

> This is straight out of the malware
> playbook, and malware authors have a great many ways to achieve it.

I think that it is not useful to equalize unprivileged and root access. This seems to me a bit ignorant of people trying to get their systems secure. :-)

> Heck, this doesn't even defend against an *unprivileged* attack. Give
> me unprivileged access to your user account and I'll edit your .profile to
> put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in
> there.

There are ways to prevent this. E.g. I protect important and hardly ever changed files like ~/.gnupg/options with root privilege (chattr immutable on ext3). My most threatened processes (browser, IM) are covered by AppArmor profiles which heavily restrict access to $HOME but not to /tmp. These cannot access the secret keys, of course. But due to the new design of GnuPG 2.1 this may change.

> This seems like a niche solution to a problem which, as of right now,
> is nonexistent.

As Daniel already pointed out: Few people do but there are possibilities to harden your system. It would seem strange if of all things a security software put a limit to such efforts. Thus gpg should offer improvements even if these do not make much sense ALONE (which should be mentioned in the documentation).

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
From mailinglisten at hauke-laging.de Tue Oct 12 11:14:47 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 12 Oct 2010 11:14:47 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB408D4.5080600@fifthhorseman.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net>
Message-ID: <201010121114.48020.mailinglisten@hauke-laging.de>

On Tuesday 12 October 2010 09:05:56, Daniel Kahn Gillmor wrote:

> I think that grabbing mouse and kbd prevents other tools from *reading*
> the kbd and mouse events. It doesn't prevent synthesized events from
> triggering those inputs (e.g. clicking "OK" on a button).

But this may change in the future. On the one hand you are free to have X clients running untrustedly (which should make that impossible); on the other hand I read rumors about the SELinux people heading at changes to their LSM in order to address the (more than obvious...) X problem.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From faramir.cl at gmail.com Tue Oct 12 11:44:33 2010
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 12 Oct 2010 06:44:33 -0300
Subject: Encrytped email attachments
In-Reply-To: <4CB32770.6040806@adversary.org>
References: <29932548.post@talk.nabble.com> <4CB32770.6040806@adversary.org>
Message-ID: <4CB42E01.30804@gmail.com>

On 11-10-2010 12:04, Ben McGinnes wrote:
...
> Most email clients which support OpenPGP/GPG either natively or via a
> plug-in do the former automatically. I use Thunderbird with Enigmail
> and it will encrypt an attachment to an encrypted email without any
> additional configuration or installation of libraries.

Well, Enigmail could be seen as an additional library. Programmers have one definition of libraries, the rest of the world maybe have another.

But yes, Thunderbird with Enigmail is an awesome combo.

Best Regards

From muks at banu.com Mon Oct 11 14:47:39 2010
From: muks at banu.com (Mukund Sivaraman)
Date: Mon, 11 Oct 2010 18:17:39 +0530
Subject: Problem with Gemalto USB Shell Token V2
Message-ID: <20101011124739.GA17108@jurassic>

Hi Tiago

I just purchased OpenPGP cards and Gemalto USB Shell Token V2 readers (see ). They work perfectly for me.

I'll explain what I use to access them. Maybe you can adapt it to your own use.

1) Start the pcscd service on your distro. This is a daemon that is distributed in the PCSC-Lite package. On Fedora, as root you can run:

service pcscd start && chkconfig pcscd on

2) Add the "disable-ccid" option to gpg.conf. This will make GnuPG use PCSC-Lite to access the card, instead of the built-in CCID driver.

This in itself should be enough to get the card working properly. You can do gpg --card-status to see the card, gpg --card-edit to edit the card.

I have all this working on my stock Fedora 13 install with the following versions of packages:

gnupg-1.4.10-2.fc13.x86_64
pcsc-lite-1.5.5-4.fc13.x86_64
ccid-1.3.11-1.fc13.x86_64

To configure other things such as SSH authentication keys, etc., you will have to configure gpg-agent to start during desktop session startup, make environment variables available to the shell (man gpg-agent), and also perhaps disable some things if you are using GNOME.

Good luck.

Mukund

From muks at banu.com Mon Oct 11 14:17:32 2010
From: muks at banu.com (Mukund Sivaraman)
Date: Mon, 11 Oct 2010 17:47:32 +0530
Subject: OpenPGP card questions
Message-ID: <20101011121732.GA15092@jurassic>

Hi all

I just purchased 4 OpenPGP cards and am configuring one of them. Everything is working perfectly so far. I am using the Gemalto USB Shell Token V2 as the reader device with PCSC-Lite. You can see pictures of it here:

1. There is a typo on the printed sheet supplied with the OpenPGP card.

2. When running gpg --armor --export-secret-key , it actually generates ---PGP PRIVATE KEY BLOCK--- output instead of an error. I had chosen not to make any backups when generating the key on the card.

I asked about this on IRC and was told it might be a stub containing the card ID, etc., but am looking for a more authoritative answer (i.e., without the word `maybe') just to be sure. :)

pgpdump says "Sym alg - Plaintext or unencrypted data(sym 0)", but this cannot be an unencrypted key, right? Is it a stub? Is there any method using which the private key can be recovered from the card?

Mukund

From l_elcocks at hotmail.co.uk Tue Oct 12 12:46:39 2010
From: l_elcocks at hotmail.co.uk (Lee Elcocks) Date: Tue, 12 Oct 2010 11:46:39 +0100 Subject: Scripting Message-ID: Hello all. This is my last resort. I know that this is not really the correct place to pose such a question. I have now successfully set up a fully automated GPG solution, with the help of all of you on this list. However, my next task is to integrate the scripts with GPG with WINSCP. Basically I want to do this. Auto encrypted files end up in a folder called C:\encryptedfiles then the WINSCP script will run and look at the files in the above folder, collect the file names into a temporary text file, and SFTP them over to a remote server. My question is does anybody on this list have any knowledge of WINSCP scripting? I've had a look at the help pages on the website and cannot for the life of me figure them out! PS I'm willing to pay! -------------- next part -------------- An HTML attachment was scrubbed... URL: From ben at adversary.org Tue Oct 12 12:59:42 2010 
From: ben at adversary.org (Ben McGinnes) Date: Tue, 12 Oct 2010 21:59:42 +1100 Subject: Encrytped email attachments In-Reply-To: <4CB42E01.30804@gmail.com> References: <29932548.post@talk.nabble.com> <4CB32770.6040806@adversary.org> <4CB42E01.30804@gmail.com> Message-ID: <4CB43F9E.1030802@adversary.org> On 12/10/10 8:44 PM, Faramir wrote: > > Well, Enigmail could be seen as an additional library. Programmers > have one definition of libraries, the rest of the world maybe have another. Good point, it has been a while since I've thought of things that way. > But yes, Thunderbird with Enigmail is an awesome combo. It most certainly is, especially with platform independence. It's particularly nice to be able to copy profile directories between systems which will preserve plugins (I primarily use Enigmail and External Editor) across those platforms. Regards, Ben -- Ben McGinnes http://www.adversary.org/ Twitter: benmcginnes Systems Administrator, Writer, ICT Consultant Encrypted email preferred - primary OpenPGP/GPG key: 0xA04AE313 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371AC5BFA04AE313 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Tue Oct 12 15:25:50 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 12 Oct 2010 09:25:50 -0400 Subject: Confirmation for cached passphrases useful? In-Reply-To: <4CB3F7F8.5040607@fifthhorseman.net> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org> <4CB3F7F8.5040607@fifthhorseman.net> Message-ID: <4CB461DE.3040307@sixdemonbag.org> On 10/12/2010 1:54 AM, Daniel Kahn Gillmor wrote: > yes, of course this isn't going to be able to protect the user from > someone with full access to their user account or their current session. These two attack modes (root and user access) cover the overwhelming majority of instances today, so already this hypothetical attack is an exotic. On top of that, your imagined situation seems to involve a compromised machine communicating with a trusted server over a socket. If the trusted server sends back a confirmation request, what's to keep the malware from simply saying, "OK," in response to these requests? > Conversely, people won't run well-isolated subsystems if the tools we > provide don't support reasonable separation and control in the first > place. Please do not mistake this for snark. It's not. I'm using an absurd position here to try and make my objections clear, not because I'm trying to denigrate your views. That said: "People will also not use GnuPG as a personal flotation device in the event of a water landing if GnuPG does not float." GnuPG is not a personal flotation device and, unsurprisingly, doesn't have any features related to that. This said, if users want GnuPG to offer pontoon functionality in 2.2 they are certainly welcome to make their opinions known. If more than a dozen people say, "yes, I need GnuPG to serve as a personal flotation device," I will happily get out of the way and encourage it to be added. 
But to talk about how the people need personal flotation support in GnuPG, without actually hearing from users who genuinely need it... I might have great respect for the speakers and might even agree with their opinions: but in the absence of user demand, I wouldn't think we should do it. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From l_elcocks at hotmail.co.uk Tue Oct 12 16:00:49 2010 From: l_elcocks at hotmail.co.uk (Lee Elcocks) Date: Tue, 12 Oct 2010 15:00:49 +0100 Subject: Scripting In-Reply-To: <1286887546.21031.11.camel@raker.ateb.com> References: , <1286887546.21031.11.camel@raker.ateb.com> Message-ID: I'm really sorry, I need this in simple terms. Putty command line looks a lot better though! This is the script I intend to use:

SETLOCAL
"C:\Program Files\putty"
REM Collect the names of the encrypted files into a temporary list.
>"%TMP%\~ftplist.txt" DIR /B "C:\encryptedfiles"
PUSHD "C:\encryptedfiles"
FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~ftplist.txt"') DO (
    REM Quote the name so files with spaces are handled.
    IF EXIST "%%F" (
        MY PUTTY COMMAND GOES HERE ????????????????????????????????????????
        REM Delete the local copy only if the transfer command returned 0.
        IF NOT ERRORLEVEL 1 DEL "%%F"
    )
)
POPD
REM Remove the temporary list created above.
DEL "%TMP%\~ftplist.txt"
ENDLOCAL

I suppose what I'm asking is, please could you give the command? By the way, does putty support SFTP with TLS authentication? > Subject: Re: Scripting 
> From: reid.thompson at ateb.com > To: l_elcocks at hotmail.co.uk > CC: reid.thompson at ateb.com > Date: Tue, 12 Oct 2010 08:45:46 -0400 > > On Tue, 2010-10-12 at 11:46 +0100, Lee Elcocks wrote: > > Hello all. > > > > This is my last resort. I know that this is not the realy the correct > > place to pose such a question. > > > > I have now succesfully set up a fully automated GPG solution, with the > > help of all of you on this list. > > > > However my next task is to intergrate the scripts with GPG with > > WINSCP. > > > > basically i want to do this. > > > > Auto encrypted files end up in a folder called C:\encryptedfiles > > > > then the WINSCP script will run and look at the files in the above > > folder, collect the file names into a temporary text file, and SFTP > > them over to a remote server. > > My question is does anybody on this list have any knowledge of WINSCP > > scripting? > > Ive had a look at the help pages on the website and cannot for the > > life of me figure them out! PS > > I'm willing to pay! > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > use the putty tools... pscp.exe ... with an ssh passwordless keypair > schedule a task to call a bat file with something like this.... > > \path\to\pscp.exe -q -i \path\to\private-key.ppk \path\to\pattern_match_for_files remote_host_userid at remote_host.domain.com:/path/to/folder/to/put/files/in -------------- next part -------------- An HTML attachment was scrubbed... URL: From vedaal at nym.hush.com Tue Oct 12 16:29:07 2010 
From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 12 Oct 2010 10:29:07 -0400 Subject: Encrytped email attachments Message-ID: <20101012142907.60F3E16593D@smtp.hushmail.com> There is a workaround to encrypt any e-mail attachment and send it inline as part of the encrypted email message: gpg --enarmor 'attachment file' or gpg -e -a 'attachment file' and then paste the ascii armored text inline, and then encrypt the message. It has the minor advantage of getting through some e-mail clients and systems that don't allow attachments. vedaal From wk at gnupg.org Tue Oct 12 20:46:35 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 12 Oct 2010 20:46:35 +0200 Subject: Confirmation for cached passphrases useful? In-Reply-To: <4CB408D4.5080600@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 12 Oct 2010 03:05:56 -0400") References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> Message-ID: <87sk0b45bo.fsf@vigenere.g10code.de> On Tue, 12 Oct 2010 09:05, dkg at fifthhorseman.net said: > the kbd and mouse events. It doesn't prevent synthesized events from > triggering those inputs (e.g. clicking "OK" on a button). You are right. However it is the only protection we can use on X; it might be helpful in some cases, but as you showed not in this one. Anyway, if you are already have these permissions you can attack the keys with all kind of simple tricks. Thus it is mood. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Oct 12 20:48:42 2010 
From: wk at gnupg.org (Werner Koch) Date: Tue, 12 Oct 2010 20:48:42 +0200 Subject: Confirmation for cached passphrases useful? In-Reply-To: <201010121110.38263.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Tue, 12 Oct 2010 11:10:31 +0200") References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org> <201010121110.38263.mailinglisten@hauke-laging.de> Message-ID: <87ocaz4585.fsf@vigenere.g10code.de> On Tue, 12 Oct 2010 11:10, mailinglisten at hauke-laging.de said: > There are ways to prevent this. E.g. I protect important and hardly ever > changed files like ~/.gnupg/options with root priviledge (chattr immutable on It doesn't help - you need to protect gpg.conf and gpg.conf-2 and gpg.conf-2.0 and so on. BTW, ~/.gnupg/options is deprecated for ages. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From cathy.smith at pnl.gov Tue Oct 12 22:03:42 2010 From: cathy.smith at pnl.gov (Smith, Cathy) Date: Tue, 12 Oct 2010 13:03:42 -0700 Subject: Problem with Gemalto USB Shell Token V2 In-Reply-To: <20101011124739.GA17108@jurassic> References: <20101011124739.GA17108@jurassic> Message-ID: <70086D201BD484439914C36F5C8BF16101A3DC54D1E1@EMAIL04.pnl.gov> Does anyone have the Gemalto USB working with Red Hat 5.5? Cathy --- Cathy L. Smith IT Engineer Pacific Northwest National Laboratory Phone:? 509.375.2687 Fax:??? ????509.375.2330 Email:? cathy.smith at pnl.gov -----Original Message----- 
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Mukund Sivaraman Sent: Monday, October 11, 2010 5:48 AM To: tiago at forked.de Cc: gnupg-users at gnupg.org Subject: Re: Problem with Gemalto USB Shell Token V2 Hi Tiago I just purchased OpenPGP cards and Gemalto USB Shell Token V2 readers (see ). They work perfectly for me. I'll explain what I use to access them. Maybe you can adapt it to your own use. 1) Start the pcscd service on your distro. This is a daemon that is distributed in the PCSC-Lite package. On Fedora, as root you can run: service pcscd start && chkconfig pcscd on 2) Add the "disable-ccid" option to gpg.conf. This will make GnuPG use PCSC-Lite to access the card, instead of the built-in CCID driver. This in itself should be enough to get the card working properly. You can do gpg --card-status to see the card, gpg --card-edit to edit the card. I have all this working on my stock Fedora 13 install with the following versions of packages: gnupg-1.4.10-2.fc13.x86_64 pcsc-lite-1.5.5-4.fc13.x86_64 ccid-1.3.11-1.fc13.x86_64 To configure other things such as SSH authentication keys, etc., you will have to configure gpg-agent to start during desktop session startup, make environment variables available to the shell (man gpg-agent), and also perhaps disable some things if you are using GNOME. Good luck. Mukund From cathy.smith at pnl.gov Wed Oct 13 07:49:44 2010 
From: cathy.smith at pnl.gov (Smith, Cathy) Date: Tue, 12 Oct 2010 22:49:44 -0700 Subject: Problem with Gemalto USB Shell Token V2 In-Reply-To: <20101013052455.GA2669@jurassic> References: <20101011124739.GA17108@jurassic> <70086D201BD484439914C36F5C8BF16101A3DC54D1E1@EMAIL04.pnl.gov> <20101013052455.GA2669@jurassic> Message-ID: <70086D201BD484439914C36F5C8BF16101A3DC54D291@EMAIL04.pnl.gov> I'm running RHEL5.5: php-5.1.6-27 pcsc-lite-1.4.4-4 These are Red Hat's version numbers. Cathy --- Cathy L. Smith IT Engineer Pacific Northwest National Laboratory Phone:? 509.375.2687 Fax:??? ????509.375.2330 Email:? cathy.smith at pnl.gov -----Original Message----- From: Mukund Sivaraman [mailto:muks at banu.com] Sent: Tuesday, October 12, 2010 10:25 PM To: Smith, Cathy Cc: gnupg-users at gnupg.org Subject: Re: Problem with Gemalto USB Shell Token V2 On Tue, Oct 12, 2010 at 01:03:42PM -0700, Smith, Cathy wrote: > Does anyone have the Gemalto USB working with Red Hat 5.5? I don't know about the versions of GnuPG and PCSC-Lite on RHEL 5.5 to answer this question. Maybe you can try it, and if it do From dkg at fifthhorseman.net Wed Oct 13 17:51:57 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 13 Oct 2010 11:51:57 -0400 Subject: Confirmation for cached passphrases useful? In-Reply-To: <87sk0b45bo.fsf@vigenere.g10code.de> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> <87sk0b45bo.fsf@vigenere.g10code.de> Message-ID: <4CB5D59D.1020003@fifthhorseman.net> On 10/12/2010 02:46 PM, Werner Koch wrote: > Anyway, if you are already have these permissions you can attack the > keys with all kind of simple tricks. Thus it is mood. i'm not convinced it's moot, especially if i understand the model you're advancing for the agent for 2.1 correctly. If i run the agent locally, and forward access to it to a constrained account, then the constrained account (which is talking to the agent) *does not* have the ability to simulate such X11 events. From a different perspective, i could run the agent itself in a constrained account, and replace the prompting tool with a tool that requires, say, an ACPI event, or a special keypress (not an X11 event) from a designated hardware button. in that case, malicious code with access to the X11 session could detect that a prompt had been made, and possibly dismiss it or hide it from the user, but could not force acceptance of the keypress without superuser access (at which point, game over anyway). To take a vulnerability from a malicious use of secret key material to a simpler denial of service attack strikes me as a move in the right direction. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From andre at amorim.me Wed Oct 13 20:45:02 2010 
From: andre at amorim.me (Andre Amorim) Date: Wed, 13 Oct 2010 19:45:02 +0100 Subject: ubuntu 10.04 and Reader SCM SPR-532 Message-ID: Hi list, I am thinking about buying a smartcard reader model SCM SPR-532 Pinpad. I've got a question: Is it fully compatible with Ubuntu 10.04 LTS and Evolution email client? Does it work straight away or require some linux kung fu to set up? I appreciate any advice. Thanks Andre Amorim From expires2010 at ymail.com Thu Oct 14 01:02:41 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 14 Oct 2010 00:02:41 +0100 Subject: Confirmation for cached passphrases useful? In-Reply-To: <4CB3D089.3010909@fifthhorseman.net> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com> <4CB3D089.3010909@fifthhorseman.net> Message-ID: <140905051.20101014000241@my_localhost> Hi On Tuesday 12 October 2010 at 4:05:45 AM, in , Daniel Kahn Gillmor wrote: > re-entering the passphrase each time is significantly > more annoying than confirming its use in a reasonable > context. (and re-entering the passphrase every time > the secret is used is less secure than a simple > confirmation prompt, since it trains the user to type > their passphrase over and over again) The user can type their password once per session into a text file and paste it every time it is requested. This reduces the annoyance factor and does not train the user to constantly re-type the passphrase. -- Best regards MFPA mailto:expires2010 at ymail.com Don't talk unless you can improve on the silence From danthehat at gmail.com Thu Oct 14 02:57:08 2010 
From: danthehat at gmail.com (Dan Cowsill) Date: Wed, 13 Oct 2010 17:57:08 -0700 Subject: Paranoid People's User Group? Message-ID: <4CB65564.9040004@gmail.com> Hi everyone, Almost-but-not-quite my first post to this list. I am very interested in encryption technologies, and PGP in particular. Of course, this is only a hobby and I don't have any trade secrets or international intrigues to protect, so that leaves me at a bit of a disadvantage when it comes to playing around with such a fascinating piece of technology. After some googling, I decided this would be the best place to start. What I'm after is a mailing list or user group that exchanges encrypted communications with each other. Or, if no such mailing list exists, I wonder if I might be able to pick up a pen-pal or two that wants to use PGP to communicate. Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From j-001 at ottosson.nu Wed Oct 13 11:34:28 2010 
From: j-001 at ottosson.nu (J. Ottosson) Date: Wed, 13 Oct 2010 11:34:28 +0200 Subject: Issues importing PGP9 key to GPG1.4.10 (through enigmail) Message-ID: <4CB57D24.1030.68F72E85@j-001.ottosson.nu> Haudi, I'm having some earlier unseen issues importing a key. I generated an RSA 4096 key with AES as prefs in PGP9. Key is successfully imported into GPG 2.0.14 using GPA (Latest GPG4WIN install). In 2.0.14 it is shown with two self sigs using "gpg --list-sigs keyid", appears normal I think. However, when trying to import the key onto a portable system with latest (today) versions of Tbird/enigmail (which seem to be version GPG 1.4.10) I get error messages stating that there are no valid User IDs and that this may be due to missing self signatures. It seems the key is imported though. Am I forgetting some incompatibility issue here? Isn't this GPG version able to see the signatures? (After this I'm actually starting to have a number of other issues with Tbird/Enigmail (not choosing correct key for signing etc), but that may be due to the upgrade itself somehow and not GPG so I'll leave that out). TIA, J?rgen From free10pro at gmail.com Thu Oct 14 06:43:59 2010 
From: free10pro at gmail.com (Paul Richard Ramer) Date: Wed, 13 Oct 2010 21:43:59 -0700 Subject: Paranoid People's User Group? In-Reply-To: <4CB65564.9040004@gmail.com> References: <4CB65564.9040004@gmail.com> Message-ID: <4CB68A8F.6060603@gmail.com> On Wed, 13 Oct 2010 17:57:08 -0700, Dan Cowsill wrote: > After some googling, I decided this would be the best place to start. > What I'm after is a mailing list or user group that exchanges encrypted > communications with each other. Or, if no such mailing list exists, I > wonder if I might be able to pick up a pen-pal or two that wants to use > PGP to communicate. There is such a mailing list, which is called PGPNET. It is part of Yahoo! Groups and is located at . All mail, with few exceptions, is encrypted to all members of the group. -Paul -- Please use my PGP key when sending me e-mail, if you can. PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu Oct 14 06:54:25 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 14 Oct 2010 00:54:25 -0400 Subject: Paranoid People's User Group? In-Reply-To: <4CB65564.9040004@gmail.com> References: <4CB65564.9040004@gmail.com> Message-ID: <4CB68D01.1040207@sixdemonbag.org> On 10/13/2010 8:57 PM, Dan Cowsill wrote: > Almost-but-not-quite my first post to this list. I am very > interested in encryption technologies, and PGP in particular. Welcome to the community! As a minor cultural note, PGP is a proprietary software product put out by PGP Corporation. GnuPG is a compatible product available under a free/open-source license. The two software products each conform to what is called the OpenPGP Standard (RFC4880). If you're interested in PGP in particular, I'd suggest the PGP Forums or PGP-Basics over at Yahoo! Groups. For GnuPG and/or OpenPGP, though, you're definitely in the right place. :) > Of course, this is only a hobby and I don't have any trade secrets or > international intrigues to protect, so that leaves me at a bit of a > disadvantage when it comes to playing around with such a fascinating > piece of technology. Quite the opposite! It gives you an enormous advantage. People who have high-value secrets have to make very conservative choices about what they do and how they do it. If you don't have anything that absolutely must remain secret, that gives you the freedom to experiment and do crazy things and learn from what happens, without needing to worry about your secrets getting published in the _New York Times_. > What I'm after is a mailing list or user group that exchanges > encrypted communications with each other. PGPNET. They're a rather welcoming group, all told. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From muks at banu.com Wed Oct 13 07:24:55 2010 
From: muks at banu.com (Mukund Sivaraman) Date: Wed, 13 Oct 2010 10:54:55 +0530 Subject: Problem with Gemalto USB Shell Token V2 In-Reply-To: <70086D201BD484439914C36F5C8BF16101A3DC54D1E1@EMAIL04.pnl.gov> References: <20101011124739.GA17108@jurassic> <70086D201BD484439914C36F5C8BF16101A3DC54D1E1@EMAIL04.pnl.gov> Message-ID: <20101013052455.GA2669@jurassic> On Tue, Oct 12, 2010 at 01:03:42PM -0700, Smith, Cathy wrote: > Does anyone have the Gemalto USB working with Red Hat 5.5? I don't know about the versions of GnuPG and PCSC-Lite on RHEL 5.5 to answer this question. Maybe you can try it, and if it doesn't work, try compiling the latest versions of these software and see if it works then. Mukund -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From Sandip.Bhaskar at easiadmin.com Thu Oct 14 00:40:55 2010 From: Sandip.Bhaskar at easiadmin.com (Sandip Bhaskar) Date: Wed, 13 Oct 2010 15:40:55 -0700 Subject: Version Compatibility Question Message-ID: <9B9D9CC9DA7CE04889C2E8F462878C350798763E@EXVBE014-13.exch014.msoutlookonline.net> Greetings, Is it possible to import a public key generated using GnuPG v1.4.10 version on GnuPG v1.2.X environment? Thanks in advance. Regards Sandip -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Thu Oct 14 16:18:47 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 14 Oct 2010 10:18:47 -0400 Subject: Confirmation for cached passphrases useful? In-Reply-To: <140905051.20101014000241@my_localhost> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com> <4CB3D089.3010909@fifthhorseman.net> <140905051.20101014000241@my_localhost> Message-ID: <4CB71147.5090805@fifthhorseman.net> On 10/13/2010 07:02 PM, MFPA wrote: > The user can type their password once per session into a text file and > paste it every time it is requested. This reduces the annoyance factor > and does not train the user to constantly re-type the passphrase. This strikes me as the worst suggestion on this thread so far. Please, do not store the passphrase to your secret key in the clear in a file on your computer, and do not suggest that other people do so. That's even worse than writing it on a post-it note and taping it to your monitor. Passphrases are your last line of defense against a compromise of your secret key material. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From madduck at madduck.net Thu Oct 14 17:49:54 2010 
From: madduck at madduck.net (martin f krafft) Date: Thu, 14 Oct 2010 17:49:54 +0200 Subject: Confirmation for cached passphrases useful? In-Reply-To: <140905051.20101014000241@my_localhost> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com> <4CB3D089.3010909@fifthhorseman.net> <140905051.20101014000241@my_localhost> Message-ID: <20101014154954.GA28183@piper.oerlikon.madduck.net> also sprach MFPA [2010.10.14.0102 +0200]: > The user can type their password once per session into a text file > and paste it every time it is requested. This reduces the > annoyance factor and does not train the user to constantly re-type > the passphrase. That's a great idea. I have started work on a Facebook applet to automate this process, so that I can keep such vital information with everything else that I care about. Strangely appropriate, randomly selected quote below. -- martin | http://madduck.net/ | http://two.sentenc.es/ "we are trapped in the belly of this horrible machine, and the machine is bleeding to death." -- godspeed you black emperor! spamtraps: madduck.bogus at madduck.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: Digital signature (see http://martin-krafft.net/gpg/) URL: From danthehat at gmail.com Thu Oct 14 18:42:34 2010 
From: danthehat at gmail.com (Dan Cowsill) Date: Thu, 14 Oct 2010 09:42:34 -0700 Subject: Confirmation for cached passphrases useful? In-Reply-To: <140905051.20101014000241@my_localhost> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com> <4CB3D089.3010909@fifthhorseman.net> <140905051.20101014000241@my_localhost> Message-ID: <4CB732FA.3000508@gmail.com> On 13/10/2010 4:02 PM, MFPA wrote: > The user can type their password once per session into a text file and > paste it every time it is requested. This reduces the annoyance factor > and does not train the user to constantly re-type the passphrase. > I use a program called KeePass to keep track of my passwords. It has a linux port called KeePassX, as well. It stores the password in an encrypted database and when the user requests it, copies it to the clipboard. After 20 seconds, the clipboard is cleared. KeePass can also be configured to lock the workspace after a certain period of time idle. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From sascha-ml-reply-to-2010-3 at silbe.org Thu Oct 14 20:03:25 2010 
From: sascha-ml-reply-to-2010-3 at silbe.org (Sascha Silbe) Date: Thu, 14 Oct 2010 20:03:25 +0200 Subject: Confirmation for cached passphrases useful? In-Reply-To: <4CB461DE.3040307@sixdemonbag.org> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org> <4CB3F7F8.5040607@fifthhorseman.net> <4CB461DE.3040307@sixdemonbag.org> Message-ID: <1287077640-sup-8607@twin.sascha.silbe.org> Excerpts from Robert J. Hansen's message of Tue Oct 12 15:25:50 +0200 2010: > These two attack modes (root and user access) cover the overwhelming > majority of instances today, so already this hypothetical attack is an > exotic. That most mainstream systems are painfully easy to attack doesn't imply we should stop trying to make systems more secure. One instance where the proposed mechanism (in conjunction with the new version of gpg-agent that will handle the secret keys itself) would be both useful and secure is Sugar [1] in combination with Rainbow [2]. Depending on who you believe, there are currently some hundred thousand to over a million systems currently running this combination (on OLPC [3] XO-1 [4]). Sascha [1] https://www.sugarlabs.org/ [2] http://wiki.laptop.org/go/Rainbow [3] http://www.laptop.org/ [4] http://wiki.laptop.org/go/XO-1 -- http://sascha.silbe.org/ http://www.infra-silbe.de/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: not available URL: From free10pro at gmail.com Thu Oct 14 20:32:00 2010 
From: free10pro at gmail.com (Paul Richard Ramer) Date: Thu, 14 Oct 2010 11:32:00 -0700 Subject: Paranoid People's User Group? In-Reply-To: <20101014064559.GY8495@winter.webconquest.com> References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> Message-ID: <4CB74CA0.2050907@gmail.com> On Thu, 14 Oct 2010 08:45:59 +0200, Remco Rijnders wrote: > I've looked at this before and haven't been able to tell... is there any > way to subscribe to this group without needing to create a yahoo ID and > email address? No. Yahoo! requires you to log in with a Yahoo! ID, or if you don't have one, you must create a Yahoo! ID. -Paul -- Please use my PGP key when sending me messages. PGP ID: 3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 694 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Thu Oct 14 21:44:18 2010 
From: faramir.cl at gmail.com (Faramir) Date: Thu, 14 Oct 2010 16:44:18 -0300 Subject: Paranoid People's User Group? In-Reply-To: <4CB74CA0.2050907@gmail.com> References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> Message-ID: <4CB75D92.8010301@gmail.com> On 14-10-2010 15:32, Paul Richard Ramer wrote: > On Thu, 14 Oct 2010 08:45:59 +0200, Remco Rijnders wrote: >> I've looked at this before and haven't been able to tell... is there any >> way to subscribe to this group without needing to create a yahoo ID and >> email address? > > No. Yahoo! requires you to log in with a Yahoo! ID, or if you don't > have one, you must create a Yahoo! ID. But once you subscribe using a yahoo! Id, you can use any other email account you want. I use a gmail address to send and receive the messages. Best Regards From kgo at grant-olson.net Thu Oct 14 22:31:09 2010 
From: kgo at grant-olson.net (Grant Olson) Date: Thu, 14 Oct 2010 16:31:09 -0400 Subject: Confirmation for cached passphrases useful? In-Reply-To: <4CB5D59D.1020003@fifthhorseman.net> References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> <87sk0b45bo.fsf@vigenere.g10code.de> <4CB5D59D.1020003@fifthhorseman.net> Message-ID: <4CB7688D.9010300@grant-olson.net> On 10/13/10 11:51 AM, Daniel Kahn Gillmor wrote: > > From a different perspective, i could run the agent itself in a > constrained account, and replace the prompting tool with a tool that > requires, say, an ACPI event, or a special keypress (not an X11 event) > from a designated hardware button. in that case, malicious code with > access to the X11 session could detect that a prompt had been made, and > possibly dismiss it or hide it from the user, but could not force > acceptance of the keypress without superuser access (at which point, > game over anyway). To take a vulnerability from a malicious use of > secret key material to a simpler denial of service attack strikes me as > a move in the right direction. > But ultimately once you start trying to fix the problem by offloading the checks to special hardware, you might as well just key a smart card reader with an integrated keypad. Then you can use a simple pin. Not quite as convenient as hitting Y/N, but way more convenient than a really strong password. -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Thu Oct 14 22:54:56 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 14 Oct 2010 16:54:56 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB7688D.9010300@grant-olson.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> <87sk0b45bo.fsf@vigenere.g10code.de> <4CB5D59D.1020003@fifthhorseman.net> <4CB7688D.9010300@grant-olson.net>
Message-ID: <4CB76E20.2050404@fifthhorseman.net>

On 10/14/2010 04:31 PM, Grant Olson wrote:
> But ultimately once you start trying to fix the problem by offloading
> the checks to special hardware, you might as well just key a smart card
> reader with an integrated keypad. Then you can use a simple pin. Not
> quite as convenient as hitting Y/N, but way more convenient than a
> really strong password.

Yes, that'd be nice, if that hardware is available and convenient for
the user.

But far more people have access to a laptop with system-handled ACPI key
combinations than have access to card readers with integrated keypads.

card readers with integrated keypads are also bulky, awkward to
transport and use in mobile context, and tend to be significantly slower
at performing secret-key operations than modern computers (laptop or
desktop).

card readers with integrated keypads are also additional points of
failure, and have a non-negligible financial cost over and above the
cost of the hardware on which to run GnuPG.

Back to the original point: a confirmation prompt for the agent has the
potential to be useful in many cases, particularly with the agent model
described for the upcoming gnupg 2.1, and to a lesser extent with
earlier versions of the agent protocol. I'm not denying that there are
other approaches which might solve the same problem, but there are
tradeoffs to all of them which may not be suitable for any particular
user.

I remain perplexed at the opposition this reasonable feature proposal
has received.

Regards,

--dkg

From faramir.cl at gmail.com Thu Oct 14 23:00:12 2010
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 14 Oct 2010 18:00:12 -0300
Subject: Paranoid People's User Group?
In-Reply-To: <20101014195806.GB26497@winter.webconquest.com>
References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> <4CB75D92.8010301@gmail.com> <20101014195806.GB26497@winter.webconquest.com>
Message-ID: <4CB76F5C.4030200@gmail.com>

On 14-10-2010 16:58, Remco Rijnders wrote:
...
> I guess it would just have been nice if there was an email address you can
> send a sign up message to, confirm your email address, and be part of the
> group, similar to how mailing lists like this one work, without requiring
> people to jump through any extra hoops they have no interest in.

Yes, but that's how yahoo groups work, and we don't have our own
server to setup a mailing list...

Best Regards

From expires2010 at ymail.com Thu Oct 14 23:58:25 2010
From: expires2010 at ymail.com (MFPA)
Date: Thu, 14 Oct 2010 22:58:25 +0100
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB71147.5090805@fifthhorseman.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C03E.6060901@maxqe.com> <4CB3D089.3010909@fifthhorseman.net> <140905051.20101014000241@my_localhost> <4CB71147.5090805@fifthhorseman.net>
Message-ID: <991669021.20101014225825@my_localhost>

Hi

On Thursday 14 October 2010 at 3:18:47 PM, in , Daniel Kahn Gillmor wrote:

> This strikes me as the worst suggestion on this thread
> so far. Please, do not store the passphrase to your
> secret key in the clear in a file on your computer, and
> do not suggest that other people do so.

It was a non-serious suggestion of a simple, albeit obviously
insecure, way to overcome the two issues you mentioned in your
previous posting (about re-typing the passphrase each time the secret
key gets used being annoying and potentially insecure). As Dan Cowsill
points out, there are "password managers" available that allow the
user to copy/paste their passphrase in much the same way but store it
in an encrypted database.

[

> That's even
> worse than writing it on a post-it note and taping it
> to your monitor.

That would depend on your threat model...

--
Best regards

MFPA mailto:expires2010 at ymail.com

Another person's secret is like another person's money:
you are not as careful with it as you are with your own

From expires2010 at ymail.com Fri Oct 15 00:11:19 2010
From: expires2010 at ymail.com (MFPA)
Date: Thu, 14 Oct 2010 23:11:19 +0100
Subject: Paranoid People's User Group?
In-Reply-To: <4CB76F5C.4030200@gmail.com>
References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> <4CB75D92.8010301@gmail.com> <20101014195806.GB26497@winter.webconquest.com> <4CB76F5C.4030200@gmail.com>
Message-ID: <932156140.20101014231119@my_localhost>

Hi

On Thursday 14 October 2010 at 10:00:12 PM, in , Faramir wrote:

> On 14-10-2010 16:58, Remco Rijnders wrote:
> ...
>> I guess it would just have been nice if there was an email address you can
>> send a sign up message to, confirm your email address, and be part of the
>> group, similar to how mailing lists like this one work, without requiring
>> people to jump through any extra hoops they have no interest in.

> Yes, but that's how yahoo groups work, and we don't
> have our own server to setup a mailing list...

I've always thought it odd that they have an "unsubscribe" address but
not one to subscribe...

--
Best regards

MFPA mailto:expires2010 at ymail.com

Wait. You think I'm right?

From mailinglisten at hauke-laging.de Fri Oct 15 01:45:32 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 15 Oct 2010 01:45:32 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB3CB99.6020908@fifthhorseman.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net>
Message-ID: <201010150145.40416.mailinglisten@hauke-laging.de>

On Tuesday 12 October 2010 04:44:41, Daniel Kahn Gillmor wrote:

> (e.g. one process can send a simulated mouseclick to another process
> pretty easily)

I am not familiar with X details (let alone that other one OS). Does
grabbing the mouse prevent other processes from knowing where the click
occurs?

You could use a dialog different from just an OK button. You could
display a ten times ten array and the user has to click a certain
number. This is similarly fast to clicking the OK button and easy to
remember (always the same number) but makes abuse improbable (of
course, that is not the level of probability we usually have when
attacking gpg...).

If other processes cannot read the content of the dialog window then
other means are possible: Use a blank area with a randomly positioned
mark to click on. And react to failures.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From Chris.Knadle at coredump.us Fri Oct 15 05:21:28 2010
From: Chris.Knadle at coredump.us (Chris Knadle)
Date: Thu, 14 Oct 2010 23:21:28 -0400 (EDT)
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB76E20.2050404@fifthhorseman.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> <87sk0b45bo.fsf@vigenere.g10code.de> <4CB5D59D.1020003@fifthhorseman.net> <4CB7688D.9010300@grant-olson.net> <4CB76E20.2050404@fifthhorseman.net>
Message-ID:

On Thu, October 14, 2010 4:54 pm, Daniel Kahn Gillmor wrote:
> On 10/14/2010 04:31 PM, Grant Olson wrote:
>> But ultimately once you start trying to fix the problem by offloading
>> the checks to special hardware, you might as well just key a smart card
>> reader with an integrated keypad. Then you can use a simple pin. Not
>> quite as convenient as hitting Y/N, but way more convenient than a
>> really strong password.
>
> Yes, that'd be nice, if that hardware is available and convenient for
> the user.
>
> But far more people have access to a laptop with system-handled ACPI key
> combinations than have access to card readers with integrated keypads.

This reminds me of the Yubikey, which is a one-button USB stick that
registers as a keyboard, and "types" your password when you press the
button on it. In other words, you don't necessarily need there to be a
/physical/ keypad for a device to act like it has a "keyboard". IIRC
this wasn't the particular use case meant for the Yubikey though -- I
think it was meant to be used in combination with online sites. There
might be a similar device meant for GPG... or one could be made if it
doesn't exist yet.

Anything beats copying a password to a plaintext file, which is insane.
Seems to beg a Spaceballs quote: "12345? I've got the same password on
my luggage! Oh... and change the password on my luggage."

...
> Back to the original point: a confirmation prompt for the agent has the
> potential to be useful in many cases, particularly with the agent model
> described for the upcoming gnupg 2.1, and to a lesser extent with
> earlier versions of the agent protocol. I'm not denying that there are
> other approaches which might solve the same problem, but there are
> tradeoffs to all of them which may not be suitable for any particular
> user.
>
> I remain perplexed at the opposition this reasonable feature proposal
> has received.

I think it reminds some people of an "Are you sure?" prompt. I realize
that's not exactly meant to be what this is for, of course, but that
might ultimately be what it "feels like" unless there's another outward
purpose for the prompt.

Now, that said, I'll just say I'm not against adding it if there's a
particular security case deemed worth defending.

-- Chris

--
Chris Knadle
Chris.Knadle at coredump.us

From wk at gnupg.org Fri Oct 15 12:20:37 2010
From: wk at gnupg.org (Werner Koch)
Date: Fri, 15 Oct 2010 12:20:37 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <1287077640-sup-8607@twin.sascha.silbe.org> (Sascha Silbe's message of "Thu, 14 Oct 2010 20:03:25 +0200")
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <4CB3E568.1080704@sixdemonbag.org> <4CB3F7F8.5040607@fifthhorseman.net> <4CB461DE.3040307@sixdemonbag.org> <1287077640-sup-8607@twin.sascha.silbe.org>
Message-ID: <87aamf3gga.fsf@vigenere.g10code.de>

On Thu, 14 Oct 2010 20:03, sascha-ml-reply-to-2010-3 at silbe.org said:

> One instance where the proposed mechanism (in conjunction with the new
> version of gpg-agent that will handle the secret keys itself) would be

Just for the records: This is no new mechanism of the agent. It is in
use for about 8 years now. The change is that GPG uses this mechanism
now, in the past only GPGSM and the ssh-agent support in gpg-agent
used it.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Fri Oct 15 12:28:33 2010
From: wk at gnupg.org (Werner Koch)
Date: Fri, 15 Oct 2010 12:28:33 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB5D59D.1020003@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 13 Oct 2010 11:51:57 -0400")
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB3C5F7.5060903@sixdemonbag.org> <4CB3CB99.6020908@fifthhorseman.net> <87aamk53l8.fsf@vigenere.g10code.de> <4CB408D4.5080600@fifthhorseman.net> <87sk0b45bo.fsf@vigenere.g10code.de> <4CB5D59D.1020003@fifthhorseman.net>
Message-ID: <8762x33g32.fsf@vigenere.g10code.de>

On Wed, 13 Oct 2010 17:51, dkg at fifthhorseman.net said:

> If i run the agent locally, and forward access to it to a constrained
> account, then the constrained account (which is talking to the agent)
> *does not* have the ability to simulate such X11 events.

You mean to a different X server? For example from a nested one to the
main X server? Then why do you want to have this yes/no prompt, the
other X server has no access to the pinentry. I doubt that it is
possible to have a restricted account running on the same X server.

> requires, say, an ACPI event, or a special keypress (not an X11 event)
> from a designated hardware button. in that case, malicious code with
> access to the X11 session could detect that a prompt had been made, and

If there is malicious code running on your machine with access to
resources under your control, I can only say: game over. No external
button will help you here.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Fri Oct 15 12:55:22 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 15 Oct 2010 12:55:22 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <8762x33g32.fsf@vigenere.g10code.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de>
Message-ID: <201010151255.22939.mailinglisten@hauke-laging.de>

On Friday 15 October 2010 12:28:33, Werner Koch wrote:

> If there is malicious code running on your machine with access to
> resources under your control, I can only say: game over. No external
> button will help you here.

That's why we try to restrict the access of malicious code, isn't it?

Following your pessimistic attitude there would hardly be any reason not
to work as root.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From wk at gnupg.org Fri Oct 15 18:23:02 2010
From: wk at gnupg.org (Werner Koch)
Date: Fri, 15 Oct 2010 18:23:02 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010151255.22939.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Fri, 15 Oct 2010 12:55:22 +0200")
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de>
Message-ID: <87sk071l3t.fsf@vigenere.g10code.de>

On Fri, 15 Oct 2010 12:55, mailinglisten at hauke-laging.de said:

> Following your pessimistic attitude there would hardly be any reason not to
> work as root.

Nope. Not working under root is important to keep the system stable and
provide access restrictions to the non-malicious users.

OTOH, it is hard enough to close all remotely exploitable bugs. Given
the constant proliferation of local privilege escalation bugs, it seems
to me not possible for the majority of systems to keep them *all*
closed. Look only on how many admins are proud of their system's
uptimes and check for example the list of severe Linux bugs.

If you want to protect your keys, use a smartcard or a second box acting
similar to a smartcard.

Nevertheless, the confirmation prompt for a cached passphrase is not
entirely unfounded given that we have quite some features in gpg-agent
which are more questionable (e.g. the whole passphrase quality checking
stuff).

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dougb at dougbarton.us Fri Oct 15 19:31:04 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 15 Oct 2010 10:31:04 -0700
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87sk071l3t.fsf@vigenere.g10code.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de>
Message-ID: <4CB88FD8.7050404@dougbarton.us>

On 10/15/2010 9:23 AM, Werner Koch wrote:
> Nevertheless, the confirmation prompt for a cached passphrase is not
> entirely unfounded

I've really been biting my tongue on this thread because it seemed like
the right people were saying the right things already, but you're making
me nervous now Werner. :)

The right solution to the concern expressed is to keep the time for
gpg-agent to cache the pass phrase down to a reasonable level, where
"reasonable" may mean different things in different environments. I
don't remember what the default is, but I do recall thinking when I
first installed -agent that it seemed sufficiently short to protect new
users from themselves; but too short for my tastes, so I fixed it. :)

The other problem with the confirmation proposal is that (unless I'm
missing something really dramatic) the intersection between plausible
attack vectors and vulnerabilities that confirmation would actually fix
seems so small that it does not justify even the coding/QA time to
develop the feature, never mind the inconvenience to the user.

hth,

Doug

--

    Breadth of IT experience, and   |  Nothin' ever doesn't change,
    depth of knowledge in the DNS.  |  but nothin' changes much.
    Yours for the right price. :)   |      -- OK Go
    http://SupersetSolutions.com/

From rjh at sixdemonbag.org Fri Oct 15 19:42:05 2010
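Added example (not part of the thread and not GnuPG code): a shell check for the cache-lifetime approach Doug Barton describes in the message above, reading `default-cache-ttl` and `max-cache-ttl` from a gpg-agent.conf and flagging values above limits you choose. The sample file and the limits are constructed; the fallbacks of 600 and 7200 seconds are gpg-agent's documented defaults, and treating the last occurrence of an option as the effective one is an assumption.

```shell
#!/bin/sh
# Audit the passphrase cache lifetimes a gpg-agent.conf would give.

# Documented gpg-agent defaults (seconds), used when an option is absent.
DEFAULT_CACHE_TTL=600
DEFAULT_MAX_CACHE_TTL=7200

# effective_ttl FILE OPTION FALLBACK
# Print the value set for OPTION in FILE, or FALLBACK if it is not set.
# Comment lines are skipped; the last occurrence wins (assumption).
effective_ttl() {
    file=$1 option=$2 fallback=$3
    value=$(awk -v opt="$option" '
        /^[ \t]*#/ { next }
        $1 == opt && $2 ~ /^[0-9]+$/ { v = $2 }
        END { if (v != "") print v }
    ' "$file" 2>/dev/null) || value=""
    echo "${value:-$fallback}"
}

# check_cache_policy FILE IDLE_LIMIT ABSOLUTE_LIMIT
# default-cache-ttl is the lifetime counted from the last use of the key,
# max-cache-ttl the hard upper bound however often the key is used.
# Returns 0 if both are within the limits, 1 otherwise.
check_cache_policy() {
    file=$1 idle_limit=$2 abs_limit=$3
    ttl=$(effective_ttl "$file" default-cache-ttl "$DEFAULT_CACHE_TTL")
    max=$(effective_ttl "$file" max-cache-ttl "$DEFAULT_MAX_CACHE_TTL")
    status=0
    if [ "$ttl" -gt "$idle_limit" ]; then
        echo "default-cache-ttl is $ttl s, limit is $idle_limit s"
        status=1
    fi
    if [ "$max" -gt "$abs_limit" ]; then
        echo "max-cache-ttl is $max s, limit is $abs_limit s"
        status=1
    fi
    return $status
}

# Constructed sample: a config that caches the passphrase for a day of
# idle time and up to a week in total.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample gpg-agent.conf
default-cache-ttl 86400
max-cache-ttl 604800
EOF
check_cache_policy "$sample" 600 7200 || echo "cache policy violated"
rm -f "$sample"
```
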
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 13:42:05 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB88FD8.7050404@dougbarton.us>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us>
Message-ID: <4CB8926D.3050705@sixdemonbag.org>

On 10/15/10 1:31 PM, Doug Barton wrote:
> The other problem with the confirmation proposal is that ... the
> intersection between plausible attack vectors and vulnerabilities
> that [this proposal] would actually fix seems [very] small.

I seem to recall saying something similar to this a few days ago. :)

I'll go one step further: so far I haven't seen anyone present a
plausible intersection. I've seen some hypothetical intersections, but
none that I think are plausible.

This seems like a nonsolution to a nonproblem.

From jrollins at finestructure.net Fri Oct 15 20:49:41 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Fri, 15 Oct 2010 14:49:41 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB8926D.3050705@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org>
Message-ID: <87ocavjnp6.fsf@servo.finestructure.net>

On Fri, 15 Oct 2010 13:42:05 -0400, "Robert J. Hansen" wrote:
> On 10/15/10 1:31 PM, Doug Barton wrote:
> > The other problem with the confirmation proposal is that ... the
> > intersection between plausible attack vectors and vulnerabilities
> > that [this proposal] would actually fix seems [very] small.
>
> I seem to recall saying something similar to this a few days ago. :)
>
> I'll go one step further: so far I haven't seen anyone present a
> plausible intersection. I've seen some hypothetical intersections, but
> none that I think are plausible.

Without use confirmation in the agent, a malicious program running under
your account could access your secret key without you knowing it. That
is clear and indisputable. If there was no worry of this happening,
then there would also be no need to passphrase-protect your secret key.
Since everyone seems to agree that one should passphrase-protect your
secret key, then there are obviously plausible attack vectors here.

I am also strongly in favor of use confirmation in the agent, and I'm
having a hard time understanding the opposition to it.

FWIW, ssh-agent implements use confirmation, so they clearly thought
there were plausible attack vectors as well.

jamie.

From rjh at sixdemonbag.org Fri Oct 15 21:36:51 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 15:36:51 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87ocavjnp6.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net>
Message-ID: <4CB8AD53.7050604@sixdemonbag.org>

On 10/15/10 2:49 PM, Jameson Rollins wrote:
> Without use confirmation in the agent, a malicious program running under
> your account could access your secret key without you knowing it.

This can still happen with a confirmation prompt. Confirmation cannot
protect against malware running under your account. If the agent pops
up a dialog box, then all I have to do is intercept the dialog box and
answer 'yes.'

From jrollins at finestructure.net Fri Oct 15 23:04:41 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Fri, 15 Oct 2010 17:04:41 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB8AD53.7050604@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org>
Message-ID: <87bp6vjhg6.fsf@servo.finestructure.net>

On Fri, 15 Oct 2010 15:36:51 -0400, "Robert J. Hansen" wrote:
> On 10/15/10 2:49 PM, Jameson Rollins wrote:
> > Without use confirmation in the agent, a malicious program running under
> > your account could access your secret key without you knowing it.
>
> This can still happen with a confirmation prompt. Confirmation cannot
> protect against malware running under your account. If the agent pops
> up a dialog box, then all I have to do is intercept the dialog box and
> answer 'yes.'

Ok, then this protects against malicious programs that are not
intercepting the dialog box. Just because a fix for one problem doesn't
solve all possible problems does not mean that it should be ignored.

Don't let the perfect be the enemy of the good.

jamie.

From rjh at sixdemonbag.org Sat Oct 16 00:23:04 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 18:23:04 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87bp6vjhg6.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net>
Message-ID: <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org>

> Ok, then this protects against malicious programs that are not
> intercepting the dialog box.

Which means that six months after this feature gets implemented, the
malware authors will write exploits that intercept the dialog box.

Arms races are inevitable, but stupid arms races should be avoided.

> Don't let the perfect be the enemy of the good.

I'm not. This idea isn't good.

From kgo at grant-olson.net Sat Oct 16 00:34:58 2010
From: kgo at grant-olson.net (Grant Olson)
Date: Fri, 15 Oct 2010 18:34:58 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87bp6vjhg6.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net>
Message-ID: <4CB8D712.90400@grant-olson.net>

On 10/15/10 5:04 PM, Jameson Rollins wrote:
> Don't let the perfect be the enemy of the good.
>

But is it good? To me this feature seems like "security theater." It
makes you feel all warm and fuzzy and lets you sleep at night, but
doesn't provide any real protection.

Is it good to have users thinking that there's no way their box can be
compromised, because they're not getting pop-ups, when in reality they
may be completely compromised? Do the perceived protections of this
feature come anywhere close to the actual protection provided?

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

From jrollins at finestructure.net Sat Oct 16 01:04:28 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Fri, 15 Oct 2010 19:04:28 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org>
Message-ID: <8739s7jbwj.fsf@servo.finestructure.net>

On Fri, 15 Oct 2010 18:23:04 -0400, "Robert J. Hansen" wrote:
> I'm not. This idea isn't good.

Do you use ssh-agent? Do you think their implementation of the same
thing is not good? If so, have you complained to them about it, or
asked why they implemented it?

jamie.

From mailinglisten at hauke-laging.de Sat Oct 16 01:05:11 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 16 Oct 2010 01:05:11 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org>
Message-ID: <201010160105.19066.mailinglisten@hauke-laging.de>

On Saturday 16 October 2010 00:23:04, Robert J. Hansen wrote:
> > Ok, then this protects against malicious programs that are not
> > intercepting the dialog box.
>
> Which means that six months after this feature gets implemented, the
> malware authors will write exploits that intercept the dialog box.
>
> Arms races are inevitable, but stupid arms races should be avoided.

This implies the strange claim that it will forever be possible to do
that. As I already mentioned you can run X clients untrustedly today and
SELinux is going to be extended by features for X access restriction.

But, of course, you can deny all applications that never use gpg keys
access to both the files and the socket by means of the LSMs even today.
And if an application gets hijacked that has to access the key files and
the socket then an attacker can wait until the next intended operation
occurs. So the user would not notice the abuse of his key.

The process of informing the user could be more clever than a simple
"gpg-agent access, please click OK" window. An obvious option is to
allow the user to configure a program and allow or deny access based on
the exit code; we saw proposals what such a check program could do here
in the discussion.

I just don't like the idea that access to the agent is "not noticed by
design".

Somebody mentioned an "inconvenience for the user". I would make this
behaviour an option (for people understanding the merits and limits) not
the default. Thus no inconvenience for anyone.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From rjh at sixdemonbag.org Sat Oct 16 01:12:21 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 19:12:21 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <8739s7jbwj.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <8739s7jbwj.fsf@servo.finestructure.net>
Message-ID: <89E225BD-A08D-47B5-8747-78976EB40859@sixdemonbag.org>

> Do you use ssh-agent? Do you think their implementation of the same
> thing is not good? If so, have you complained to them about it, or
> asked why they implemented it?

This seems to be an argument from implication of hypocrisy: as if, were
I a user of ssh-agent, my opinion regarding gpg-agent could be safely
dismissed on the grounds of my hypocrisy by not bringing the same issues
up to the ssh-agent authors.

The answers to your questions are, "no, I do not," "I have not looked at
it enough to have an informed opinion," and "I reject out of hand all
argument by implication of hypocrisy."

From rjh at sixdemonbag.org Sat Oct 16 01:14:20 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 19:14:20 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010160105.19066.mailinglisten@hauke-laging.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <201010160105.19066.mailinglisten@hauke-laging.de>
Message-ID:

> This implies the strange claim that it will forever be possible to do that.

It does not. It states that at present the OS infrastructure we have
makes implementing this a losing proposition. As soon as the OS
infrastructure changes enough to make this a winner, then we should
revisit this decision.

From jrollins at finestructure.net Sat Oct 16 01:26:14 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Fri, 15 Oct 2010 19:26:14 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <201010160105.19066.mailinglisten@hauke-laging.de>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <201010160105.19066.mailinglisten@hauke-laging.de>
Message-ID: <87y69zhwbt.fsf@servo.finestructure.net>

On Sat, 16 Oct 2010 01:05:11 +0200, Hauke Laging wrote:
> I just don't like the idea that access to the agent is "not noticed by
> design".

I strongly agree with this point. Let's think about it another way:
what if the user is themselves doing something that is unintentionally
accessing the key? They might prefer to know about it rather than have
it accessed without their knowledge. I would say that's good enough
reason to have confirmation right there.

jamie.

From jrollins at finestructure.net Sat Oct 16 01:29:50 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Fri, 15 Oct 2010 19:29:50 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <89E225BD-A08D-47B5-8747-78976EB40859@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <8739s7jbwj.fsf@servo.finestructure.net> <89E225BD-A08D-47B5-8747-78976EB40859@sixdemonbag.org>
Message-ID: <87vd53hw5t.fsf@servo.finestructure.net>

On Fri, 15 Oct 2010 19:12:21 -0400, "Robert J. Hansen" wrote:
> > Do you use ssh-agent? Do you think their implementation of the same
> > thing is not good? If so, have you complained to them about it, or
> > asked why they implemented it?
>
> This seems to be an argument from implication of hypocrisy: as if,
> were I a user of ssh-agent, my opinion regarding gpg-agent could be
> safely dismissed on the grounds of my hypocrisy by not bringing the
> same issues up to the ssh-agent authors.

No, I was just curious why, if you were an ssh-agent user, you would be
ok with the implementation there but not for gpg-agent. If you're not
an ssh-agent user then you have nothing to get defensive about.

jamie.

From rjh at sixdemonbag.org Sat Oct 16 01:39:26 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 15 Oct 2010 19:39:26 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87y69zhwbt.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <201010160105.19066.mailinglisten@hauke-laging.de> <87y69zhwbt.fsf@servo.finestructure.net>
Message-ID: <20FBCAC4-413B-44A3-AE98-3AA332B435A7@sixdemonbag.org>

> I strongly agree with this point. Let's think about it another way:
> what if the user is themselves doing something that is unintentionally
> accessing the key?

Then that's the user's own problem. They're the one who decided to
enable passphrase caching and to set a large timeout window. They get to
make their decisions, and it's foolish of us to try to protect them from
it.

In fact, I would argue this "feature" would cause more problems than it
claims to solve. The number of people who would benefit from it is
relatively small. The number of people who discover their automated
scripts no longer work would be large.

No choice comes without consequences. This feature enhancement is no
exception.

From ben at adversary.org Sat Oct 16 02:07:20 2010
From: ben at adversary.org (Ben McGinnes)
Date: Sat, 16 Oct 2010 11:07:20 +1100
Subject: Paranoid People's User Group?
In-Reply-To: <932156140.20101014231119@my_localhost>
References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> <4CB75D92.8010301@gmail.com> <20101014195806.GB26497@winter.webconquest.com> <4CB76F5C.4030200@gmail.com> <932156140.20101014231119@my_localhost>
Message-ID: <4CB8ECB8.4030902@adversary.org>

On 15/10/10 9:11 AM, MFPA wrote:
>
>> On 14-10-2010 16:58, Remco Rijnders wrote: ...
>>> I guess it would just have been nice if there was an email address you can
>>> send a sign up message to, confirm your email address, and be part of the
>>> group, similar to how mailing lists like this one work, without requiring
>>> people to jump through any extra hoops they have no interest in.
>
>> Yes, but that's how yahoo groups work, and we don't
>> have our own server to setup a mailing list...
>
> I've always thought it odd that they have an "unsubscribe" address but
> not one to subscribe...

They do have a subscription email address (same format as the
unsubscribe address only sans the "un"). They just encourage a web
account and many features (like group file access) require it, so they
want every email address linked to an account.

YahooGroups were originally just ordinary mailing list servers (Listserv
I think, but I can't be bothered double-checking). When Yahoo were
really pushing them hard, they were trying to provide features beyond
those of "ordinary" mailing lists. This would have been around nine or
ten years ago.

Regards,
Ben

From expires2010 at ymail.com Sat Oct 16 18:05:46 2010
From: expires2010 at ymail.com (MFPA)
Date: Sat, 16 Oct 2010 17:05:46 +0100
Subject: Paranoid People's User Group?
In-Reply-To: <4CB8ECB8.4030902@adversary.org>
References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> <4CB75D92.8010301@gmail.com> <20101014195806.GB26497@winter.webconquest.com> <4CB76F5C.4030200@gmail.com> <932156140.20101014231119@my_localhost> <4CB8ECB8.4030902@adversary.org>
Message-ID: <649834295.20101016170546@my_localhost>

Hi

On Saturday 16 October 2010 at 1:07:20 AM, in , Ben McGinnes wrote:

> On 15/10/10 9:11 AM, MFPA wrote:

>>> On 14-10-2010 16:58, Remco Rijnders wrote: ...
>>>> I guess it would just have been nice if there was an email address you can
>>>> send a sign up message to, confirm your email address, and be part of the
>>>> group, similar to how mailing lists like this one work, without requiring
>>>> people to jump through any extra hoops they have no interest in.
>>> Yes, but that's how yahoo groups work, and we don't
>>> have our own server to setup a mailing list...

>> I've always thought it odd that they have an
>> "unsubscribe" address but not one to subscribe...

> They do have a subscription email address (same format
> as the unsubscribe address only sans the "un").

Makes sense. I've never seen it advertised, and unlike the unsubscribe
address it seems to be missing from the headers of the yahoogroup list
emails.

-- 
Best regards

MFPA                    mailto:expires2010 at ymail.com

Don't cry because it is over - smile because it happened

From ben at adversary.org Sun Oct 17 10:09:52 2010
From: ben at adversary.org (Ben McGinnes)
Date: Sun, 17 Oct 2010 19:09:52 +1100
Subject: Paranoid People's User Group?
In-Reply-To: <649834295.20101016170546@my_localhost>
References: <4CB65564.9040004@gmail.com> <4CB68A8F.6060603@gmail.com> <20101014064559.GY8495@winter.webconquest.com> <4CB74CA0.2050907@gmail.com> <4CB75D92.8010301@gmail.com> <20101014195806.GB26497@winter.webconquest.com> <4CB76F5C.4030200@gmail.com> <932156140.20101014231119@my_localhost> <4CB8ECB8.4030902@adversary.org> <649834295.20101016170546@my_localhost>
Message-ID: <4CBAAF50.5000601@adversary.org>

On 17/10/10 3:05 AM, MFPA wrote:
> On Saturday 16 October 2010 at 1:07:20 AM, in
> , Ben McGinnes wrote:
>
>> They do have a subscription email address (same format
>> as the unsubscribe address only sans the "un").
>
> Makes sense. I've never seen it advertised, and unlike the unsubscribe
> address it seems to be missing from the headers of the yahoogroup list
> emails.

My original subscription was via the email address, but I still have an
old Yahoo account from years ago and linked it. Mainly to wade through
the group files and find who to encrypt to.

Regards,
Ben

From faramir.cl at gmail.com Mon Oct 18 02:37:47 2010
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 17 Oct 2010 21:37:47 -0300
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB88FD8.7050404@dougbarton.us>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us>
Message-ID: <4CBB96DB.6020202@gmail.com>

On 15-10-2010 14:31, Doug Barton wrote:
> On 10/15/2010 9:23 AM, Werner Koch wrote:
>> Nevertheless, the confirmation prompt for a cached passphrase is not
>> entirely unfounded ...
> The other problem with the confirmation proposal is that (unless I'm
> missing something really dramatic) the intersection between plausible
> attack vectors and vulnerabilities that confirmation would actually fix
> seems so small that it does not justify even the coding/QA time to
> develop the feature, never mind the inconvenience to the user.

I guess as long as it can be disabled by people thinking it is
useless/too annoying, it won't cause problems...

Best Regards

From faramir.cl at gmail.com Mon Oct 18 02:43:39 2010
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 17 Oct 2010 21:43:39 -0300
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CB8926D.3050705@sixdemonbag.org>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org>
Message-ID: <4CBB983B.2060303@gmail.com>

On 15-10-2010 14:42, Robert J. Hansen wrote:
> On 10/15/10 1:31 PM, Doug Barton wrote:
>> The other problem with the confirmation proposal is that ... the
>> intersection between plausible attack vectors and vulnerabilities
>> that [this proposal] would actually fix seems [very] small.
>
> I seem to recall saying something similar to this a few days ago. :)
>
> I'll go one step further: so far I haven't seen anyone present a
> plausible intersection. I've seen some hypothetical intersections, but
> none that I think are plausible.
>
> This seems like a nonsolution to a nonproblem.

That may be true. However, remember feeling secure is part of security
too, so if that feature doesn't break anything, and makes people sleep
better...

And if one day the user finds it has been disabled somehow, the user
might become aware of some malware in the machine...

Best Regards

From faramir.cl at gmail.com Mon Oct 18 02:52:37 2010
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 17 Oct 2010 21:52:37 -0300
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <87vd53hw5t.fsf@servo.finestructure.net>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <87ocavjnp6.fsf@servo.finestructure.net> <4CB8AD53.7050604@sixdemonbag.org> <87bp6vjhg6.fsf@servo.finestructure.net> <4905BB6E-B942-4287-8658-55FAEA7BF1C4@sixdemonbag.org> <8739s7jbwj.fsf@servo.finestructure.net> <89E225BD-A08D-47B5-8747-78976EB40859@sixdemonbag.org> <87vd53hw5t.fsf@servo.finestructure.net>
Message-ID: <4CBB9A55.7010908@gmail.com>

On 15-10-2010 20:29, Jameson Rollins wrote:
....
> No, I was just curious why, if you were an ssh-agent user, you would be
> ok with the implementation there but not for gpg-agent. If you're not
> an ssh-agent user then you have nothing to get defensive about.

Let's say I buy a house, and the house has elephant proof fences. Since
it didn't make the price too expensive, I'm ok with that. And since it
doesn't bother me, I don't need to remove them. But now I buy another
house, and somebody says "hey, this house lacks elephant proof fences,
will you add them?". My answer would be "no, there are no elephants in
this country, so there is no need to spend money and time building
something I don't need".

If a developer already added a feature to some software, well, there is
no need to complain. The thing is: should GnuPG developers spend time in
adding a new feature? I'm not a developer, so whatever they choose is ok
for me, as long as they don't break anything.

Best Regards

From dougb at dougbarton.us Mon Oct 18 03:09:48 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Sun, 17 Oct 2010 18:09:48 -0700
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CBB983B.2060303@gmail.com>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <4CBB983B.2060303@gmail.com>
Message-ID: <4CBB9E5C.8070107@dougbarton.us>

On 10/17/2010 5:43 PM, Faramir wrote:
|
| That may be true. However, remember feeling secure is part of security
| too, so if that feature doesn't break anything, and make people sleep
| better...

Two problems with that theory. The first is that a false sense of
security does more harm than good. The second is that there is no such
thing as a zero-cost change to software. So any proposed change has to
have benefits that outweigh the costs. Of course accurately anticipating
those costs is a whole different category of problems. :)

Doug

-- 
Breadth of IT experience, and    |  Nothin' ever doesn't change,
depth of knowledge in the DNS.   |  but nothin' changes much.
Yours for the right price. :)    |      -- OK Go
http://SupersetSolutions.com/

From rjh at sixdemonbag.org Mon Oct 18 04:47:24 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 17 Oct 2010 22:47:24 -0400
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CBB983B.2060303@gmail.com>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <4CBB983B.2060303@gmail.com>
Message-ID:

> That may be true. However, remember feeling secure is part of security
> too, so if that feature doesn't break anything, and make people sleep
> better...

If a feeling of security comes as the result of *real security*, this is
good. If a feeling of security comes as the result of *no improvement in
your situation*, this is bad.

> And if one day the user finds it has been disabled somehow, the user
> might become aware of some malware in the machine...

By this logic every user should have a big piece of Scotch tape on the
center of his or her screen. If the piece of tape is ever missing, then
you know someone's been tampering with your machine.

From faramir.cl at gmail.com Mon Oct 18 05:28:51 2010
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 18 Oct 2010 00:28:51 -0300
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CBB9E5C.8070107@dougbarton.us>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <4CBB983B.2060303@gmail.com> <4CBB9E5C.8070107@dougbarton.us>
Message-ID: <4CBBBEF3.6090905@gmail.com>

On 17-10-2010 22:09, Doug Barton wrote:
> On 10/17/2010 5:43 PM, Faramir wrote:
> |
> | That may be true. However, remember feeling secure is part of security
> | too, so if that feature doesn't break anything, and make people sleep
> | better...
>
> Two problems with that theory. The first is that a false sense of
> security does more harm than good. The second is that there is no such
> thing as a zero-cost change to software. So any proposed change has to
> have benefits that outweigh the costs. Of course accurately anticipating
> those costs is a whole different category of problems. :)

Right, I agree, we don't want those stones that keep tigers away. But as
long as people know the feature may be ignored by malware, it wouldn't
be a false sense of security, maybe it would be the solution against a
false sense of insecurity (if such a thing exists).

Also, I was not saying anything about costs of adding the feature, so my
message should have said: "if there is a developer willing to add it,
and it doesn't break anything, and it can be disabled by the user, I'm
ok with it". Please note I'm not requesting that feature, I just said I
would not oppose its addition.

Best Regards

From faramir.cl at gmail.com Mon Oct 18 05:44:18 2010
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 18 Oct 2010 00:44:18 -0300
Subject: Confirmation for cached passphrases useful?
In-Reply-To:
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CB5D59D.1020003@fifthhorseman.net> <8762x33g32.fsf@vigenere.g10code.de> <201010151255.22939.mailinglisten@hauke-laging.de> <87sk071l3t.fsf@vigenere.g10code.de> <4CB88FD8.7050404@dougbarton.us> <4CB8926D.3050705@sixdemonbag.org> <4CBB983B.2060303@gmail.com>
Message-ID: <4CBBC292.80000@gmail.com>

On 17-10-2010 23:47, Robert J. Hansen wrote:
...
>> And if one day the user finds it has been disabled somehow, the user
>> might become aware of some malware in the machine...
>
> By this logic every user should have a big piece of Scotch tape on the
> center of his or her screen. If the piece of tape is ever missing, then
> you know someone's been tampering with your machine.

Yes, something like that. That's why I installed something supposed to
warn me if an unknown process tries to communicate with another process.
If it works as expected, I would get a warning about trojan.exe trying
to access Agent, and I would have to choose between blocking it,
allowing it, and making a rule from my decision to prevent future
warnings about the same thing.

I'm not requesting that feature, I don't need it, but it won't bother me
if somebody decides to implement it, as long as it can be disabled.
Also, since software is always changing, many times in annoying ways
(I'm _not_ talking about GnuPG), probably sooner or later I'll have to
get used to a confirmation screen where there was none in the previous
version.

I think I won't participate in _this_ discussion anymore, since I
already said I'm neutral about that feature, and don't have anything to
say that might be valuable to the discussion.

Best Regards

From wk at gnupg.org Mon Oct 18 13:33:51 2010
From: wk at gnupg.org (Werner Koch)
Date: Mon, 18 Oct 2010 13:33:51 +0200
Subject: [Announce] GnuPG 1.4.11 released
Message-ID: <87pqv7zqe8.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-1
release: Version 1.4.11.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility, smartcard support and is
compliant with the OpenPGP Internet standard as described by RFC-4880.

Note that this version is from the GnuPG-1 series and thus smaller than
those from the GnuPG-2 series, easier to build and also better portable.
In contrast to GnuPG-2 (e.g. version 2.0.16) it comes with no support
for S/MIME or other tools useful for desktop environments. Fortunately
you may install both versions alongside on the same system without any
conflict.


What's New
===========

 * Bug fixes and portability changes.

 * Minor changes for better interoperability with GnuPG-2.


Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 1.4.11 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.4.11.tar.bz2 (3327k)
  gnupg-1.4.11.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.11.tar.gz (4603k)
  gnupg-1.4.11.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.4.10-1.4.11.diff.bz2 (205k)

      A patch file to upgrade a 1.4.10 GnuPG source tree. This patch
      does not include updates of the language files.

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file.
Please try another mirror if exceptionally your mirror is not yet up to
date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.11.exe (1588k)
  gnupg-w32cli-1.4.11.exe.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      This is a command line only version; the source files are the
      same as given above. Note, that this is a minimal installer and
      unless you are just in need for the gpg binary, you are better
      off using the full featured installer at http://www.gpg4win.org .


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-1.4.11.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.11.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com | gpg --import

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key
   5B0358A2. If you get a key expired message, you should retrieve a
   fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum.
   Assuming you downloaded the file gnupg-1.4.11.tar.bz2, you would
   run the sha1sum command like this:

     sha1sum gnupg-1.4.11.tar.bz2

   and check that the output matches the first line from the
   following list:

78e22f5cca88514ee71034aafff539c33f3c6676  gnupg-1.4.11.tar.bz2
bffb0c60b2e702980f7148ee3a060f29adc82331  gnupg-1.4.11.tar.gz
631b5129f918b7d30247ade8bcc27908951eaea0  gnupg-w32cli-1.4.11.exe
f17729146c18d9288005ac0d93489c333c729345  gnupg-1.4.10-1.4.11.diff.bz2


Internationalization
====================

GnuPG comes with support for 28 languages. Due to a lot of new and
changed strings some translations are not entirely complete. The
Chinese (Simple and Traditional), Czech, Dutch, French, German,
Norwegian, Polish, Romanian, Russian, Spanish, Swedish and Turkish
translations are close to be complete.


Support
=======

Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, ordering
extensions or support or, more generally, by donating money to the Free
Software movement (e.g. http://www.fsfeurope.org/help/donate.en.html).

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by gpg's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.

A service directory is available at:

  http://www.gnupg.org/service.html


Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.


Happy Hacking,

  The GnuPG Team (David, Werner and the other contributors)

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From shavital at mac.com Mon Oct 18 14:56:59 2010
From: shavital at mac.com (Charly Avital)
Date: Mon, 18 Oct 2010 08:56:59 -0400
Subject: [Announce] GnuPG 1.4.11 released
In-Reply-To: <87pqv7zqe8.fsf@vigenere.g10code.de>
References: <87pqv7zqe8.fsf@vigenere.g10code.de>
Message-ID: <4CBC441B.9050502@mac.com>

Werner Koch wrote the following on 10/18/10 7:33 AM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.11.
>

Compiled for MacOS 10.6.4 (Darwin 10.4.0).

Thanks.
Charly

MacOS 10.6.4-MacBook Intel C2Duo 2GHz-GnuPG 1.4.11-MacGPG 2.0.14
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8)
Gecko/20100802 Thunderbird/3.1.2 - Running Enigmail version 1.1.2
(20100629-1412)

From jharris at widomaker.com Mon Oct 18 18:36:09 2010
From: jharris at widomaker.com (Jason Harris)
Date: Mon, 18 Oct 2010 12:36:09 -0400
Subject: [Announce] GnuPG 1.4.11 released
In-Reply-To: <87pqv7zqe8.fsf@vigenere.g10code.de>
References: <87pqv7zqe8.fsf@vigenere.g10code.de>
Message-ID: <20101018163609.GA99190@laptop>

On Mon, Oct 18, 2010 at 01:33:51PM +0200, Werner Koch wrote:

> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.11.

> In the *binary* directory, you should find these files:
>
> gnupg-w32cli-1.4.11.exe (1588k)
> gnupg-w32cli-1.4.11.exe.sig
>
> 631b5129f918b7d30247ade8bcc27908951eaea0 gnupg-w32cli-1.4.11.exe

The .exe is there and matches the SHA-1, but the .sig isn't there:

%wget ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe.sig
--2010-10-18 12:22:53-- ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe.sig
           => `gnupg-w32cli-1.4.11.exe.sig.1'
Resolving ftp.gnupg.org (ftp.gnupg.org)... 217.69.76.55
Connecting to ftp.gnupg.org (ftp.gnupg.org)|217.69.76.55|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /gcrypt/binary ... done.
==> SIZE gnupg-w32cli-1.4.11.exe.sig ... done.
==> PASV ... done.    ==> RETR gnupg-w32cli-1.4.11.exe.sig ...
No such file `gnupg-w32cli-1.4.11.exe.sig'.

Also, none of the mirrors in FreeBSD's /usr/ports/Mk/bsd.sites.mk have
the .tar.bz2{,.sig} files yet. Ever consider publishing a .torrent
with web-based seeds? http://mktorrent.sourceforge.net/ should make
it easy to generate.

Thanks.

-- 
Jason Harris           |  PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ Got photons?   (TM), (C) 2004

From wk at gnupg.org Mon Oct 18 20:36:59 2010
From: wk at gnupg.org (Werner Koch) Date: Mon, 18 Oct 2010 20:36:59 +0200 Subject: [Announce] GnuPG 1.4.11 released In-Reply-To: <20101018163609.GA99190@laptop> (Jason Harris's message of "Mon, 18 Oct 2010 12:36:09 -0400") References: <87pqv7zqe8.fsf@vigenere.g10code.de> <20101018163609.GA99190@laptop> Message-ID: <87pqv7xs8k.fsf@vigenere.g10code.de> On Mon, 18 Oct 2010 18:36, jharris at widomaker.com said: > The .exe is there and matches the SHA-1, but the .sig isn't there: Ooops. Forgot to upload that one - fixed. Sorry. > the .tar.bz2{,.sig} files yet. Ever consider publishing a .torrent > with web-based seeds? http://mktorrent.sourceforge.net/ should make Actually, our FTP server would not have a problem to serve all requests. The mirrors are more a historics thing but more an more folks wan't to mirror (I recently added a rel=nofollow in case some of them intent to bump up their page rank). I should change the wording of the announcement. Thanks for the hint of the mktorrent; maybe I can add this to our webpage anyway. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From tchitwoo at us.ibm.com Tue Oct 19 18:50:01 2010 From: tchitwoo at us.ibm.com (Thomas Chitwood) Date: Tue, 19 Oct 2010 09:50:01 -0700 Subject: Encrypting a file Message-ID: I have a customer that wants me to send him my public key and then encrypt a file that I am sending to him with my private key. Is this even possible? Tom Chitwood MCP, MCSE, CNA Wellpoint Account Information Technology Services Americas Global Services, IBM 818.234.4118 -------------- next part -------------- An HTML attachment was scrubbed... URL: From dougb at dougbarton.us Tue Oct 19 18:55:09 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 19 Oct 2010 09:55:09 -0700 Subject: Encrypting a file In-Reply-To: References: Message-ID: <4CBDCD6D.5000909@dougbarton.us> On 10/19/2010 9:50 AM, Thomas Chitwood wrote: > > I have a customer that wants me to send him my public key Perfectly valid. That's why it's called the "public" key. > and then > encrypt a file that I am sending to him with my private key. Is this > even possible? Sounds like a minor misunderstanding on his part. You sign a message with your private key, he verifies the signature with your public key. You encrypt messages TO public keys (your and his) and then you each use your private keys to decrypt them. If I were in your shoes I'd simply encrypt the file to my key and his, and send it to him. Chances are excellent that it will all work according to plan. Good luck, Doug -- Breadth of IT experience, and | Nothin' ever doesn't change, depth of knowledge in the DNS. | but nothin' changes much. Yours for the right price. :) | -- OK Go http://SupersetSolutions.com/ From tchitwoo at us.ibm.com Tue Oct 19 21:57:16 2010 From: tchitwoo at us.ibm.com (Thomas Chitwood) Date: Tue, 19 Oct 2010 12:57:16 -0700 Subject: Encrypting a file In-Reply-To: <4CBDCD6D.5000909@dougbarton.us> References: <4CBDCD6D.5000909@dougbarton.us> Message-ID: Thanks for the info Doug. I don't think I have ever encrypted a file with more than one key. Would the command be something like the example below? gpg --output test.txt.gpg --encrypt --recipient 359B3EB2 DAE72D59 test.txt (where 359B3EB2 is their key and DAE72D59 is our key) Tom Chitwood MCP, MCSE, CNA Wellpoint Account Information Technology Services Americas Global Services, IBM 818.234.4118 
From John at Mozilla-Enigmail.org Tue Oct 19 22:39:35 2010
From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 19 Oct 2010 15:39:35 -0500 Subject: Encrypting a file In-Reply-To: References: <4CBDCD6D.5000909@dougbarton.us> Message-ID: <4CBE0207.6060008@Mozilla-Enigmail.org> Thomas Chitwood wrote: > > Thanks for the info Doug. I don't think I have ever encrypted a file > with more than one key. Would the command be something like the example > below? > > gpg --output test.txt.gpg --encrypt --recipient 359B3EB2 DAE72D59 > test.txt (where 359B3EB2 is their key and DAE72D59 is our key) > -e == --encrypt -r == --recipient gpg --output test.txt.gpg -e -r 0x359B3EB2 -r 0xDAE72D59 test.txt Alternatively, you can set default-recipient in gpg.conf to your key -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From tchitwoo at us.ibm.com Tue Oct 19 23:03:14 2010 From: tchitwoo at us.ibm.com (Thomas Chitwood) Date: Tue, 19 Oct 2010 15:03:14 -0600 Subject: Encrypting a file In-Reply-To: <4CBE0207.6060008@Mozilla-Enigmail.org> References: <4CBDCD6D.5000909@dougbarton.us> <4CBE0207.6060008@Mozilla-Enigmail.org> Message-ID: Thanks John, I'll give it a shot. Tom Chitwood MCP, MCSE, CNA Wellpoint Account Information Technology Services Americas Global Services, IBM 818.234.4118 
From rakia.bensassi at gmail.com Wed Oct 20 12:21:13 2010
From: rakia.bensassi at gmail.com (rakia ben sassi) Date: Wed, 20 Oct 2010 12:21:13 +0200 Subject: urgent: import public PGP Key which is my secret Key Message-ID: Hi, I have an encrypted document (with my key) which I should decrypt. After the generation of my key (and saving it in my email as .asc file), my computer is formated and new reinstalled. Now GnuPG find my key as public and I can't use it for decryption! This key has 2 IDs; one is for a public key an the other is for the subkey which is secret. The document which I have is encrypted with the subkey. When I try a decryption, I receive: "gpg: secret key not available" How can I import my own secret key? Do you have a solution for me please? It's very important !!! I'm using Ubuntu 10.4 and GnuPG. thanks for help! -------------- next part -------------- An HTML attachment was scrubbed... URL: From laurent.jumet at skynet.be Wed Oct 20 13:55:51 2010 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Wed, 20 Oct 2010 13:55:51 +0200 Subject: urgent: import public PGP Key which is my secret Key In-Reply-To: Message-ID: Hello rakia ! rakia ben sassi wrote: > I have an encrypted document (with my key) which I should decrypt. > After the generation of my key (and saving it in my email as .asc file), my > computer is formated and new reinstalled. > Now GnuPG find my key as public and I can't use it for decryption! > This key has 2 IDs; one is for a public key an the other is for the subkey > which is secret. > The document which I have is encrypted with the subkey. > When I try a decryption, I receive: "gpg: secret key not available" > How can I import my own secret key? > Do you have a solution for me please? It's very important !!! > I'm using Ubuntu 10.4 and GnuPG. Did you save *both* secret and public keys? What command did you use? -- Laurent Jumet KeyID: 0xCFAF704C From radix at devindo.com Wed Oct 20 15:57:34 2010 
From: radix at devindo.com (Raditya Arthapraja) Date: Wed, 20 Oct 2010 20:57:34 +0700 Subject: GnuPG skips the passphrase when creating a keypair Message-ID: Hi, I'm using MacGPG2 version 2.0.14RC2 with MacOS X 10.6.4 - Snow Leopard as the OS. When trying to generate a keypair, MacGPG skips the step to input the paraphrase and continues to create the key. ex: ---terminal--- me$ gpg --gen-key Please select what kind of key you want? 1 Please specify how long the key should be valid. 0 *entered name, comment & email Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. You don't want a passphrase - this is probably a *bad* idea! I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key". .... ---terminal--- i've tried to edit the key using --edit-key passwd parameter, but i get an error : ---terminal--- me$ gpg --edit-key "me" Command> passwd This key is not protected. Enter the new passphrase for this secret key. gpg: problem with the agent: Not supported ---terminal--- I don't now if anybody else is experiencing this problem or not, if so has this been resolved? Sincerely, --- Raditya Arthapraja From shavital at mac.com Wed Oct 20 21:01:05 2010 
From: shavital at mac.com (Charly Avital) Date: Wed, 20 Oct 2010 15:01:05 -0400 Subject: GnuPG skips the passphrase when creating a keypair In-Reply-To: References: Message-ID: <4CBF3C71.5090107@mac.com> Raditya Arthapraja wrote the following on 10/20/10 9:57 AM: > Hi, > > I'm using MacGPG2 version 2.0.14RC2 with MacOS X 10.6.4 - Snow Leopard as the OS. Me too. > > When trying to generate a keypair, MacGPG skips the step to input the paraphrase and continues to create the key. > > ex: > ---terminal--- > me$ gpg --gen-key > > Please select what kind of key you want? > 1 > > Please specify how long the key should be valid. > 0 > > *entered name, comment & email > > Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o > You need a Passphrase to protect your secret key. > > You don't want a passphrase - this is probably a *bad* idea! Did you actually skip that option? [...] > Enter the new passphrase for this secret key. Here, if everything is working correctly, you should have the pinentry window show on screen, requesting you to enter the passphrase (with a small square that, if unmarked, will enable you to actually see what you are typing). Once this down, a similar pinentry window where you are requested to type the passphrase again, for confirmation. > > gpg: problem with the agent: Not supported Did you check whether gpg-agent is running and available? In Terminal gpg-agent [return] you should get: $ gpg-agent gpg-agent: gpg-agent running and available Also in Terminal: $ which gpg-agent you should get: /usr/local/bin/gpg-agent If you don't get that Terminal output, could you please copy-paste what you get? Please note that there is a dedicated list for gpg2 users: Macgpg2-users mailing list Macgpg2-users at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/macgpg2-users You might want to join that list and post to it. Charly > ---terminal--- > > > I don't now if anybody else is experiencing this problem or not, if so has this been resolved? 
I just tried to generate a key, in Terminal. I didn't skip the passphrase option, entered a passphrase, etc...key was generated. From papillion at gmail.com Wed Oct 20 19:36:54 2010 
From: papillion at gmail.com (Anthony Papillion) Date: Wed, 20 Oct 2010 12:36:54 -0500 Subject: Question about keyservers on Windows Message-ID: <4CBF28B6.4010504@gmail.com> Hello Everyone, I'm a new member of the list but I've been using GPG for a bit now on Linux. I recently installed it on my Windows machine and needed to revoke a compromised key. When I tried to send the information to the keyserver, I got the following error: Sending of keys failed gpg: sending key 0078B6E4 to hkp server pool.sks-keyservers.net gpg: system error while calling external program: No such file or directory gpg: WARNING: unable to remove tempfile (out) `C:\DOCUME~1\Anthony\LOCALS~1\Temp \gpg-A57D4D\tempout.txt': No such file or directory gpg: no handler for keyserver scheme `hkp' gpg: keyserver send failed: keyserver error I am using the latest version of GPG (downloaded from the site) and I KNOW this works on Linux. Can anyone help? Thanks! Anthony Papillion From j-001 at ottosson.nu Wed Oct 20 22:10:05 2010
From: j-001 at ottosson.nu (J. Ottosson) Date: Wed, 20 Oct 2010 22:10:05 +0200 Subject: urgent: import public PGP Key which is my secret Key In-Reply-To: References: Message-ID: <4CBF4C9D.17414.162894F8@j-001.ottosson.nu> On 20 Oct 2010 at 12:21, rakia ben sassi wrote: > Hi, > > I have an encrypted document (with my key) which I should decrypt. > After the generation of my key (and saving it in my email as .asc file), > my computer is formated and new reinstalled. Now GnuPG find my key as > public and I can't use it for decryption! > > This key has 2 IDs; one is for a public key an the other is for the subkey > which is secret. The document which I have is encrypted with the subkey. > When I try a decryption, I receive: "gpg: secret key not available" > > How can I import my own secret key? > > Do you have a solution for me please? It's very important !!! > > I'm using Ubuntu 10.4 and GnuPG. > > > thanks for help! > It indeed sound like you did an export of the public key only. In that case you're sort of f*cked. However, there are at least theoretical chances of recovering your secret key, but somewhat slim. You could use a forensic tool such as EnCase to try to find the key (via the secret keyring) even after formatting the drive, should those sectors not be overwritten. Since you most likely don't have that particular tool at hand you could probably find some other data recovery type of tool for that purpose. Use google. Some more capable tools may be offered with trial period perhaps. EnCase could possibly be found at nasty pirate bay type of sites too, but obviously I wouldn't dream of suggesting such a thing to you. But I'm quite sure there are some capable tools available the right way too, do a search. Possibly even some of the data recovery tools from Sandisk etc could be used if you're lucky. The first thing to do though is to immediately stop using that disk, so that you're not writing over those sectors with new data. 
Chances are you already have done that, but if you're lucky.. /J From faramir.cl at gmail.com Wed Oct 20 22:05:02 2010 From: faramir.cl at gmail.com (Faramir) Date: Wed, 20 Oct 2010 17:05:02 -0300 Subject: Question about keyservers on Windows In-Reply-To: <4CBF28B6.4010504@gmail.com> References: <4CBF28B6.4010504@gmail.com> Message-ID: <4CBF4B6E.7030900@gmail.com> On 20-10-2010 14:36, Anthony Papillion wrote: > Hello Everyone, > > I'm a new member of the list but I've been using GPG for a bit now on > Linux. I recently installed it on my Windows machine and needed to > revoke a compromised key. When I tried to send the information to the > keyserver, I got the following error: > > Sending of keys failed > gpg: sending key 0078B6E4 to hkp server pool.sks-keyservers.net > gpg: system error while calling external program: No such file or directory > gpg: WARNING: unable to remove tempfile (out) > `C:\DOCUME~1\Anthony\LOCALS~1\Temp > \gpg-A57D4D\tempout.txt': No such file or directory > gpg: no handler for keyserver scheme `hkp' > gpg: keyserver send failed: keyserver error > > I am using the latest version of GPG (downloaded from the site) and I > KNOW this works on Linux. What version of Windows are you using? Best Regards From benjamin at py-soft.co.uk Wed Oct 20 21:17:52 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed, 20 Oct 2010 20:17:52 +0100 Subject: GnuPG skips the passphrase when creating a keypair In-Reply-To: References: Message-ID: <5178868834502275899@unknownmsgid> On 20 Oct 2010, at 19:09, Raditya Arthapraja wrote: > I'm using MacGPG2 version 2.0.14RC2 with MacOS X 10.6.4 - Snow Leopard as the OS. > > When trying to generate a keypair, MacGPG skips the step to input the paraphrase and continues to create the key. Although counter-intuitive, many MacGPG2 issues are resolved by a reboot, as recommended as part of the install process. Unfortunately, this is as a result of 'shoe-horning' a Unix-based program into MacOSX. Should your problems persist, please try the MacGPG2 list as recommended in Charly's email. Ben From faramir.cl at gmail.com Wed Oct 20 23:27:59 2010 
From: faramir.cl at gmail.com (Faramir) Date: Wed, 20 Oct 2010 18:27:59 -0300 Subject: Question about keyservers on Windows In-Reply-To: References: <4CBF28B6.4010504@gmail.com> <4CBF4B6E.7030900@gmail.com> Message-ID: <4CBF5EDF.6040900@gmail.com> On 20-10-2010 18:16, Anthony Papillion wrote: > I'm running Windows XP Professional with SP3. ... I never use command line if I can avoid it, so usually I use GPGShell as a GUI for GPG. It is free, but not OpenSource. All it does is to call GPG and give it the commands and parameters for what you want to do. I'm using Windows XP pro SP3 too, with GPG 1.4.11, and I have not noticed problems. What is the command you used? I don't know how to send the keys from command line, and today I can't devote time to learn it. Best Regards From papillion at gmail.com Wed Oct 20 23:16:06 2010
From: papillion at gmail.com (Anthony Papillion) Date: Wed, 20 Oct 2010 16:16:06 -0500 Subject: Question about keyservers on Windows In-Reply-To: <4CBF4B6E.7030900@gmail.com> References: <4CBF28B6.4010504@gmail.com> <4CBF4B6E.7030900@gmail.com> Message-ID: I'm running Windows XP Professional with SP3. On 10/20/10, Faramir wrote: > On 20-10-2010 14:36, Anthony Papillion wrote: >> Hello Everyone, >> >> I'm a new member of the list but I've been using GPG for a bit now on >> Linux. I recently installed it on my Windows machine and needed to >> revoke a compromised key. When I tried to send the information to the >> keyserver, I got the following error: >> >> Sending of keys failed >> gpg: sending key 0078B6E4 to hkp server pool.sks-keyservers.net >> gpg: system error while calling external program: No such file or >> directory >> gpg: WARNING: unable to remove tempfile (out) >> `C:\DOCUME~1\Anthony\LOCALS~1\Temp >> \gpg-A57D4D\tempout.txt': No such file or directory >> gpg: no handler for keyserver scheme `hkp' >> gpg: keyserver send failed: keyserver error >> >> I am using the latest version of GPG (downloaded from the site) and I >> KNOW this works on Linux. > > What version of Windows are you using? > > Best Regards > -- Sent from my mobile device Anthony Papillion Lead Developer / Owner Advanced Data Concepts - "Enabling work anywhere" (918) 919-4624 Facebook: http://www.facebook.com/cajuntechie My Blog: http://www.cajuntechie.com From John at Mozilla-Enigmail.org Thu Oct 21 01:39:16 2010
From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 20 Oct 2010 18:39:16 -0500 Subject: Question about keyservers on Windows In-Reply-To: <4CBF28B6.4010504@gmail.com> References: <4CBF28B6.4010504@gmail.com> Message-ID: <4CBF7DA4.5070305@Mozilla-Enigmail.org> Anthony Papillion wrote: > Hello Everyone, > > I'm a new member of the list but I've been using GPG for a bit now on > Linux. I recently installed it on my Windows machine and needed to > revoke a compromised key. When I tried to send the information to the > keyserver, I got the following error: > > Sending of keys failed > gpg: sending key 0078B6E4 to hkp server pool.sks-keyservers.net > gpg: system error while calling external program: No such file or directory > gpg: WARNING: unable to remove tempfile (out) > `C:\DOCUME~1\Anthony\LOCALS~1\Temp > \gpg-A57D4D\tempout.txt': No such file or directory > gpg: no handler for keyserver scheme `hkp' > gpg: keyserver send failed: keyserver error > > I am using the latest version of GPG (downloaded from the site) and I > KNOW this works on Linux. Which version? The binary installer or do you build from source? There should be a program named gpgkeys_hkp.exe in the same directory as gpg.exe -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From danthehat at gmail.com Thu Oct 21 18:40:11 2010 
From: danthehat at gmail.com (Dan Cowsill) Date: Thu, 21 Oct 2010 09:40:11 -0700 Subject: Changing secret key encryption algorithms In-Reply-To: <4CBF4FF8.9020504@gmail.com> References: <4CBF0639.60206@gmail.com> <4CBF2A38.4070601@gmail.com> <4CBF2BB5.3060807@gmail.com> <4CBF4FF8.9020504@gmail.com> Message-ID: <4CC06CEB.1000204@gmail.com>

Hello,

I was inspired by a thread on a friend's mishap with his secret key to look into the various ways that a GnuPG secret key can be encrypted prior to its storage on disk.

On 20/10/2010 1:24 PM, Faramir wrote:
>
> Well, then the private key was still protected by the passphrase, I
> think it uses CAST5 algorithm.
>

I poked around the documentation a bit and confirmed that the default cipher is CAST5 (GnuPG seems to prefer it when it needs a symmetric key cipher).

After further digging, I found a way to change the symmetric key cipher used on the secret key from the default CAST5. You can discover the algorithms included in your GnuPG version by using gpg --version, of course.

I endeavored to test this by generating a new keypair on a new user. I used the following command:

$ gpg --s2k-cipher-algo CAMELLIA256 --gen-key

If you've got a secret key and you want to change its cipher algo, you can use the following command:

$ gpg --s2k-cipher-algo --edit-key

After that, you enter the passwd command in the edit key shell and change your passphrase. I used the same passphrase as I used during key generation and this posed no problem. I wonder if it is a good idea from a cryptographic standpoint, however. If anyone can comment on this, it would be appreciated.

Also, it should be noted that changing the cipher algorithm used to encrypt a secret key should in no way change or impair the ability of that secret key to decrypt or sign documents. It simply changes the way in which the key is stored on the disk.
However, if you use several different GnuPG versions with your secret key, you should probably check gpg --version on all of them to make sure your preferred cipher is present.

After making the changes, I began digging through the documentation to find a way to verify that the Camellia algorithm was indeed being used to encrypt my secret key. I used the following command:

$ gpg --list-packets .gnupg/secring.gpg

And got this output:

...
iter+salt S2K, algo: 13, SHA1 protection ...
...

It seems the algorithms are mapped to algo IDs. I can confirm that the algorithm is different than the one used on my real secret key, but I had not been able to find any resources that map the algo IDs to their respective names with any completeness. I was able to find an excellent (if dated) resource on secret keys in the process[1].

I looked at the source code for GnuPG next, poking around different header files until I found this:

#define CIPHER_ALGO_IDEA         1
#define CIPHER_ALGO_3DES         2
#define CIPHER_ALGO_CAST5        3
#define CIPHER_ALGO_BLOWFISH     4  /* blowfish 128 bit key */
/* 5 & 6 are reserved */
#define CIPHER_ALGO_AES          7
#define CIPHER_ALGO_AES192       8
#define CIPHER_ALGO_AES256       9
#define CIPHER_ALGO_TWOFISH     10  /* twofish 256 bit */
#define CIPHER_ALGO_CAMELLIA128 11
#define CIPHER_ALGO_CAMELLIA192 12
#define CIPHER_ALGO_CAMELLIA256 13

...

#define PUBKEY_ALGO_RSA        1
#define PUBKEY_ALGO_RSA_E      2  /* RSA encrypt only */
#define PUBKEY_ALGO_RSA_S      3  /* RSA sign only */
#define PUBKEY_ALGO_ELGAMAL_E 16  /* encrypt only ElGamal (but not for v3)*/
#define PUBKEY_ALGO_DSA       17
#define PUBKEY_ALGO_ELGAMAL   20  /* sign and encrypt elgamal */

You can use these ID values to determine what kind of cipher or public key algorithm is being used on any piece of GnuPG data using the --list-packets option.

This post is purely informative and is the result of an early morning problem solving mission.
I don't know why anyone would want to change the secret key protection algorithm, aside from personal preference. However, it is my view that if I have to go to this much trouble to find information about something, I should probably make it public. If you have any further information, want to correct or otherwise comment on the above, feel free. Regards, Dan [1]http://www.spywarewarrior.com/uiuc/ss/sec-key/sec-key.htm From danthehat at gmail.com Thu Oct 21 18:41:28 2010
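The protection fields that `--list-packets` summarises in Dan Cowsill's post above can be read straight from a secret-key packet body. The following Python parser is an added example, not part of any post in this thread and not GnuPG code: it assumes a version 4 key and the RFC 4880 field layout, uses the cipher and public-key IDs quoted in the post, and runs on a constructed sample packet (toy MPIs, dummy ciphertext); the function names are hypothetical.

```python
import struct

# Symmetric cipher IDs, as listed in the GnuPG header quoted in the post above.
CIPHER_ALGOS = {
    1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES", 8: "AES192",
    9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128", 12: "CAMELLIA192",
    13: "CAMELLIA256",
}
# Hash IDs from RFC 4880 section 9.4 (assumption: not listed on the page).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Number of public-key MPIs that precede the protection fields, keyed by the
# PUBKEY_ALGO_* IDs from the post (RSA: n,e; Elgamal: p,g,y; DSA: p,q,g,y).
PUBKEY_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 20: 3}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iter+salt"}


def skip_mpi(body, pos):
    """Step over one MPI (2-byte bit count, then the magnitude bytes)."""
    if pos + 2 > len(body):
        raise ValueError("truncated MPI header")
    bits = struct.unpack_from(">H", body, pos)[0]
    end = pos + 2 + (bits + 7) // 8
    if end > len(body):
        raise ValueError("truncated MPI")
    return end


def describe_protection(body):
    """Report how the secret part of a v4 secret-key packet body is protected."""
    try:
        if body[0] != 4:
            raise ValueError("only version 4 key packets are handled")
        pk_algo = body[5]              # follows version and 4-byte creation time
        if pk_algo not in PUBKEY_MPIS:
            raise ValueError("unknown public-key algorithm %d" % pk_algo)
        pos = 6
        for _ in range(PUBKEY_MPIS[pk_algo]):
            pos = skip_mpi(body, pos)
        usage = body[pos]              # S2K usage octet
        if usage == 0:
            return {"protected": False}
        if usage not in (254, 255):
            # Legacy form: the octet is itself the cipher ID, no S2K specifier.
            return {"protected": True, "cipher_id": usage,
                    "cipher": CIPHER_ALGOS.get(usage, "unknown"),
                    "s2k": "none (legacy)", "integrity": "checksum"}
        cipher_id, s2k_type, hash_id = body[pos + 1], body[pos + 2], body[pos + 3]
        pos += 4
        if s2k_type not in S2K_TYPES:
            raise ValueError("unsupported S2K type %d" % s2k_type)
        info = {"protected": True, "cipher_id": cipher_id,
                "cipher": CIPHER_ALGOS.get(cipher_id, "unknown"),
                "s2k": S2K_TYPES[s2k_type],
                "hash": HASH_ALGOS.get(hash_id, "unknown"),
                # 254: SHA-1 over the secret material; 255: 16-bit checksum
                "integrity": "SHA1" if usage == 254 else "checksum"}
        if s2k_type in (1, 3):
            salt = bytes(body[pos:pos + 8])
            if len(salt) < 8:
                raise ValueError("truncated S2K salt")
            info["salt"] = salt.hex()
            pos += 8
        if s2k_type == 3:
            c = body[pos]              # one-octet coded iteration count
            info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
        return info
    except IndexError:
        raise ValueError("truncated secret-key packet") from None


def sample_packet(cipher_id, usage=254):
    """Constructed RSA secret-key packet body: toy MPIs and dummy ciphertext."""
    def mpi(bits, raw):
        return struct.pack(">H", bits) + raw
    public = bytes([4]) + struct.pack(">I", 1287679200) + bytes([1])
    public += mpi(16, b"\xc3\x5b") + mpi(17, b"\x01\x00\x01")
    if usage == 0:
        return public + bytes([0]) + b"\x00" * 8
    s2k = bytes([3, 2]) + bytes(range(8)) + bytes([0x60])  # iter+salt, SHA1
    return public + bytes([usage, cipher_id]) + s2k + b"\x00" * 24


if __name__ == "__main__":
    for cid in (3, 13):                # CAST5 default vs. CAMELLIA256
        i = describe_protection(sample_packet(cid))
        print("%s S2K, algo: %d (%s), %s protection, hash: %s, count: %d" % (
            i["s2k"], i["cipher_id"], i["cipher"], i["integrity"],
            i["hash"], i["count"]))
```

The input is the packet body only; the packet header (tag and length) in front of it has to be stripped first.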
From: danthehat at gmail.com (Dan Cowsill) Date: Thu, 21 Oct 2010 09:41:28 -0700 Subject: Security considerations: CAST-128 Message-ID: <4CC06D38.1040509@gmail.com> Hello, I understand that there are *some* security considerations when using CAST-128 (CAST5, as used in GnuPG), but this is typical of many ciphers in use today. In particular, a paper[1] on the linear cryptanalysis of reduced round versions of CAST-128 (used in GPG) and CAST-256 have produced successful known-plaintext and ciphertext-only attacks, though I'm not sure how computationally feasible they are. According to the paper, successful attacks were conducted on a 4 and 6 round version of CAST-128. Given that resources on the subject appear to be quite scarce, I come to you, O list. If anyone can clarify or elaborate on the security considerations of CAST-128, it would be greatly appreciated. Thanks, Dan [1]http://www.springerlink.com/content/978-3-642-04158-7/ From expires2010 at ymail.com Thu Oct 21 23:26:32 2010
From: expires2010 at ymail.com (MFPA) Date: Thu, 21 Oct 2010 22:26:32 +0100 Subject: Is there a maximum length for an OpenPGP UID? Message-ID: <1911968284.20101021222632@my_localhost> Hi Is there a maximum length for an OpenPGP UID? -- Best regards MFPA mailto:expires2010 at ymail.com It is not necessary to have enemies if you go out of your way to make friends hate you. From dshaw at jabberwocky.com Fri Oct 22 01:28:53 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 21 Oct 2010 19:28:53 -0400 Subject: Is there a maximum length for an OpenPGP UID? In-Reply-To: <1911968284.20101021222632@my_localhost> References: <1911968284.20101021222632@my_localhost> Message-ID: <96D7DB18-2717-4E06-800B-C47BA48E573C@jabberwocky.com> On Oct 21, 2010, at 5:26 PM, MFPA wrote: > Is there a maximum length for an OpenPGP UID? Yes, but it's huge: 4,294,967,295 characters long. That's the OpenPGP answer. In practice, however, using GnuPG, the maximum is 2048 characters. David From expires2010 at ymail.com Fri Oct 22 02:29:34 2010
From: expires2010 at ymail.com (MFPA)
Date: Fri, 22 Oct 2010 01:29:34 +0100
Subject: Is there a maximum length for an OpenPGP UID?
In-Reply-To: <96D7DB18-2717-4E06-800B-C47BA48E573C@jabberwocky.com>
References: <1911968284.20101021222632@my_localhost> <96D7DB18-2717-4E06-800B-C47BA48E573C@jabberwocky.com>
Message-ID: <1844145461.20101022012934@my_localhost>

Hi

On Friday 22 October 2010 at 12:28:53 AM, in , David Shaw wrote:

> On Oct 21, 2010, at 5:26 PM, MFPA wrote:
>> Is there a maximum length for an OpenPGP UID?
> Yes, but it's huge: 4,294,967,295 characters long.
> That's the OpenPGP answer. In practice, however, using
> GnuPG, the maximum is 2048 characters.

Thank you.

Does it matter how many characters are for "real name," "comment," "email address," or is it just a limit to the total length?

--
Best regards

MFPA mailto:expires2010 at ymail.com

The problem is not that we're paranoid; it's that we're not paranoid enough.

From aaron.toponce at gmail.com Fri Oct 22 03:58:31 2010
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Thu, 21 Oct 2010 19:58:31 -0600
Subject: gpgkey2ssh
Message-ID: <4CC0EFC7.6040809@gmail.com>

First, there is _ZERO_ documentation for this binary. No manual, no info page, nothing under /usr/share/doc/, segfaults passing "-h" or "--help". Short of digging through the source, this is unacceptable.

Second, and probably as a result, I can't get this working for the life of me. Correct me if I'm wrong, but I should be able to add this identity to the running SSH agent through "ssh-add", no? Here's the steps I've taken thus far, and still failing (SSH agent is already running):

    $ echo $SSH_AUTH_SOCK
    /tmp/keyring-tikvU1/ssh
    $ gpgkey2ssh 8086060F > /tmp/gpg-ssh-key.txt
    $ gpg --armor --export-secret-keys 8086060F > /tmp/gpg-private-ssh.txt
    $ ssh-add /tmp/gpg-private-ssh.txt
    Enter passphrase for /tmp/gpg-private-ssh.txt

At this point, I would expect the passphrase to be the private passphrase that is protecting my private GPG key, no? Yet, it doesn't take. At least, this is the way you would do it for OpenSSH keys. You would add the private key to your running SSH agent.

However, let's go a different direction. Rather than dealing with my GPG private key, let's just add the /tmp/gpg-ssh-key.txt (the public key) to the ~/.ssh/authorized_keys file on the remote server, and see what happens:

    $ ssh-copy-id -i /tmp/gpg-ssh-key.txt user@server.tld
    /usr/bin/ssh-copy-id: ERROR: No identities found

Of course it's not found, "ssh-add -l" doesn't show it listed, because it hasn't been added to the agent. So, I get to copy it manually. So, I do that.

Now, instead of using the SSH agent, what if I used the GPG agent instead? So, I add "enable-ssh-support" to my ~/.gnupg/gpg-agent.conf, and launch the agent:

    $ gpg-agent --daemon
    $ ssh user@server.tld
    Password:

Nope, didn't add the key to the running agent.

Now, I don't see a "gpg-add", so I'm not entirely sure how to add my GPG identity to the GPG agent, and I'm not entirely sure how the OpenSSH client will know that it needs to find the identity in the GPG agent rather than the SSH agent.

So, as you can see, I'm probably a bit confused. Can't blame me really, due to the lack of documentation. The only thing I have to go off of is a blog post: http://goo.gl/wqAg and http://goo.gl/HA8q

So, help?

--
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o

From jrollins at finestructure.net Fri Oct 22 05:28:24 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Thu, 21 Oct 2010 23:28:24 -0400
Subject: gpgkey2ssh
In-Reply-To: <4CC0EFC7.6040809@gmail.com>
References: <4CC0EFC7.6040809@gmail.com>
Message-ID: <87k4laaotj.fsf@servo.finestructure.net>

On Thu, 21 Oct 2010 19:58:31 -0600, Aaron Toponce wrote:

> So, help?

Hi, Aaron. You might be interested in some of the tools that come with the Monkeysphere [0] package, which deals with a lot of OpenPGP for SSH stuff. It comes with the utility openpgp2ssh, which translates OpenPGP keys to SSH keys (and is well documented). From openpgp2ssh(1):

    SYNOPSIS
        openpgp2ssh < mykey.gpg
        gpg --export $KEYID | openpgp2ssh $KEYID
        gpg --export-secret-key $KEYID | openpgp2ssh $KEYID

Monkeysphere also has a command to import an authentication-capable OpenPGP subkey directly into an ssh-agent:

    $ monkeysphere subkey-to-ssh-agent

It's available in Debian, Ubuntu, and some other distros [1].

hth.

jamie.

[0] http://web.monkeysphere.info/
[1] http://web.monkeysphere.info/download/

From aaron.toponce at gmail.com Fri Oct 22 06:03:26 2010
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Thu, 21 Oct 2010 22:03:26 -0600
Subject: gpgkey2ssh
In-Reply-To: <87k4laaotj.fsf@servo.finestructure.net>
References: <4CC0EFC7.6040809@gmail.com> <87k4laaotj.fsf@servo.finestructure.net>
Message-ID: <4CC10D0E.8050107@gmail.com>

On 10/21/2010 09:28 PM, Jameson Rollins wrote:

> Hi, Aaron. You might be interested in some of the tools that come with
> the Monkeysphere [0] package, which deals with a lot of OpenPGP for SSH
> stuff. It comes with the utility openpgp2ssh, which translates OpenPGP
> keys to SSH keys (and is well documented). From openpgp2ssh(1):

[snip]

> It's available in Debian, Ubuntu, and some other distros [1].

Hmm. I would hope that GnuPG and OpenSSH would provide this functionality natively. I don't know what the status is for Monkeysphere on Red Hat-based systems (Fedora specifically), so I'll have a look at it. But right now, I'm not keen on relying on yet another tool to make this possible. If it's what needs to be done, then it's what needs to be done, but I want to see if I can get it working with already default-preinstalled tools.

--
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o

From wk at gnupg.org Fri Oct 22 09:40:09 2010
From: wk at gnupg.org (Werner Koch)
Date: Fri, 22 Oct 2010 09:40:09 +0200
Subject: Is there a maximum length for an OpenPGP UID?
In-Reply-To: <1844145461.20101022012934@my_localhost> (MFPA's message of "Fri, 22 Oct 2010 01:29:34 +0100")
References: <1911968284.20101021222632@my_localhost> <96D7DB18-2717-4E06-800B-C47BA48E573C@jabberwocky.com> <1844145461.20101022012934@my_localhost>
Message-ID: <878w1qu146.fsf@vigenere.g10code.de>

On Fri, 22 Oct 2010 02:29, expires2010 at ymail.com said:

> Does it matter how many characters are for "real name," "comment,"
> "email address," or is it just a limit to the total length?

The limit is on the total length:

    /* Cap the size of a user ID at 2k: a value absurdly large enough
       that there is no sane user ID string (which is printable text
       as of RFC2440bis) that won't fit in it, but yet small enough to
       avoid allocation problems. A large pktlen may not be
       allocatable, and a very large pktlen could actually cause our
       allocation to wrap around in xmalloc to a small number. */

If you create a new user ID which is longer than the limit and you try to use the key you will get an invalid packet error message. There are no checks on the maximum length while creating a user id.

Other implementations of OpenPGP may have different or no such constraints.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Oct 22 10:02:55 2010
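
The two limits from this thread, as an added example that is not part of any message and is not GnuPG's code: 4,294,967,295 is the largest value a four-octet OpenPGP packet length can carry, and a reader that caps User ID packets at 2048 octets can reject an oversized length from the header alone, before it allocates or copies anything. The function names and the error strings are assumptions made for the example; the sample packets are constructed.

```python
MAX_PACKET_LEN = 0xFFFFFFFF   # 4,294,967,295: largest four-octet length
USER_ID_TAG = 13              # OpenPGP User ID packet
GNUPG_UID_CAP = 2048          # GnuPG's limit, as stated in the thread


class PacketError(ValueError):
    """Raised for headers this example rejects."""


def read_header(data, pos=0):
    """Parse the packet header at data[pos:].

    Returns (tag, body_length, body_offset).
    """
    def take(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise PacketError("truncated packet header")
        pos += n
        return chunk

    ctb = take(1)[0]
    if not ctb & 0x80:
        raise PacketError("bit 7 of the first octet must be set")
    if ctb & 0x40:                        # new-format header
        tag = ctb & 0x3F
        first = take(1)[0]
        if first < 192:                   # one-octet length
            length = first
        elif first < 224:                 # two-octet length
            length = ((first - 192) << 8) + take(1)[0] + 192
        elif first == 255:                # five-octet length (0xFF + 4 octets)
            length = int.from_bytes(take(4), "big")
        else:
            raise PacketError("partial body lengths are not handled here")
    else:                                 # old-format header
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        if length_type == 3:
            raise PacketError("indeterminate lengths are not handled here")
        length = int.from_bytes(take((1, 2, 4)[length_type]), "big")
    return tag, length, pos


def encode_user_id(text):
    """Build a new-format User ID packet (used for the constructed samples)."""
    body = text.encode("utf-8")
    n = len(body)
    if n < 192:
        header = bytes([n])
    elif n < 8384:
        header = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        header = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | USER_ID_TAG]) + header + body


def read_user_ids(data, cap=GNUPG_UID_CAP):
    """Return (user_ids, error); error is None when every packet was accepted.

    The cap is compared with the declared length before the body is looked
    at, so a header claiming gigabytes costs nothing to reject.
    """
    user_ids, pos = [], 0
    try:
        while pos < len(data):
            tag, length, body = read_header(data, pos)
            if tag == USER_ID_TAG and length > cap:
                raise PacketError(
                    "user ID of %d octets exceeds cap of %d" % (length, cap))
            if body + length > len(data):
                raise PacketError("packet body is truncated")
            if tag == USER_ID_TAG:
                user_ids.append(
                    data[body:body + length].decode("utf-8", "replace"))
            pos = body + length
    except PacketError as exc:
        return user_ids, str(exc)
    return user_ids, None


if __name__ == "__main__":
    # Constructed input: one ordinary user ID, then a header that only
    # claims the maximum OpenPGP length and carries a single octet.
    hostile = b"\xcd\xff\xff\xff\xff\xff" + b"A"
    print(read_user_ids(encode_user_id("Heinrich Heine") + hostile))
```
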
From: wk at gnupg.org (Werner Koch)
Date: Fri, 22 Oct 2010 10:02:55 +0200
Subject: gpgkey2ssh
In-Reply-To: <4CC0EFC7.6040809@gmail.com> (Aaron Toponce's message of "Thu, 21 Oct 2010 19:58:31 -0600")
References: <4CC0EFC7.6040809@gmail.com>
Message-ID: <874oceu028.fsf@vigenere.g10code.de>

On Fri, 22 Oct 2010 03:58, aaron.toponce at gmail.com said:

> First, there is _ZERO_ documentation for this binary. No manual, no info
> page, nothing under /usr/share/doc/, segfaults pasing "-h" or "--help".

Ah well, it should be removed from the package. It used to be a kind of debug tool but I never used it in all these years. The plan was to replace it with a special export option:

    gpg2 --export-options export-sexp-format --export-secret-key KEYID

but that has never been fully implemented. The forthcoming GnuPG 2.1 makes it obsolete.

> of me. Correct me if I'm wrong, but I should be able to add this
> identity to the running SSH agent through "ssh-add", no? Here's the

No. It's the other way around.

The whole point of the ssh support is to replace ssh-agent: gpg-agent if started with the option --enable-ssh-support implements the ssh-agent-protocol and thus works with ssh and ssh-add. With a running gpg-agent you can do ssh-add and gpg-agent imports the key into its own private key database. After you have done that you may remove the private keys from .ssh/. If you later run ssh-add -l it will show you the ssh keys gpg-agent knows about. To better control this you may use the ~/.gnupg/sshcontrol file:

    `sshcontrol'
        This file is used when support for the secure shell agent protocol has been enabled (*note option --enable-ssh-support::). Only keys present in this file are used in the SSH protocol. You should backup this file.

        The `ssh-add' tool may be used to add new entries to this file; you may also add them manually. Comment lines, indicated by a leading hash mark, as well as empty lines are ignored. An entry starts with optional whitespace, followed by the keygrip of the key given as 40 hex digits, optionally followed by the caching TTL in seconds and another optional field for arbitrary flags. A non-zero TTL overrides the global default as set by `--default-cache-ttl-ssh'.

        The keygrip may be prefixed with a `!' to disable an entry.

        The following example lists exactly one key. Note that keys available through a OpenPGP smartcard in the active smartcard reader are implicitly added to this list; i.e. there is no need to list them.

            # Key added on 2005-02-25 15:08:29
            5A6592BF45DC73BD876874A28FD4639282E29B52 0

If you want to use an existing gpg key with ssh you need a way to put it into gpg-agent. If you use smartcards then there is no need for this because gpg-agent does that of its own.

*GnuPG 2.1* will make it really easy to use an existing key for ssh:

    $ gpg2 --with-keygrip -K CD8687F6
    sec 1024D/CD8687F6 2006-01-17
        Keygrip = 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C
    uid Heinrich Heine
    ssb 1024g/4ECFEF6F 2006-01-17
        Keygrip = 654EFA6F19DF08ABFEB88092BC4867D4C5A95460

Now you only need to put a line

    21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 0

into sshcontrol and gpg-agent offers the primary key CD8687F6 to ssh if it asks for a list of private keys (check with ssh-add -l).

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Fri Oct 22 10:10:44 2010
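
The sshcontrol format described in Werner Koch's message above, turned into a small checker; this is an added example, not part of the thread and not GnuPG's own parser. It reports which keygrips an agent would offer to ssh and flags malformed lines. The function names are assumptions, treating a hash mark after leading whitespace as a comment is a choice made here, and the sample file is constructed from the keygrips quoted in the message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The keygrips are the ones quoted in the message above;
# the TTL of 600, the flag word and the short last line are made up.
SAMPLE_SSHCONTROL = """\
# Key added on 2005-02-25 15:08:29
5A6592BF45DC73BD876874A28FD4639282E29B52 0

   21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 600 someflag
!654EFA6F19DF08ABFEB88092BC4867D4C5A95460 0
21EB68B1FFA01EF777E2 0
"""

KEYGRIP_RE = re.compile(r"[0-9A-Fa-f]{40}")
TTL_RE = re.compile(r"[0-9]+")


@dataclass
class Entry:
    lineno: int
    keygrip: str          # upper-cased, without any '!' prefix
    enabled: bool         # False when the keygrip was prefixed with '!'
    ttl: Optional[int]    # None when the line carries no TTL field
    flags: List[str]


def parse_sshcontrol(text):
    """Return (entries, errors); errors is a list of (lineno, reason)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Empty lines and comment lines are ignored. Lenient choice: a hash
        # mark that follows leading whitespace is also taken as a comment.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        grip = fields[0]
        enabled = not grip.startswith("!")
        if not enabled:
            grip = grip[1:]
        if not KEYGRIP_RE.fullmatch(grip):
            errors.append((lineno, "keygrip is not 40 hex digits"))
            continue
        ttl = None
        if len(fields) > 1:
            if not TTL_RE.fullmatch(fields[1]):
                errors.append((lineno, "TTL is not a non-negative integer"))
                continue
            ttl = int(fields[1])
        entries.append(Entry(lineno, grip.upper(), enabled, ttl, fields[2:]))
    return entries, errors


def offered_keygrips(entries):
    """Keygrips of the entries that are not disabled with '!'."""
    return [e.keygrip for e in entries if e.enabled]


def effective_ttl(entry, default_cache_ttl_ssh):
    """A non-zero TTL overrides the global default; 0 or no TTL does not."""
    return entry.ttl if entry.ttl else default_cache_ttl_ssh


if __name__ == "__main__":
    parsed, problems = parse_sshcontrol(SAMPLE_SSHCONTROL)
    for e in parsed:
        state = "offered" if e.enabled else "disabled"
        print("line %d: %s %s ttl=%s flags=%s"
              % (e.lineno, e.keygrip, state, e.ttl, e.flags))
    for lineno, reason in problems:
        print("line %d: rejected (%s)" % (lineno, reason))
```
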
From: wk at gnupg.org (Werner Koch)
Date: Fri, 22 Oct 2010 10:10:44 +0200
Subject: Security considerations: CAST-128
In-Reply-To: <4CC06D38.1040509@gmail.com> (Dan Cowsill's message of "Thu, 21 Oct 2010 09:41:28 -0700")
References: <4CC06D38.1040509@gmail.com>
Message-ID: <87zku6sl4r.fsf@vigenere.g10code.de>

On Thu, 21 Oct 2010 18:41, danthehat at gmail.com said:

> I'm not sure how computationally feasible they are. According to the
> paper, successful attacks were conducted on a 4 and 6 round version of
> CAST-128.

You can mount attacks on all algorithms if you reduce the number of rounds. In particular if you reduce them from 16 to 4. Without having read the paper I am pretty sure that an attack on a reduced round version of CAST has no practical consequence.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From free10pro at gmail.com Fri Oct 22 10:51:10 2010
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Fri, 22 Oct 2010 01:51:10 -0700
Subject: Changing secret key encryption algorithms
In-Reply-To: <4CC06CEB.1000204@gmail.com>
References: <4CBF0639.60206@gmail.com> <4CBF2A38.4070601@gmail.com> <4CBF2BB5.3060807@gmail.com> <4CBF4FF8.9020504@gmail.com> <4CC06CEB.1000204@gmail.com>
Message-ID: <4CC1507E.6070506@gmail.com>

On Thu, 21 Oct 2010 09:40:11 -0700, Dan Cowsill wrote:

> It seems the algorithms are mapped to algo ID's. I can confirm that the
> algorithm is different than the one used on my real secret key, but
> I had not been able to find any resources that map the algo ID's to
> their respective names with any completeness. I was able to find an
> excellent (if dated) resource on secret keys in the process[1].

Page 62 of RFC4880 specifies the IDs of symmetric algorithms, and RFC5581 specifies the IDs for the Camellia cipher.

-Paul

--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From hawke at hawkesnest.net Fri Oct 22 18:04:18 2010
From: hawke at hawkesnest.net (Alex Mauer)
Date: Fri, 22 Oct 2010 11:04:18 -0500
Subject: gpgkey2ssh
In-Reply-To: <874oceu028.fsf__48828.4601284706$1287734756$gmane$org@vigenere.g10code.de>
References: <4CC0EFC7.6040809@gmail.com> <874oceu028.fsf__48828.4601284706$1287734756$gmane$org@vigenere.g10code.de>
Message-ID:

On 10/22/2010 03:02 AM, Werner Koch wrote:

> The whole point of the ssh support is to replace ssh-agent: gpg-agent if
> started with the option --enable-ssh-support implements the
> ssh-agent-protocol and thus works with ssh and ssh-add.

> If you want to use an existing gpg key with ssh you need a way to put it
> into gpg-agent. If you use smartcards then there is no need for this
> because gpg-agent does that of its own.

Why does it not do this on its own for non-smartcard authentication keys? Shouldn't they already be in gpg-agent?

-Alex Mauer "hawke"

From nedko at arnaudov.name Fri Oct 22 16:57:59 2010
From: nedko at arnaudov.name (Nedko Arnaudov)
Date: Fri, 22 Oct 2010 17:57:59 +0300
Subject: [PATCH] Issue 1238 (scdaemon often needs restarting after removing OpenPGP smartcard)
Message-ID: <874oce46mg.fsf@usbix.spacelabs.org>

I've been hit by this bug and I made a quick (and maybe wrong and nasty) fix that works for me. The patch is attached to this mail and also is available here:

http://nedko.arnaudov.name/soft/gnupg-2.0.16-Issue1238.patch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.0.16-Issue1238.patch
Type: text/x-patch
Size: 582 bytes
Desc: not available
URL:
-------------- next part --------------

My test case is:

 1. start pcscd
 2. insert the usb reader
 3. start gpg-agent (it starts scdaemon)
 4. gpg --card-status [success, polling of card status starts]
 5. remove the reader [polling of card status continues, scdaemon notices card status change, 7->0]
 6. gpg --card-status [expected failure, scdaemon logs: "PC/SC RESET failed: invalid value (0x80100011)", stops the polling and a disconnect message can be seen in the pcscd log]
 7. insert the reader
 8. gpg --card-status [failure, but should succeed because the card is available now]

I noticed that if step 6 is skipped, step 8 will succeed. The patch makes the code not attempt to reset if it is known that the card is not present.

My card reader is Omnikey Cardman 6121
My smartcard is OpenPGP v2
I use the proprietary driver for the reader (ifdokccid_lnx-3.6.0.tar.gz)

scdaemon still does not fully handle card insertions and removals. It fails permanently if I attempt to access the card before it is inserted for the first time.

--
Nedko Arnaudov

From dshaw at jabberwocky.com Fri Oct 22 19:46:45 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 22 Oct 2010 13:46:45 -0400
Subject: Changing secret key encryption algorithms
In-Reply-To: <4CC1507E.6070506@gmail.com>
References: <4CBF0639.60206@gmail.com> <4CBF2A38.4070601@gmail.com> <4CBF2BB5.3060807@gmail.com> <4CBF4FF8.9020504@gmail.com> <4CC06CEB.1000204@gmail.com> <4CC1507E.6070506@gmail.com>
Message-ID:

On Oct 22, 2010, at 4:51 AM, Paul Richard Ramer wrote:

> On Thu, 21 Oct 2010 09:40:11 -0700, Dan Cowsill wrote:
>> It seems the algorithms are mapped to algo ID's. I can confirm that the
>> algorithm is different than the one used on my real secret key, but
>> I had not been able to find any resources that map the algo ID's to
>> their respective names with any completeness. I was able to find an
>> excellent (if dated) resource on secret keys in the process[1].
>
> Page 62 of RFC4880 specifies
> the IDs of symmetric algorithms, and RFC5581
> specifies the IDs for the
> Camellia cipher.

If you ever need a handy reference for which algorithm maps to which number, just run "gpg -v --version". It will print out which ciphers it has support for, and their algorithm numbers.

David

From jharris at widomaker.com Sat Oct 23 22:53:23 2010
From: jharris at widomaker.com (Jason Harris)
Date: Sat, 23 Oct 2010 16:53:23 -0400
Subject: gnupg mirrors (was: Re: [Announce] GnuPG 1.4.11 released)
In-Reply-To: <87pqv7xs8k.fsf@vigenere.g10code.de>
References: <87pqv7zqe8.fsf@vigenere.g10code.de> <20101018163609.GA99190@laptop> <87pqv7xs8k.fsf@vigenere.g10code.de>
Message-ID: <20101023205323.GA6811@laptop>

On Mon, Oct 18, 2010 at 08:36:59PM +0200, Werner Koch wrote:
> On Mon, 18 Oct 2010 18:36, jharris at widomaker.com said:

> > The .exe is there and matches the SHA-1, but the .sig isn't there:
>
> Ooops. Forgot to upload that one - fixed. Sorry.

> Actually, our FTP server would not have a problem to serve all requests.
> The mirrors are more a historic thing but more and more folks want to
> mirror (I recently added a rel=nofollow in case some of them intend to
> bump up their page rank).
>
> I should change the wording of the announcement.

OK, good to know. Thanks for the fixes.

> Thanks for the hint of the mktorrent; maybe I can add this to our
> webpage anyway.

Actually, and somewhat fortunately, I didn't find any BitTorrent trackers I like that worked automagically (without login and manual upload of a .torrent) and with elinks/aria2c/lftp. aria2c was happy to ignore a non-existent tracker at localhost and do everything from web seeds, however. Of course, it should do equally well using a metalink, and without the problem of exporting cryptography for US-based users...

For now, I found the following changes in the GnuPG mirrors:

    http://ftp.linux.it/pub/mirrors/gnupg/        new (listed by FreeBSD)
    ftp://sunsite.cnlab-switch.ch/mirror/gnupg/   new (listed by FreeBSD)
    ftp://ftp.bit.nl/mirror/gnupg/                is incomplete
    ftp://ftp.demon.nl/pub/mirrors/gnupg/         no longer mirrors gpg
    ftp://ftp.surfnet.nl/pub/security/gnupg/      stopped mirroring gpg in 2007
    http://gd.tuwien.ac.at/privacy/gnupg/         serves files, but no listings
    http://www.gnupg.ca/                          mirrors website, not files

--
Jason Harris | PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ Got photons? (TM), (C) 2004

From kloecker at kde.org Sun Oct 24 00:27:54 2010
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 24 Oct 2010 00:27:54 +0200
Subject: Confirmation for cached passphrases useful?
In-Reply-To: <4CBBBEF3.6090905@gmail.com>
References: <201010120325.04067.mailinglisten@hauke-laging.de> <4CBB9E5C.8070107@dougbarton.us> <4CBBBEF3.6090905@gmail.com>
Message-ID: <201010240027.55179@thufir.ingo-kloecker.de>

On Monday 18 October 2010, Faramir wrote:
> El 17-10-2010 22:09, Doug Barton escribió:
> > On 10/17/2010 5:43 PM, Faramir wrote:
> > | That may be true. However, remember feeling secure is part of
> > | security
> > |
> > | too, so if that feature doesn't break anything, and make people
> > | sleep better...
> >
> > Two problems with that theory. The first is that a false sense of
> > security does more harm than good. The second is that there is no
> > such thing as a zero-cost change to software. So any proposed
> > change has to have benefits that outweigh the costs. Of course
> > accurately anticipating those costs is a whole different category
> > of problems. :)
>
> Right, I agree, we don't want those stones that keep tigers away.
> But as long as people know the feature may be ignored by malware, it
> wouldn't be false sense of security, maybe it would be the solution
> against false sense of insecurity (if such thing exist).
>
> Also, I was not saying anything about costs of adding the feature,
> so my message should have said: "if there is a developer willing to
> add it, and it doesn't break anything, and it can be disabled by
> user, I'm ok with it". Please note I'm not requesting that feature,
> I just said I would not oppose to its addition.

The feature might not break anything now but it will make the software more complex. More complex software tends to break more easily. One of the main design goals of gpg-agent, pinentry, etc., was to keep the code of those small helper applications dealing with the secret keys and the passphrases as simple as possible to avoid the complexity trap.

Also, it's a popular fallacy that adding a feature generates cost only once. Every new feature will increase the maintenance costs and thus generate additional cost for the whole lifetime of the software.

Regards,
Ingo

From osamak at gnu.org Sun Oct 24 20:40:10 2010
From: osamak at gnu.org (Osama Khalid)
Date: Sun, 24 Oct 2010 21:40:10 +0300
Subject: "card inactive"
Message-ID: <20101024184010.GA3262@osama-laptop>

Hello,

I've been using FSFE Fellowship OpenPGP smartcard for a couple of weeks and now I'm getting error messages. I wonder if it's the smartcard reader (SCR335) or the smartcard itself.

I've attached the output of:

    gpg --debug 2048 --debug-ccid-driver -v --card-status

My gpg version is 1.4.10 and it is the one that comes with Ubuntu-10.04-based systems (I use Trisquel 4.0).

I'd appreciate any hint.

--Osama Khalid

-------------- next part --------------
$ gpg --debug 2048 --debug-ccid-driver -v --card-status
gpg: reading options from `/home//.gnupg/gpg.conf'
gpg: DBG: ccid-driver: using CCID reader 0 (ID=04E6:5115:21120811308114:0)
gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4000
gpg: DBG: ccid-driver: dwMaxiumumClock 12000
gpg: DBG: ccid-driver: bNumClockSupported 0
gpg: DBG: ccid-driver: dwDataRate 9600 bps
gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 0
gpg: DBG: ccid-driver: dwMaxIFSD 252
gpg: DBG: ccid-driver: dwSyncProtocols 00000000
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000100BA
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: TPDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver: [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bStatus ...........: 65
gpg: DBG: ccid-driver: bError ............: 254
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: reader slot 0: using ccid driver
gpg: DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 3
gpg: DBG: ccid-driver: bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver: [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 3
gpg: DBG: ccid-driver: bStatus ...........: 65
gpg: DBG: ccid-driver: bError ............: 254
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: apdu_send_simple(0) failed: card inactive
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOff:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: [0007] 00 00 00
gpg: DBG: ccid-driver: RDR_to_PC_SlotStatus:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: bStatus ...........: 1
gpg: DBG: ccid-driver: bClockStatus ......: 0x01 (stopped-L)
gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4000
gpg: DBG: ccid-driver: dwMaxiumumClock 12000
gpg: DBG: ccid-driver: bNumClockSupported 0
gpg: DBG: ccid-driver: dwDataRate 9600 bps
gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 0
gpg: DBG: ccid-driver: dwMaxIFSD 252
gpg: DBG: ccid-driver: dwSyncProtocols 00000000
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000100BA
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: TPDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: using CCID reader 0 (ID=04E6:5115:21120811308114:0)
gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4000
gpg: DBG: ccid-driver: dwMaxiumumClock 12000
gpg: DBG: ccid-driver: bNumClockSupported 0
gpg: DBG: ccid-driver: dwDataRate 9600 bps
gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 0
gpg: DBG: ccid-driver: dwMaxIFSD 252
gpg: DBG: ccid-driver: dwSyncProtocols 00000000
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000100BA
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: TPDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver: [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bStatus ...........: 65
gpg: DBG: ccid-driver: bError ............: 254
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: reader slot 0: using ccid driver
gpg: DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 3
gpg: DBG: ccid-driver: bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver: [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 3
gpg: DBG: ccid-driver: bStatus ...........: 65
gpg: DBG: ccid-driver: bError ............: 254
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: apdu_send_simple(0) failed: card inactive
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOff:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: [0007] 00 00 00
gpg: DBG: ccid-driver: RDR_to_PC_SlotStatus:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: bStatus ...........: 1
gpg: DBG: ccid-driver: bClockStatus ......: 0x01 (stopped-L)
gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4000
gpg: DBG: ccid-driver: dwMaxiumumClock 12000
gpg: DBG: ccid-driver: bNumClockSupported 0
gpg: DBG: ccid-driver: dwDataRate 9600 bps
gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 0
gpg: DBG: ccid-driver: dwMaxIFSD 252
gpg: DBG: ccid-driver: dwSyncProtocols 00000000
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000100BA
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: TPDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
Please insert the card and hit return or enter 'c' to cancel:
gpg: Interrupt caught ... exiting

From wk at gnupg.org Mon Oct 25 16:29:48 2010
From: wk at gnupg.org (Werner Koch)
Date: Mon, 25 Oct 2010 16:29:48 +0200
Subject: "card inactive"
In-Reply-To: <20101024184010.GA3262@osama-laptop> (Osama Khalid's message of "Sun, 24 Oct 2010 21:40:10 +0300")
References: <20101024184010.GA3262@osama-laptop>
Message-ID: <87eibe1h2b.fsf@vigenere.g10code.de>

On Sun, 24 Oct 2010 20:40, osamak at gnu.org said:

> I wonder if it's the smartcard reader (SCR335) or the smartcard
> itself.

It pretty much looks like the card is broken. If you have a chance to try the card on another reader, please do that to be sure that there is no other problem. Ask the FSFE folks for a replacement.

You may also try a different card - a banking card for example. The PowerOn command needs to succeed on any smartcard.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Oct 25 16:39:18 2010
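
A decoder for the bStatus and bError values in the debug output above, as an added example that is not part of the thread and not GnuPG's code. The status tables follow the USB CCID specification's slot status and slot error registers; the function names are assumptions, and the sample lines are copied from the posted log.

```python
import re

# bStatus bits 1..0 (bmICCStatus) and bits 7..6 (bmCommandStatus),
# as defined by the USB CCID specification.
ICC_STATUS = {0: "ICC present and active",
              1: "ICC present and inactive",
              2: "no ICC present"}
COMMAND_STATUS = {0: "processed without error",
                  1: "failed",
                  2: "time extension requested"}
# Slot error register values reported in bError when a command failed.
SLOT_ERROR = {0xFF: "CMD_ABORTED", 0xFE: "ICC_MUTE",
              0xFD: "XFR_PARITY_ERROR", 0xFC: "XFR_OVERRUN",
              0xFB: "HW_ERROR", 0xF8: "BAD_ATR_TS", 0xF7: "BAD_ATR_TCK",
              0xF6: "ICC_PROTOCOL_NOT_SUPPORTED",
              0xF5: "ICC_CLASS_NOT_SUPPORTED", 0xE0: "CMD_SLOT_BUSY"}

# Sample taken from the log in the message above (first power-on attempt
# and the final power-off).
SAMPLE_LOG = """\
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver: [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 1
gpg: DBG: ccid-driver: bStatus ...........: 65
gpg: DBG: ccid-driver: bError ............: 254
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: apdu_send_simple(0) failed: card inactive
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOff:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: [0007] 00 00 00
gpg: DBG: ccid-driver: RDR_to_PC_SlotStatus:
gpg: DBG: ccid-driver: dwLength ..........: 0
gpg: DBG: ccid-driver: bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 4
gpg: DBG: ccid-driver: bStatus ...........: 1
gpg: DBG: ccid-driver: bClockStatus ......: 0x01 (stopped-L)
gpg: DBG: ccid-driver: bNumDataRatesSupp. 0
"""

PREFIX = "gpg: DBG: ccid-driver:"
MESSAGE_RE = re.compile(r"^((?:PC_to_RDR|RDR_to_PC)_\w+):$")
FIELD_RE = re.compile(r"^(\w+)\s+\.+:\s+(\S+)")


def parse_messages(log):
    """Group 'name ....: value' fields under the CCID message they follow."""
    messages = []
    for line in log.splitlines():
        if not line.startswith(PREFIX):
            continue
        rest = line[len(PREFIX):].strip()
        header = MESSAGE_RE.match(rest)
        if header:
            messages.append((header.group(1), {}))
            continue
        field = FIELD_RE.match(rest)
        if field and messages:
            try:
                # base 0 accepts both "65" and "0x01"
                messages[-1][1][field.group(1)] = int(field.group(2), 0)
            except ValueError:
                pass
    return messages


def decode_status(b_status, b_error=None):
    """Split bStatus into its two bit fields and name bError if it applies."""
    command_code = (b_status >> 6) & 0x03
    error = None
    if command_code == 1 and b_error is not None:
        error = SLOT_ERROR.get(b_error, "error 0x%02X" % b_error)
    return {"icc": ICC_STATUS.get(b_status & 0x03, "reserved"),
            "command": COMMAND_STATUS.get(command_code, "reserved"),
            "error": error}


def decode_responses(log):
    """Decode every reader-to-host message that carries a bStatus field."""
    decoded = []
    for name, fields in parse_messages(log):
        if name.startswith("RDR_to_PC_") and "bStatus" in fields:
            entry = decode_status(fields["bStatus"], fields.get("bError"))
            entry["message"] = name
            entry["seq"] = fields.get("bSeq")
            decoded.append(entry)
    return decoded


if __name__ == "__main__":
    for item in decode_responses(SAMPLE_LOG):
        print(item)
```

For the posted log, bStatus 65 decodes to a card that the reader sees in the slot but that stays inactive, with the power-on command failed and bError 254 naming a card that does not answer (ICC_MUTE).
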
From: wk at gnupg.org (Werner Koch)
Date: Mon, 25 Oct 2010 16:39:18 +0200
Subject: gpgkey2ssh
In-Reply-To: (Alex Mauer's message of "Fri, 22 Oct 2010 11:04:18 -0500")
References: <4CC0EFC7.6040809@gmail.com> <874oceu028.fsf__48828.4601284706$1287734756$gmane$org@vigenere.g10code.de>
Message-ID: <8762wq1gmh.fsf@vigenere.g10code.de>

On Fri, 22 Oct 2010 18:04, hawke at hawkesnest.net said:

> Why does it not do this on its own for non-smartcard authentication
> keys? Shouldn't they already be in gpg-agent?

gpg-agent does not know about GPG or OpenPGP or X/509. Thus there is no chance it may know about a key stored in GPG's keyrings.

You could script something to automagically add all OpenPGP keys flagged as authentication key into gpg-agent for ssh's use. However you don't want that: The ssh-agent protocol iterates over all keys the agent returns and tries them all in turn (over the network). Thus with tens of keys it takes really long to set up an ssh connection.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From marcio.barbado at gmail.com Mon Oct 25 15:23:39 2010
From: marcio.barbado at gmail.com (Marcio B. Jr.)
Date: Mon, 25 Oct 2010 11:23:39 -0200
Subject: EFF: Eight Epic Failures of Regulating Cryptography
Message-ID:

Hello,

I think this Electronic Frontier Foundation text may be of interest to you[1]. It was written by American attorney Cindy Cohn.

[1] Eight Epic Failures of Regulating Cryptography: http://www.eff.org/deeplinks/2010/10/eight-epic-failures-regulating-cryptography

regards,

Marcio Barbado, Jr.

From loadandenjoy at hotmail.com Tue Oct 26 15:11:33 2010
From: loadandenjoy at hotmail.com (loadandenjoy at hotmail.com)
Date: Tue, 26 Oct 2010 13:11:33 +0000
Subject: Spam
Message-ID: <1744768710-1288098693-cardhu_decombobulator_blackberry.rim.net-643015895-@bda2601.bisx.prod.on.blackberry>

Is this an automated machine. I have requested to be off the list many times now. Please let me know if I am writing to rhe ryhg, regards

Sent on the Sprint® Now Network from my BlackBerry®

From loadandenjoy at hotmail.com Tue Oct 26 15:02:13 2010
From: loadandenjoy at hotmail.com (loadandenjoy at hotmail.com)
Date: Tue, 26 Oct 2010 13:02:13 +0000
Subject: Gnupg-users Digest, Vol 85, Issue 25
In-Reply-To:
References:
Message-ID: <1802369222-1288098132-cardhu_decombobulator_blackberry.rim.net-833164862-@bda2601.bisx.prod.on.blackberry>

I would like to unsubscribe to the digest. Thank you much. Or if you could send me the right link so I can do it

Regards

Sent on the Sprint® Now Network from my BlackBerry®

-----Original Message-----
From: gnupg-users-request at gnupg.org
Sender: gnupg-users-bounces at gnupg.org
Date: Sun, 24 Oct 2010 21:33:10
To:
Reply-To: gnupg-users at gnupg.org
Subject: Gnupg-users Digest, Vol 85, Issue 25

Send Gnupg-users mailing list submissions to
	gnupg-users at gnupg.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.gnupg.org/mailman/listinfo/gnupg-users
or, via email, send a message with subject or body 'help' to
	gnupg-users-request at gnupg.org

You can reach the person managing the list at
	gnupg-users-owner at gnupg.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Gnupg-users digest..."

Today's Topics:

   1. Re: Security considerations: CAST-128 (Werner Koch)
   2. Re: Changing secret key encryption algorithms (Paul Richard Ramer)
   3. Re: gpgkey2ssh (Alex Mauer)
   4. [PATCH] Issue 1238 (scdaemon often needs restarting after removing OpenPGP smartcard) (Nedko Arnaudov)
   5. Re: Changing secret key encryption algorithms (David Shaw)
   6. gnupg mirrors (was: Re: [Announce] GnuPG 1.4.11 released) (Jason Harris)
   7. Re: Confirmation for cached passphrases useful? (Ingo Klöcker)
   8. "card inactive" (Osama Khalid)

----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Oct 2010 10:10:44 +0200
From: Werner Koch
To: Dan Cowsill
Cc: gnupg-users at gnupg.org
Subject: Re: Security considerations: CAST-128
Message-ID: <87zku6sl4r.fsf at vigenere.g10code.de>
Content-Type: text/plain; charset=us-ascii

On Thu, 21 Oct 2010 18:41, danthehat at gmail.com said:

> I'm not sure how computationally feasible they are. According to the
> paper, successful attacks were conducted on a 4 and 6 round version of
> CAST-128.

You can mount attacks on all algorithms if you reduce the number of rounds. In particular if you reduce them from 16 to 4. Without having read the paper I am pretty sure that an attack on a reduced round version of CAST has no practical consequence.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

------------------------------

Message: 2
Date: Fri, 22 Oct 2010 01:51:10 -0700
From: Paul Richard Ramer
To: Dan Cowsill
Cc: gnupg-users at gnupg.org
Subject: Re: Changing secret key encryption algorithms
Message-ID: <4CC1507E.6070506 at gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Thu, 21 Oct 2010 09:40:11 -0700, Dan Cowsill wrote:
> It seems the algorithms are mapped to algo ID's. I can confirm that the
> algorithm is different than the one used on my real secret key, but
> I had not been able to find any resources that map the algo ID's to
> their respective names with any completeness. I was able to find an
> excellent (if dated) resource on secret keys in the process[1].

Page 62 of RFC4880 specifies the IDs of symmetric algorithms, and RFC5581 specifies the IDs for the Camellia cipher.

-Paul

--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

------------------------------

Message: 3
Date: Fri, 22 Oct 2010 11:04:18 -0500
From: Alex Mauer
To: gnupg-users at gnupg.org
Subject: Re: gpgkey2ssh
Message-ID:
Content-Type: text/plain; charset=windows-1252; format=flowed

On 10/22/2010 03:02 AM, Werner Koch wrote:
> The whole point of the ssh support is to replace ssh-agent: gpg-agent if
> started with the option --enable-ssh-support implements the
> ssh-agent-protocol and thus works with ssh and ssh-add.

> If you want to use an existing gpg key with ssh you need a way to put it
> into gpg-agent. If you use smartcards then there is no need for this
> because gpg-agent does that of its own.

Why does it not do this on its own for non-smartcard authentication keys? Shouldn't they already be in gpg-agent?

-Alex Mauer "hawke"

------------------------------

Message: 4
Date: Fri, 22 Oct 2010 17:57:59 +0300
From: Nedko Arnaudov
To: gnupg-devel at gnupg.org, gnupg-users at gnupg.org
Subject: [PATCH] Issue 1238 (scdaemon often needs restarting after removing OpenPGP smartcard)
Message-ID: <874oce46mg.fsf at usbix.spacelabs.org>
Content-Type: text/plain; charset="us-ascii"

I've been hit by this bug and I made a quick (and maybe wrong and nasty) fix that works for me. The patch is attached to this mail and also is available here:

http://nedko.arnaudov.name/soft/gnupg-2.0.16-Issue1238.patch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.0.16-Issue1238.patch
Type: text/x-patch
Size: 582 bytes
Desc: not available
-------------- next part --------------

My test case is:

1. start pcscd
2. insert the usb reader
3. start gpg-agent (it starts scdaemon)
4. gpg --card-status [success, polling of card status starts]
5. remove the reader [polling of card status continues, scdaemon notices card status change, 7->0]
6. gpg --card-status [expected failure, scdaemon logs: "PC/SC RESET failed: invalid value (0x80100011)", stops the polling and a disconnect message can be seen in the pcscd log]
7. insert the reader
8. gpg --card-status [failure, but should succeed because the card is available now]

I noticed that if step 6 is skipped, step 8 will succeed. The patch changes the code to not attempt to reset if it is known that the card is not present.

My card reader is Omnikey Cardman 6121
My smartcard is OpenPGP v2
I use the proprietary driver for the reader (ifdokccid_lnx-3.6.0.tar.gz)

scdaemon still does not fully handle card insertions and removals. It fails permanently if I attempt to access the card before it is inserted for the first time.

--
Nedko Arnaudov

------------------------------

Message: 5
Date: Fri, 22 Oct 2010 13:46:45 -0400
From: David Shaw
To: Paul Richard Ramer
Cc: gnupg-users at gnupg.org
Subject: Re: Changing secret key encryption algorithms
Message-ID:
Content-Type: text/plain; charset=us-ascii

On Oct 22, 2010, at 4:51 AM, Paul Richard Ramer wrote:

> On Thu, 21 Oct 2010 09:40:11 -0700, Dan Cowsill wrote:
>> It seems the algorithms are mapped to algo ID's. I can confirm that the
>> algorithm is different than the one used on my real secret key, but
>> I had not been able to find any resources that map the algo ID's to
>> their respective names with any completeness. I was able to find an
>> excellent (if dated) resource on secret keys in the process[1].
>
> Page 62 of RFC4880 specifies
> the IDs of symmetric algorithms, and RFC5581
> specifies the IDs for the
> Camellia cipher.

If you ever need a handy reference for which algorithm maps to which number, just run "gpg -v --version". It will print out which ciphers it has support for, and their algorithm numbers.

David

------------------------------

Message: 6
Date: Sat, 23 Oct 2010 16:53:23 -0400
From: Jason Harris
To: gnupg-users at gnupg.org
Cc: Jason Harris
Subject: gnupg mirrors (was: Re: [Announce] GnuPG 1.4.11 released)
Message-ID: <20101023205323.GA6811 at laptop>
Content-Type: text/plain; charset="us-ascii"

On Mon, Oct 18, 2010 at 08:36:59PM +0200, Werner Koch wrote:
> On Mon, 18 Oct 2010 18:36, jharris at widomaker.com said:
> > The .exe is there and matches the SHA-1, but the .sig isn't there:
>
> Ooops. Forgot to upload that one - fixed. Sorry.

> Actually, our FTP server would not have a problem to serve all requests.
> The mirrors are more a historic thing but more and more folks want to
> mirror (I recently added a rel=nofollow in case some of them intend to
> bump up their page rank).
>
> I should change the wording of the announcement.

OK, good to know. Thanks for the fixes.

> Thanks for the hint of the mktorrent; maybe I can add this to our
> webpage anyway.

Actually, and somewhat fortunately, I didn't find any BitTorrent trackers I like that worked automagically (without login and manual upload of a .torrent) and with elinks/aria2c/lftp.

aria2c was happy to ignore a non-existent tracker at localhost and do everything from web seeds, however. Of course, it should do equally well using a metalink, and without the problem of exporting cryptography for US-based users...

For now, I found the following changes in the GnuPG mirrors:

  http://ftp.linux.it/pub/mirrors/gnupg/        new (listed by FreeBSD)
  ftp://sunsite.cnlab-switch.ch/mirror/gnupg/   new (listed by FreeBSD)
  ftp://ftp.bit.nl/mirror/gnupg/                is incomplete
  ftp://ftp.demon.nl/pub/mirrors/gnupg/         no longer mirrors gpg
  ftp://ftp.surfnet.nl/pub/security/gnupg/      stopped mirroring gpg in 2007
  http://gd.tuwien.ac.at/privacy/gnupg/         serves files, but no listings
  http://www.gnupg.ca/                          mirrors website, not files

--
Jason Harris           |  PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ Got photons? (TM), (C) 2004

------------------------------

Message: 7
Date: Sun, 24 Oct 2010 00:27:54 +0200
From: Ingo Klöcker
To: gnupg-users at gnupg.org
Subject: Re: Confirmation for cached passphrases useful?
Message-ID: <201010240027.55179 at thufir.ingo-kloecker.de>
Content-Type: text/plain; charset="utf-8"

On Monday 18 October 2010, Faramir wrote:
> On 17-10-2010 22:09, Doug Barton wrote:
> > On 10/17/2010 5:43 PM, Faramir wrote:
> > | That may be true. However, remember feeling secure is part of
> > | security
> > |
> > | too, so if that feature doesn't break anything, and make people
> > | sleep better...
> >
> > Two problems with that theory. The first is that a false sense of
> > security does more harm than good. The second is that there is no
> > such thing as a zero-cost change to software. So any proposed
> > change has to have benefits that outweigh the costs. Of course
> > accurately anticipating those costs is a whole different category
> > of problems. :)
>
> Right, I agree, we don't want those stones that keeps tigers away.
> But as long as people know the feature may be ignored by malware, it
> wouldn't be false sense of security, maybe it would be the solution
> against false sense of insecurity (if such thing exist).
>
> Also, I was not saying anything about costs of adding the feature,
> so my message should have said: "if there is a developer willing to
> add it, and it doesn't break anything, and it can be disabled by
> user, I'm ok with it". Please note I'm not requesting that feature,
> I just said I would not oppose to it's addition.

The feature might not break anything now but it will make the software more complex. More complex software tends to break more easily. One of the main design goals of gpg-agent, pinentry, etc., was to keep the code of those small helper applications dealing with the secret keys and the passphrases as simple as possible to avoid the complexity trap.

Also, it's a popular fallacy that adding a feature generates cost only once. Every new feature will increase the maintenance costs and thus generate additional cost for the whole lifetime of the software.

Regards,
Ingo

------------------------------

Message: 8
Date: Sun, 24 Oct 2010 21:40:10 +0300
From: Osama Khalid
To: gnupg-users at gnupg.org
Subject: "card inactive"
Message-ID: <20101024184010.GA3262 at osama-laptop>
Content-Type: text/plain; charset="us-ascii"

Hello,

I've been using FSFE Fellowship OpenPGP smartcard for a couple of weeks and now I'm getting error messages. I wonder if it's the smartcard reader (SCR335) or the smartcard itself. I've attached the output of:

gpg --debug 2048 --debug-ccid-driver -v --card-status

My gpg version is 1.4.10 and it is the one that comes with Ubuntu-10.04-based systems (I use Trisquel 4.0).

I'd appreciate any hint.

--Osama Khalid

------------------------------

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

End of Gnupg-users Digest, Vol 85, Issue 25
*******************************************

From tiago at xroot.org Tue Oct 26 16:04:51 2010
From: tiago at xroot.org (Tiago Faria)
Date: Tue, 26 Oct 2010 15:04:51 +0100
Subject: Spam
In-Reply-To: <1744768710-1288098693-cardhu_decombobulator_blackberry.rim.net-643015895-@bda2601.bisx.prod.on.blackberry>
References: <1744768710-1288098693-cardhu_decombobulator_blackberry.rim.net-643015895-@bda2601.bisx.prod.on.blackberry>
Message-ID: <20101026150451.4a46fb73@stacker>

On Tue, 26 Oct 2010 13:11:33 +0000 loadandenjoy at hotmail.com wrote:

> Is this an automated machine. I have requested to be off the list
> many times now. Please let me know if I am writing to rhe ryhg,
> regards Sent on the Sprint® Now Network from my BlackBerry®
> _______________________________________________ Gnupg-users mailing
> list Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

You don't need to request, just unsubscribe from the list:
http://lists.gnupg.org/mailman/listinfo/gnupg-users/

And yes, it is an "automated machine" that deals with such requests.

--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4

From wk at gnupg.org Tue Oct 26 18:32:34 2010
From: wk at gnupg.org (Werner Koch)
Date: Tue, 26 Oct 2010 18:32:34 +0200
Subject: GnuPG 2.1 beta released
Message-ID: <87ocagzzh9.fsf@vigenere.g10code.de>

Hello!

We just released the first *beta version* of GnuPG 2.1. It has been released to give you the opportunity to check out the new features. It is marked as a beta version and the plan is to release a couple more betas in the next months before we can declare 2.1.0 stable enough for general use.

In any case the 2.1 series won't replace the 2.0 series. If you need a stable and fully maintained version of GnuPG, you should in general use 2.0.x or even 1.4.x. Eventually we will release 2.2 as the new stable version but that may take some time.


Noteworthy changes in version 2.1.0beta1
========================================

 * GPG does not anymore use secring.gpg but delegates all secret key operations to gpg-agent. The import command moves secret keys to the agent.

 * The OpenPGP import command is now able to merge secret keys.

 * The G13 tool for disk encryption key management has been added.

 * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --disable-standard-socket may now be used to disable this new default.

 * Dirmngr is now a part of this package. Dirmngr is now also expected to run as a system service and the configuration directories are changed to the GnuPG name space.

 * Removed GPG options:
   --export-options: export-secret-subkey-passwd
   --simple-sk-checksum

 * New GPG options:
   --try-secret-key

 * Support DNS lookups for SRV, PKA and CERT on W32.

 * The default for --include-cert is now to include all certificates in the chain except for the root certificate.

 * Numerical values may now be used as an alternative to the debug-level keywords.

 * New GPGSM option --ignore-cert-extension.

 * Support for Windows CE.

 * Given sufficient permissions Dirmngr is started automagically.

 * Bug fixes.


Migration from 1.4 or 2.0
=========================

The major change in 2.1 is that gpg-agent now takes care of the OpenPGP secret keys (those managed by GPG). The former secring.gpg will not be used anymore. Newly generated keys are generated and stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To migrate your existing keys to the agent you should run this command

  gpg2 --import ~/.gnupg/secring.gpg

The agent will ask you for the passphrase of each key. You may use the Cancel button of the Pinentry to skip importing this key. If you want to stop the import process and you use one of the latest pinentries, you should close the pinentry window instead of hitting the cancel button. Secret keys already imported are skipped by the import command. It is advisable to keep the secring.gpg for use with older versions of GPG.

Note that gpg-agent now uses a fixed socket by default. All tools will start the gpg-agent as needed. In general there is no more need to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK environment variable should be set to a fixed value.

GPG's smartcard commands --card-edit and --card-status as well as the card related sub-commands of --edit-key are not yet supported. However, signing and decryption with a smartcard does work.

The Dirmngr is now part of GnuPG proper. Thus there is no more need to install the separate dirmngr package. The directory layout of Dirmngr changed to make use of the GnuPG directories; for example you use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr needs to be started as a system daemon.


Getting the Software
====================

GnuPG 2.1 is available at

  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta1.tar.bz2
  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta1.tar.bz2.sig

and soon on all mirrors.

Note, that GnuPG is not available at ftp.gnu.org.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * You are expected to have a trusted version of GnuPG installed, thus you may simply check the supplied signature. For example to check the signature of the file gnupg-2.1.0.tar.bz2 you would use this command:

     gpg --verify gnupg-2.1.0.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a key server like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!


Internationalization
====================

This version comes only with support for English and German. More languages will be added for the real release.


Documentation
=============

We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.


Future Plans
============

Some tasks we would like to do before a 2.1 release:

 * Re-enable full smartcard support

 * Add ECC algorithms to GPG

 * Replace the pubring.gpg public key store with the keybox format.


Support
=======

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money.

Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects.

A service directory is available at:

  http://www.gnupg.org/service.html


Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists.


Happy Hacking,

  The GnuPG Team

--
Thoughts are free. Exceptions are regulated by a federal law.

From osamak at gnu.org Tue Oct 26 21:34:44 2010
From: osamak at gnu.org (Osama Khalid)
Date: Tue, 26 Oct 2010 22:34:44 +0300
Subject: "card inactive"
In-Reply-To: <87eibe1h2b.fsf@vigenere.g10code.de>
References: <20101024184010.GA3262@osama-laptop> <87eibe1h2b.fsf@vigenere.g10code.de>
Message-ID: <20101026193444.GC10991@osama-laptop>

[Sent originally off-list]

On Mon, Oct 25, 2010 at 04:29:48PM +0200, Werner Koch wrote:
> You may also try a different card - a banking card for example.
> The PowerOn command needs to succeed on any smartcard.

Are you referring to the regular ATM card? Unfortunately, it seems that SCR335 accepts only cards with the SIM-like part.

Also, what's the PowerOn command?

Thanks for the hint!

--Osama Khalid

From expires2010 at ymail.com Wed Oct 27 01:34:34 2010
From: expires2010 at ymail.com (MFPA)
Date: Wed, 27 Oct 2010 00:34:34 +0100
Subject: Spam
In-Reply-To: <20101026150451.4a46fb73@stacker>
References: <1744768710-1288098693-cardhu_decombobulator_blackberry.rim.net-643015895-@bda2601.bisx.prod.on.blackberry> <20101026150451.4a46fb73@stacker>
Message-ID: <1424676801.20101027003434@my_localhost>

Hi

On Tuesday 26 October 2010 at 3:04:51 PM, in , Tiago Faria wrote:

> On Tue, 26 Oct 2010 13:11:33 +0000
> loadandenjoy at hotmail.com wrote:

>> Is this an automated machine. I have requested to be
>> off the list many times now. Please let me know if I
>> am writing to rhe ryhg, regards Sent on the Sprint?
>> Now Network from my BlackBerry?
>> _______________________________________________
>> Gnupg-users mailing list Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

> You don't need to request, just unsubscribe from the
> list:
> http://lists.gnupg.org/mailman/listinfo/gnupg-users/

Or send a blank email from the subscribed address to
gnupg-users-request at gnupg.org with the subject line saying
"unsubscribe" (without quotes).

-- 
Best regards

MFPA                    mailto:expires2010 at ymail.com

No man ever listened himself out of a job

From reynt0 at cs.albany.edu Wed Oct 27 04:25:37 2010
From: reynt0 at cs.albany.edu (reynt0) Date: Tue, 26 Oct 2010 22:25:37 -0400 (EDT) Subject: Seahorse Message-ID: (Sorry about the late post, am just catching up on some skipped emails and my comment might have some wider relevance though stimulated by the quoted email.) On 10/11/2010, Robert J. Hansen wote: > On 10/8/2010 10:16 AM, Mark H. Wood wrote: >> If you ever decide to promote that alternate interface, the approach >> I would try is to sneak it in by actually making it an alternative > > This is one of the things we were specifically warned against in HCI. > Give people two interfaces and the new interface will never supplant the > old. When new users encounter problems and ask for help, the first > thing the old-timer will do is say, "well, first, go back to the old > interface, that's the one I know the best." The newcomer will do so and > won't switch back afterwards, both out of a spirit of "all the experts > use the old interface" and "nobody can help me with this new interface, > so I'd better use the old." Unless of course the "old-timer" is flexible and up to speed? And maybe related, was the research upon which that Human-Computer Interface class was based maybe done before the "new era" of users (ie the era which started a couple of years ago :-) ), and maybe its applicability to the modern world needs to be re-evaluated? From rjh at sixdemonbag.org Wed Oct 27 05:19:14 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Oct 2010 23:19:14 -0400 Subject: Seahorse In-Reply-To: References: Message-ID: <4CC79A32.3090708@sixdemonbag.org> On 10/26/2010 10:25 PM, reynt0 wrote: > Unless of course the "old-timer" is flexible and up to > speed? And maybe related, was the research upon which > that Human-Computer Interface class was based maybe > done before the "new era" of users (ie the era which > started a couple of years ago :-) ), and maybe its > applicability to the modern world needs to be re-evaluated? Conjecture is nice. Evidence is better. Put together a study testing the continued validity of the hypothesis. If it turns out the hypothesis is false, I and many others will certainly sit up and pay attention. As for me, though -- I have enough on my plate without taking on this task. I'm going to believe the question is settled, on the basis of existing evidence, until such time as new contradicting evidence is presented. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From DKaraluz at TC3HEALTH.com Tue Oct 26 22:30:57 2010 
From: DKaraluz at TC3HEALTH.com (Dieter Karaluz)
Date: Tue, 26 Oct 2010 13:30:57 -0700
Subject: Help with the --batch option...
Message-ID: <0D4B946B6FDDC74481E8696C7CCA6C4208909233@cmexchange1.corp.tc3health.com>

Hi,

This inquiry has two questions. Please include dkaraluz at tc3health.com
in your replies. Thanks.

We are running GPG 1.2.0 in production. We use it to decrypt all the
files we get from our clients through a batch script executed from a
Windows service. The command executed is:

c:\gnupg\gpg.1.2.0.exe -r tc3health --batch --yes -o D:\PaidClaims\Data\Incoming\NGS\HST_Header_201010_1.zip -d D:\PaidClaims\Data\Incoming\NGS\HST_Header_101025.txt.zip.pgp
gpg: encrypted with 2048-bit ELG-E key, ID 5FC0F85B, created 2002-08-27
      "TC3Health "

And the decrypt generates a zip file. No manual intervention.

But I am having an issue with the zip file generated: WinZip reports
"Error: Invalid compressed data to expand file". And that prompted me
to install GNUPG 1.4.11 to see if that version corrects the problem.
Now I am getting:

c:\gnupg\gpg.1.4.11.exe -r tc3health --batch --yes -o D:\PaidClaims\Data\Incoming\NGS\HST_Header_201010_2.zip -d D:\PaidClaims\Data\Incoming\NGS\HST_Header_101025.txt.zip.pgp
gpg: can't query passphrase in batch mode
gpg: encrypted with 2048-bit ELG-E key, ID 5FC0F85B, created 2002-08-27
      "TC3Health "
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

I ran a test where I removed the --batch, and entered the passphrase
manually. The file decrypted fine, and WinZip had no problems opening
the content of the zip file. So 1.4.11 fixes whatever issue I am having
with 1.2.0. I did verify that the two zip files do not match when
compared in binary mode, so there is a change in the way the file gets
decrypted.

So here are the two questions:

1 - What do I need to do with gpg 1.4.11 so that it will decrypt pgp
files in batch mode. With hundreds of files coming in daily it is just
not practical to have someone entering the passphrase for each file.
GNUPG 1.2.0 does it fine. I did not do the original 1.2.0 installation
so I don't know what was done with 1.2.0 to make it work fine with the
--batch option.

2 - What fix was applied to 1.4.11 that solved the issue I am having in
1.2.0, and is there an option I could pass to GNUPG 1.2.0 that would
correct or work around the issue?

Thanks,

Dieter Karaluz

From wk at gnupg.org Wed Oct 27 10:26:27 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Oct 2010 10:26:27 +0200
Subject: Help with the --batch option...
In-Reply-To: <0D4B946B6FDDC74481E8696C7CCA6C4208909233@cmexchange1.corp.tc3health.com> (Dieter Karaluz's message of "Tue, 26 Oct 2010 13:30:57 -0700")
References: <0D4B946B6FDDC74481E8696C7CCA6C4208909233@cmexchange1.corp.tc3health.com>
Message-ID: <87sjzsxcr0.fsf@vigenere.g10code.de>

On Tue, 26 Oct 2010 22:30, DKaraluz at TC3HEALTH.com said:

> We are running GPG 1.2.0 in production. We use it to decrypt all the

That one is an 8 years old version and this 1.2 series entered end of
life status 5 years ago.

> 1 - What do I need to do with gpg 1.4.11 so that it will decrypt pgp
> files in batch mode. With hundreds of files coming in daily it is just

From the command lines you posted 1.2. was not able to do this either.
It might be that we changed something related to batch processing but
that was a bug fix then.

> so I don't know what was done with 1.2.0 to make it work fine with the
> --batch option.

Either no passphrase was set for the key or the option --passphrase-fd
was used.

What you can do is to remove the passphrase from the key or use one of
the options: --passphrase-fd, --passphrase-file or --passphrase.

> 2 - What fix was applied to 1.4.11 that solved the issue I am having in
> 1.2.0, and is there an option I could pass to GNUPG 1.2.0 that would
> correct or work around the issue?

Too many changes over the years to quickly answer this. Likely
candidates are:

2010-06-18

	* parse-packet.c (skip_packet, parse_gpg_control): Take care of
	premature EOFs.  Backport from trunk.

2009-05-05

	* parse-packet.c (parse): Remove special treatment for compressed
	new style packets.  Fixes bug#931.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From bmarwell at googlemail.com Wed Oct 27 21:11:17 2010
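Of the three options named in the reply above, --passphrase-fd keeps the passphrase out of the argument list, where --passphrase would expose it to anyone who can list processes. The sketch below is an added example, not code from the thread or from GnuPG; the function names, the ".pgp" suffix convention and the directory layout are assumptions, and it is written for a POSIX shell rather than the Windows service in the question.

```shell
#!/bin/sh
# Added example: unattended decryption of a directory of files with the
# passphrase read by gpg from file descriptor 3.
# Written against GnuPG 1.4; GnuPG 2.1 and later additionally need
# "--pinentry-mode loopback" for --passphrase-fd to be honoured.

# decrypt_one PASSFILE ENCRYPTED OUTPUT
decrypt_one() {
    passfile=$1; src=$2; dst=$3

    # Refuse a passphrase file that group or others can access at all.
    mode=$(ls -ld "$passfile" 2>/dev/null | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "refusing passphrase file with group/other access: $passfile" >&2
        return 1
    fi

    # Decrypt to a temporary name and rename only on success, so a failed
    # or interrupted run never leaves a truncated file under the final name.
    tmp="$dst.part.$$"
    if gpg --batch --yes --passphrase-fd 3 -o "$tmp" -d "$src" 3<"$passfile"
    then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}

# decrypt_dir PASSFILE INCOMING_DIR OUTPUT_DIR
#   Decrypts every *.pgp file, reports each failure on stderr and returns
#   0 only if all files were decrypted.
decrypt_dir() {
    failed=0
    for f in "$2"/*.pgp; do
        [ -e "$f" ] || continue          # no matching files at all
        name=$(basename "$f" .pgp)
        if ! decrypt_one "$1" "$f" "$3/$name"; then
            echo "FAILED: $f" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage (paths are placeholders):
#   decrypt_dir /path/to/passphrase-file /path/to/incoming /path/to/decrypted
```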
From: bmarwell at googlemail.com (Benjamin Marwell) Date: Wed, 27 Oct 2010 21:11:17 +0200 Subject: kwatchgnupg-Options Message-ID: Hello everyone, there is a bug where kwatchgnupg adds gpg2-Options to gpg.conf, whether it is a gpg2 config file or not. gpg refuses to work with these invalid options. Perhaps some of the devs might want to take a look at it, as it is very annoying. https://bugs.kde.org/show_bug.cgi?id=226630 Thanks in advance. From wk at gnupg.org Thu Oct 28 11:15:05 2010 From: wk at gnupg.org (Werner Koch) Date: Thu, 28 Oct 2010 11:15:05 +0200 Subject: Fix for GnuPG 1.4.11 on MIPS using gcc In-Reply-To: <38c2f97697f247ffc39da188ba1edebf.squirrel@wm.kinkhorst.nl> (Thijs Kinkhorst's message of "Wed, 27 Oct 2010 20:31:47 +0200") References: <1288195368.6580.1.camel@haktar.wgdd.de> <38c2f97697f247ffc39da188ba1edebf.squirrel@wm.kinkhorst.nl> Message-ID: <87zktywuee.fsf_-_@vigenere.g10code.de> Hi, While building GnuPG 1.4.11 on MIPS a build problem was encountred. Please try the patch below which should fix the problem. Salam-Shalom, Werner 2010-10-28 Werner Koch * longlong.h: Revert last two changes and replace by code from libgcrypt 1.4.6. --- mpi/longlong.h (revision 5466) +++ mpi/longlong.h (working copy) @@ -710,12 +710,13 @@ ************** MIPS ***************** ***************************************/ #if defined (__mips__) && W_TYPE_SIZE == 32 -#if __GNUC__ > 4 || ( __GNUC__ == 4 && __GNUC_MINOR__ >= 4 ) -#define umul_ppmm(w1, w0, u, v) \ +#if (__GNUC__ >= 5) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4) +#define umul_ppmm(w1, w0, u, v) \ do { \ - UDItype __ll = (UDItype)(u) * (v); \ - w1 = __ll >> 32; \ - w0 = __ll; \ + UDItype _r; \ + _r = (UDItype) u * v; \ + (w1) = _r >> 32; \ + (w0) = (USItype) _r; \ } while (0) #elif __GNUC__ > 2 || __GNUC_MINOR__ >= 7 #define umul_ppmm(w1, w0, u, v) \ 
@@ -742,14 +743,15 @@ ************** MIPS/64 ************** ***************************************/ #if (defined (__mips) && __mips >= 3) && W_TYPE_SIZE == 64 -# if __GNUC__ > 4 || ( __GNUC__ == 4 && __GNUC_MINOR__ >= 4 ) +# if (__GNUC__ >= 5) || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4) + typedef unsigned int UTItype __attribute__ ((mode (TI))); # define umul_ppmm(w1, w0, u, v) \ - do { \ - typedef unsigned int __ll_UTItype __attribute__((mode(TI))); \ - __ll_UTItype __ll = (__ll_UTItype)(u) * (v); \ - w1 = __ll >> 64; \ - w0 = __ll; \ - } while (0) + do { \ + UTItype _r; \ + _r = (UTItype) u * v; \ + (w1) = _r >> 64; \ + (w0) = (UDItype) _r; \ + } while (0) # elif if __GNUC__ > 2 || __GNUC_MINOR__ >= 7 # define umul_ppmm(w1, w0, u, v) \ __asm__ ("dmultu %2,%3" \ -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From thomas at lecavelier.name Thu Oct 28 16:14:18 2010 From: thomas at lecavelier.name (Thomas Lecavelier) Date: Thu, 28 Oct 2010 16:14:18 +0200 Subject: Syncing secring for mobile users Message-ID: Hi, I tried many times to use GPG on a day-to-day basis. It often starts very well: I sign every mail I sent, evangelis people asking about my strange signatures, etc. But there's a fact: I'm a computer scientist worker, so I work on many computers, but not at the same rate. Currently, I'm at work, setting up my iMac. So I download an exported secring from one of my personnal server. But I compare it to my keyring on my laptop, and even on my phone: they *all* diverge. I'm owned. Here my true question: what's your workflow to sync your keyring between multiple computers? I thought about having a ring for personnal usage, and a ring for pro usage, but I'm consulting both my personnal and private email on every computers. I can't think about a simple solution, so I'd be glad to have your thoughts about it :) Thank you -- Thomas "Ook? Ook!" Lecavelier http://thomas.lecavelier.name From papillion at gmail.com Thu Oct 28 17:47:04 2010 
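Review bot: the rewritten 32-bit `umul_ppmm` in the first hunk of Werner Koch's mpi/longlong.h patch above (`#if defined (__mips__) && W_TYPE_SIZE == 32`) no longer parenthesizes its arguments: `_r = (UDItype) u * v;` binds the cast to the first token of `u` only, so an argument that is an expression such as `a + b` expands to `(UDItype) a + b * v` and yields the wrong product. The removed line had `(UDItype)(u) * (v)`; suggest `_r = (UDItype)(u) * (v);` while keeping the new `(w1)`/`(w0)` parentheses and the explicit `(USItype)` truncation.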
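Review bot: in the second hunk of the same patch (MIPS/64, `W_TYPE_SIZE == 64`) the `typedef unsigned int UTItype __attribute__ ((mode (TI)));` moves out of the macro's `do { ... } while (0)` block to file scope, so the header now exports a global `UTItype` on this target where the removed code kept the name private as `__ll_UTItype`; if longlong.h or a file including it defines `UTItype` as well, that is a redefinition, which a guard or a header-private name would avoid. The product `(UTItype) u * v` also lacks parentheses around `u` and `v`, as in the first hunk, and the trailing context line `# elif if __GNUC__ > 2 || __GNUC_MINOR__ >= 7` carries a stray `if` that looks like a typo worth fixing in the same change.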
From: papillion at gmail.com (Anthony Papillion) Date: Thu, 28 Oct 2010 10:47:04 -0500 Subject: Syncing secring for mobile users In-Reply-To: References: Message-ID: <4CC99AF8.4050402@gmail.com> On 10/28/2010 09:14 AM, Thomas Lecavelier wrote: > Hi, > > I tried many times to use GPG on a day-to-day basis. It often starts very well: I sign every mail I sent, evangelis people asking about my strange signatures, etc. But there's a fact: I'm a computer scientist worker, so I work on many computers, but not at the same rate. > Currently, I'm at work, setting up my iMac. So I download an exported secring from one of my personnal server. But I compare it to my keyring on my laptop, and even on my phone: they *all* diverge. I'm owned. > > Here my true question: what's your workflow to sync your keyring between multiple computers? I thought about having a ring for personnal usage, and a ring for pro usage, but I'm consulting both my personnal and private email on every computers. I can't think about a simple solution, so I'd be glad to have your thoughts about it :) Hi Thomas, What about storing your entire secring on a removable drive and simply pointing gpg to that drive when you need to. If you're using more than one computer I would assume there might be some times when others have access to that machine so maybe storing your private key on a machine might not be the best practice. A removable drive might be the answer for you. To answer your question, I've not gotten my workflow quite down yet either. It's been about 10 years since I last had to use encryption technology and even then it was on a single, secure, machine that I had near total control over and there were protocols in place for accessing it. So I'm coming at this, essentially, as a new user. Right now, once a day, I export my entire secring to a thumb drive and then import it to my other computers. This seems to have worked for the most part, though there have been a few glitches. 
I'm still in the market for something better but that is what works for me at the moment. Anthony From tiago at xroot.org Thu Oct 28 18:41:58 2010 From: tiago at xroot.org (Tiago Faria) Date: Thu, 28 Oct 2010 17:41:58 +0100 Subject: Syncing secring for mobile users In-Reply-To: <4CC99AF8.4050402@gmail.com> References: <4CC99AF8.4050402@gmail.com> Message-ID: <20101028174158.1c268bcd@stacker> On Thu, 28 Oct 2010 10:47:04 -0500 Anthony Papillion wrote: > > Here my true question: what's your workflow to sync your keyring > > between multiple computers? I thought about having a ring for > > personnal usage, and a ring for pro usage, but I'm consulting both > > my personnal and private email on every computers. I can't think > > about a simple solution, so I'd be glad to have your thoughts about > > it :) For keys that I require access in more than 1 computer, I usually have the keys stored on the OpenPGP card. I keep it on my wallet and a backup of the keys, done every once in a while, in a encrypted removable drive. I don't use it on my phone, though. Tiago -- Tiago Faria | http://xroot.org OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From mailinglisten at hauke-laging.de Sat Oct 30 01:12:10 2010 
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 30 Oct 2010 01:12:10 +0200
Subject: key not trusted when secret main key missing
Message-ID: <201010300112.17746.mailinglisten@hauke-laging.de>

Hello,

I have (had) a strange problem which I cannot even reproduce. To make it
worse, I use version 2.0.15.

I have created a key on a secure system, exported the public keys, the
secret keys and the secret subkeys to three files and imported the
public and subkeys on another system. I could not configure this key for
the use in KMail (without any error message). Thus I tried to make a
signature. Verifying the signature led to this output (in German and as
I cannot reproduce the problem...):

start cmd:> gpg --verify test.html.BBEA218E.sig test.html
gpg: Signatur vom Fr 29 Okt 2010 22:31:49 CEST
gpg:                mittels RSA-Schlüssel 0x95C20EF1
gpg: Korrekte Signatur von "Hauke Laging (Offline-Hauptschlüssel) ...
gpg: Beglaubigungsrichtlinie: http://www.hauke-laging.de/openpgp/policy.html
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = AFF8 7529 66BE F70C A514 9618 650F 4F91 BBEA 218E
Unter-Fingerabdruck = A65D A538 6A73 21E0 01F3 C2BF F78C 4FD6 95C2 0EF1

It says: This key has no trustworthy signature. There is no hint that
the signature belongs to the claimed owner.

Then I read the comments in the config file which says: "GnuPG
ultimately trusts all keys in the secret keyring." I have the secret
keys - except for the main key. I can create a signature with this key.

I then put both this key and the one which has signed it in the config
file:

trusted-key 650F4F91BBEA218E
...

After that the warning disappeared (and KMail accepted the key). I
thought that the reason was the missing secret main key (which would not
make sense and would be considered by me as a bug). Just for fun I
removed the "trusted-key" entries. And even though this should be the
same configuration as before the warning did not appear again. Thus I
cannot (easily) reproduce it.

There are other keys without secret main key which do not cause this
problem. The reason may be that my normal key is configured as default
key and the other ones are signed by it. However, I do not understand
why the problem is "solved" now. Does gpg note anywhere (trustdb?) that
a key was valid so that the secret main key checking is skipped?


CU

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: 

From osamak at gnu.org Sun Oct 31 17:50:10 2010
From: osamak at gnu.org (Osama Khalid)
Date: Sun, 31 Oct 2010 19:50:10 +0300
Subject: Restoring a backup key
Message-ID: <20101031165010.GB1933@osama-laptop>

Hello,

When I generated my OpenPGP smartcard, I asked GPG to save a backup
version of the key. It did that in an "sk_.gpg" file.

Now I'm trying to find a way to restore my secret key.

Currently, "$ gpg --list-secret-keys" has no output, but
"$ gpg --list-keys" does list the public key of my secret key.

Running "$ gpg --allow-secret-key-import --import sk_<...>.gpg"
returns in:
> gpg: key : no user ID
> gpg: Total number processed: 1
> gpg:       secret keys read: 1

And it does not import anything.

I was wondering about the correct way to do that.

Thank you!

--Osama Khalid

From mailinglisten at hauke-laging.de Sun Oct 31 18:01:10 2010
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 31 Oct 2010 18:01:10 +0100 Subject: Restoring a backup key In-Reply-To: <20101031165010.GB1933@osama-laptop> References: <20101031165010.GB1933@osama-laptop> Message-ID: <201010311801.11270.mailinglisten@hauke-laging.de> Am Sonntag 31 Oktober 2010 17:50:10 schrieb Osama Khalid: > Running "$ gpg --allow-secret-key-import --import sk_<...>.gpg" > > returns in: > > gpg: key : no user ID > > gpg: Total number processed: 1 > > gpg: secret keys read: 1 Have you imported the public key before? Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From osamak at gnu.org Sun Oct 31 18:11:52 2010 From: osamak at gnu.org (Osama Khalid) Date: Sun, 31 Oct 2010 20:11:52 +0300 Subject: Restoring a backup key In-Reply-To: <201010311801.11270.mailinglisten@hauke-laging.de> References: <20101031165010.GB1933@osama-laptop> <201010311801.11270.mailinglisten@hauke-laging.de> Message-ID: <20101031171152.GC1933@osama-laptop> On Sun, Oct 31, 2010 at 06:01:10PM +0100, Hauke Laging wrote: > Have you imported the public key before? Yes. I do have the public key in my kerying. -- Osama Khalid From jcruff at gmail.com Sun Oct 31 19:20:50 2010 
From: jcruff at gmail.com (Chris Ruff)
Date: Sun, 31 Oct 2010 14:20:50 -0400
Subject: 2.1.0beta1 - Smartcard Support?
Message-ID: <1288549250.8460.10.camel@silence.i.fourings.com>

Is it typical for smartcard support not to be in beta versions?

[techniq at silence: ~] $ gpg --card-status
gpg: invalid option "--card-status"

[techniq at silence: ~] $ gpg --version
gpg (GnuPG) 2.1.0beta1
libgcrypt 1.4.6
NOTE: THIS IS A DEVELOPMENT VERSION!
It is only intended for test purposes and should NOT be
used in a production environment or with production keys!
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

[...configure output...]
        GnuPG v2.1.0beta1 has been configured as follows:

        Platform:  GNU/Linux (i686-pc-linux-gnu)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        G13:       yes
        Dirmngr:   yes
        Gpgtar:    no

        Protect tool:      (default)
        LDAP wrapper:      (default)
        Default agent:     (default)
        Default pinentry:  (default)
        Default scdaemon:  (default)
        Default dirmngr:   (default)

        Use standard socket: yes
        Dirmngr auto start:  no

-- 
__________________________________
Chris Ruff
email: jcruff at gmail.com
gpg key: 0xDD55B6FC
gpg fgpr: 1BA1 71D7 ADA7 1E8B 1623 A43D 283B 2F81 BDD5 B810
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5486 bytes
Desc: not available
URL: 

From jcruff at gmail.com Sun Oct 31 19:26:47 2010
From: jcruff at gmail.com (Chris Ruff) Date: Sun, 31 Oct 2010 14:26:47 -0400 Subject: Restoring a backup key In-Reply-To: <20101031171152.GC1933@osama-laptop> References: <20101031165010.GB1933@osama-laptop> <201010311801.11270.mailinglisten@hauke-laging.de> <20101031171152.GC1933@osama-laptop> Message-ID: <1288549607.8460.11.camel@silence.i.fourings.com> Can you edit the key and toggle? Maybe the trust level needs to be set. -- __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0xDD55B6FC gpg fgpr: 1BA1 71D7 ADA7 1E8B 1623 A43D 283B 2F81 BDD5 B810 -----Original Message----- From: Osama Khalid To: Hauke Laging Cc: gnupg-users at gnupg.org Subject: Re: Restoring a backup key Date: Sun, 31 Oct 2010 20:11:52 +0300 On Sun, Oct 31, 2010 at 06:01:10PM +0100, Hauke Laging wrote: > Have you imported the public key before? Yes. I do have the public key in my kerying. -- Osama Khalid _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5486 bytes Desc: not available URL: From osamak at gnu.org Sun Oct 31 19:53:06 2010 
From: osamak at gnu.org (Osama Khalid)
Date: Sun, 31 Oct 2010 21:53:06 +0300
Subject: Restoring a backup key
In-Reply-To: <20101031165010.GB1933@osama-laptop>
References: <20101031165010.GB1933@osama-laptop>
Message-ID: <20101031185306.GD1933@osama-laptop>

After a chat on the gnupg IRC channel, I found out that the backup gpg
made was only partial. It was for one of my secret subkeys.

$ gpg --list-keys
[...]
pub   2048R/5BFA8C2E 2010-10-01
uid                  Osama Khalid (osamak)
sub   1024R/567A2834 2010-10-01
sub   2048R/D023251F 2010-10-01

$ gpg sk_<...>.gpg
sec  1024R/567A2834 2010-10-01
$

The primary secret key is not included in the "sk_<...>.gpg" file. I
wonder why gpg would suggest that "backup of card key saved to
<...>/sk_<...>.gpg".

Am I missing something here?

--Osama Khalid

From osamak at gnu.org Sun Oct 31 20:33:45 2010
From: osamak at gnu.org (Osama Khalid)
Date: Sun, 31 Oct 2010 22:33:45 +0300
Subject: Restoring a backup key
In-Reply-To: <4CCDC0C0.8080009@tx.rr.com>
References: <20101031165010.GB1933@osama-laptop> <4CCDC0C0.8080009@tx.rr.com>
Message-ID: <20101031193345.GE1933@osama-laptop>

On Sun, Oct 31, 2010 at 02:17:20PM -0500, John Clizbe wrote:
> Try
> gpg --edit-key XYZ...
> toggle
> bkuptocard sk_.gpg

Thank you, John. The thing is that the card is damaged, and I don't
have the secret key in my keyring.

toggle -> Need the secret key to do this.

--Osama Khalid

From JPClizbe at tx.rr.com Sun Oct 31 20:17:20 2010
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 31 Oct 2010 14:17:20 -0500
Subject: Restoring a backup key
In-Reply-To: <20101031165010.GB1933@osama-laptop>
References: <20101031165010.GB1933@osama-laptop>
Message-ID: <4CCDC0C0.8080009@tx.rr.com>

Osama Khalid wrote:
> Hello,
>
> When I generated my OpenPGP smartcard, I asked GPG to save a backup
> version of the key. It did that in an
> "sk_.gpg" file.
>
> Now I'm trying to find a way to restore my secret key.
>
> I was wondering about the correct way to do that.

Try
gpg --edit-key XYZ...
toggle
bkuptocard sk_.gpg

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 499 bytes
Desc: OpenPGP digital signature
URL: 

From fukuda at computer.org Sat Oct 30 13:47:32 2010
From: fukuda at computer.org (Taka Fukuda)
Date: Sat, 30 Oct 2010 20:47:32 +0900
Subject: Files encrypted on another system
Message-ID: <87zktvnbqj.wl%fukuda@computer.org>

Hi,

I created an encrypted file on a Fedora machine, and lost the
environment except for the encrypted file itself. (I remember the
pass-phrase, though.)

I have tried to decrypt the file, but I got

fukuda at lark:~% gpg --decrypt Sync/Diary.gpg
gpg: encrypted with ELG-E key, ID CA21E488
gpg: decryption failed: secret key not available

Are there any ways to recover the file?

Regards,

-- 
-- Taka Fukuda
-- fukuda at computer.org

From fritzfs at gmail.com Sun Oct 31 21:30:04 2010
From: fritzfs at gmail.com (Franjo Stipanovic) Date: Sun, 31 Oct 2010 21:30:04 +0100 Subject: export public and private key in DER format Message-ID: Hi, I'm trying to export my public and private key in DER format. I need to use them in Java application and I don't wish to use bouncycastle library. How can I do this? -------------- next part -------------- An HTML attachment was scrubbed... URL: