From wk at gnupg.org Mon Sep 1 08:16:56 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 01 Sep 2014 08:16:56 +0200
Subject: Smart Card 4096 Key Question
In-Reply-To: <5403933B.4070702@internexusconnect.net> (Tristan Santore's message of "Sun, 31 Aug 2014 22:27:23 +0100")
References: <5403933B.4070702@internexusconnect.net>
Message-ID: <87tx4rrhk7.fsf@vigenere.g10code.de>

On Sun, 31 Aug 2014 23:27, tristan.santore at internexusconnect.net said:

> Yes the card can have a 4096bit Auth, Sign and Encryption key. You have

Correct.

> to generate them on a machine though, not on card.

The cards generate them just fine.

Note that this is only true for the ZeitControl as currently distributed.
Thus the warning note you see if you use a different key size than 2048
bit.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Sep 1 08:21:41 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 01 Sep 2014 08:21:41 +0200
Subject: Difference between clearsign and detached signatures?
In-Reply-To: <54034750.7000302@iam.tj> (TJ's message of "Sun, 31 Aug 2014 17:03:28 +0100")
References: <53FFA4F0.9010908@iam.tj> <1745243.JDdNhTkNpi@thufir.ingo-kloecker.de> <54024C05.8070709@iam.tj> <3217931.txkpfM8Dcy@thufir.ingo-kloecker.de> <54034750.7000302@iam.tj>
Message-ID: <87ppffrhca.fsf@vigenere.g10code.de>

On Sun, 31 Aug 2014 18:03, gnupg at iam.tj said:

> to see how to do is set the keyring file to use. There doesn't appear to be
> any function that provides for setting an existing key ring; the best I could
> find is gpgme_op_import_keys() which talks about:

The keyring is an internal property of GnuPG and thus we can't provide
an API in GPGME. What we do instead is to allow switching GnuPG's home
directory via gpgme_set_engine_info.

> In my scenario I simply need to tell the crypto engine to use the "/etc/apt/trusted.gpg"

Do you want to use gpgme as an API for gpgv ? It might be useful to
consider a new gpgme_protocol for verifying keys using a redefined set
of keys.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Sep 1 08:37:45 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 01 Sep 2014 08:37:45 +0200
Subject: gnupg privicy assistant - card manager.
In-Reply-To: <1409493657.21352.1@Kingston2> (Paul Lewis's message of "Sun, 31 Aug 2014 15:00:57 +0100")
References: <1409493657.21352.1@Kingston2>
Message-ID: <87iol7rglh.fsf@vigenere.g10code.de>

On Sun, 31 Aug 2014 16:00, paul.lewis at quadensemble.com said:

> I'd like to use the card manager function, but whenever I invoke it the
> application returns the error "Error accessing the card", and the
> status bar reports "Checking for card .. "

I have actually to thank you for raising this issue:

> gnome-keyring-daemon[5531]: unrecognized command: SCD

The problem is that the gnome-keyring-daemon hijacks the inter process
communication (IPC) between gpg and gpg-agent. It implements a very
limited set of commands of gpg-agent but nothing more. Recent versions
of GnuPG detect this and show a warning message or pop-up to tell you
just this.

Depending on the version of gnome-keyring-daemon, it is possible to
disable the gpg-agent hijacking component. Unfortunately it is hard to
convince the maintainer to disable this mis-feature.

> Otherwise if I run gpg --card-status with a card in the USB card reader
> I get the following:

You are using gpg 1.4.x which can directly talk to the card. However,
latest card features are not supported by 1.4 but only by GnuPG 2.x.
See the mail thread starting with this mail for details:

  http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html

> I presume, the system is misconfigured in some way. Any one got any
> suggestions?

You may want to bring this to the attention of your Linux distribution.
The solution could be easy: The gpg-agent component needs to be
disabled when building gnome-keyring-daemon:

  ./configure --disable-gpg-agent

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Sep 1 10:07:35 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 01 Sep 2014 10:07:35 +0200
Subject: [Announce] GPA 0.9.5 released
Message-ID: <87tx4rpxvc.fsf@vigenere.g10code.de>

Hello!

I am pleased to announce GPA version 0.9.5.

GPA is a graphical frontend for the GNU Privacy Guard (GnuPG). GPA can
be used for most operations supported by GnuPG using either the OpenPGP
or the S/MIME protocols. A smartcard manager and a generic user
interface server features are included as well.

You can find the release here:

  ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.5.tar.bz2 (716k)
  ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.5.tar.bz2.sig

and soon on all ftp.gnupg.org mirrors. A binary version for Windows is
currently not planned.

The SHA1 checksum for this release is:

  ea53b934a7f5dd4e2dfb35dac2b35cafc7b54c90  gpa-0.9.5.tar.bz2

Noteworthy changes in version 0.9.5
-----------------------------------

 * GPA now starts with the UI server enabled and tests on startup
   whether such a server is already running to open that one instead
   of launching a second instance.

 * GPA is now aware of ECC keys.

 * Improved detection of CMS objects (which are used by S/MIME) and
   detached OpenPGP signatures.

 * Allow import and export of X.509 certificates. Allow backup of
   X.509 keys.

 * The key creation date is now displayed in the key listing.

 * Armored detached signature files are now created with an ".asc"
   suffix and not with ".sig".

 * The GnuPG home directory is now detected using the gpgconf tool.

 * Added launch-gpa wrapper for Windows.

 * Fixed several bugs leading to crashes.

If you want to contribute to the development of GPA, please subscribe
to the gnupg-devel mailing list [1] and read the file doc/HACKING.

The driving force behind the development of GPA is my company g10 Code.
Maintenance and improvement of GnuPG and related software, such as GPA,
takes up most of our resources.
To allow us to continue our work on free software, we ask to either
purchase a support contract, engage us for custom enhancements, or to
donate money:

  https://gnupg.org/donate/

Many thanks to all who contributed to GPA development, be it bug
fixes, code, documentation, testing, and helping users.

Shalom-Salam,

   Werner

[1] See http://www.gnupg.org/documentation/mailing-lists.html .

-- 
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From philip.jackson at nordnet.fr Mon Sep 1 16:18:32 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Mon, 01 Sep 2014 16:18:32 +0200
Subject: Smart Card 4096 Key Question
In-Reply-To: <87tx4rrhk7.fsf@vigenere.g10code.de>
References: <5403933B.4070702@internexusconnect.net> <87tx4rrhk7.fsf@vigenere.g10code.de>
Message-ID: <54048038.3070508@nordnet.fr>

On 01/09/14 08:16, Werner Koch wrote:
> On Sun, 31 Aug 2014 23:27, tristan.santore at internexusconnect.net said:
>
>> Yes the card can have a 4096bit Auth, Sign and Encryption key. You have
>
> Correct.
>
>> to generate them on a machine though, not on card.
>
> The cards generate them just fine.
>
> Note that this is only true for the ZeitControl as currently distributed.
> Thus the warning note you see if you use a different key size than 2048
> bit.

I tried to buy an SCT3512 usb key device from Amazon.de and also from SCM in
Germany. Neither will ship to an address outside Germany.

I tried the shop at kernelconcepts.de for the card but I can't get into their
website with Firefox under linux nor under windows - I just get a weird error page :

"Fatal error: Call to a member function add_current_page() on a non-object in
/var/www/osc/catalog/includes/application_top.php on line 318"

It looks like security is alive and doing well in Germany. I thought we had
something going for us in Europe these days but apparently not.

Can anyone suggest a supplier in Europe who will sell outside his frontier ?

Philip

From tristan.santore at internexusconnect.net Mon Sep 1 20:29:04 2014
From: tristan.santore at internexusconnect.net (Tristan Santore)
Date: Mon, 01 Sep 2014 19:29:04 +0100
Subject: Smart Card 4096 Key Question
In-Reply-To: <54048038.3070508@nordnet.fr>
References: <5403933B.4070702@internexusconnect.net> <87tx4rrhk7.fsf@vigenere.g10code.de> <54048038.3070508@nordnet.fr>
Message-ID: <5404BAF0.4020507@internexusconnect.net>

On 01/09/14 15:18, Philip Jackson wrote:
> On 01/09/14 08:16, Werner Koch wrote:
>> On Sun, 31 Aug 2014 23:27, tristan.santore at internexusconnect.net said:
>>
>>> Yes the card can have a 4096bit Auth, Sign and Encryption key. You have
>> Correct.
>>
>>> to generate them on a machine though, not on card.
>> The cards generate them just fine.
>>
>> Note that this is only true for the ZeitControl as currently distributed.
>> Thus the warning note you see if you use a different key size than 2048
>> bit.
> I tried to buy an SCT3512 usb key device from Amazon.de and also from SCM in
> Germany. Neither will ship to an address outside Germany.
>
> I tried the shop at kernelconcepts.de for the card but I can't get into their
> website with Firefox under linux nor under windows - I just get a weird error page :
>
> "Fatal error: Call to a member function add_current_page() on a non-object in
> /var/www/osc/catalog/includes/application_top.php on line 318"
>
> It looks like security is alive and doing well in Germany. I thought we had
> something going for us in Europe these days but apparently not.
>
> Can anyone suggest a supplier in Europe who will sell outside his frontier ?
>
> Philip
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Johnathan,

How far into the shopping process ? My cart fills fine here. That is
regarding kernel concepts. Don't they also do a card reader ?
Anyway, I tried loads of places within the UK, not much luck, then just
bought an Omnikey, but my pinpad never worked until somebody made a
patch. Seems to work fine now. Although 2.0.19 broke it I think or
fixed it. I cannot recall, which one broke and then which fixed it
again. ;-D

Maybe you could contact a supplier and ask them how much they would
want, if they order one for you. However, then they will charge you RRP
as a bare minimum, probably more, as you asked them for it.

Regards,

Tristan

P.S: Maybe choose another model ? Which is more widely available ?

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

From rjh at sixdemonbag.org Mon Sep 1 21:42:40 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Sep 2014 15:42:40 -0400
Subject: Hal Finney
Message-ID: <5404CC30.3020309@sixdemonbag.org>

Hal Finney, one of the original PGP hackers and a pivotal figure in
twenty-plus years of PGP development and evolution of the OpenPGP spec,
died this past weekend of complications from amyotrophic lateral
sclerosis (ALS, or "Lou Gehrig's Disease"). Although he had minimal
involvement in the Free Software community, he was a pivotal figure
within the larger PGP community.

I knew Hal, though not well. In my brief experiences with him he was
witty, funny, and unfailingly kind.

My thoughts are with his family. The world is diminished with his absence.

http://www.nytimes.com/2014/08/31/business/hal-finney-cryptographer-and-bitcoin-pioneer-dies-at-58.html

From paul.lewis at quadensemble.com Mon Sep 1 12:28:17 2014
From: paul.lewis at quadensemble.com (Paul Lewis)
Date: Mon, 01 Sep 2014 11:28:17 +0100
Subject: gnupg privicy assistant - card manager.
In-Reply-To: <87iol7rglh.fsf@vigenere.g10code.de> (from wk@gnupg.org on Mon Sep 1 07:37:45 2014)
Message-ID: <1409567297.5822.0@Kingston2>

On 01/09/14 07:37:45, Werner Koch wrote:
> On Sun, 31 Aug 2014 16:00, paul.lewis at quadensemble.com said:
>
> > I'd like to use the card manager function, but whenever I invoke it
> > the application returns the error "Error accessing the card", and
> > the status bar reports "Checking for card .. "
>
> I have actually to thank you for raising this issue:
>

My pleasure.

> The problem is that the gnome-keyring-daemon hijacks the inter
> process communication (IPC) between gpg and gpg-agent. It
> implements a very limited set of commands of gpg-agent but nothing
> more. Recent versions of GnuPG detect this and show a warning
> message or pop-up to tell you just this.
>
> Depending on the version of gnome-keyring-daemon, it is possible to
> disable the gpg-agent hijacking component.

I would be interested in how to accomplish this. If you can point me to
a thread or reference in the gnupg manual, that would be appreciated.

> Unfortunately it is hard
> to convince the maintainer to disable this mis-feature.
>

So Gnome breaks gnupg-agent and they will not fix it?

> See the mail thread starting with this mail for details:
>
> http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html
>
> > I presume, the system is misconfigured in some way. Any one got any
> > suggestions?
>
> You may want to bring this to the attention of your Linux
> distribution. The solution could be easy: The gpg-agent component
> needs to be disabled when building gnome-keyring-daemon:
>
> ./configure --disable-gpg-agent

I prefer the gpg-agent UI. Anyway, Seahorse doesn't seem to know about
smart cards so the whole reason I posted, to see my smart card in the
card display of gpa is defeated if I disable gpg-agent.
Unless I have the wrong end of the stick?

Regards

From travis.millburn at gmail.com Mon Sep 1 20:33:33 2014
From: travis.millburn at gmail.com (Travis Millburn)
Date: Mon, 1 Sep 2014 13:33:33 -0500
Subject: Problems installing 2.0.26 on Mavericks
Message-ID:

Hello,

I'm running into problems compiling GnuPG on my mac running OS X 10.9.4.
I have Google-ed at length and read the INSTALL and README files to no
avail. I'm hoping to get some help on the install, and thankful in
advance for any help.

I have downloaded the current version (2.0.26) and verified the checksum.

I used a standard configure:

$ ./configure

which results in:

GnuPG v2.0.26 has been configured as follows:

Revision: 5b2dcdd (23341)
Platform: Darwin (x86_64-apple-darwin13.3.0)

OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes (without internal CCID driver)
Gpgtar: no

Protect tool: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)

However, when I attempt to compile, I run into problems:

$ sudo make

In file included from ./stdint.h:66:
/usr/include/inttypes.h:235:8: error: unknown type name 'intmax_t'
extern intmax_t
       ^
/usr/include/inttypes.h:236:9: error: unknown type name 'intmax_t'
imaxabs(intmax_t j);
        ^
/usr/include/inttypes.h:240:2: error: unknown type name 'intmax_t'
 intmax_t quot;
 ^
/usr/include/inttypes.h:241:2: error: unknown type name 'intmax_t'
 intmax_t rem;
 ^
/usr/include/inttypes.h:246:9: error: unknown type name 'intmax_t'
imaxdiv(intmax_t __numer, intmax_t __denom);
        ^
/usr/include/inttypes.h:246:27: error: unknown type name 'intmax_t'
imaxdiv(intmax_t __numer, intmax_t __denom);
                          ^
/usr/include/inttypes.h:250:8: error: unknown type name 'intmax_t'
extern intmax_t
       ^
/usr/include/inttypes.h:256:8: error: unknown type name 'uintmax_t'; did you mean 'uintptr_t'?
extern uintmax_t
       ^
/usr/include/sys/_types/_uintptr_t.h:30:24: note: 'uintptr_t' declared here
typedef unsigned long uintptr_t;
                      ^
In file included from allocsa.c:21:
In file included from ./allocsa.h:23:
In file included from /usr/include/stdlib.h:65:
In file included from /usr/include/sys/wait.h:110:
In file included from /usr/include/sys/resource.h:72:
In file included from ./stdint.h:66:
/usr/include/inttypes.h:263:8: error: unknown type name 'intmax_t'
extern intmax_t
       ^
/usr/include/inttypes.h:269:8: error: unknown type name 'uintmax_t'; did you mean 'uintptr_t'?
extern uintmax_t
       ^
/usr/include/sys/_types/_uintptr_t.h:30:24: note: 'uintptr_t' declared here
typedef unsigned long uintptr_t;
                      ^
10 errors generated.
make[3]: *** [allocsa.o] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

GCC version:

$ g++ --version
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
Target: x86_64-apple-darwin13.3.0
Thread model: posix

Many many thanks in advance for any help received,

Travis Millburn
travis.millburn at gmail.com

From mailing-lists at asatiifm.net Mon Sep 1 23:15:29 2014
From: mailing-lists at asatiifm.net (Ville Määttä)
Date: Tue, 2 Sep 2014 00:15:29 +0300
Subject: Problems installing 2.0.26 on Mavericks
In-Reply-To:
References:
Message-ID: <4EBA6F7D-20F4-483D-9B91-41512A8BD9C9@asatiifm.net>

Hi,

If you don't have a specific reason for compiling yourself I'd look
into installing from Homebrew [1] or Macports [2] and possibly then
adding GPG Suite [3] without MacGPG component. I happened to run
through this myself just a couple weeks ago so I wrote it up on the
list [4].

[1] http://brew.sh
[2] https://www.macports.org
[3] https://gpgtools.org
[4] http://lists.gnupg.org/pipermail/gnupg-users/2014-August/050677.html

-- 
Ville Määttä

On 01 Sep 2014, at 21:33, Travis Millburn wrote:

> I'm running into problems compiling GnuPG on my mac running OS X 10.9.4.

From 2014-667rhzu3dc-lists-groups at riseup.net Mon Sep 1 23:46:38 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 1 Sep 2014 22:46:38 +0100
Subject: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
In-Reply-To: <54003426.4030003@signal100.com>
References: <20140823101653.711A12280FF@palinka.tinho.net> <53FD665F.8050103@signal100.com> <53FDAFF8.30702@gmail.com> <54003426.4030003@signal100.com>
Message-ID: <214785248.20140901224638@my_localhost>

Hi

On Friday 29 August 2014 at 9:04:54 AM, in , Mark Rousell wrote:

> Social interaction inevitably involves some extent of
> information sharing, and always has, but that doesn't
> mean that privacy (and all the nuanced concepts that
> are contained within that word) has somehow evaporated
> the first time you communicate with someone, or travel
> somewhere, etc.

I think one of the major problems with social networks is the
published and permanent record left behind by interactions that are
experienced in a similar way to casual conversations.

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

Why is the universe here? Well, where else would it be?

From mailing-lists at asatiifm.net Mon Sep 1 23:04:56 2014
From: mailing-lists at asatiifm.net (Ville Määttä)
Date: Tue, 2 Sep 2014 00:04:56 +0300
Subject: Smart Card 4096 Key Question
In-Reply-To: <54048038.3070508@nordnet.fr>
References: <5403933B.4070702@internexusconnect.net> <87tx4rrhk7.fsf@vigenere.g10code.de> <54048038.3070508@nordnet.fr>
Message-ID: <6415F0BA-AC1F-45C1-B465-3ECD5D4F9AB1@asatiifm.net>

I bought my SCR3500 and SCR335 V2 from Identive / Chipdrive [1]. I had
a problem adding VAT number to the order myself but at least they ship
(and kindly handled fixing the bill afterwards). Though, they only seem
to have an SCT3511 there, not a 3512.

[1] http://www.chipdrive.de

-- 
Ville Määttä

On 01 Sep 2014, at 17:18, Philip Jackson wrote:

> I tried to buy an SCT3512 usb key device from Amazon.de and also from SCM in
> Germany. Neither will ship to an address outside Germany.

From dkg at fifthhorseman.net Tue Sep 2 02:01:23 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 01 Sep 2014 20:01:23 -0400
Subject: [Announce] GPA 0.9.5 released
In-Reply-To: <87tx4rpxvc.fsf@vigenere.g10code.de>
References: <87tx4rpxvc.fsf@vigenere.g10code.de>
Message-ID: <540508D3.8070304@fifthhorseman.net>

On 09/01/2014 04:07 AM, Werner Koch wrote:
> I am pleased to announce GPA version 0.9.5.

Thanks for the updated release, Werner! I noticed a couple things from
a brief review of 0.9.5:

keyserver helpers and gpg 2.1
-----------------------------

GPA's configure.ac suggests that gpgkeys_ldap needs to exist. But in
the gpg 2.1 branch, the keys helpers have all been removed in favor of
dirmngr. Is gpa supposed to be compatible with the 2.1 branch of gpg?

misbehavior when no gpg-agent is available
------------------------------------------

As reported here:

  https://bugs.debian.org/760237#203

if no gpg-agent is available, i see the following two dialogs from a new
account:

> ------------------------------------------------------------------
> The GPGME library returned an unexpected error. The error was:
>
> Unknown option
>
> This is probably a bug in GPA.
> GPA will now try to recover from this error.
> [ Close ]
> ------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------
> You do not have a private key yet. Do you want to generate one now
> (recommended) or do it later?
>
> [ Generate key now ] [ Do it later ]
> ------------------------------------------------------------------
>
> This last dialog box just stays up, no matter what buttons i click.

I guess GPA should probably detect the absence of an agent, and either
warn the user of its absence or start one up automatically.

Regards,

   --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Tue Sep 2 03:29:36 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 1 Sep 2014 21:29:36 -0400 Subject: [PATCH] GPA: add a File|Close option to the card manager Message-ID: <1409621376-9174-1-git-send-email-dkg@fifthhorseman.net> All the other windows have a File|Close option, but the card manager only has File|Quit. As a result, a user who tries to close the card manager from the menubar will most likely shut down all of GPA, which may not be their intent. --- src/cardman.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/cardman.c b/src/cardman.c index c752442..844a44a 100644 --- a/src/cardman.c +++ b/src/cardman.c @@ -624,6 +624,15 @@ watcher_cb (void *opaque, const char *filename, const char *reason) } +/* Handle menu item "File/Close". */ +static void +file_close (GtkAction *action, gpointer param) +{ + GpaCardManager *cardman = param; + gtk_widget_destroy (GTK_WIDGET (cardman)); +} + + /* Construct the card manager menu and toolbar widgets and return them. */ static void @@ -638,6 +647,8 @@ cardman_action_new (GpaCardManager *cardman, GtkWidget **menubar, { "Card", NULL, N_("_Card"), NULL }, /* File menu. */ + { "FileClose", GTK_STOCK_CLOSE, NULL, NULL, + N_("Close the window"), G_CALLBACK (file_close) }, { "FileQuit", GTK_STOCK_QUIT, NULL, NULL, N_("Quit the program"), G_CALLBACK (gtk_main_quit) }, @@ -652,6 +663,7 @@ cardman_action_new (GpaCardManager *cardman, GtkWidget **menubar, "" " " " " + " " " " " " " " -- 2.1.0 From vedaal at nym.hush.com Tue Sep 2 04:39:00 2014 
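Review bot: In the first hunk (@@ -624,6 +624,15 @@), file_close() destroys the card manager widget directly, and the hunk's own context line shows a watcher_cb() defined just above it; nothing in the visible lines shows that the window's existing destroy path unregisters that watcher. File|Close makes destruction reachable from the menu while the rest of GPA keeps running, so it would help to confirm, in the commit message or in the comment above file_close(), that the watcher is released on destroy and cannot fire on a freed GpaCardManager. A minor style point in the same hunk: the `action` argument is unused, which is fine for a GtkAction callback but worth keeping consistent with how the other windows' close handlers are written.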
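Review bot: The third hunk (@@ -652,6 +663,7 @@) adds one line to the UI definition string, but in this archived copy the markup inside the string literals has been stripped, so the name and position of the new menu item cannot be checked here. Please verify against the original patch that the added item references the action name "FileClose" exactly as registered in the second hunk, and that it is placed before the "FileQuit" item so the File menu order matches the other GPA windows the commit message refers to.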
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 01 Sep 2014 22:39:00 -0400
Subject: Hal Finney
In-Reply-To: <5404CC30.3020309@sixdemonbag.org>
Message-ID: <20140902023901.2214560864@smtp.hushmail.com>

On 9/1/2014 at 3:46 PM, "Robert J. Hansen" wrote:

>I knew Hal, though not well. In my brief experiences with him he
>was
>witty, funny, and unfailingly kind.

=====

Back when I first started in PGP, and asked many silly questions that
exposed my ignorance, Hal Finney was one of the few who answered me
kindly and patiently.

>My thoughts are with his family. The world is diminished with his
>absence.

=====

Appealing to the science-fiction tendencies latent in many of the
cryptographic community, maybe the cryo-preservation will someday be
found to work, and the world will have him back again ...

with Profound Respect,

vedaal

From htd+ml at fritha.org Tue Sep 2 07:57:21 2014
From: htd+ml at fritha.org (Heinz Diehl)
Date: Tue, 2 Sep 2014 07:57:21 +0200
Subject: Smartcard and PIN cache
Message-ID: <20140902055721.GA24232@fritha.org>

Hi,

when decrypting a file with gpg2 in combination with a GnuPG v2.0
smartcard, my PIN, once entered, is cached a long time. Removing the
smartcard or the reader deletes the cache, of course.

Although I've read a bunch of documents and searched the net, I haven't
managed yet to find out how I can disable PIN caching *completely* in
this case. I'm aware of the "Signature PIN" option, and it's set to
"forced", but this does of course not affect decryption.

Is it possible to disable PIN caching entirely when using a smartcard,
and if so, how can I do this?

Thanks,
Heinz.

From wk at gnupg.org Tue Sep 2 08:51:15 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Sep 2014 08:51:15 +0200
Subject: [Announce] GPA 0.9.5 released
In-Reply-To: <540508D3.8070304@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 01 Sep 2014 20:01:23 -0400")
References: <87tx4rpxvc.fsf@vigenere.g10code.de> <540508D3.8070304@fifthhorseman.net>
Message-ID: <87k35mms64.fsf@vigenere.g10code.de>

On Tue, 2 Sep 2014 02:01, dkg at fifthhorseman.net said:

> GPA's configure.ac suggests that gpgkeys_ldap needs to exist. But in
> the gpg 2.1 branch, the keys helpers have all been removed in favor of
> dirmngr. Is gpa supposed to be compatible with the 2.1 branch of gpg?

Frankly, I have mostly tested it with 2.1.

> I guess GPA should probably detect the absence of an agent, and either
> warn the user of its absence or start one up automatically.

With 2.1 the default is anyway to start the agent automatically. I'll
add a warning dialog explaining that the agent is required. For the
smartcard support we need the agent anyway and can't fall back to the
1.4 smartcard solution. I do not think that the use of 1.4 is
appropriate with GPA and I doubt that it will work.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 2 08:56:00 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Sep 2014 08:56:00 +0200
Subject: [PATCH] GPA: add a File|Close option to the card manager
In-Reply-To: <1409621376-9174-1-git-send-email-dkg@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 1 Sep 2014 21:29:36 -0400")
References: <1409621376-9174-1-git-send-email-dkg@fifthhorseman.net>
Message-ID: <87fvgamry7.fsf@vigenere.g10code.de>

On Tue, 2 Sep 2014 03:29, dkg at fifthhorseman.net said:

> All the other windows have a File|Close option, but the card manager
> only has File|Quit. As a result, a user who tries to close the card
> manager from the menubar will most likely shut down all of GPA, which
> may not be their intent.

Pushed. Thanks.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 2 09:01:58 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Sep 2014 09:01:58 +0200
Subject: Smartcard and PIN cache
In-Reply-To: <20140902055721.GA24232@fritha.org> (Heinz Diehl's message of "Tue, 2 Sep 2014 07:57:21 +0200")
References: <20140902055721.GA24232@fritha.org>
Message-ID: <87bnqymro9.fsf@vigenere.g10code.de>

On Tue, 2 Sep 2014 07:57, htd+ml at fritha.org said:

> Is it possible to disable PIN caching entirely when using a smartcard,
> and if so, how can I do this?

There is no PIN caching at all. The card itself does what you call
"caching": As soon as you send a VERIFY command to the card (with the
PIN) the card enters a state which allows operation requiring this
VERIFY command until a reset or power-down. This is detailed in the
specs.

There is no command to explicitly do that. You may run "gpgconf
--reload scdaemon" to power down the card.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 2 09:09:57 2014
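Added example, not part of any message in this archive and not GnuPG or card firmware code: a small Python model of the card access state described in the "Smartcard and PIN cache" reply above, showing why decryption asks for the PIN once per power cycle while a forced "Signature PIN" asks before every signature. The APDU bytes (VERIFY 0x20 with P2 0x81/0x82, PSO 0x2A) follow ISO 7816-4 and the OpenPGP card specification; ModelCard, count_pin_prompts, the sample PIN, the 63Cx retry reporting and the host loop are constructed for illustration.

```python
import hmac

# ISO 7816-4 / OpenPGP card values used by this model.
INS_VERIFY, INS_PSO = 0x20, 0x2A
P2_PW1_SIGN = 0x81     # VERIFY mode checked by PSO:COMPUTE DIGITAL SIGNATURE
P2_PW1_OTHER = 0x82    # VERIFY mode checked by PSO:DECIPHER and authenticate
PSO_SIGN = (0x9E, 0x9A)
PSO_DECIPHER = (0x80, 0x86)
SW_OK = 0x9000
SW_SECURITY_NOT_SATISFIED = 0x6982
SW_AUTH_BLOCKED = 0x6983
SW_INS_NOT_SUPPORTED = 0x6D00
OPS = {"sign": (PSO_SIGN, P2_PW1_SIGN), "decrypt": (PSO_DECIPHER, P2_PW1_OTHER)}


class ModelCard:
    """Toy card: nothing caches the PIN, the card only keeps 'VERIFY ok' state."""

    def __init__(self, pin, signature_pin_forced=True):
        self._pin = pin
        self.signature_pin_forced = signature_pin_forced
        self.retries = 3
        self._verified = set()          # VERIFY modes currently satisfied

    def reset(self):
        """Reset or power-down: every earlier VERIFY is forgotten."""
        self._verified.clear()

    def _verify(self, mode, pin):
        if self.retries == 0:
            return SW_AUTH_BLOCKED
        if not hmac.compare_digest(pin, self._pin):
            self.retries -= 1
            self._verified.discard(mode)
            return 0x63C0 | self.retries    # 63Cx: x tries left (model choice)
        self.retries = 3
        self._verified.add(mode)
        return SW_OK

    def apdu(self, ins, p1, p2, data=b""):
        """Process one command and return its status word."""
        if ins == INS_VERIFY and p2 in (P2_PW1_SIGN, P2_PW1_OTHER):
            return self._verify(p2, data)
        if ins == INS_PSO and (p1, p2) == PSO_SIGN:
            if P2_PW1_SIGN not in self._verified:
                return SW_SECURITY_NOT_SATISFIED
            if self.signature_pin_forced:
                # "forced": one VERIFY authorises exactly one signature.
                self._verified.discard(P2_PW1_SIGN)
            return SW_OK
        if ins == INS_PSO and (p1, p2) == PSO_DECIPHER:
            # No per-operation flag exists for decryption in this model:
            # the state lasts until reset(), which is what looks like a cache.
            if P2_PW1_OTHER not in self._verified:
                return SW_SECURITY_NOT_SATISFIED
            return SW_OK
        return SW_INS_NOT_SUPPORTED


def count_pin_prompts(card, ops, pin):
    """Simplified host (not how scdaemon is implemented): try each operation
    and ask for the PIN only when the card answers 6982. "reset" in ops
    stands for a card reset or power-down. Returns the number of prompts."""
    prompts = 0
    for op in ops:
        if op == "reset":
            card.reset()
            continue
        (p1, p2), mode = OPS[op]
        sw = card.apdu(INS_PSO, p1, p2)
        if sw == SW_SECURITY_NOT_SATISFIED:
            prompts += 1
            if card.apdu(INS_VERIFY, 0x00, mode, pin) != SW_OK:
                raise PermissionError("VERIFY rejected")
            sw = card.apdu(INS_PSO, p1, p2)
        if sw != SW_OK:
            raise RuntimeError(f"{op} failed with status {sw:04X}")
    return prompts


def demo():
    pin = b"246810"                      # constructed sample PIN
    return {
        "3 decrypts": count_pin_prompts(ModelCard(pin), ["decrypt"] * 3, pin),
        "decrypt, reset, decrypt": count_pin_prompts(
            ModelCard(pin), ["decrypt", "reset", "decrypt"], pin),
        "3 signatures, forced": count_pin_prompts(
            ModelCard(pin, True), ["sign"] * 3, pin),
        "3 signatures, not forced": count_pin_prompts(
            ModelCard(pin, False), ["sign"] * 3, pin),
    }


if __name__ == "__main__":
    for scenario, prompts in demo().items():
        print(f"{scenario}: {prompts} PIN prompt(s)")
```

In the model, the "reset" step plays the role of the card power-down that the reply attributes to "gpgconf --reload scdaemon".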
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Sep 2014 09:09:57 +0200
Subject: gnupg privicy assistant - card manager.
In-Reply-To: <1409567297.5822.0@Kingston2> (Paul Lewis's message of "Mon, 01 Sep 2014 11:28:17 +0100")
References: <1409567297.5822.0@Kingston2>
Message-ID: <877g1mmray.fsf@vigenere.g10code.de>

On Mon, 1 Sep 2014 12:28, paul.lewis at quadensemble.com said:

> I would be interested in how to accomplish this. If you can point me to
> a thread or reference in the gnupg manual, that would be appreciated.

Simon Josefsson posted this at gnupg-devel:

  mkdir ~/.config/autostart/
  cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart/
  echo 'Hidden=true' >> ~/.config/autostart/gnome-keyring-gpg.desktop

  As far as I know, there is no GUI to do this in modern GNOME. It used
  to be possible through gnome-session-properties, but there is no way
  to do the same with gnome-tweak-tool.

> So Gnome breaks gnupg-agent and they will not fix it?

Seems so.

>> ./configure --disable-gpg-agent
>
> I prefer the gpg-agent UI. Anyway, Seahorse doesn't seem to know about
> smart cards so the whole reason I posted, to see my smart card in the
> card display of gpa is defeated if I disable gpg-agent.

The configure above was for gnome-keyring-daemon. It disables the
so-called gpg support over there and makes gpg-agent work. However, it
is easier to use Simon's way as shown above.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From htd+ml at fritha.org Tue Sep 2 11:21:03 2014
From: htd+ml at fritha.org (Heinz Diehl)
Date: Tue, 2 Sep 2014 11:21:03 +0200
Subject: Smartcard and PIN cache
In-Reply-To: <87bnqymro9.fsf@vigenere.g10code.de>
References: <20140902055721.GA24232@fritha.org> <87bnqymro9.fsf@vigenere.g10code.de>
Message-ID: <20140902092103.GB1755@fritha.org>

On 02.09.2014, Werner Koch wrote:

> There is no command to explicitly do that. You may run "gpgconf
> --reload scdaemon" to power down the card.

Thanks a lot for explaining this to me. Now it is clear.

From philip.jackson at nordnet.fr Tue Sep 2 15:14:54 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Tue, 02 Sep 2014 15:14:54 +0200
Subject: Smart Card 4096 Key Question
In-Reply-To: <6415F0BA-AC1F-45C1-B465-3ECD5D4F9AB1@asatiifm.net>
References: <5403933B.4070702@internexusconnect.net> <87tx4rrhk7.fsf@vigenere.g10code.de> <54048038.3070508@nordnet.fr> <6415F0BA-AC1F-45C1-B465-3ECD5D4F9AB1@asatiifm.net>
Message-ID: <5405C2CE.70200@nordnet.fr>

On 01/09/14 23:04, Ville Määttä wrote:
> I bought my SCR3500 and SCR335 V2 from Identive / Chipdrive [1]. I had a problem adding VAT number to the order myself but at least they ship (and kindly handled fixing the bill afterwards). Though, they only seem to have an SCT3511 there, not a 3512.
>
> [1] http://www.chipdrive.de
>

Thanks to all who have responded with offers of help.

I've had email correspondence from scm's web shop (scm-pc-card.de) and
they do send worldwide. Their webshop is not sophisticated enough to be
able to calculate post and packing costs for dispatches outside Germany
(not even for France which is next door and the scm3512 reader only
weighs 8g and doesn't appear more fragile than a usb memory stick).

But they have rapidly rectified the situation and sent me a pro-forma
invoice which I have paid online. So, I hope, my problem is now
resolved.

It is however, some years since I last encountered so much kerfuffle
for such a small purchase on the net. I point out too, that scm-pc-card
did reply promptly to my emails. A similar query sent to a French
company remains unanswered.

Regards,
Philip

From herbert.burnswell at gmail.com Tue Sep 2 20:30:00 2014
From: herbert.burnswell at gmail.com (Herb Burnswell)
Date: Tue, 2 Sep 2014 11:30:00 -0700
Subject: default user and recipient
In-Reply-To:
References:
Message-ID:

Hello Herb !

Herb Burnswell wrote:

> I am new to pgp and would like to understand the minimum flags that I
> should be using for my encryption/decryption needs. I just want to encrypt
> files for decryption by one other person. We have exchanged public keys.
> I have read in several places that I can run:
> gpg -e filename
> In ~/.gnupg/gpg.conf file, I set:
> default-recipient-self
> which I assume means that the default key (I only have one) is used for
> both encryption and decryption. However, I receive:

In GPG.CONF:
    default-key 0xCFAF704C
    default-recipient-self
    encrypt-to 0xCFAF704C
means that the default key for signature is defined; and the message or file will be encrypted always to it too, for your personal use, otherwise you couldn't read your own message.

If you got the public key of the other person, you need to tell GNUPG what you want; two ways for that:
    Add "-r person" on the command line
or
    default-recipient person (in GPG.CONF)

---------

Hi Laurent

Thank you for your reply. I have updated my gpg.conf and imported the pub key from the receiving user. I am planning on putting my encryption/decryption into a script. However, when I run:

# gpg -r -e

I receive:

There is no assurance this key belongs to the named user

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

Everything works fine upon replying 'y' but obviously this will not work in a script. Any idea of how to not have this check?

Thanks,

Herb

On Sat, Aug 30, 2014 at 9:53 PM, Laurent Jumet wrote:

> Hello Herb !
>
> Herb Burnswell wrote:
>
> > I am new to pgp and would like to understand the minimum flags that I
> > should be using for my encryption/decryption needs. I just want to
> encrypt
> > files for decryption by one other person. We have exchanged public keys.
> > I have read in several places that I can run:
> > gpg -e filename
> > In ~/.gnupg/gpg.conf file, I set:
> > default-recipient-self
> > which I assume means that the default key (I only have one) is used for
> > both encryption and decryption. However, I receive:
>
> In GPG.CONF:
> default-key 0xCFAF704C
> default-recipient-self
> encrypt-to 0xCFAF704C
> means that the default key for signature is defined; and the message or
> file will be encrypted always to it too, for your personal use, otherwise
> you
> couldn't read your own message.
>
> If you got the public key of the other person, you need to tell GNUPG
> what
> you want; two ways for that:
> Add "-r person" on the command line
> or
> default-recipient person (in GPG.CONF)
>
>
> --
> Laurent Jumet
> KeyID: 0xCFAF704C

From rjh at sixdemonbag.org Tue Sep 2 21:10:17 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 02 Sep 2014 15:10:17 -0400
Subject: default user and recipient
In-Reply-To:
References:
Message-ID: <54061619.60407@sixdemonbag.org>

> Everything works fine upon replying 'y' but obviously this will not work
> in a script. Any idea of how to not have this check?

If you're absolutely certain you want to disable that warning (and please think twice about it before you do, as it's there for a reason), then you may add:

    trust-model always

... to your gpg.conf file. Please take note of what it says in the manpage about this option, though: "You generally won't use this unless you are using some external validation scheme."

From 2014-667rhzu3dc-lists-groups at riseup.net Tue Sep 2 21:31:43 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Tue, 2 Sep 2014 20:31:43 +0100
Subject: default user and recipient
In-Reply-To:
References:
Message-ID: <763835417.20140902203143@my_localhost>

Hi

On Tuesday 2 September 2014 at 7:30:00 PM, in , Herb Burnswell wrote:

> There is no assurance this key belongs to the named
> user

> It is NOT certain that the key belongs to the person
> named in the user ID. If you *really* know what you
> are doing, you may answer the next question with yes.

> Use this key anyway? (y/N)

> Everything works fine upon replying 'y' but obviously
> this will not work in a script. Any idea of how to not
> have this check?

One way is to sign the key with a non-exportable (aka local) signature.

Another way is to include "--trust-model always" in your command line.

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

Pain is inevitable, but misery is optional.

From mailinglists at gusnan.se Tue Sep 2 23:58:02 2014
From: mailinglists at gusnan.se (Andreas Rönnquist)
Date: Tue, 2 Sep 2014 23:58:02 +0200
Subject: [PATCH] GPA: Add Keywords to desktop file
Message-ID: <20140902235802.5aa935d4@debian-workstation.lan>

Just a tiny patch to add keywords to the desktop file.
--- gpa.desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/gpa.desktop b/gpa.desktop index 789ce7c..a541a09 100644 --- a/gpa.desktop +++ b/gpa.desktop 
@@ -10,3 +10,4 @@ Icon=gpa Terminal=false Type=Application Categories=GTK;Application;Security;Utility; +Keywords=keyring;encryption;security;sign; -- 2.1.0

From parker131992 at gmail.com Fri Sep 5 01:13:51 2014
From: parker131992 at gmail.com (Parker Boxell)
Date: Thu, 4 Sep 2014 19:13:51 -0400
Subject: passphrase recovery
Message-ID:

Hello, I am contacting you because I need help recovering my passphrase. Is there any way to accomplish this? Basically my laptop screen broke now and I need to decrypt my word file that has my product keys but I cannot remember for the life of me what it is and have spent countless tries on the two phrases I think it is, and I am unable to change my passphrase due to the fact I no longer know it. Here are my details.

User Name:Parker Kane Boxell

Key ID 5E2A6915
Fingerprint 6887 7FCA 1BCB 8851 1A66 26CA 7C98 3024 5E2A 6915
Expires at: never expires
owner trust: ultimate
key validity: fully valid
key type: RSA-2048 bits
Created at: 2014-06-02

From tristan.santore at internexusconnect.net Fri Sep 5 11:14:53 2014
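Review bot: On the added Keywords= line in the gpa.desktop hunk of "[PATCH] GPA: Add Keywords to desktop file" above, the four terms leave out the names people are most likely to type into a launcher search, for example GnuPG, GPG, OpenPGP or certificate, and "sign" will match less than "signature" would; consider extending the list. Keywords is a localizable list key in the Desktop Entry Specification, so if the entries in gpa.desktop are translated the new line should be marked for translation too, and the one-line commit message could say why the key is wanted. The unchanged Categories= context line still carries the deprecated "Application" value that desktop-file-validate reports; that belongs in a separate follow-up rather than in this patch.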
From: tristan.santore at internexusconnect.net (Tristan Santore)
Date: Fri, 05 Sep 2014 10:14:53 +0100
Subject: passphrase recovery
In-Reply-To:
References:
Message-ID: <54097F0D.1050708@internexusconnect.net>

On 05/09/14 00:13, Parker Boxell wrote:
> Hello, I am contacting you because I need help recovering my
> passphrase. Is there any way to accomplish this? Basically my laptop
> screen broke now and I need to decrypt my word file that has my
> product keys but I cannot remember for the life of me what it is and
> have spent countless tries on the two phrases I think it is, and I am
> unable to change my passphrase due to the fact I no longer know it.
> Here are my details.
>
> User Name:Parker Kane Boxell
>
> Key ID 5E2A6915
> Fingerprint 6887 7FCA 1BCB 8851 1A66 26CA 7C98 3024 5E2A 6915
> Expires at: never expires
> owner trust: ultimate
> key validity: fully valid
> key type: RSA-2048 bits
> Created at: 2014-06-02

The whole point of using crypto is, to make it virtually impossible to retrieve your password for your key. Unless you can think of a keyword or something else that made up your pin/password, I would say it is virtually impossible, unless you made a fundamental mistake, such as using a very short password.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

From mac3iii at gmail.com Fri Sep 5 14:51:17 2014
From: mac3iii at gmail.com (Murphy)
Date: Fri, 05 Sep 2014 08:51:17 -0400
Subject: Installing GPA
Message-ID: <5409B1C5.1030702@gmail.com>

Making the switch to Linux (Ubuntu 14.04 LTS) has opened up whole new vistas in Gnupg. Installing the newest GPA was a bit of a challenge but well worth it. With Gnupg-2.0.26 installed I was never able to get GPA fully working. Errors such as: relocation error: gpa: symbol gpgme_op_spawn, version GPGME_1.1 not defined in file libgpgme.so.11 with link time reference, Unknown option, gpg-agent: no agent running, Certificate not recognized, etc, etc, etc.

Finally I installed Gnupg-2.1.0-beta783 on top of Gnupg-2.0.26 and GPA came to life. The gpg-agent runs, all certificates are recognized (where did all those expired ones come from???), and all error messages are gone.

I vote beta783 version is ready for production!!

Anybody know what would happen if I delete all those old expired certificates?

From wk at gnupg.org Sat Sep 6 10:27:41 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 06 Sep 2014 10:27:41 +0200
Subject: Installing GPA
In-Reply-To: <5409B1C5.1030702@gmail.com> (Murphy's message of "Fri, 05 Sep 2014 08:51:17 -0400")
References: <5409B1C5.1030702@gmail.com>
Message-ID: <8761h1b1c2.fsf@vigenere.g10code.de>

On Fri, 5 Sep 2014 14:51, mac3iii at gmail.com said:

> vistas in Gnupg. Installing the newest GPA was a bit of a challenge
> but well worth it. With Gnupg-2.0.26 installed I was never able to

You mean GPA 0.9.5?

> get GPA fully working. Errors such as: relocation error: gpa: symbol
> gpgme_op_spawn, version GPGME_1.1 not defined in file libgpgme.so.11

GPA 0.9.5 requires gpgme version 1.5.0 but you better use 1.5.1. Now it seems that you build against that gpgme versions but your shared library setup is not correct and thus GPA uses at runtime gpgme 1.4.x version. This leads to the error.

In case you installed gpgme to /usr/local you should add "/usr/local/lib" to your /etc/ld.so.conf and run ldconfig.

To diagnose the problem you may run "ldd gpa | grep libgpgme". This will be a symlink. If you follow that symlink (on a Linux machine) it should show libgpgme.so.11.13.x or libgpgme.so.11.12.x.

> gpg-agent runs, all certificates are recognized (where did all those
> expired ones come from???), and all error messages are gone.

I can't tell you - are these X.509 certificates?

> I vote beta783 version is ready for production!!

Unfortunately I am still aware of a couple of bugs. Despite that I am using 2.1 for years.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mac3iii at gmail.com Sat Sep 6 15:11:33 2014
From: mac3iii at gmail.com (Murphy)
Date: Sat, 06 Sep 2014 09:11:33 -0400
Subject: Installing GPA
In-Reply-To: <8761h1b1c2.fsf@vigenere.g10code.de>
References: <8761h1b1c2.fsf@vigenere.g10code.de>
Message-ID: <540B0805.2070200@gmail.com>

> You mean GPA 0.9.5?

Yes, GPA-0.9.5.

> In case you installed gpgme to /usr/local you should add
> "/usr/local/lib" to your /etc/ld.so.conf and run ldconfig.

Done! Thank you.

> To diagnose the problem you may run "ldd gpa | grep libgpgme".

Everything seems to be in order now. The result is:

    libgpgme.so.11 => /usr/local/lib/libgpgme.so.11

> I can't tell you - are these X.509 certificates?

Yes, X.509 certificates (14 expired out of 15). An example is:

    Issuer ...: /CN=7R-CA 1:PN/NameDistinguisher=1/O=Regulierungsbehörde für Telekommunikation und ....

I tried to delete a few of them using gpa 0.9.5 but kept getting the error message:

    GPGME library returned an unexpected error at gpakeydeleteop.c:208. The error was: No public key

These do not show up with the gpg2 -k command on my machine.

In case none of us has said so lately, thank you, Werner, for your immeasurable contributions to individual security and dignity throughout the world.

Sandy (Murphy)

From pete at heypete.com Sat Sep 6 23:40:03 2014
From: pete at heypete.com (Pete Stephenson)
Date: Sat, 06 Sep 2014 23:40:03 +0200
Subject: Is it possible to sign a message with multiple digest algorithms?
Message-ID: <540B7F33.3000708@heypete.com>

Hi all,

Is it possible to sign a message (or certify a key) with multiple digest algorithms?

For example, one might wish to sign a message with both SHA256 and RIPEMD160.

If so, how would one go about doing this?

I would imagine that, if possible, the command would be similar to "gpg --armor --digest-algo SHA256 RIPEMD160 --clearsign" but this fails.

If it is possible, how does GPG handle multiple signatures? That is, is it required that all signatures must be valid for the message to be considered valid, or is the message considered valid so long as one (out of many) signatures is valid?

The former behavior would be useful to ensure long-term message integrity, in case one of the digest algorithms were found to be weak.

The latter behavior would be useful when using digest algorithms without wide support (e.g. one might use SHA1 and SHA512, so as to support older clients while providing greater security for modern ones).

Cheers!
-Pete

From vedaal at nym.hush.com Sun Sep 7 03:40:00 2014
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Sat, 06 Sep 2014 21:40:00 -0400
Subject: Is it possible to sign a message with multiple digest algorithms?
In-Reply-To: <540B7F33.3000708@heypete.com>
Message-ID: <20140907014000.A2BFFC0103@smtp.hushmail.com>

On 9/6/2014 at 6:46 PM, "Pete Stephenson" wrote:
>
>Hi all,
>
>Is it possible to sign a message (or certify a key) with multiple
>digest
>algorithms?
>
>For example, one might wish to sign a message with both SHA256 and
>RIPEMD160.
>
>If so, how would one go about doing this?
>
>I would imagine that, if possible, the command would be similar to
>"gpg
>--armor --digest-algo SHA256 RIPEMD160 --clearsign" but this fails.
>
>If it is possible, how does GPG handle multiple signatures?

=====

It can be done if a separate signing subkey is used for each different digest.

vedaal

From dkg at fifthhorseman.net Sun Sep 7 07:10:54 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 07 Sep 2014 01:10:54 -0400
Subject: Is it possible to sign a message with multiple digest algorithms?
In-Reply-To: <20140907014000.A2BFFC0103@smtp.hushmail.com>
References: <20140907014000.A2BFFC0103@smtp.hushmail.com>
Message-ID: <540BE8DE.5060606@fifthhorseman.net>

On 09/06/2014 09:40 PM, vedaal at nym.hush.com wrote:
> On 9/6/2014 at 6:46 PM, "Pete Stephenson" wrote:
>> Is it possible to sign a message (or certify a key) with multiple
>> digest algorithms?
>>
>> For example, one might wish to sign a message with both SHA256 and
>> RIPEMD160.

> It can be done if a separate signing subkey is used for each different digest.

It should also be possible from a file format point of view to just produce two signatures (or two certifications) that differ only in the digest algorithm.

Presumably, if you're doing certifications (OpenPGP identity assertions) you might prefer to mark the stronger digest more recent than the weaker one (the finest resolution in the signature timestamps is 1 second, but that should be ok for most uses).

This is because most implementations only consider the most recent valid certification; so an implementation that knows how to interpret the stronger digest should prefer it, while one that only knows how to do the older digests should just ignore the more recent digest which it can't confirm and stick with the weaker one.

--dkg

From eva_suarez22 at hotmail.com Tue Sep 9 12:48:27 2014
From: eva_suarez22 at hotmail.com (Eva Suarez)
Date: Tue, 9 Sep 2014 12:48:27 +0200
Subject: Problems using gnupg
Message-ID:

Hi!

I'm trying to develop a script in python that decrypts a file with the extension .zip.pgp, and I found that I have to use gnupg.

But I'm having trouble, because I don't understand why the log says the process was ok, but I can find the decrypted file. The log is the following:

status: decryption ok
stderr: [GNUPG:] ENC_TO XXXXXXXXXX
[GNUPG:] ENC_TO XXXXXXXXXXXXXXX
[GNUPG:] USERID_HINT XXXXXXXX user
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXX XXXXXXXXXXXXXX
[GNUPG:] GOOD_PASSPHRASE
gpg: encrypted with RSA key, ID XXXXXXXX
[GNUPG:] NO_SECKEY XXXXXXXXXXXXXX
gpg: encrypted with 2048-bit RSA key, ID 4XXXXX, created 2014-05-12
user "
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT XXXXXX file.zip
[GNUPG:] PLAINTEXT_LENGTH 40384
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION

Thanks

From buctysc at 163.com Tue Sep 9 13:06:52 2014
From: buctysc at 163.com (buctysc)
Date: Tue, 9 Sep 2014 19:06:52 +0800
Subject: 'gpgme_op_export_keys' has not been declared
Message-ID:

OS: CENTOS 6.5
lang : node 0.10.31
headers:

    #include <iostream>
    #include <node.h>
    #include <v8.h>
    #include <node_buffer.h>
    #include <locale.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <gpgme.h>
    #include <cstring>

When I compile this C++ file I catch an error "'gpgme_op_export_keys' has not been declared", and I have no idea how to fix it.

From bernhard at intevation.de Wed Sep 10 09:14:32 2014
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 10 Sep 2014 09:14:32 +0200
Subject: Problems using gnupg
In-Reply-To:
References:
Message-ID: <201409100914.33975.bernhard@intevation.de>

Hi Eva,

On Tuesday 09 September 2014 at 12:48:27, Eva Suarez wrote:
> I'm trying to develop a script in python that decrypts a file with the
> extension .zip.pgp, and I found that I have to use gnupg.

which gpgme python wrapper are you using? pyme or pygpgme? You probably should use one of them, see http://wiki.gnupg.org/APIs

> But I'm having trouble, because I don't understand why the log says the
> process was ok, but I can find the decrypted file. The log is the following:

Can you decrypt on the command line? Note that there must be a way your private certificate is unlocked, the standard procedure may be to use an empty passphrase.

> [GNUPG:] NO_SECKEY XXXXXXXXXXXXXX
> gpg: encrypted with 2048-bit RSA key, ID 4XXXXX, created 2014-05-12
> user "
> [GNUPG:] BEGIN_DECRYPTION
> [GNUPG:] DECRYPTION_INFO 2 9
> [GNUPG:] PLAINTEXT XXXXXX file.zip
> [GNUPG:] PLAINTEXT_LENGTH 40384
> [GNUPG:] DECRYPTION_OKAY
> [GNUPG:] GOODMDC
> [GNUPG:] END_DECRYPTION

Best,
Bernhard

--
www.intevation.de/~bernhard (CEO) www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From sudhir at sudhirkhanger.com Wed Sep 10 09:50:01 2014
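A script that reads status lines like the ones in the log above can reduce them to a decision instead of matching on "decryption ok". The following is an added example, not code from the thread or from any GnuPG wrapper: the function names are hypothetical, the sample stream is constructed with invented key IDs, and it relies on the documented meaning of the status keywords that appear in the log.

```python
from urllib.parse import unquote

PREFIX = "[GNUPG:] "

# Constructed sample shaped like the log in the thread; the key IDs and the
# timestamp are invented placeholders.
SAMPLE = """\
[GNUPG:] ENC_TO 1111111111111111 1 0
[GNUPG:] ENC_TO 2222222222222222 1 0
[GNUPG:] USERID_HINT 1111111111111111 user
[GNUPG:] NEED_PASSPHRASE 1111111111111111 1111111111111111 1 0
[GNUPG:] GOOD_PASSPHRASE
gpg: encrypted with RSA key, ID 22222222
[GNUPG:] NO_SECKEY 2222222222222222
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1410259707 file.zip
[GNUPG:] PLAINTEXT_LENGTH 40384
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""


def summarise_decryption(status_text):
    """Reduce a --status-fd stream to the facts a calling script should act on."""
    info = {
        "recipients": [],       # key IDs the message was encrypted to
        "no_secret_key": [],    # recipients for which no secret key is held
        "embedded_name": None,  # file name recorded inside the message
        "length": None,
        "decrypted": False,
        "integrity_ok": False,
        "failed": False,
    }
    for raw in status_text.splitlines():
        if not raw.startswith(PREFIX):
            continue  # "gpg: ..." lines are for humans, not a stable interface
        fields = raw[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "ENC_TO" and args:
            info["recipients"].append(args[0])
        elif keyword == "NO_SECKEY" and args:
            info["no_secret_key"].append(args[0])
        elif keyword == "PLAINTEXT" and len(args) >= 3:
            # PLAINTEXT reports the name stored in the message. It is not a
            # path gpg wrote to: the data goes to wherever the caller sent
            # gpg's output (standard output unless an output file was given).
            info["embedded_name"] = unquote(args[2])
        elif keyword == "PLAINTEXT_LENGTH" and args:
            info["length"] = int(args[0])
        elif keyword == "DECRYPTION_OKAY":
            info["decrypted"] = True
        elif keyword == "GOODMDC":
            info["integrity_ok"] = True
        elif keyword in ("DECRYPTION_FAILED", "BADMDC"):
            info["failed"] = True
    # NO_SECKEY for one recipient is harmless when another key decrypted.
    info["accept"] = (info["decrypted"] and info["integrity_ok"]
                      and not info["failed"])
    return info


def safe_output_name(info, fallback="decrypted.out"):
    """Choose a local file name; the embedded name is sender-controlled."""
    name = info["embedded_name"] or ""
    base = name.replace("\\", "/").split("/")[-1]
    return base if base not in ("", ".", "..") else fallback
```
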
From: sudhir at sudhirkhanger.com (Sudhir Khanger)
Date: Wed, 10 Sep 2014 13:20:01 +0530
Subject: ssh-add -l like command in gpg
Message-ID: <2891974.EKGjS7JQLj@fedora>

Hello,

Is there a way to tell if a GPG key's passphrase is cached or not? Just like ssh-add -l prints all the keys that are in current keychain ready to be used.

--
Regards,
Sudhir Khanger,
http://sudhirkhanger.com
http://github.com/donniezazen
Fingerprint: 49DD C204 6035 CD92 6949 3BFD EE67 D28C 9F14 497B

From wk at gnupg.org Wed Sep 10 11:25:41 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Sep 2014 11:25:41 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <2891974.EKGjS7JQLj@fedora> (Sudhir Khanger's message of "Wed, 10 Sep 2014 13:20:01 +0530")
References: <2891974.EKGjS7JQLj@fedora>
Message-ID: <87oaun3jze.fsf@vigenere.g10code.de>

On Wed, 10 Sep 2014 09:50, sudhir at sudhirkhanger.com said:

> Is there a way to tell if a GPG key's passphrase is cached or not? Just like

This can't work because it creates a race condition. It is well possible that key's passphrase expires from the cache after an info function told you that the passphrase for the key is currently cached.

"ssh-add -l" is different in that it only tells you which keys are available but not which have a cached passphrase. This is the same as running "gpg -K".

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Wed Sep 10 14:36:24 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 10 Sep 2014 14:36:24 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <2891974.EKGjS7JQLj@fedora>
References: <2891974.EKGjS7JQLj@fedora>
Message-ID: <8110680.E3LOmOHyc7@inno>

On Wed 10.09.2014, 13:20:01, Sudhir Khanger wrote:
> Hello,
>
> Is there a way to tell if a GPG key's passphrase is cached or not?
> Just like ssh-add -l prints all the keys that are in current keychain
> ready to be used.

I am working on a Python script which does that as preparation for its main task. You could probably easily adapt it to your needs. Of course, it does not (cannot) solve the race condition Werner mentioned.

The general approach is to read the fingerprints of all available secret mainkeys and subkeys

    gpg --with-colons --fingerprint --fingerprint --list-secret-keys

and check for each entry whether gpg-agent knows the fingerprint:

    gpg-connect-agent "GET_PASSPHRASE --data --no-ask "\
    "4F7E9F723D197D667842AE115F048E6F0E4B4494 t1 t2 t3" /bye

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From wk at gnupg.org Wed Sep 10 15:35:46 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Sep 2014 15:35:46 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <8110680.E3LOmOHyc7@inno> (Hauke Laging's message of "Wed, 10 Sep 2014 14:36:24 +0200")
References: <2891974.EKGjS7JQLj@fedora> <8110680.E3LOmOHyc7@inno>
Message-ID: <87ha0fvbrh.fsf@vigenere.g10code.de>

On Wed, 10 Sep 2014 14:36, mailinglisten at hauke-laging.de said:

> gpg-connect-agent "GET_PASSPHRASE --data --no-ask "\
> "4F7E9F723D197D667842AE115F048E6F0E4B4494 t1 t2 t3" /bye

Note that this won't work anymore with 2.1.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Wed Sep 10 15:47:11 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 10 Sep 2014 15:47:11 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <87ha0fvbrh.fsf@vigenere.g10code.de>
References: <2891974.EKGjS7JQLj@fedora> <8110680.E3LOmOHyc7@inno> <87ha0fvbrh.fsf@vigenere.g10code.de>
Message-ID: <1574012.HZjIyMoRo6@inno>

On Wed 10.09.2014, 15:35:46, Werner Koch wrote:
> On Wed, 10 Sep 2014 14:36, mailinglisten at hauke-laging.de said:
> > gpg-connect-agent "GET_PASSPHRASE --data --no-ask "\
> > "4F7E9F723D197D667842AE115F048E6F0E4B4494 t1 t2 t3" /bye
>
> Note that this won't work anymore with 2.1.

Not at all or just not this way?

I think there really should be a way for syncing the passphrase cache within a certificate. If that is not possible externally then gpg/gpg-agent should provide an internal solution.

Users don't understand why they have to enter the same passphrase twice. And indeed it doesn't make sense that they have to.

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From wk at gnupg.org Wed Sep 10 16:30:23 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Sep 2014 16:30:23 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <1574012.HZjIyMoRo6@inno> (Hauke Laging's message of "Wed, 10 Sep 2014 15:47:11 +0200")
References: <2891974.EKGjS7JQLj@fedora> <8110680.E3LOmOHyc7@inno> <87ha0fvbrh.fsf@vigenere.g10code.de> <1574012.HZjIyMoRo6@inno>
Message-ID: <877g1bv98g.fsf@vigenere.g10code.de>

On Wed, 10 Sep 2014 15:47, mailinglisten at hauke-laging.de said:

>> Note that this won't work anymore with 2.1.
>
> Not at all or just not this way?

Not at all. gpg 2.1 does not use GET_PASSPHRASE.

> Users don't understand why they have to enter the same passphrase twice.
> And indeed it doesn't make sense that they have to.

This is on my shortlist.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From sudhir at sudhirkhanger.com Wed Sep 10 21:08:18 2014
From: sudhir at sudhirkhanger.com (Sudhir Khanger)
Date: Thu, 11 Sep 2014 00:38:18 +0530
Subject: ssh-add -l like command in gpg
In-Reply-To: <87oaun3jze.fsf@vigenere.g10code.de>
References: <2891974.EKGjS7JQLj@fedora> <87oaun3jze.fsf@vigenere.g10code.de>
Message-ID: <4151187.la5bWyoMy7@fedora>

On Wednesday, September 10, 2014 11:25:41 AM Werner Koch wrote:
> "ssh-add -l" is different in that it only tells you which keys are
> available but not which have a cached passphrase. This is the same as
> running "gpg -K".

As long as ssh-add -l shows a ssh key, it doesn't ask for passphrase, at least that has been my experience. gpg -K shows list of secret keys which does ask for passphrase.

--
Regards,
Sudhir Khanger,
http://sudhirkhanger.com
http://github.com/donniezazen
Fingerprint: 49DD C204 6035 CD92 6949 3BFD EE67 D28C 9F14 497B

From wk at gnupg.org Thu Sep 11 11:57:06 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 11 Sep 2014 11:57:06 +0200
Subject: ssh-add -l like command in gpg
In-Reply-To: <4151187.la5bWyoMy7@fedora> (Sudhir Khanger's message of "Thu, 11 Sep 2014 00:38:18 +0530")
References: <2891974.EKGjS7JQLj@fedora> <87oaun3jze.fsf@vigenere.g10code.de> <4151187.la5bWyoMy7@fedora>
Message-ID: <87y4tqtr7x.fsf@vigenere.g10code.de>

On Wed, 10 Sep 2014 21:08, sudhir at sudhirkhanger.com said:

> that has been my experience. gpg -K shows list of secret keys which does ask
> for passphrase.

Nope. "gpg --list-secret-keys" (aka "gpg -K") shows all keys for which the corresponding private (aka secret) key exists.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From emunch at utmi.in Fri Sep 12 15:03:53 2014
From: emunch at utmi.in (Sam M)
Date: Fri, 12 Sep 2014 18:33:53 +0530
Subject: Automated Batch Subkey Creation
Message-ID:

Hello.

I'm new to the list. I have some familiarity with GPG and have a particular requirement. I really hope someone can point me to where I can get more information on this or let me know if this is not possible.

I have to automate the following task. The result I am looking to get is a master key pair with four sub-keys, one for encryption, two for signing and one for authentication. Each sub-key also has to have a revocation key. I have to do this in an automatic manner. In addition to this, I need to separate out one signing key and the authentication key into separate files. I have to do this in batch mode since human intervention is not possible.

At this point, I have understood how to make a master key with one sub-key in batch mode. The GPG command and the batch file are from https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html .

How can I automate the creation of a sub-key?

Thanks in advance.

Sam

------

cat >foo <

From wk at gnupg.org Fri Sep 12 17:15:59 2014
From: wk at gnupg.org (Werner Koch)
Date: Fri, 12 Sep 2014 17:15:59 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To: (Sam M.'s message of "Fri, 12 Sep 2014 18:33:53 +0530")
References:
Message-ID: <87ppf0rhsg.fsf@vigenere.g10code.de>

On Fri, 12 Sep 2014 15:03, emunch at utmi.in said:

> How can I automate the creation of a sub-key?

You use

    gpg --command-fd N --status-fd M --with-colons --edit-key MAINKEY

and write a state machine to reply on the requests from --status-fd with data on --command-fd. You may also use gpgme's support for this. If you need an example, you may want to check out the GPA code.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From emunch at utmi.in Sat Sep 13 08:24:43 2014
From: emunch at utmi.in (Sam M)
Date: Sat, 13 Sep 2014 11:54:43 +0530
Subject: Automated Batch Subkey Creation
In-Reply-To: <87ppf0rhsg.fsf@vigenere.g10code.de>
References: <87ppf0rhsg.fsf@vigenere.g10code.de>
Message-ID:

Hello Werner.

Thanks for your help.

Where can I find the GPA code? Examples would be very helpful.

On 12 September 2014 20:45, Werner Koch wrote:

> On Fri, 12 Sep 2014 15:03, emunch at utmi.in said:
>
> > How can I automate the creation of a sub-key?
>
> You use
>
> gpg --command-fd N --status-fd M --with-colons --edit-key MAINKEY
>
> and write a state machine to reply on the requests from --status-fd with
> data on --command-fd. You may also use gpgme's support for this. If
> you need an example, you may want to check out the GPA code.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>

From wk at gnupg.org Sat Sep 13 12:32:24 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 13 Sep 2014 12:32:24 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To: (Sam M.'s message of "Sat, 13 Sep 2014 11:54:43 +0530")
References: <87ppf0rhsg.fsf@vigenere.g10code.de>
Message-ID: <87wq97olon.fsf@vigenere.g10code.de>

On Sat, 13 Sep 2014 08:24, emunch at utmi.in said:

> Where can I find the GPA code? Examples would be very helpful.

ftp://ftp.gnupg.org/gcrypt/gpa/

or at http://git.gnupg.org

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From emunch at utmi.in Sat Sep 13 13:23:09 2014
From: emunch at utmi.in (Sam M)
Date: Sat, 13 Sep 2014 16:53:09 +0530
Subject: Automated Batch Subkey Creation
In-Reply-To: <87wq97olon.fsf@vigenere.g10code.de>
References: <87ppf0rhsg.fsf@vigenere.g10code.de> <87wq97olon.fsf@vigenere.g10code.de>
Message-ID:

Werner,

I'm not a programmer, so I don't know much about source code. But I had downloaded the code for GPA. And to try and find an example, I did a grep on the option command-fd. I didn't find anything.

I would be grateful if you could point out the example you're referring to, or just give me one.

Thanks.

On 13 September 2014 16:02, Werner Koch wrote:

> On Sat, 13 Sep 2014 08:24, emunch at utmi.in said:
>
> > Where can I find the GPA code? Examples would be very helpful.
>
> ftp://ftp.gnupg.org/gcrypt/gpa/
>
> or at http://git.gnupg.org
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>

From wk at gnupg.org Sat Sep 13 15:12:42 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 13 Sep 2014 15:12:42 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To: (Sam M.'s message of "Sat, 13 Sep 2014 16:53:09 +0530")
References: <87ppf0rhsg.fsf@vigenere.g10code.de> <87wq97olon.fsf@vigenere.g10code.de>
Message-ID: <8738bvoe9h.fsf@vigenere.g10code.de>

On Sat, 13 Sep 2014 13:23, emunch at utmi.in said:

> I'm not a programmer, so I don't know much about source code. But I had

Then I suggest to hire one for the task you are planning to do.
Unattended subkey generation is definitely nothing an average computer
user would do.

> I would be grateful if you could point out the example you're referring to,
> or just give me one.

It requires that you have the skills to transform that into a different
program but as you stated you are not a programmer.  Anyway:

  gpa/src/gpgmeedit.c

implements the state machine which is used by GPA to perform advanced
operations on a key (i.e. a limited GUI equivalent of "gpg --edit-key").
There are some comments explaining how this works.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From mailinglisten at hauke-laging.de Sat Sep 13 15:19:36 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 13 Sep 2014 15:19:36 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To:
References: <87wq97olon.fsf@vigenere.g10code.de>
Message-ID: <9165039.3MGhes33ai@inno>

On Sat 13.09.2014, 16:53:09, Sam M wrote:
> Werner,
>
> I'm not a programmer, so I don't know much about source code. But I
> had downloaded the code for GPA. And to try and find an example, I
> did a grep on the option command-fd. I didn't find anything.
>
> I would be grateful if you could point out the example you're
> referring to, or just give me one.

Try this (shell code, bash):

echo addkey$'\n'8$'\n'e$'\n'q$'\n'${subkeylength}$'\n'"$expire_period"\
$'\n'save$'\n' |
LC_ALL= LANGUAGE=en gpg --expert --batch --display-charset utf-8 \
--passphrase "$PASSPHRASE" --command-fd 0 --edit-key $short_id

Adapt the input after "8" to the capability flags you need.

I use that in my (German) script for creating offline mainkeys:

http://www.openpgp-schulungen.de/scripte/keygeneration/#download


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From wk at gnupg.org Sat Sep 13 16:20:42 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 13 Sep 2014 16:20:42 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To: <9165039.3MGhes33ai@inno> (Hauke Laging's message of "Sat, 13 Sep 2014 15:19:36 +0200")
References: <87wq97olon.fsf@vigenere.g10code.de> <9165039.3MGhes33ai@inno>
Message-ID: <87wq97mwjp.fsf@vigenere.g10code.de>

On Sat, 13 Sep 2014 15:19, mailinglisten at hauke-laging.de said:

> Try this (shell code, bash):

That is of course version and configure option specific because it uses
canned commands.  If it works for you, fine but you should be aware of
that restriction.

Now, is adding a subkey a regular business of gpg users?  If we can
assume that it is used as often as --export-secret-subkeys, I am willing
to add a --quick-gen-subkey command for 2.1.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From mailinglisten at hauke-laging.de Sat Sep 13 16:38:23 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 13 Sep 2014 16:38:23 +0200
Subject: Automated Batch Subkey Creation
In-Reply-To: <87wq97mwjp.fsf@vigenere.g10code.de>
References: <9165039.3MGhes33ai@inno> <87wq97mwjp.fsf@vigenere.g10code.de>
Message-ID: <2120077.XEixOQeP0X@inno>

On Sat 13.09.2014, 16:20:42, Werner Koch wrote:
> On Sat, 13 Sep 2014 15:19, mailinglisten at hauke-laging.de said:
> > Try this (shell code, bash):
> That is of course version and configure option specific because it
> uses canned commands.  If it works for you, fine but you should be
> aware of that restriction.

Since more or less the first version of the script there is this line:

# TODO: [...]
# - status-fd/command-fd driver handler (instead of echo addkey$'\n'...)

;-)

> Now, is adding a subkey a regular business of gpg users?

That's not the point here. The question is: Is adding subkeys in batch
mode regular business? I have pointed askers here once or twice to my
script. How many may be out there if it's asked once every six months?
I have no idea.

> If we can
> assume that it is used as often as --export-secret-subkeys, I am
> willing to add a --quick-gen-subkey command for 2.1.

This is not about subkeys only. Maybe the former questions referred to
UIDs.

It might be easier and a suitable solution to either provide a script
with GnuPG which does that (both for subkeys and for UIDs) or put some
example code in the man page (like there is already shell code in the
gpg-agent man page) or the DETAILS file.

If you have not written such a script yet: I have to do that anyway.


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
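[Added example, not part of any list message and not code from GnuPG, GPA or the script linked above.] The state-machine approach described in this thread, written in Python: each --status-fd request is answered by its prompt keyword instead of by position, so a prompt that is missing or unexpected cannot receive an answer meant for another one, which is the restriction of canned input raised above. The class and function names, the sample transcript, the fingerprint and the values 2048 and 1y are constructed for illustration; the prompt keywords are assumed to match the installed gpg and should be checked against its status output.

```python
import subprocess
from collections import deque

PREFIX = "[GNUPG:] "


class UnexpectedPrompt(Exception):
    """gpg asked for something this driver was not told how to answer."""


class SubkeyDriver:
    """Answers one `addkey` dialogue by prompt keyword, not by input position."""

    def __init__(self, answers):
        # keyword -> replies consumed in order (keygen.flags is asked repeatedly)
        self.answers = {k: deque(v) for k, v in answers.items()}
        self.state = "start"  # start -> generating -> created -> saved | failed
        self.fingerprint = None

    def feed(self, line):
        """Take one --status-fd line; return the --command-fd reply or None."""
        if not line.startswith(PREFIX):
            return None  # key listings and other non-status output
        fields = line[len(PREFIX):].split()
        if not fields:
            return None
        tag, args = fields[0], fields[1:]
        if tag == "KEY_CREATED" and len(args) >= 2:
            self.state, self.fingerprint = "created", args[1]
        elif tag == "GET_LINE" and args:
            return self._line(args[0])
        elif tag == "GET_BOOL" and args:
            return self._bool(args[0])
        elif tag == "GET_HIDDEN":
            # Never feed a secret to a prompt the driver does not expect.
            raise UnexpectedPrompt(" ".join(fields))
        return None  # GOT_IT and informational status lines

    def _line(self, keyword):
        if keyword == "keyedit.prompt":
            if self.state == "start":
                self.state = "generating"
                return "addkey"
            if self.state == "created":
                self.state = "saved"
                return "save"
            self.state = "failed"  # menu came back without KEY_CREATED
            return "quit"
        queue = self.answers.get(keyword)
        if self.state != "generating" or not queue:
            raise UnexpectedPrompt(keyword)
        return queue.popleft()

    def _bool(self, keyword):
        if keyword == "keyedit.save.okay":
            return "y" if self.state == "created" else "n"
        raise UnexpectedPrompt(keyword)


def replay(driver, status_lines):
    """Feed a status transcript to the driver; return its replies in order."""
    return [r for r in map(driver.feed, status_lines) if r is not None]


def drive_gpg(key_id, driver, gpg="gpg"):
    """Live run (assumes gpg on PATH): commands on fd 0, status on fd 1."""
    cmd = [gpg, "--expert", "--no-tty", "--command-fd", "0",
           "--status-fd", "1", "--edit-key", key_id]
    with subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True) as proc:
        try:
            for line in proc.stdout:
                reply = driver.feed(line.rstrip("\n"))
                if reply is not None:
                    proc.stdin.write(reply + "\n")
                    proc.stdin.flush()
        except UnexpectedPrompt:
            proc.kill()  # stop instead of guessing an answer
            raise
    return proc.returncode, driver.state


# Replies in the order of the canned input posted in this thread; the key
# size "2048" and expiry "1y" are assumed values standing in for its variables.
ANSWERS = {"keygen.algo": ["8"], "keygen.flags": ["e", "q"],
           "keygen.size": ["2048"], "keygen.valid": ["1y"]}

# Constructed transcript, not captured from a real run; fingerprint is made up.
SAMPLE_STATUS = """\
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keygen.algo
[GNUPG:] GET_LINE keygen.flags
[GNUPG:] GET_LINE keygen.flags
[GNUPG:] GET_LINE keygen.size
[GNUPG:] GET_LINE keygen.valid
[GNUPG:] KEY_CREATED S 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] GET_LINE keyedit.prompt""".splitlines()
```

Only drive_gpg starts gpg; replay can be run against recorded status output to check the answers before a key is touched.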
From ricul77 at gmail.com Sat Sep 13 22:02:31 2014
From: ricul77 at gmail.com (Richard Ulrich)
Date: Sat, 13 Sep 2014 22:02:31 +0200
Subject: setting env vars for gpg-agent
Message-ID: <1410638551.5961.6.camel@quadulrich>

After gpg-agent stopped to work for ssh auth from OpenPGP smartcard
after some ubuntu upgrade a while back, I launch it and set the env
variables in ~/.bashrc.
Since then I have to launch evolution from the terminal to have gnupg
correctly work with it.
But even if I launch firefox from the terminal, it doesn't seem to get
the settings for enigform.

Where would be a better place for that. The gnupg docs suggest
~/.xsession. But that file didn't exist on my machine, and since unity
is not based on X11 I doubt that it is read at all. In fact, I just
copied the relevant lines from my .bashrc to .xsession and it didn't
work neither for evolution nor for firefox.
Also ~/.profile doesn't seem to be the right place, as it just
calls .bashrc

These are my lines in .bashrc:

# If the agent is not already running, start it
if ! ps aux | grep -q [e]nable-ssh-support; then
    /usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info" > /dev/null
fi;
#And then read info back
eval $(cat $HOME/.gpg-agent-info) > /dev/null

And here is the documentation I was referring to:
https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

So, where should I put those lines for that firefox receives the correct
env vars?

Rgds
Richard

From wk at gnupg.org Sun Sep 14 11:31:33 2014
From: wk at gnupg.org (Werner Koch)
Date: Sun, 14 Sep 2014 11:31:33 +0200
Subject: setting env vars for gpg-agent
In-Reply-To: <1410638551.5961.6.camel@quadulrich> (Richard Ulrich's message of "Sat, 13 Sep 2014 22:02:31 +0200")
References: <1410638551.5961.6.camel@quadulrich>
Message-ID: <8738bumtu2.fsf@vigenere.g10code.de>

On Sat, 13 Sep 2014 22:02, ricul77 at gmail.com said:

> After gpg-agent stopped to work for ssh auth from OpenPGP smartcard
> after some ubuntu upgrade a while back, I launch it and set the env
> variables in ~/.bashrc.

I suggest to launch gpg-agent on the fly:  Add

  use-standard-socket

to ~/.gnupg/gpg-agent.conf and remove all settings of GPG_AGENT_INFO.  I
use this in my ~/.bashrc :

--8<---------------cut here---------------start------------->8---
# If running interactively, then:
if [ "$PS1" ]; then

    # Setup information required by GnuPG and ssh.  We use the standard
    # socket in GnuPG's homedir, thus there is no need for an
    # environment variable.  We reset any left over envvar.
    # SSH_AGENT_PID should not be set either because it is only used to
    # kill ssh-agent (option -k) but we don't want this to kill
    # gpg-agent.  Because ssh does not know about GnuPG's homedir we
    # need to set its envvar to gpg-agent's ssh socket.  GPG_TTY needs
    # to be set to the current TTY.  The extra test is used to avoid
    # setting SSH_AUTH_SOCK if gpg-agent has been started with the
    # shell on the command line (often used for testing).
    unset GPG_AGENT_INFO
    unset SSH_AGENT_PID
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
        export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    fi
fi
export GPG_TTY=$(tty)
--8<---------------cut here---------------end--------------->8---

If you want to use gpg-agent's ssh-agent implementation, you need to make
sure that gpg-agent is started (because ssh does not know how to start
gpg-agent).  You may do this with

  "gpg-connect-agent /bye"

This works since 2.0.16 released 4 years ago.
Recent veNote that if you have ~/.gnupg on some remote file system, this may not work. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From bonneau at sanboa.info Sun Sep 14 23:05:08 2014 
From: bonneau at sanboa.info (bonneau at sanboa.info) Date: Sun, 14 Sep 2014 23:05:08 +0200 Subject: Help about GnuPG 1.4.9 Message-ID: Hello, I'm a completly new possible user of macgpg. I want to use it but somme security questions don't be resolved : I've a Mac with Mac OS 10.5.8 Intel Core 2 duo with AppleMail 3.6 and want to download the free software. I've falled on this site : http://macgpg.sourceforge.net/fr/index.html which lets download this : GNU Privacy Guard - pour Mac OS X 10.1 (et suivantes) Pour Mac OS X 10.4.x et plus nouveau GnuPG v2.x, now a separate project. 1.4.9, MD5: 36d9eb482a98774521bfd7bb73e4ad06 I've choosen 1.4.9 The link is : http://sourceforge.net/projects/macgpg/files/GnuPG%20for%20OS%20X/1.4.9/GnuPG1.4.9.dmg/download?use_mirror=garr&download= But after, I've read : Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation. on : https://www.gnupg.org/download/integrity_check.html and that's the problem for me : how can I know if the software downloaded is secure or not ? I followed the advices : gpg --verify 1.4.9 sha1sum 1.4.9 etc., on Terminal.app but never appeared the good suite MD5 of numbers and letters ! 
history: 'openssl md5 [nomDeFichier]'Last login: Sun Aug 16 17:52:58 on console Ordinateur-839:~ alain1$ 'openssl md5 [/Users/alain1/Desktop/ GnuPG1.4.9.dmg ]'-bash: openssl md5 [/Users/alain1/Desktop/ GnuPG1.4.9.dmg ]: No such file or directory Ordinateur-839:~ alain1$ 'openssl md5 [GnuPG1.4.9]' -bash: openssl md5 [GnuPG1.4.9]: command not found Ordinateur-839:~ alain1$ openssl md5 [/Users/alain1/Desktop/ GnuPG1.4.9.dmg]' > 'openssl md5 [/Volumes/GnuPG\ Mac\ OS\ X\ 1.4.9/GnuPG\ for\ Mac\ OS \ X\ 1.4.9.mpkg ]' > openssl md5 <1.4.9> > sha1sum /Volumes/GnuPG\ Mac\ OS\ X\ 1.4.9/GnuPG\ for\ Mac\ OS\ X\ 1.4.9.mpkg > sha1sum 1.4.9 > sha1sum/Volumes/GnuPG\ Mac\ OS\ X\ 1.4.9 > sha1sum /Users/alain1/Desktop/GnuPG1.4.9.dmg > sha1sum <1.4.9> > sha1sum GnuPG1.4.9.dmg > openssl md5 > openssl md5 GnuPG Mac OS X 1.4.9 > openssl md5 [GnuPG Mac OS X 1.4.9] > gpg --verify /Volumes/GnuPG\ Mac\ OS\ X\ 1.4.9 > gpg --verify 1.4.9 > openssl md5 > 'openssl md5 [/Users/alain1/Desktop/GnuPG1.4.9.dmg]' > openssl md5 [/Users/alain1/Desktop/GnuPG1.4.9.dmg] > sha1sum /Volumes/GnuPG\ Mac\ OS\ X\ 1.4.9 > sha1sum GnuPG1.4.9.dmg > sha1sum GnuPG Mac OS X 1.4.9 > sha1sum 1.4.9 Thus, my second question : With which application can I check that the software downloaded is secure (writing "openssl md5?") or In which Web site can I download a secure GnuPG1.4.9.dmg ? Does it compulsorily begin with https ? Third question : Have I to put the software into the folder "applications" to install it ? Last question: This software does it work on AppleMail 3.6 ? Thanks for your answers. And excuse me for my unknowledge of softwares... Leon65 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pastedGraphic.png Type: image/png Size: 3897 bytes Desc: not available URL: From mailinglisten at hauke-laging.de Mon Sep 15 03:05:18 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 15 Sep 2014 03:05:18 +0200 Subject: encrypting to expired certificates Message-ID: <3797526.FaRLMEmID1@inno> Hello, after filing a bug report for my mail client because it does not allow me to encrypt to an expired certificate (neither does Enigmail) I was surprised to notice that I didn't manage to encrypt to an expired certificate with gpg in the console (2.0.22). Is this not possible (what about gpgme?) or am I just not aware of how to get that done? I would consider not being able to encrypt to an expired key a severe security flaw because it may force the sender to send the message unencrypted. It is OK to warn the user but it must be possible to override this warning. Expiration is not a security problem (let alone a severe one). It does not even work with --encrypt-to. And the man page says about this command: "No trust checking is performed for these user ids and even disabled keys can be used." Non-valid keys are OK, disabled keys are OK but the least severe case expiration is not OK? Hauke -- Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: This is a digitally signed message part. URL: From nicholas.cole at gmail.com Mon Sep 15 10:48:47 2014 
From: nicholas.cole at gmail.com (Nicholas Cole) Date: Mon, 15 Sep 2014 09:48:47 +0100 Subject: encrypting to expired certificates In-Reply-To: <3797526.FaRLMEmID1@inno> References: <3797526.FaRLMEmID1@inno> Message-ID: On Monday, 15 September 2014, Hauke Laging wrote: > Hello, > > after filing a bug report for my mail client because it does not allow > me to encrypt to an expired certificate (neither does Enigmail) I was > surprised to notice that I didn't manage to encrypt to an expired > certificate with gpg in the console (2.0.22). > > Is this not possible (what about gpgme?) or am I just not aware of how > to get that done? > > I would consider not being able to encrypt to an expired key a severe > security flaw because it may force the sender to send the message > unencrypted. It is OK to warn the user but it must be possible to > override this warning. Expiration is not a security problem (let alone a > severe one). > > It does not even work with --encrypt-to. And the man page says about > this command: > > "No trust checking is performed for these user ids and even disabled > keys can be used." > > Non-valid keys are OK, disabled keys are OK but the least severe case > expiration is not OK? > > > Hauke > Opportunistic encryption with a fall-back mode to plain text, which seems to be your model, is dangerous. Yes, it is always dangerous to have a protocol that sends in plain text if encryption is impossible. However, I don't think the fault is with GPG. If a key has an expiry date, GPG can be very very certain that that key should not be used after a particular date. In fact, I don't think that user interfaces should ever have encouraged people to encrypt to 'not valid' keys at all, but if they key itself says that it should not be used, then it really should not be used. You can't make assumptions for the reason a key has an expiry date. It could be that after that date it would be insecure to send encrypted data to that key. 
I think that implementations should respect the expiry dates on keys. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pete at heypete.com Mon Sep 15 11:32:59 2014 
From: pete at heypete.com (Pete Stephenson) Date: Mon, 15 Sep 2014 11:32:59 +0200 Subject: Help about GnuPG 1.4.9 In-Reply-To: References: Message-ID: <5416B24B.10105@heypete.com> On 9/14/2014 11:05 PM, bonneau at sanboa.info wrote: > Hello, > > I'm a completly new possible user of macgpg. > I want to use it but somme security questions don't be resolved : > I've a Mac with Mac OS 10.5.8 Intel Core 2 duo with AppleMail 3.6 and > want to download the free software. Welcome! Hopefully we can get you straightened out! > I've falled on this site : http://macgpg.sourceforge.net/fr/index.html > which lets download this : > /GNU Privacy Guard/ - pour Mac OS X 10.1 (et suivantes) > > * Pour Mac OS X 10.4.x et plus nouveau > o GnuPG v2.x > , > now a separate project. > o 1.4.9 > , > MD5: 36d9eb482a98774521bfd7bb73e4ad06 > > I've choosen 1.4.9 GnuPG 1.4.9 is a bit out of date. https://gpgtools.org/ should have a more recent version, but it seems that it will only work back to Mac OS X 10.6, not 10.5. Can you upgrade to a newer version of Mac OS X? 10.5 is quite old and reached end-of-life in 2011. You might find http://support.gpgtools.org/discussions/problems/10783-gpgtools-for-mac-osx-1058 to be of some interest. > But after, I've read : *Never use a GnuPG version you just downloaded > to check the integrity of the source* - use an existing GnuPG installation. > on : https://www.gnupg.org/download/integrity_check.html > and that's the problem for me : > _how can I know if the software downloaded is secure or not ?_ > > I followed the advices : > > gpg --verify 1.4.9 > > sha1sum 1.4.9 > > etc., on Terminal.app It's possible that Mac OS X 10.5 does not have gpg, openssl, or sha1sum installed. I'm not familiar with systems that old. However, it appears that the system does have a means of calculating MD5 checksums. 
You should be able to run the following command from a terminal:

  /sbin/md5 /Users/alain1/Desktop/GnuPG1.4.9.dmg

Alternatively, if the Mac has GPG installed already (I know that newer
versions of Mac OS X do, but I'm not sure about 10.5), you can run the
following from the terminal:

  gpg --print-md MD5 /Users/alain1/Desktop/GnuPG1.4.9.dmg

> but never appeared the good suite MD5 of numbers and letters !
> history:
> 'openssl md5 [nomDeFichier]'Last login: Sun Aug 16 17:52:58 on console
> Ordinateur-839:~ alain1$ 'openssl md5
> [/Users/alain1/Desktop/GnuPG1.4.9.dmg ]'-bash: openssl md5
> [/Users/alain1/Desktop/GnuPG1.4.9.dmg ]: No such file or directory
> Ordinateur-839:~ alain1$ 'openssl md5 [GnuPG1.4.9]'
> -bash: openssl md5 [GnuPG1.4.9]: command not found
> Ordinateur-839:~ alain1$ openssl md5 [/Users/alain1/Desktop/GnuPG1.4.9.dmg]'

What happens if you run the command without the square brackets ([]) or
the single quotes (')? For example,

  openssl md5 /Users/alain1/Desktop/GnuPG1.4.9.dmg

> Thus, my second question :
> _With which application can I check that the software downloaded is
> secure (writing "openssl md5?")_

OpenSSL is installed in newer Mac OS X systems, but might not be
installed on 10.5. If it's not installed, you could install it but
that's typically not a trivial thing to do. Check if it's installed by
running:

  openssl version

from the terminal.

As for your other questions, I'm not sure. Hopefully someone else can
answer.

Cheers!
-Pete

From mailinglisten at hauke-laging.de Mon Sep 15 14:10:32 2014
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 15 Sep 2014 14:10:32 +0200 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> Message-ID: <1989429.3DbLCdLgrM@inno> Am Mo 15.09.2014, 09:48:47 schrieb Nicholas Cole: > Opportunistic encryption with a fall-back mode to plain text, which > seems to be your model, is dangerous. Yes, it is always dangerous to > have a protocol that sends in plain text if encryption is impossible. This is not about opportunistic encryption (which I do not use BTW). It is about being capable at all to encrypt in a certain situation. [quote order changed] > If a key has an expiry > date, GPG can be very very certain that that key should not be used > You can't make assumptions for the reason a key has an expiry date. Do you think these two statements are consistent? I don't object to "a key should not be used", BTW. I object to "a key must not be used" / "a key cannot be used". Those are very strong assumptions which are hardly ever justified. In particular this is not a decision for a low level tool like GnuPG. A low level tool (usually directly used by experts) shall give the GUIs the information they need (in this case: the key is invalid because it is expired) and let them decide what to do. There is a whole section "Doing things one usually doesn't want to do." in gpg's man page... > It could be that after that date it would be insecure to send > encrypted data to that key. How is that possible without anything encrypted to this key before the expiration date becoming insecure, too? If a key has become insecure then it is to be revoked. > I think that implementations should respect the expiry dates on keys. I agree with that. I just disagree with translating "respect" to "not allow any override at all" (for this problem only, allowing overrides for all other kinds of worse problems...). 
> In fact, I don't think that user interfaces > should ever have encouraged people to encrypt to 'not valid' keys at > all, I don't think that any UI (I know) encourages people to do that. Allowing (after a warning and confirmation) is not encouraging. > but if they key itself says that it should not be used, then it > really should not be used. I agree. But expiration does not necessarily mean "don't use at all". Expiration is not the same as revocation. This is not affected by the fact that revocation may be impossible (private key lost and compromised). The RfC is quite clear about revocations. It is not about expirations. http://tools.ietf.org/html/rfc4880#section-5.2.3.3 Expiration is a good feature. Handling expired keys in this way discourages using expiration dates, though. Hauke -- Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: This is a digitally signed message part. URL: From martin-gnupg-users at dkyb.de Mon Sep 15 15:12:31 2014 
From: martin-gnupg-users at dkyb.de (Martin Behrendt) Date: Mon, 15 Sep 2014 15:12:31 +0200 Subject: encrypting to expired certificates In-Reply-To: <1989429.3DbLCdLgrM@inno> References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> Message-ID: <5416E5BF.3070402@dkyb.de> Am 15.09.2014 um 14:10 schrieb Hauke Laging: > > I agree. But expiration does not necessarily mean "don't use at all". > Expiration is not the same as revocation. This is not affected by the > fact that revocation may be impossible (private key lost and > compromised). > > The RfC is quite clear about revocations. It is not about expirations. > > http://tools.ietf.org/html/rfc4880#section-5.2.3.3 > > > Expiration is a good feature. Handling expired keys in this way > discourages using expiration dates, though. 2 arbitrary use cases: 1. One uses the expiration date as a reminder, to think about maybe updating it to new standards or what so ever. In this case, a warning when using an expired case is enough. 2. One lives in an hostile environment and it is possible that someone can retrieve his private-key/pass-phrase and prevents him from revoking the key. In this case preventing someone from sending you information which might harm your well being is a good thing.* Since the sender can't know how you use the expiration date I guess the more conservative approach is the safer one if you consider extreme cases like scenario 2. Greetings Martin *This is probably highly theoretical, I don't know. From nicholas.cole at gmail.com Mon Sep 15 15:33:55 2014 
From: nicholas.cole at gmail.com (Nicholas Cole) Date: Mon, 15 Sep 2014 14:33:55 +0100 Subject: encrypting to expired certificates In-Reply-To: <1989429.3DbLCdLgrM@inno> References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> Message-ID: On Mon, Sep 15, 2014 at 1:10 PM, Hauke Laging wrote: >> If a key has an expiry >> date, GPG can be very very certain that that key should not be used > >> You can't make assumptions for the reason a key has an expiry date. > > Do you think these two statements are consistent? >> It could be that after that date it would be insecure to send >> encrypted data to that key. > > How is that possible without anything encrypted to this key before the > expiration date becoming insecure, too? If a key has become insecure > then it is to be revoked. I don't know. If a key says on it "You can use this key for these email addresses up until this date" I think that tools SHOULD NOT use the key beyond that date or for other email addresses. I think in the case of the expiry date, I'd see a strong case for MUST NOT. The expiry date is there exactly so that users do not have to explicitly revoke keys. Or do you think one should be able to encrypt to revoked keys too? I do see a difference with merely NOT VALID keys, because those keys might be checked using some external trust system, though it is bad practice 99% o the time, I suspect. I can't see any justification for encrypting to a key past its expiry date. Either your correspondent is in a position to update the key, or he/she isn't. In the latter case, the key should not be used. From dshaw at jabberwocky.com Mon Sep 15 15:47:21 2014 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 15 Sep 2014 09:47:21 -0400 Subject: encrypting to expired certificates In-Reply-To: <3797526.FaRLMEmID1@inno> References: <3797526.FaRLMEmID1@inno> Message-ID: <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> On Sep 14, 2014, at 9:05 PM, Hauke Laging wrote: > Hello, > > after filing a bug report for my mail client because it does not allow > me to encrypt to an expired certificate (neither does Enigmail) I was > surprised to notice that I didn't manage to encrypt to an expired > certificate with gpg in the console (2.0.22). > > Is this not possible (what about gpgme?) or am I just not aware of how > to get that done? > > I would consider not being able to encrypt to an expired key a severe > security flaw because it may force the sender to send the message > unencrypted. It is OK to warn the user but it must be possible to > override this warning. Expiration is not a security problem (let alone a > severe one). I disagree with this. Expiration is the way the key owner (the person who knows best whether the key should be used or not) tells the world, "Do not use this key after this date". If someone encrypts to the key anyway, they are going against the key owner's statement. I'm sure people can come up with particular scenarios where it is either okay or very not okay to use a key after it is expired, but either way, the key owner gave a date. Who are we to disregard that? David From mailinglisten at hauke-laging.de Mon Sep 15 16:03:02 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 15 Sep 2014 16:03:02 +0200 Subject: encrypting to expired certificates In-Reply-To: <5416E5BF.3070402@dkyb.de> References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <5416E5BF.3070402@dkyb.de> Message-ID: <2237468.jXgbTBelIV@inno> Am Mo 15.09.2014, 15:12:31 schrieb Martin Behrendt: > 2 arbitrary use cases: > > 1. One uses the expiration date as a reminder, to think about maybe > updating it to new standards or what so ever. In this case, a warning > when using an expired case is enough. > > 2. One lives in an hostile environment and it is possible that someone > can retrieve his private-key/pass-phrase and prevents him from > revoking the key. In this case preventing someone from sending you > information which might harm your well being is a good thing.* Some time ago one of the well-known users of this list wrote: "Secure communication with noobs is impossible. Period." (or similar) I have quoted this (offline) quite often. If you are communicating in a hostile environment then you must know a lot about email security and you must restrict your communication to people of this kind. It at least improbable that capable users under this circumstances have not etablished rules which cover this case. As security is more important than availablility someone it that situation would make sure that he can revoke the certificate (or that someone else can). And, of course, as the expiration date will not happen to match the compromise date he would tell his contacts about the problem and not just hope they will not feel like sending something before... You could try to create an even stranger scenario in which this is not possible but that would not affect the points that rules have been made and that such people would act very conservative (i.e. 
they need not be forced to) but another quote comes to my mind:

Rob has pointed out several times recently that "PGP" means PRETTY GOOD
privacy not PERFECT privacy. It is OK that GnuPG is usable for quite
high levels but those "1 in 1,000" cases can obviously not (and are not)
the base for default settings - and impossibility is much harder than a
default setting.

> Since the sender can't know how you use the expiration date I guess
> the more conservative approach is the safer one if you consider
> extreme cases like scenario 2.

Of course, the sender can know that. In most cases he doesn't, though.
But he can make a much better guess than we.

Do you think it is not safe enough to warn the user? Does this have to
be enforced because of whatever? Only this protection but nothing else?
Shall the software tell the user "In all other cases you know better
than me but in this one I know better than you"?


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From mailinglisten at hauke-laging.de Mon Sep 15 18:13:22 2014
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 15 Sep 2014 18:13:22 +0200 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> Message-ID: <1572758.Tlj9dXj9AN@inno> Am Mo 15.09.2014, 14:33:55 schrieb Nicholas Cole: > The > expiry date is there exactly so that users do not have to explicitly > revoke keys. I doubt that this is the common interpretation of this feature. One of the effects of expiration is that you can recognize (non- compromised) dead keys. > Or do you think one should be able to encrypt to > revoked keys too? That is already easily possible: You can delete the revocation signature. That's it. There are even cases in which I would consider that. If a revocation signature says that the key has been replaced then there is no reason to consider it unsafe. If I cannot verify the new key then it might be a good idea to use the revoked one. However, that is not the point. As a revocation is a MUCH stronger statement than an expiration (key revocations are hardly superseded but it is normal that the key validity period is extended) you cannot reasonably argue that the same behaviour should be applied to both. But the general rule applies here, too: A low level tool has to tell the user or higher level application what they need to know and has to let THEM decide how to react. A low level tool should provide every action that is possible. Not in the meaning that every possible action should be implemented but in that that nothing is absolutely prevented. > I can't see any justification for encrypting to a key past its expiry > date. Either your correspondent is in a position to update the key, > or he/she isn't. In the latter case, the key should not be used. OK, reality check. The reason for this thread is that a friend has sent an encrypted email to me yesterday. 
I could not reply to that because his certificate has expired (two weeks ago, one year after creation, because I set this expiration date).

I have created his certificate. That is an offline mainkey and he is probably not capable (or willing) to extend the validity period. He is not going to replace the key. It is not considered compromised. We(?) even talked on the phone today.

It is far from a serious assessment of the situation to claim that the key owner wants me not to use this key any more. And this situation is far less strange than the other ones offered in this thread.

If you set an expiration date (no matter whether with GnuPG or the well-known GUIs) then the software does not tell you that senders were not allowed / not capable to use this key after that date. It says something about "How long shall it be valid?".

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From rjh at sixdemonbag.org Mon Sep 15 18:38:37 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 15 Sep 2014 12:38:37 -0400
Subject: encrypting to expired certificates
In-Reply-To: <2237468.jXgbTBelIV@inno>
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <5416E5BF.3070402@dkyb.de> <2237468.jXgbTBelIV@inno>
Message-ID: <5417160D.7040208@sixdemonbag.org>

> Some time ago one of the well-known users of this list wrote:
>
> "Secure communication with noobs is impossible. Period." (or
> similar)

Wasn't me: I think a statement like that is arrogant even by my standards. It implies the speaker can accomplish this task, and if the history of communications security tells us anything it's to be deeply skeptical of anyone making such a claim.

For that matter, what does "secure" mean, anyway? Most people would say it means "an adversary can't intercept the communication or modify it." Fine. Who's the adversary? If your adversary is a smart 12-year-old, a good way to establish secure communication is to walk into your nearest bar and tell the bouncers to be on the lookout for 12-year-olds trying to get inside. If the adversary is an outfit with a lot of professional experience at intercepting communications, then you're completely screwed and there's nothing you can do about it.

I really wish we could get over our obsession with the word "secure". In twenty years of talking about PGP/GnuPG, I have yet to see it add one iota of meaning to any conversation.

From nicholas.cole at gmail.com Mon Sep 15 18:47:15 2014
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 15 Sep 2014 17:47:15 +0100
Subject: encrypting to expired certificates
In-Reply-To: <1572758.Tlj9dXj9AN@inno>
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno>
Message-ID:

On Mon, Sep 15, 2014 at 5:13 PM, Hauke Laging wrote:

[snip]

> I have created his certificate. That is an offline mainkey and he is
> probably not capable (or willing) to extend the validity period. He is
> not going to replace the key. It is not considered compromised. We(?)
> even talked on the phone today.
>
> It is far from a serious assessment of the situation to claim that the
> key owner wants me not to use this key any more. And this situation is
> far less strange than the other ones offered in this thread.
>
> If you set an expiration date (no matter whether with GnuPG or the well-
> known GUIs) then the software does not tell you that senders were not
> allowed / not capable to use this key after that date. It says something
> about "How long shall it be valid?".

Respectfully, Hauke, we just disagree on this. But your last comment raises a crucial point that I think has bugged OpenPGP for far too long: the software we use for OpenPGP has actually been far too liberal about letting people use "not valid" keys. This has taken pressure off the writers of user interfaces to find ways of encouraging users to use the software properly, and at the same time the web of trust has been shrouded in far too much mystique and mystery!

If a user sets up a key and sets the flag on the key that explicitly means, "Do not use it after this point" I think the software should enforce that. I can see that it creates a (small?) potential for a DoS attack, and I can see that there might be cases you want to override it in special circumstances.

As it happens though, it isn't exactly a strong protection for someone willing to delete revocation signatures and so on to make things work.
The work-around is simple: wind your computer clock back and you'll be fine in this case.

N.

From rjh at sixdemonbag.org Mon Sep 15 19:19:10 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 15 Sep 2014 13:19:10 -0400
Subject: encrypting to expired certificates
In-Reply-To:
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno>
Message-ID: <54171F8E.20701@sixdemonbag.org>

> Respectfully, Hauke, we just disagree on this. But your last
> comment raises a crucial point that I think has bugged OpenPGP for
> far too long: the software we use for OpenPGP has actually been far
> too liberal about letting people use "not valid" keys.

If by "too liberal" you mean "it's possible to do it," then I don't see how to avoid it. You'd need a trusted timestamp on the certificate and a trusted timestamp on the machine using the certificates, and trusted timestamps are a hard, *hard* problem.

Yes, OpenPGP is quite permissive about letting people encrypt to expired certificates, but I think that's more a factor of it being incredibly hard to prevent it than it is any neglect on the part of the OpenPGP authors.

From nicholas.cole at gmail.com Mon Sep 15 19:25:47 2014
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 15 Sep 2014 18:25:47 +0100
Subject: encrypting to expired certificates
In-Reply-To: <54171F8E.20701@sixdemonbag.org>
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org>
Message-ID:

On Mon, Sep 15, 2014 at 6:19 PM, Robert J. Hansen wrote:

>> Respectfully, Hauke, we just disagree on this. But your last
>> comment raises a crucial point that I think has bugged OpenPGP for
>> far too long: the software we use for OpenPGP has actually been far
>> too liberal about letting people use "not valid" keys.
>
> If by "too liberal" you mean "it's possible to do it," then I don't see
> how to avoid it. You'd need a trusted timestamp on the certificate and
> a trusted timestamp on the machine using the certificates, and trusted
> timestamps are a hard, *hard* problem.
>
> Yes, OpenPGP is quite permissive about letting people encrypt to expired
> certificates, but I think that's more a factor of it being incredibly
> hard to prevent it than it is any neglect on the part of the OpenPGP
> authors.

Sorry. I've confused two issues. Yes, it is hard to enforce expiry dates in a 'secure' way. I wasn't meaning to suggest it was something openpgp should try to do. I don't think we should make it easy to ignore them, that's all.

No the other issue I was pointing to was that many users (probably) never bother to certify the keys of the people they communicate with and just ignore the fact that the keys are invalid. Because it is easy (though unwise) to use PGP/GPG in this way, I don't think developers have really paid enough attention to encouraging users to certify the keys they are trying to use or to use keys that are in a web of trust (nb. a web of trust not The Web Of Trust).
Instead, we've actually had endless threads about when to 'sign' keys (only if three passports produced that have been certified by unicorns etc) that are probably very off-putting to new users.

From rjh at sixdemonbag.org Mon Sep 15 20:17:53 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 15 Sep 2014 14:17:53 -0400
Subject: encrypting to expired certificates
In-Reply-To:
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org>
Message-ID: <54172D51.7080104@sixdemonbag.org>

> Sorry. I've confused two issues. Yes, it is hard to enforce expiry
> dates in a 'secure' way. I wasn't meaning to suggest it was
> something openpgp should try to do. I don't think we should make it
> easy to ignore them, that's all.

Well, I still respectfully disagree, because -- oh, that's a rant.

Then again, when has something being a rant ever stopped me?

Okay: hang tight for some heresy.

I've been using PGP and GnuPG for over twenty years now, and in those twenty years I've reached only a handful of beliefs. I love the math because you don't need to believe math: the theorem either works or it doesn't. Belief is a harder thing, and because of that it's wise to be very careful before forming beliefs.

Here's my belief: anyone who advocates PGP/GnuPG, with or without supporting tools like Enigmail, to average end-users is committing professional malpractice. If they don't recognize they're doing it, they should take that as a sign they don't understand GnuPG/OpenPGP anywhere near as well as they think they do.

GnuPG is not a communications security solution. It is a communications security *toolbox*, and an incomplete toolbox at that. GnuPG provides mechanism and only mechanism. GnuPG does not provide policy, and precious few of the tools supporting GnuPG fill in that gap. Enigmail doesn't. GPA doesn't. Pretty much nothing does.

For that reason, recommending these tools to end-users is professional malpractice because end-users do not have the skills or experience to wisely determine policy. (I don't, either.
If I were drafting policy I would need, at the least, assistance from HR [to tell me about human-factor concerns], Legal [to tell me about regulatory concerns], and IT [because they'd be the ones supporting the thing]. I doubt that anyone on this list, up to and including Werner, is capable of drafting a competent and effective policy for an entire organization on their own)

Whew. That was a good beginning to a rant. Let me take a deep breath here...

Policy -- who signs what, whose certificates are trusted and why, whether persona certifications should carry different semantic meaning than generic certifications, whether signatures should carry expiration dates, whether those expiration dates should be respected -- is, in a word, *IMPORTANT*. Further, policy will vary from person to person to person and organization to organization.

This is one of the reasons why the "should we use inline or PGP/MIME?" question will never be conclusively answered. That's not a technical question, it's a policy question that people insist on treating like a technical question. Technical questions have only one answer: policy questions can only truly be answered with a, "well, it depends..."

Here's something else about policy: putting together good policy is *HARD*. I've sat in on policy meetings before to provide technical advice, and let me tell you, I'd much rather be debugging Win32 binaries using gdb and a broken keyboard. Policy is driven by human factors as much as, or more than, by technical factors and that means your average geek is completely adrift in this space.

Once you've got a usage policy, your next three questions become monitoring, remediation, and enforcement. How do you monitor usage to ensure it complies with policy? When something falls out of spec, what's the process to bring it back into spec? When you find who's responsible for it falling out of spec, what happens to them? These questions, too, get discussed and resolved in policy meetings.
So, put it all together and here's what you need, at a minimum, to effectively use GnuPG:

1. Cryptographic tools. GnuPG provides these.
2. Usage policy. You're on your own.
3. Monitoring policy. You're on your own.
4. Remediation policy. You're on your own.
5. Enforcement policy. You're on your own.

...

So, yeah. Whenever I see someone talk about how "we need to improve GnuPG's adoption numbers!", I roll my eyes. Invariably they talk about how we need to make GnuPG "easier to use". But that's not the problem and it's never been the problem. The problem is *policy*.

Werner has, IMO wisely, decided that GnuPG will not make policy for the user. I think that's the absolutely correct decision to make. GnuPG should not be telling me what my usage, monitoring, remediation or enforcement policies should be. But the total absence of policy has led to the vast majority of GnuPG users *not even knowing that it's absent*. As a result, we as a community drastically understate (or in many cases don't even state!) the difficulty, expense, and necessity of policy.

So, to tie all this back to your original remarks, Nicholas, I disagree that we need to do something about making it harder to encrypt to expired certificates. That's a policy decision, and as such it's outside the scope of GnuPG.

But if you want to start waving the banner of, "POLICY! GET SOME!", well, the line starts behind me. :)

From nicholas.cole at gmail.com Mon Sep 15 20:43:13 2014
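Added example, not part of the thread and not GnuPG code: the message above separates mechanism (GnuPG reports that a key is expired or revoked) from policy (what the sender does about it). The sketch below applies a hypothetical local policy to a constructed `gpg --list-keys --with-colons` listing; the `Policy` fields, the action names, the key IDs and the epoch-timestamp date format are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the colon format printed by
# `gpg --list-keys --with-colons` (epoch timestamps assumed).
# Key IDs and the user ID are made up.
SAMPLE_LISTING = """\
pub:e:4096:1:AAAAAAAAAAAAAAAA:1377993600:1409529600::-:::sc::::::
uid:e::::1377993600::::Friend (constructed) <friend@example.org>:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1377993600:1409529600:::::e::::::
pub:r:2048:1:CCCCCCCCCCCCCCCC:1300000000:::-:::sc::::::
sub:r:2048:1:DDDDDDDDDDDDDDDD:1300000000::::::e::::::
pub:f:2048:1:EEEEEEEEEEEEEEEE:1400000000:1500000000::-:::scESC::::::
sub:f:2048:1:FFFFFFFFFFFFFFFF:1400000000:1500000000:::::e::::::
"""

DAY = 86400


@dataclass(frozen=True)
class Policy:
    """Hypothetical local policy; GnuPG defines none of these knobs."""
    expired_action: str = "stop"     # "stop" (ask the owner out of band) or "refuse"
    max_days_past_expiry: int = 30   # older expiries are refused outright


@dataclass(frozen=True)
class Decision:
    keyid: str
    status: str   # "valid", "expired" or "revoked"
    action: str   # "encrypt", "stop" or "refuse"
    reason: str


def encryption_keys(listing: str) -> Iterator[Tuple[str, bool, Optional[int]]]:
    """Yield (keyid, revoked, effective_expiry) for each encryption-capable key.

    A subkey inherits revocation and expiry from its primary key.
    """
    primary_validity, primary_expires = "-", None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        expires = int(f[6]) if f[6] else None      # field 7: expiration time
        if f[0] == "pub":
            primary_validity, primary_expires = f[1], expires
        if "e" not in f[11]:                       # field 12: lowercase e = can encrypt
            continue
        revoked = "r" in (f[1], primary_validity)  # field 2: validity
        dates = [t for t in (expires, primary_expires) if t is not None]
        yield f[4], revoked, (min(dates) if dates else None)


def decide(listing: str, now: int, policy: Policy = Policy()) -> List[Decision]:
    """Apply the policy. `now` is a parameter because the local clock is itself
    an input that can be wrong or wound back."""
    out = []
    for keyid, revoked, expires in encryption_keys(listing):
        if revoked:
            # Assumption of this example policy: revocation is never overridden.
            out.append(Decision(keyid, "revoked", "refuse", "revoked"))
        elif expires is not None and expires <= now:
            days = (now - expires) // DAY
            too_old = days > policy.max_days_past_expiry
            action = "refuse" if (too_old or policy.expired_action == "refuse") else "stop"
            out.append(Decision(keyid, "expired", action, f"expired {days} days ago"))
        else:
            out.append(Decision(keyid, "valid", "encrypt", "within validity period"))
    return out


if __name__ == "__main__":
    NOW = 1410804000  # 2014-09-15 18:00:00 UTC, constructed
    for d in decide(SAMPLE_LISTING, NOW):
        print(f"{d.keyid}  {d.status:8} -> {d.action:8} ({d.reason})")
```
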
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 15 Sep 2014 19:43:13 +0100
Subject: encrypting to expired certificates
In-Reply-To: <54172D51.7080104@sixdemonbag.org>
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org> <54172D51.7080104@sixdemonbag.org>
Message-ID:

On Monday, 15 September 2014, Robert J. Hansen wrote:

> > Sorry. I've confused two issues. Yes, it is hard to enforce expiry
> > dates in a 'secure' way. I wasn't meaning to suggest it was
> > something openpgp should try to do. I don't think we should make it
> > easy to ignore them, that's all.
>
> Well, I still respectfully disagree, because -- oh, that's a rant.
>
> Then again, when has something being a rant ever stopped me?
>
> Okay: hang tight for some heresy.
>
> (Snip)
> But if you want to start waving the banner of, "POLICY! GET SOME!",
> well, the line starts behind me. :)
>

I enjoyed that rant so much that I don't even mind that you have misinterpreted what I said and attributed to me ideas I don't hold: for which I'm prepared to take 50% of the blame!

Just for the record: all I've ever said in this thread is that I don't think there is a compelling case to add an option to gpg to ignore expiration dates. That's all. Although, gosh! It already lets users do so many silly things perhaps one more doesn't matter.

Your rant was a good one. I agree with much of it. Frankly, as a community we haven't developed the tools and culture that might have assisted users to develop good policy and good practice.

I also despair a little. PGP made more sense, in some ways, in the early 1990s when most home and business computers were offline most of the time. Maybe not been then.
Nowadays, I'm not at all sure I would trust openpgp to protect me if I were really worried about my privacy being under any kind of targeted attack: frankly I can't think of an OS platform I really trust to be secure, and if you can't trust the platform then all bets are off. Even Apple, who have every incentive to do so and control of both hw and sw, can't manage to keep their platforms secure. Of course, an air gap might help, but that really is a very major hassle and I don't have cause.

I'm interested in the user interface problems that OpenPGP presents. That's kept my interest in it alive for all these years. I don't have any high hopes it will ever be widely adopted though: for most people, most of the time, there is limited benefit, if any.

Nicholas.

From mailinglisten at hauke-laging.de Mon Sep 15 21:06:17 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 15 Sep 2014 21:06:17 +0200
Subject: encrypting to expired certificates
In-Reply-To: <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com>
Message-ID: <5740197.zZZLHD6fs4@inno>

On Mon 15.09.2014, 09:47:21, David Shaw wrote:

> I disagree with this. Expiration is the way the key owner (the person
> who knows best whether the key should be used or not) tells the
> world, "Do not use this key after this date".

Where do you take that from? Neither the RfC uses this description nor GnuPG nor any GUI I know. It is OK (not meaning: being safe from getting criticized by the key owner for sending clear text instead) if you treat the expiration date this way. But it is absolutely not OK to enforce this really not obvious interpretation on others.

> If someone encrypts to
> the key anyway, they are going against the key owner's statement.

No. As nearly everything in the OpenPGP environment the definition of this statement is much too vague to justify this assessment. Even if you get a contrary statement in person ("No problem, I just forgot to extend the validity period in time, use this key") you CANNOT do that. This behaviour makes using offline mainkeys (which should be strongly encouraged) more difficult.

> either way, the key owner gave a date. Who are we to disregard that?

a) It seems that nobody wants it disregarded. Regarding this information means: Tell the user about it. Narrowing "regard" to "prevent" is the second non-obvious interpretation.

b) As I have explained above there is no reason to assume that the average user understands "expire" the way you do. Indeed, he gave a "date", not a prohibition.

c) Because "we" disregard it everywhere else. GnuPG (and other very important parts of the OpenPGP environment) does not care about the key owner's statements in any other point in this absolute way.

"In general, you do not want to use this option as it allows you to violate the OpenPGP standard."

Quote from the man page.

--cipher-algo --digest-algo --compress-algo --force-mdc

All made to override a key owner's statements (clearly RfC-backed statements in these cases). And, of course, the keyserver no-modify flag. Not GnuPG's fault, of course. In other words: OpenPGP users are used to their statements being (easily) ignored.

d) It does not make any sense to "forbid" someone the use of a key if you cannot forbid him to send the information without any encryption instead. But it often makes sense to use an expired key for encryption. It does not make sense to assume that a key owner would prefer a clear text message over one encrypted for an expired key. It is a strange decision (to say it politely) to enforce a non-obvious interpretation which has a clear alternative (revocation) and does not make sense.

e) Today those users who want to make a strong statement can do that: They can revoke their certificate. They cannot do that in advance but that is not a problem (I would support future revocations in the next OpenPGP version though). In your interpretation those who just want to give a hint cannot do that. There are two distinct features. Why should they not be treated differently though they are obviously used differently and understood differently?

f) There is no change in security by reaching the expiration date. If there was one then nobody should encrypt information to a key if he wants this information to be secure after the expiration date, too. This is a pure formality which makes more sense with signatures than with encryption. Formality does not have priority over security.

g) I can show real-world damage. Can you show (similar) real-world advantage? (I.e. not just some unclear formality.)

The probably greatest point about OpenPGP is that it is so flexible.
You can use it on the one side with users who hardly understand what they are doing using opportunistic encryption and on the other side you can use it for highly secure communication. The difference is about how to use GnuPG (and, as Rob just explained, policy which is not GnuPG's business).

Due to this flexibility OpenPGP usually does not prevent users from doing stupid and dangerous things. If it does so in just one point and this point is even harder to justify than many things which are not done then this is a bug. You cannot explain the behaviour of GnuPG with a single rule. You need an exception for this case. And that is taste not logic.

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From ricul77 at gmail.com Mon Sep 15 21:17:39 2014
From: ricul77 at gmail.com (Richard Ulrich)
Date: Mon, 15 Sep 2014 21:17:39 +0200
Subject: setting env vars for gpg-agent
In-Reply-To: <8738bumtu2.fsf@vigenere.g10code.de>
References: <1410638551.5961.6.camel@quadulrich> <8738bumtu2.fsf@vigenere.g10code.de>
Message-ID: <1410808659.11203.5.camel@quadulrich>

Hi Werner,

So, I replaced my content in .bashrc with yours, but the behavior is still exactly the same.
* ssh smartcard auth works across different terminals. (so the agent must be functional)
* evolution signing works only if started from the terminal, even if I comment out the line : "if [ "$PS1" ]; then"
* enigform in firefox doesn't sign the headers.

I did not understand the last paragraph with "gpg-connect-agent /bye". But since the ssh part is working, I don't think that's necessary.

Rgds
Richard

On Sunday, 14.09.2014, 11:31 +0200, Werner Koch wrote:
> On Sat, 13 Sep 2014 22:02, ricul77 at gmail.com said:
> > After gpg-agent stopped to work for ssh auth from OpenPGP smartcard
> > after some ubuntu upgrade a while back, I launch it and set the env
> > variables in ~/.bashrc.
>
> I suggest to launch gpg-agent on the fly: Add
>
>   use-standard-socket
>
> to ~/.gnupg/gpg-agent.conf and remove all settings of GPG_AGENT_INFO. I
> use this in my ~/.bashrc :
>
> --8<---------------cut here---------------start------------->8---
> # If running interactively, then:
> if [ "$PS1" ]; then
>
>     # Setup information required by GnuPG and ssh. We use the standard
>     # socket in GnuPG's homedir, thus there is no need for an
>     # environment variable. We reset any left over envvar.
>     # SSH_AGENT_PID should not be set either because it is only used to
>     # kill ssh-agent (option -k) but we don't want this to kill
>     # gpg-agent. Because ssh does not know about GnuPG's homedir we
>     # need to set its envvar to gpg-agent's ssh socket. GPG_TTY needs
>     # to be set to the current TTY. The extra test is used to avoid
>     # setting SSH_AUTH_SOCK if gpg-agent has been started with the
>     # shell on the command line (often used for testing).
>     unset GPG_AGENT_INFO
>     unset SSH_AGENT_PID
>     if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
>         export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
>     fi
> fi
>
> export GPG_TTY=$(tty)
> --8<---------------cut here---------------end--------------->8---
>
> If you want to use gpg-agent's ssh-agent implementation, you need to make
> sure that gpg-agent is started (because ssh does not know how to start
> gpg-agent). You may do this with "gpg-connect-agent /bye"
>
> This works since 2.0.16 released 4 years ago. Recent veNote that if you
> have ~/.gnupg on some remote file system, this may not work.
>
> Salam-Shalom,
>
> Werner
>

From dougb at dougbarton.us Mon Sep 15 21:22:58 2014
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 15 Sep 2014 12:22:58 -0700
Subject: encrypting to expired certificates
In-Reply-To: <5740197.zZZLHD6fs4@inno>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno>
Message-ID: <54173C92.2000709@dougbarton.us>

On 9/15/14 12:06 PM, Hauke Laging wrote:
> On Mon 15.09.2014, 09:47:21, David Shaw wrote:
>
>> I disagree with this. Expiration is the way the key owner (the person
>> who knows best whether the key should be used or not) tells the
>> world, "Do not use this key after this date".
>
> Where do you take that from? Neither the RfC uses this description nor
> GnuPG nor any GUI I know.

Hauke,

Is this perhaps a language issue? The common English meaning of the word "expire" is that after the date listed the thing that expired is no longer valid/good/useable/etc. As far as I can tell, everyone on this list who responded to you had the same understanding, which is that after the expiration date the key is no longer valid. (A view I share, FWIW.)

Meanwhile, you're presenting the options for an expired key as "use the key, or send plain text." There is a third, and I daresay significantly more preferable option, which is to use OOB communication to ascertain how the other party would like you to proceed.

Imagine this scenario ... Alice sets an expiration date on her key because she knows that after that expiration date her key is:

1. Likely to be compromised
2. Certain to be compromised
3. No longer in her control
4. Is actually now in Mallory's control
5. Other

You have no way to know which of those scenarios is the case. Further (assuming that you took the step of refreshing Alice's key) you have no way to know why she did not update the expiry date.
In this situation, it is certainly NOT safe to use that key for encryption, and in fact "Don't send the message at all" is almost certainly the right answer, unless you can determine in some OOB manner what Alice wants you to do.

So FWIW, I think that GnuPG is doing the right thing here, and you may wish to reconsider your perspective on the issue.

hth,

Doug

From rjh at sixdemonbag.org Mon Sep 15 21:30:23 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 15 Sep 2014 15:30:23 -0400
Subject: encrypting to expired certificates
In-Reply-To:
References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org> <54172D51.7080104@sixdemonbag.org>
Message-ID: <54173E4F.30401@sixdemonbag.org>

> I enjoyed that rant so much that I don't even mind that you have
> misinterpreted what I said and attributed to me ideas I don't hold:
> for which I'm prepared to take 50% of the blame!

Okay, I apparently misread. I'm sorry about that. It really annoys me when people misread me, and I suspect you feel likewise.

> [F]rankly I can't think of an OS platform I really trust to be
> secure, and if you can't trust the platform then all bets are off.
> Even Apple, who have every incentive to do so and control of both hw
> and sw, can't manage to keep their platforms secure.

There's an old saw about a drunken man who's leaning up against a streetlamp while looking around for his keys. A passer-by halfway down the block finds the keys and takes them to the drunk. "Why were you looking for them under the streetlamp if you lost them down the block?" the passer-by asks.

The drunk answers, "I may have lost 'em down the block, but the streetlamp I need to lean against is right here!"

I often think that's how many of us treat GnuPG. Securing communications is *hard*. Tool development, which is only one part of the equation, is easily-definable and quite tractable. And rather than say, "okay, the easily-definable and quite tractable part is done to an acceptable level, now let's tackle the hard stuff," we instead have a tendency to shout "No! 3DES shouldn't be a mandatory cipher! It's weak! And oh God we're using 2048-bit keys by default and that's a disaster! And we don't support larger than 4096-bit keys! And..."

Rather than tackle the Herculean problem of pulling the weeds from the garden, we insist on gilding all the lilies...
and then gilding them again and again and again, because "there's still so much work to do." All the while, the weeds keep growing.

So, yeah. Violent agreement here. I see a community that's obsessed with gilding the lily again and again, and that has been very resistant to suggestions that we need to broaden our perspective.

From rjh at sixdemonbag.org Mon Sep 15 21:56:04 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 15 Sep 2014 15:56:04 -0400
Subject: encrypting to expired certificates
In-Reply-To: <5740197.zZZLHD6fs4@inno>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno>
Message-ID: <54174454.6060705@sixdemonbag.org>

> Where do you take that from?

From the plain meaning of the word, "expiration."

There's a half-finished liter of milk in my fridge that's now a week past its expiration date. (Yes, yes, I'm going to throw it out once I get home...) If you want, feel free to come by. I'll pour you a glass of milk. After all, an expiration date doesn't mean "don't use this," right? It's only a number that's to be interpreted according to however someone wants.

> But it is absolutely not OK to enforce this really not obvious
> interpretation on others.

As has already been explained elsewhere, this cannot be enforced. It is not GnuPG's job to set policy: if you really need the ability to encrypt to expired certificates, go right ahead and do it. However, there is something to be said for making people go through an additional couple of hoops before shooting themselves in the foot.

> In other words: OpenPGP users are used to their statements being
> (easily) ignored.

In the cases you made, I think GnuPG would be improved by removing those options. This argument really isn't a winner.

From ricul77 at gmail.com Mon Sep 15 22:07:53 2014
From: ricul77 at gmail.com (Richard Ulrich) Date: Mon, 15 Sep 2014 22:07:53 +0200 Subject: setting env vars for gpg-agent In-Reply-To: <1410808659.11203.5.camel@quadulrich> References: <1410638551.5961.6.camel@quadulrich> <8738bumtu2.fsf@vigenere.g10code.de> <1410808659.11203.5.camel@quadulrich> Message-ID: <1410811673.11203.16.camel@quadulrich> Hi Werner, I just discovered that signing deb packages is not as smooth as before. * If I have an active gpg-agent session, it fails with the following error: clearsign failed: Allgemeiner Fehler * If I reinsert the card, I get thw following : gpg: GPG-Agent ist in dieser Sitzung nicht vorhanden Geben Sie die PIN ein: Then I have to enter the pin twice in the terminal. In all other instances so far it was always in the graphical pinentry dialog. I can verify, that gpg-agent is still running, and still working for ssh. But for regular gpg operation I discovered also other problems: $ gpg -d mhs_paraeasy_ch.txt.gpg gpg: Anonymer Empf?nger; Versuch mit geheimem Schl?ssel 0xxxxxx ? Bitte entfernen Sie die Karte und legen stattdessen die Karte mit folgender Seriennummer ein: D27xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dr?cken Sie 'Eingabe' wenn fertig; oder dr?cken Sie 'c' um abzubrechen: All this worked with the previous content in .bashrc. Rgds Richard Am Montag, den 15.09.2014, 21:17 +0200 schrieb Richard Ulrich: > Hi Werner, > > So, I replaced my content in .bashrc with yours, but the behavior is > still exactly the same. > * ssh smartcard auth works accross different terminals. (so the agent > must be functional) > * evolution signiging works only if started from the terminal, even if I > comment out the line : "if [ "$PS1" ]; then" > * enigform in firefox doesn't sign the headers. > > I did not understand the last paragraph with "gpg-connect-agent /bye". > But since the ssh part is working, I don't think that's necessary. 
> > Rgds > Richard > > Am Sonntag, den 14.09.2014, 11:31 +0200 schrieb Werner Koch: > > On Sat, 13 Sep 2014 22:02, ricul77 at gmail.com said: > > > After gpg-agent stopped to work for ssh auth from OpenPGP smartcard > > > after some ubuntu upgrade a while back, I launch it and set the env > > > variables in ~/.bashrc. > > > > I suggest to lauch gpg-agent on the fly: Add > > > > use-standard-socket > > > > to ~/.gnupg/gpg-agent.conf and remove all settings of GPG_AGENT_INFO. I > > use this in my ~/.bashrc : > > > > --8<---------------cut here---------------start------------->8--- > > # If running interactively, then: > > if [ "$PS1" ]; then > > > > # Setup information required by GnuPG and ssh. We use the standard > > # socket in GnuPG's homedir, thus there is no need for an > > # environment variable. We reset any left over envvar. > > # SSH_AGENT_PID should not be set either because it is only used to > > # kill ssh-agent (option -k) but we don't want this to kill > > # gpg-agent. Because ssh does not know about GnuPG's homedir we > > # need to set its envvar to gpg-agent's ssh socket. GPG_TTY needs > > # to be set to the current TTY. The extra test is used to avoid > > # setting SSH_AUTH_SOCK if gpg-agent has been started with the > > # shell on the command line (often used for testing). > > unset GPG_AGENT_INFO > > unset SSH_AGENT_PID > > if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then > > export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh" > > fi > > fi > > > > export GPG_TTY=$(tty) > > --8<---------------cut here---------------end--------------->8--- > > > > If you want to use gpg-agent's ssh-agent implementaion, you need to make > > sure that gpg-agent is started (becuase ssh does not know how to start > > gpg-agent). You may do this with "gpg-connect-agent /bye" > > > > This works since 2.0.16 released 4 years ago. Recent veNote that if you > > have ~/.gnupg on some remote file system, this may not work. 
> >
> >
> >
> > Salam-Shalom,
> >
> > Werner
> >
>

From dshaw at jabberwocky.com Mon Sep 15 22:16:07 2014
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 15 Sep 2014 16:16:07 -0400
Subject: encrypting to expired certificates
In-Reply-To: <5740197.zZZLHD6fs4@inno>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno>
Message-ID: <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com>

On Sep 15, 2014, at 3:06 PM, Hauke Laging wrote:

> On Mon 15.09.2014, 09:47:21, David Shaw wrote:
>
>> I disagree with this. Expiration is the way the key owner (the person
>> who knows best whether the key should be used or not) tells the
>> world, "Do not use this key after this date".
>
> Where do you take that from? Neither the RfC uses this description nor
> GnuPG nor any GUI I know. It is OK (not meaning: being safe from getting
> criticized by the key owner for sending clear text instead) if you treat
> the expiration date this way. But it is absolutely not OK to enforce
> this really not obvious interpretation on others.

I suspect that the word "expired" was expected to be clear on its own in the RFC. If there was some non-common meaning of expired, the term would have been explicitly defined. RFCs don't seek to confuse things.

5.2.3.6 defines it as "the validity period of the key". In other words, after that specified time has elapsed, the key is not valid. Are you arguing that in other places we allow people to use non-valid keys, so why not here as well? I don't agree with that, but I do understand it. ("valid" being a fairly weakly defined term without, yes, policy).

In any event, the choice being presented here between "use an expired key" vs "send in plain text" strikes me as misleading. There is a third case, which is "Stop. Something is wrong. Figure it out before proceeding."

David

From 2014-667rhzu3dc-lists-groups at riseup.net Mon Sep 15 22:18:15 2014
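Referring back to the `~/.bashrc` setup quoted in Richard Ulrich's message in the "setting env vars for gpg-agent" thread above: the following is an added example, not code from Werner Koch or any other poster, that checks an environment against the settings listed there. It reads a NUL-separated dump in the format of Linux `/proc/<pid>/environ`, so it can be pointed at a terminal shell or at a program started from the desktop; the function names and the WARN messages are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a process environment against the setup quoted above.
# Input is a NUL-separated environment dump (format of /proc/<pid>/environ).
# Function names and messages are hypothetical, chosen for this sketch.

# env_get FILE NAME: print the value of NAME from the dump (empty if unset).
env_get() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_agent_env FILE GNUPG_HOMEDIR
# Prints one "WARN:" line per deviation and returns 1 if there was any.
check_agent_env() {
    envfile=$1
    homedir=$2
    rc=0

    # gpg-agent.conf must carry an active (uncommented) use-standard-socket.
    if ! grep -Eq '^[[:space:]]*use-standard-socket[[:space:]]*$' \
            "$homedir/gpg-agent.conf" 2>/dev/null; then
        echo "WARN: use-standard-socket missing from $homedir/gpg-agent.conf"
        rc=1
    fi

    # Left-over GPG_AGENT_INFO settings are supposed to be removed.
    v=$(env_get "$envfile" GPG_AGENT_INFO)
    if [ -n "$v" ]; then
        echo "WARN: GPG_AGENT_INFO still set: $v"
        rc=1
    fi

    # SSH_AGENT_PID is only used to kill ssh-agent, so it should be unset.
    v=$(env_get "$envfile" SSH_AGENT_PID)
    if [ -n "$v" ]; then
        echo "WARN: SSH_AGENT_PID still set: $v"
        rc=1
    fi

    # ssh must be pointed at the ssh socket of gpg-agent in the GnuPG homedir.
    v=$(env_get "$envfile" SSH_AUTH_SOCK)
    if [ "$v" != "$homedir/S.gpg-agent.ssh" ]; then
        echo "WARN: SSH_AUTH_SOCK is '${v:-unset}', expected $homedir/S.gpg-agent.ssh"
        rc=1
    fi

    # GPG_TTY has to name the current terminal device.
    v=$(env_get "$envfile" GPG_TTY)
    case $v in
        /dev/*) ;;
        *) echo "WARN: GPG_TTY is '${v:-unset}', expected a /dev/... terminal"
           rc=1 ;;
    esac

    return $rc
}

# Stand-alone use: sh check_agent_env.sh /proc/<pid>/environ ~/.gnupg
if [ $# -eq 2 ]; then
    check_agent_env "$1" "$2"
    exit $?
fi
```

Running it once against an interactive shell and once against a desktop-launched program shows whether both see the same agent settings.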
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 15 Sep 2014 21:18:15 +0100 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> Message-ID: <1851084278.20140915211815@my_localhost> Hi On Monday 15 September 2014 at 9:48:47 AM, in , Nicholas Cole wrote: > Opportunistic encryption with a fall-back mode to plain > text, which seems to be your model, is dangerous. Yes, > it is always dangerous to have a protocol that sends in > plain text if encryption is impossible. I would characterise the use of "Opportunistic encryption" somewhat differently:- 1. Plaintext is expected. and 2. If encryption is possible I'll use it, but that's a bonus. -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Life is far too important a thing ever to talk seriously about From rjh at sixdemonbag.org Mon Sep 15 22:23:08 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Sep 2014 16:23:08 -0400 Subject: encrypting to expired certificates In-Reply-To: <54173E4F.30401@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org> <54172D51.7080104@sixdemonbag.org> <54173E4F.30401@sixdemonbag.org> Message-ID: <54174AAC.6000102@sixdemonbag.org> > Rather than tackle the Herculean problem of pulling the weeds from > the garden, we insist on gilding all the lilies... Sorry, that's idiomatic English. For the non-English speakers: "gilding the lily" means to foolishly try to improve on something that's already magnificent. "Gilding" means to paint something with gold. A lily is already a beautiful flower: gilding the lily will not make it more beautiful -- it will only waste your time and your labor. Not to be confused with gelding the filly, which, if you're doing, well, as I said, you're probably quite confused... From vedaal at nym.hush.com Mon Sep 15 22:33:23 2014 
From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 15 Sep 2014 16:33:23 -0400 Subject: encrypting to expired certificates In-Reply-To: <54174454.6060705@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> Message-ID: <20140915203323.ABE21A00C7@smtp.hushmail.com> On 9/15/2014 at 3:57 PM, "Robert J. Hansen" wrote: > if you really need the >ability to >encrypt to expired certificates, go right ahead and do it. >However, >there is something to be said for making people go through an >additional >couple of hoops before shooting themselves in the foot. ===== GnuPG tries to be very accommodating to almost all types of users, and has succeeded admirably in this case. I always wondered why anyone would ever really 'need' an expiration date, and how they would know in advance that they would need it to expire in the exact time they listed when the key was generated. A simple way to work around it, is to designate another one of the person's most trusted keys, as the 'revoker' key, or to generate a revocation certificate right after the key was made, and that way, if there is any future reason to not want people to encrypt to that key, to just revoke it then. But, if for whatever reason, one didn't do so, and lost the key or forgot the passphrase, and wanted the key to eventually 'pass on', then one could insure for its painless expiration, by making a timely expiration date ... Now, suppose someone got into the habit of routinely making an 'expiration' date, but still has the secret key and passphrase, and didn't yet generate a newer encryption key, then it's nice for him to know that GnuPG allows for the possibility for people to still encrypt to that key, until he makes other arrangements, and that GnuPG is prudently set up so that it shouldn't be 'too easy' to do, so that one will think twice if one 'really' needs to do it. 
vedaal From 2014-667rhzu3dc-lists-groups at riseup.net Mon Sep 15 22:48:05 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 15 Sep 2014 21:48:05 +0100 Subject: encrypting to expired certificates In-Reply-To: <5740197.zZZLHD6fs4@inno> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> Message-ID: <625068313.20140915214805@my_localhost> Hi On Monday 15 September 2014 at 8:06:17 PM, in , Hauke Laging wrote: >(I would support future revocations in > the next OpenPGP version though). How would this "future revocation" differ from an expiry date? -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net ETHERNET(n): device used to catch the Ether bunny From dkg at fifthhorseman.net Mon Sep 15 22:52:58 2014 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 15 Sep 2014 16:52:58 -0400 Subject: encrypting to expired certificates In-Reply-To: <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> Message-ID: <541751AA.4060708@fifthhorseman.net> On 09/15/2014 04:16 PM, David Shaw wrote: > There is a third case, which is "Stop. Something is wrong. Figure it out before proceeding." I think Hauke is explaining that he is already in this third case; he figured out what was wrong (his peer doesn't have the means to update the cert's expiration date right now, but does not believe the key is compromised), and is now trying to get to the "proceeding" part. But the obvious path to proceed is to go ahead and use the key anyway, which gnupg isn't letting him do (without, say, a reset of the system clock or libfaketime or something). I agree with Hauke here that GnuPG should not be this strict for this circumstance, particularly because it is not setting strong policy elsewhere. I consider encrypting to a key with no certifications on it at least as problematic as encrypting to a key whose well-certified cert has recently expired. GnuPG lets you encrypt to the former, but not the latter. There are reasonable policy use cases (e.g. opportunistic encryption) that suggest that both mechanisms should be available (though they should both produce a warning under default policy for sure). --dkg From mailinglisten at hauke-laging.de Mon Sep 15 23:01:12 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 15 Sep 2014 23:01:12 +0200 Subject: encrypting to expired certificates In-Reply-To: <54171F8E.20701@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <54171F8E.20701@sixdemonbag.org> Message-ID: <1700896.NCMGdhh64n@inno> On Mon 15.09.2014, 13:19:10, Robert J. Hansen wrote: > Yes, OpenPGP is quite permissive about letting people encrypt to > expired certificates, Did you really mean that? I am not aware of any way to do that within GnuPG (i.e. without faking the time which would affect a signature). This thread started with my question whether that was possible and except for this remark by you nobody has even indicated that it could be done. Hauke -- Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From 2014-667rhzu3dc-lists-groups at riseup.net Mon Sep 15 23:16:52 2014 
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 15 Sep 2014 22:16:52 +0100 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> <1989429.3DbLCdLgrM@inno> <1572758.Tlj9dXj9AN@inno> <54171F8E.20701@sixdemonbag.org> <54172D51.7080104@sixdemonbag.org> Message-ID: <788604773.20140915221652@my_localhost> Hi On Monday 15 September 2014 at 7:43:13 PM, in , Nicholas Cole wrote: > Even Apple, who have every incentive to > do so and control of both hw and sw, can't manage to > keep their platforms secure. In what way does Apple have any more incentive than anybody else to secure their platforms? -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Don't talk unless you can improve on the silence From wk at gnupg.org Mon Sep 15 23:26:06 2014 
From: wk at gnupg.org (Werner Koch) Date: Mon, 15 Sep 2014 23:26:06 +0200 Subject: encrypting to expired certificates In-Reply-To: <54173C92.2000709@dougbarton.us> (Doug Barton's message of "Mon, 15 Sep 2014 12:22:58 -0700") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54173C92.2000709@dougbarton.us> Message-ID: <87fvfslgnl.fsf@vigenere.g10code.de> On Mon, 15 Sep 2014 21:22, dougb at dougbarton.us said: > Imagine this scenario ... Alice sets an expiration date on her key > because she knows that after that expiration date her key is: > 0. Deleted to achieve some forward secrecy. Actually the semantics of an expired (sub)key may come from the 1999 or so idea of adding features to mitigate the effect of the UK RIP act (or whatever it is called now). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dougb at dougbarton.us Mon Sep 15 23:53:43 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Mon, 15 Sep 2014 14:53:43 -0700 Subject: encrypting to expired certificates In-Reply-To: <87fvfslgnl.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54173C92.2000709@dougbarton.us> <87fvfslgnl.fsf@vigenere.g10code.de> Message-ID: <54175FE7.6080306@dougbarton.us> On 9/15/14 2:26 PM, Werner Koch wrote: > On Mon, 15 Sep 2014 21:22, dougb at dougbarton.us said: > >> Imagine this scenario ... Alice sets an expiration date on her key >> because she knows that after that expiration date her key is: >> > > 0. Deleted to achieve some forward secrecy. Yeah, I'm sure there are other scenarios I was not smart enough to consider. :) > Actually the semantics of an expired (sub)key may come from the 1999 or > so idea of adding features to mitigate the effect of the UK RIP act (or > whatever it is called now). Wow, blast from the past. :) It's not clear to me how you're tying those 2 things together though. Meanwhile, I left out of my previous post my overwhelming dislike of the expiration date feature. :) Robert has a really good point about GnuPG not providing policy, and unfortunately a lot of users see the "expiration date knob" and cannot resist the urge to twist it, without understanding what it means, or why it should (or should not be) used, or in many cases even that they themselves can extend the expiration date if they choose to. Frankly I wish the option had never been added to the spec, but (thankfully) I'm not in charge. :) Doug From dougb at dougbarton.us Tue Sep 16 00:02:14 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Mon, 15 Sep 2014 15:02:14 -0700 Subject: encrypting to expired certificates In-Reply-To: <541751AA.4060708@fifthhorseman.net> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> <541751AA.4060708@fifthhorseman.net> Message-ID: <541761E6.2080401@dougbarton.us> On 9/15/14 1:52 PM, Daniel Kahn Gillmor wrote: > I think Hauke is explaining that he is already in this third case; he > figured out what was wrong (his peer doesn't have the means to update > the cert's expiration date right now, but does not believe the key is > compromised), and is now trying to get to the "proceeding" part. So let's practice some argumentum ad absurdum. Let's say that I'm Hauke's correspondent, and I set an expiration date on my key because I felt there was a legitimate concern that myself, my key, or both were going to come under the control of a hostile entity. Now that worst case scenario has actually occurred, and it is no longer safe for anyone to send me encrypted communications using that key. But HALLELUJAH!, I'm safe because the software honors the spec and will not allow Hauke to encrypt to my key because it is expired. "But Doug, that's ridiculous! Hauke's correspondent already told him that it's safe." Well of course she did, because that's what the hostile entity TOLD her to say. :) Now that scenario has a lot of potential holes in it, so please don't waste electrons arguing how plausible it is or is not. The point I'm trying to make is simply that we don't know what we don't know. What we do know is that at this time Hauke's correspondent is not in control of her key, and as a result it's not safe to encrypt content to it. Doug From rjh at sixdemonbag.org Tue Sep 16 00:05:34 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Sep 2014 18:05:34 -0400 Subject: encrypting to expired certificates In-Reply-To: <1700896.NCMGdhh64n@inno> References: <3797526.FaRLMEmID1@inno> <54171F8E.20701@sixdemonbag.org> <1700896.NCMGdhh64n@inno> Message-ID: <541762AE.5000807@sixdemonbag.org> >> Yes, OpenPGP is quite permissive about letting people encrypt to >> expired certificates, > > Did you really mean that? I am not aware of any way how to do that > within GnuPG... Yes. Hence my choosing of the term "OpenPGP", as opposed to GnuPG. > signature). This thread started with my question whether that was > possible and except for this remark by you nobody has even indicated > that it could be done. Within the OpenPGP spec, there's nothing preventing you. From rjh at sixdemonbag.org Tue Sep 16 00:10:25 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Sep 2014 18:10:25 -0400 Subject: encrypting to expired certificates In-Reply-To: <541761E6.2080401@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> Message-ID: <541763D1.2000100@sixdemonbag.org> > What we do know is that at this time Hauke's correspondent is not in > control of her key, and as a result it's not safe to encrypt content > to it. Minor nit: it is not that we know Hauke's correspondent is not in control of her key -- it is that we do not know if she is. From dougb at dougbarton.us Tue Sep 16 00:24:58 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Mon, 15 Sep 2014 15:24:58 -0700 Subject: encrypting to expired certificates In-Reply-To: <541763D1.2000100@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <541763D1.2000100@sixdemonbag.org> Message-ID: <5417673A.8060705@dougbarton.us> On 9/15/14 3:10 PM, Robert J. Hansen wrote: >> What we do know is that at this time Hauke's correspondent is not in >> control of her key, and as a result it's not safe to encrypt content >> to it. > > Minor nit: it is not that we know Hauke's correspondent is not in > control of her key -- it is that we do not know if she is. In dkg's version of this particular conjecture he said, "his peer doesn't have the means to update the cert's expiration date right now." I think my conclusion, "she does not currently have control of her key" is reasonable, although I admit to a bit of hyperbole in order to make my version of the conjecture seem more dramatic. :) OTOH, what scenario do you envision where not having the means to update the certificate does not translate into not having control of the key, even if on a temporary basis? I'm not saying that the key is compromised ... simply that she does not have access to all the things she needs ("secure" computer, the secret key, etc.) at this time. If you don't call that "not in control" what terminology do you think is more appropriate? Doug From rjh at sixdemonbag.org Tue Sep 16 00:45:00 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Sep 2014 18:45:00 -0400 Subject: encrypting to expired certificates In-Reply-To: <5417673A.8060705@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <137B9D84-2686-4582-9863-871C7FFD55C9@jabberwocky.com> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <541763D1.2000100@sixdemonbag.org> <5417673A.8060705@dougbarton.us> Message-ID: <54176BEC.7090001@sixdemonbag.org> > If you don't call that "not in control" what terminology do you > think is more appropriate? Loss of control breaks continuity of control, and CoC is the sine qua non of certificate management. "She lost control of the cert" ==> CoC is broken, do not use again even if control is re-established "I do not know if she has control of the cert" ==> CoC may be broken, do not use until CoC can be established. From mailinglisten at hauke-laging.de Tue Sep 16 00:59:55 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 16 Sep 2014 00:59:55 +0200 Subject: encrypting to expired certificates In-Reply-To: <541761E6.2080401@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> Message-ID: <2632435.VKDKWAKhLU@inno> On Mon 15.09.2014, 15:02:14, Doug Barton wrote: > I set an expiration date on my key because > I felt there was a legitimate concern that myself, my key, or both > were going to come under the control of a hostile entity. a) What period do you choose for that? A day, a week, a month, a year? b) What prevents this hostile entity from extending the validity period? > Now that > worst case scenario has actually occurred, and it is no longer safe > for anyone to send me encrypted communications using that key. But > HALLELUJAH!, I'm safe because the software honors the spec and will > not allow Hauke to encrypt to my key because it is expired. You are under the control of a hostile entity but you are safe? Lucky you! What would happen in real life? Someone in such a situation (personal safety at risk) would establish a policy for key usage with those contacts who send information to him of which the disclosure might cause severe problems. In other words: Even if GnuPG allowed them to use expired keys (if expiration was considered a security means under this policy) they would not consider using them. On the other hand: Everyone who relies on expiration disabling being enforced (and seriously: Who does? Who even knew before this thread what the exact behaviour of GnuPG is? Not even I did. And I am quite sure that information which not even I have about GnuPG cannot be the base for an expectation motivated rule.) is dangerously stupid. > The point I'm > trying to make is simply that we don't know what we don't know. That does not seem like an argument to me for telling the user what is best for him. 
Hauke -- Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From mailinglisten at hauke-laging.de Tue Sep 16 01:33:23 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 16 Sep 2014 01:33:23 +0200 Subject: encrypting to expired certificates In-Reply-To: <54174454.6060705@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> Message-ID: <8113389.vLy7ak8DNv@inno> On Mon 15.09.2014, 15:56:04, Robert J. Hansen wrote: > There's a half-finished liter of milk in my fridge that's now a week > past its expiration date. (Yes, yes, I'm going to throw it out once I > get home...) > > If you want, feel free to come by. I'll pour you a glass of milk. > After all, an expiration date doesn't mean "don't use this," right? > It's only a number that's to be interpreted according to however > someone wants. It is quite similar to the certificate case. It is (if exceeded) a warning to the user: "Think well before you use it. Don't blame me if you do." And not "I will be really upset if you use it!". For the milk we get here I guess most people would not consider it a problem if it has exceeded its expiration date by one or two days. For other food even weeks or months may not seem dangerous. But you can still access the milk without having to break additional locks. The big difference between food and keys is that you know that food becomes bad. You do not exactly know when. The milk producer cannot make the milk in your fridge good milk by printing a later date on it. For keys this is common. On the other hand I would handle certificates differently if one has expired two weeks ago and the other one two years ago. I would handle them differently if it was the first contact for one and I had regularly (and recently) used the other. > It is not GnuPG's job to set policy That's what I am asking for. > if you really need the ability to > encrypt to expired certificates, go right ahead and do it. It seems that I would have to patch the code for that. 
Beside the fact that this would indeed affect security I do not want a solution for me only but an improvement for the OpenPGP environment. Hauke -- Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From rjh at sixdemonbag.org Tue Sep 16 02:12:51 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Sep 2014 20:12:51 -0400 Subject: encrypting to expired certificates In-Reply-To: <2632435.VKDKWAKhLU@inno> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> Message-ID: <54178083.4030102@sixdemonbag.org> > That does not seem like an argument to me for telling the user what > is best for him. Hauke, this entire argument is what I meant when I talked about gilding the lily repeatedly. If you can find half a dozen *real users* who are being *really impacted* by this, I'd love to hear about them. But so far, all the discussion is so hypothetical that it's hard for me to take it seriously. I get that you view the current situation as in need of changing. I don't agree, and I won't agree until I see six real life users whose usage of GnuPG would be made significantly better by making this change. Until then, all I can do about this 'problem' is yawn. From nicholas.cole at gmail.com Tue Sep 16 07:01:24 2014 
From: nicholas.cole at gmail.com (Nicholas Cole) Date: Tue, 16 Sep 2014 06:01:24 +0100 Subject: encrypting to expired certificates In-Reply-To: <54178083.4030102@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> Message-ID: On Tue, Sep 16, 2014 at 1:12 AM, Robert J. Hansen wrote: >> That does not seem like an argument to me for telling the user what >> is best for him. > > Hauke, this entire argument is what I meant when I talked about gilding > the lily repeatedly. If you can find half a dozen *real users* who are > being *really impacted* by this, I'd love to hear about them. But so > far, all the discussion is so hypothetical that it's hard for me to take > it seriously. > > I get that you view the current situation as in need of changing. I > don't agree, and I won't agree until I see six real life users whose > usage of GnuPG would be made significantly better by making this change. > > Until then, all I can do about this 'problem' is yawn. ^ The six-real-user test should really be applied to all features in all software! Hauke, you make one strong case and one weak one. Yes, I agree that GnuPG already lets you override so many things, why shouldn't it let you override this? It's not exactly logical (though I think that one can reconstruct the logic). But you are on weak ground when you try to say that expiration dates are only a warning, or draw a distinction between 'strong' and 'weak' statements that a key should not be used. That may be how you use them, and it may be that expiry dates on milk are only warnings, but I have always read an 'expiry date' on a key to mean 'Do not use after this date', just like an expiry date on an ID card. Yes, perhaps you do use them in other ways, but still. I can see you've hit a key-management problem. 
That is really the thing that needs fixing, and if easy tools to do that are not available, then they need to be. Robert is right, I think. A little more 'policy', at least in the sense of software assisting a shared sense of good practice, would really help. N. From peter at digitalbrains.com Tue Sep 16 12:13:36 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 12:13:36 +0200 Subject: encrypting to expired certificates In-Reply-To: <54174454.6060705@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> Message-ID: <54180D50.4050808@digitalbrains.com> On 15/09/14 21:56, Robert J. Hansen wrote: > From the plain meaning of the word, "expiration." > > There's a half-finished liter of milk in my fridge that's now a week > past its expiration date. (Yes, yes, I'm going to throw it out once > I get home...) > > If you want, feel free to come by. I'll pour you a glass of milk. > After all, an expiration date doesn't mean "don't use this," right? > It's only a number that's to be interpreted according to however > someone wants. Sure! A week might be a bit much, but if it were 3 or 4 days I'd agree. Starting from slightly before the expiration date to well past, I simply sniff it, pour out a little, look if it is curdling... and if none of those things apply, I happily pour myself some perfect moo juice. A bloody shame to throw it away. You really throw out perfectly good food? Just because someone said "well, given our process variations, even the worst piece, even the milk produced on a hot day and picked up a bit late, would still be okay for one and a half week. To cover our asses, let's say we warrant it for a week"? > In the cases you made, I think GnuPG would be improved by removing > those options. This argument really isn't a winner. Your milk argument is worse. It advocates wasting food, and food is a scarce resource. But the argument that if someone /knows/ the expired key is actually good, he or she should be free to override it, makes a lot of sense to me. Also, I see a tendency to replace: This key is valid until X with: This key is invalid after X Those are not equivalent. 
You might decide that is how you wish to interpret it, but I don't see that interpretation mandated anywhere, and it's certainly not the only reasonable interpretation. David Shaw wrote it as: > 5.2.3.6 defines it as "the validity period of the key". In other > words, after that specified time has elapsed, the key is not valid. I disagree. It says that something is true up to a certain point, it doesn't say it's false afterwards. Otherwise, extending the expiration date would conflict with the old expiration date in a very strict interpretation. Revocations do work like this: it's final. Also, RFC's try to be very explicit. If a term is only named, you can't draw conclusions from meaning just from a common interpretation of the name. I'm pretty darn sure a key is only ever used with a lock, not with another key. Still, we decided to name the thing "key", in straight defiance of common knowledge that you need a lock for a key to be a useful thing. But if you wish to infer meaning from a name anyway, I think an expiration date on food makes perfect sense to infer the opposite of what David is arguing. I interpret it as the date up till which the producer guarantees I can eat or drink it, providing proper storage. After that, I need to use my own nose and common sense to see if it's still okay. I think Hauke makes a pretty good case, although I disagree with the slight titbit: > That is an offline mainkey and he is probably not capable (or > willing) to extend the validity period. If he's not willing to extend the validity period, he doesn't seem to care enough, just send him plaintext already. Not capable, as in, there are more important things he needs to do first before he has time to get out his offline key, I would accept that. But not willing to extend? His problem, not mine. I won't make extra effort then either. But that doesn't diminish his other good arguments. I support inclusion of an override of the expiration date. 
Interpretation of key expiration is policy, not technical or mandated by RFC (AFAIK).

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Tue Sep 16 12:45:09 2014
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 Sep 2014 12:45:09 +0200
Subject: encrypting to expired certificates
In-Reply-To: <54178083.4030102@sixdemonbag.org>
References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org>
Message-ID: <541814B5.1090003@digitalbrains.com>

On 16/09/14 02:12, Robert J. Hansen wrote:
> If you can find half a dozen *real users* who are being *really
> impacted* by this, I'd love to hear about them.

I wanted to encrypt a document to myself on an offline system[1]. However, that copy of my own key was expired, and it wouldn't do it. I was in a bit of a hurry, trying to get things done. Now, I had to get a USB drive, start another computer, export my updated key, and import it on the offline system. If I had --expert followed by yes to an "Are you sure?" prompt, I would have done that and updated the copy when I had more time.

Together with Hauke and his correspondent with the offline main key, you now already have two actual cases, taken from real situations that actually happened. At this rate, we'll be done this week.

> But so far, all the discussion is so hypothetical that it's hard for
> me to take it seriously.

I was slightly baffled by this comment as Hauke actually gave an example that happened in real life. That is a lot more than I usually see when people argue for or against a feature.

You can't argue that these aren't real users. You can't argue it's not a real impact. You can only argue that the impact isn't that big. But that is a long shot from "so hypothetical it's hard to take seriously". I don't understand where that came from.

Peter.

[1] This in the interest of security. You dislike the word, so it's in a footnote to make it less offensive to you ;).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From martin-gnupg-users at dkyb.de Tue Sep 16 12:52:38 2014
From: martin-gnupg-users at dkyb.de (Martin Behrendt)
Date: Tue, 16 Sep 2014 12:52:38 +0200
Subject: encrypting to expired certificates
In-Reply-To: <54180D50.4050808@digitalbrains.com>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com>
Message-ID: <54181676.5050908@dkyb.de>

On 16.09.2014 at 12:13, Peter Lebbing wrote:
> On 15/09/14 21:56, Robert J. Hansen wrote:
>> From the plain meaning of the word, "expiration."
>>
>> There's a half-finished liter of milk in my fridge that's now a week
>> past its expiration date. (Yes, yes, I'm going to throw it out once
>> I get home...)
>>
>> If you want, feel free to come by. I'll pour you a glass of milk.
>> After all, an expiration date doesn't mean "don't use this," right?
>> It's only a number that's to be interpreted according to however
>> someone wants.
>
> Sure! A week might be a bit much, but if it were 3 or 4 days I'd agree.
> Starting from slightly before the expiration date to well past, I simply
> sniff it, pour out a little, look if it is curdling... and if none of
> those things apply, I happily pour myself some perfect moo juice. A
> bloody shame to throw it away. You really throw out perfectly good food?
> Just because someone said "well, given our process variations, even the
> worst piece, even the milk produced on a hot day and picked up a bit
> late, would still be okay for one and a half week. To cover our asses,
> let's say we warrant it for a week"?
>

Just as a side note. The usage of this example is a little unlucky because it has so many traps based on cultural differences. I saw that discussion coming when I read it.

In Germany on food products you will find the word "Expiration Date" which literally means: "Don't eat me after that date."
But there is a discussion to change that because what they are actually meaning in this context is: "I won't change my shape, taste and rigidity till that date." So I guess, people with such a background are a little more open to the interpretation of that phrase.

But as far as I know, in the US it says "Best before" to avoid that confusion and make clear that this product is probably still good, some time after that date.

And I think the same confusion is going on with respect to the expiration date in our context. And I am all for not overloading the meaning of words, so if I read expiration date then for me this is a deadline. If you mean "best before" then I would prefer if people say it like this.

Martin

From emunch at utmi.in Tue Sep 16 14:08:56 2014
From: emunch at utmi.in (Sam M)
Date: Tue, 16 Sep 2014 17:38:56 +0530
Subject: Multiple Subkeys for different Uses
Message-ID:

Hello.

After generating a master key, I generated 3 subkeys, one for encryption, one for signing and one for authentication. Now, when I import the three subkeys into the same (non-default) keyring, only one is showing up in the key listing or when I try and edit the keys.

Is this normal behaviour?

TIA.

Sam

From peter at digitalbrains.com Tue Sep 16 14:21:52 2014
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 Sep 2014 14:21:52 +0200
Subject: encrypting to expired certificates
In-Reply-To: <54181676.5050908@dkyb.de>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de>
Message-ID: <54182B60.2000304@digitalbrains.com>

On 16/09/14 12:52, Martin Behrendt wrote:
> But as far as I know, in the US it says "Best before" to avoid that
> confusion and make clear that this product is probably still good, some
> time after that date.

In the Netherlands, we have both. "Expiration" means the food might be spoiled and you could get sick if you eat it. "Best before" means it might taste less, or have a different texture, simply: it won't be the same quality.

So I'm aware of the difference. Milk definitely has an expiration date. I happily use it beyond that, when it looks good. It's a reasonably apt comparison because it is easy to judge if milk is still good, just like you can confirm out of band that a key is still good.

I'm fully aware that normally, a key shouldn't be used beyond its expiration. But there can be perfectly good reasons to use it anyway, unlike a revoked key. Just like you can send an e-mail encrypted to a key that doesn't bear that e-mail address in its UIDs, because you know the recipient actually has more e-mail addresses than UIDs. This example was, to my surprise, mentioned in this thread as something you shouldn't be allowed to do either.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From emunch at utmi.in Tue Sep 16 14:23:19 2014
From: emunch at utmi.in (Sam M)
Date: Tue, 16 Sep 2014 17:53:19 +0530
Subject: Automated Batch Subkey Creation
In-Reply-To: <87wq97mwjp.fsf@vigenere.g10code.de>
References: <87wq97olon.fsf@vigenere.g10code.de> <9165039.3MGhes33ai@inno> <87wq97mwjp.fsf@vigenere.g10code.de>
Message-ID:

Werner,

Security and encryption is difficult, and users are not usually up to trying to figure out the details. As long as an external audit tells them their information is safe, they are happy. They don't want to go into the details.

I have a particular use case that I have been working on for a B2B site. Thus the interest. But even in my case, once the keys have been generated and distributed, I will not need the scripting.

Thanks all for your help here. I have been able to get Hauke's script working for me.

Another item I wished to automate was the generation of a revocation key, both for the master key as well as subkeys. But this does not seem to be possible. I'm always asked for a passphrase. I'll post this in a separate thread.

Thanks all.

Sam.

On 13 September 2014 19:50, Werner Koch wrote:

> On Sat, 13 Sep 2014 15:19, mailinglisten at hauke-laging.de said:
>
> > Try this (shell code, bash):
>
> That is of course version and configure option specific because it uses
> canned commands. If it works for you, fine but you should be aware of
> that restriction.
>
> Now, is adding a subkey a regular business of gpg users? If we can
> assume that it is used as often as --export-secret-subkeys, I am willing
> to add a --quick-gen-subkey command for 2.1.
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>

From peter at digitalbrains.com Tue Sep 16 14:24:32 2014
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 Sep 2014 14:24:32 +0200
Subject: Multiple Subkeys for different Uses
In-Reply-To:
References:
Message-ID: <54182C00.3030100@digitalbrains.com>

On 16/09/14 14:08, Sam M wrote:
> Now, when I
> import the three subkeys into the same (non-default) keyring, only one
> is showing up in the key listing or when I try and edit the keys.

Could you define "show up", i.e., could you give an example of you trying a command and the output it generates?

HTH,

Peter

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From emunch at utmi.in Tue Sep 16 14:28:51 2014
From: emunch at utmi.in (Sam M)
Date: Tue, 16 Sep 2014 17:58:51 +0530
Subject: Automated Revocation Key Generation
Message-ID:

Hello.

Am trying to generate revocation keys for master/sub keys. But I'm always asked for a password. I'm using the following -

# Canned answers for the --gen-revoke prompts, read via --command-fd 0
touch "revf"
echo "y" >> "revf"
echo "0" >> "revf"
echo "No reason specified" >> "revf"
echo "" >> "revf"
echo "y" >> "revf"
echo >> "revf"
gpg2 --expert --no-default-keyring --secret-keyring $seckey --keyring $pubkey --command-fd 0 --output ${a}.gpg-revocation-certificate --armor --gen-revoke "${a}" < "revf"

This works, but can I automatically provide GPG with a passphrase which it asks for at the end?

TIA.

Sam.

From emunch at utmi.in Tue Sep 16 15:08:42 2014
From: emunch at utmi.in (Sam M)
Date: Tue, 16 Sep 2014 18:38:42 +0530
Subject: Multiple Subkeys for different Uses
In-Reply-To: <54182C00.3030100@digitalbrains.com>
References: <54182C00.3030100@digitalbrains.com>
Message-ID:

I'll try, with the example. Commands are in Courier bold, output in Courier. My notes are in normal font.

*gpg2 --expert --no-default-keyring --secret-keyring $seckey --keyring $pubkey --display-charset utf-8 --command-fd 0 --status-fd 2 --edit A6213A0EC2D5F16F*

Secret key is available.

pub  4096R/A6213A0EC2D5F16F  created: 2014-09-15  expires: never       usage: SCEA
                             trust: unknown       validity: unknown
sub  2048R/8740BCECEE51D37A  created: 2014-09-15  expires: never       usage: SEA
sub  2048R/94A665734DBA1287  created: 2014-09-15  expires: 2016-09-14  usage: E
sub  2048R/BE16484BDA38CCA1  created: 2014-09-15  expires: 2016-09-14  usage: E
sub  2048R/2DBE6F0BEDA58669  created: 2014-09-15  expires: 2016-09-14  usage: S
sub  2048R/64335E67B5441EC7  created: 2014-09-15  expires: 2016-09-14  usage: S
sub  2048R/CAD36405FD140940  created: 2014-09-15  expires: 2016-09-14  usage: A
sub  2048R/1A6033CAA3C19BE3  created: 2014-09-15  expires: 2016-09-14  usage: A
[ unknown] (1).
Test Key (with stupid password)

gpg> toggle

sec  4096R/A6213A0EC2D5F16F  created: 2014-09-15  expires: never
ssb  2048R/8740BCECEE51D37A  created: 2014-09-15  expires: never
ssb  2048R/94A665734DBA1287  created: 2014-09-15  expires: never
ssb  2048R/BE16484BDA38CCA1  created: 2014-09-15  expires: never
ssb  2048R/2DBE6F0BEDA58669  created: 2014-09-15  expires: never
ssb  2048R/64335E67B5441EC7  created: 2014-09-15  expires: never
ssb  2048R/CAD36405FD140940  created: 2014-09-15  expires: never
ssb  2048R/1A6033CAA3C19BE3  created: 2014-09-15  expires: never
(1)  Test Key (with stupid password)

For each of the subkeys of interest, I did the following ("a" being the looping variable) -

*echo "$passphrase" | gpg2 --expert --batch --no-default-keyring --secret-keyring $seckey --keyring $pubkey --display-charset utf-8 --passphrase-fd 0 --export-secret-subkeys --no-tty --armor --export-options export-reset-subkey-passwd ${a}! > ${master_key}.${a}.private.subkeys ; *

This gives me 3 files that I want in a separate keyring (listed below with MD5) -

a5fcd3e138a869d03a2b398e180ab729  A6213A0EC2D5F16F.94A665734DBA1287.private.subkeys
08d137bbdcc956a64cc3a6af8d3ce827  A6213A0EC2D5F16F.2DBE6F0BEDA58669.private.subkeys
c7d6d5a023a09a51e89924ce0f9f0f3d  A6213A0EC2D5F16F.CAD36405FD140940.private.subkeys

I then import these subkeys -

*$ gpg2 --expert --no-default-keyring --secret-keyring ${seckey}.1 --keyring ${pubkey}.1 --import A6213A0EC2D5F16F.94A665734DBA1287.private.subkeys*
gpg: keyring `_keyring.sec.1' created
gpg: keyring `_keyring.pub.1' created
gpg: key A6213A0EC2D5F16F: secret key imported
gpg: key A6213A0EC2D5F16F: public key "Test Key (with stupid password) < test02.testco at tradeboox.net>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1

*$ gpg2 --expert --no-default-keyring --secret-keyring ${seckey}.1 --keyring ${pubkey}.1 --import A6213A0EC2D5F16F.2DBE6F0BEDA58669.private.subkeys*
gpg: key A6213A0EC2D5F16F: already in
secret keyring
gpg: Total number processed: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

*$ gpg2 --expert --no-default-keyring --secret-keyring ${seckey}.1 --keyring ${pubkey}.1 --import A6213A0EC2D5F16F.CAD36405FD140940.private.subkeys*
gpg: key A6213A0EC2D5F16F: already in secret keyring
gpg: Total number processed: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

For the listing, I am expecting to see 3 subkeys, but I'm only seeing one, the very first imported -

*$ gpg2 --expert --no-default-keyring --secret-keyring $seckey.1 --keyring $pubkey.1 --list-keys*
----------------------------------------------------------------------------
pub   4096R/A6213A0EC2D5F16F 2014-09-15
uid       [ unknown] Test Key (with stupid password) < test02.testco at tradeboox.net>
sub   2048R/94A665734DBA1287 2014-09-15 [expires: 2016-09-14]

$ gpg2 --expert --no-default-keyring --secret-keyring $seckey.1 --keyring $pubkey.1 --list-secret-keys
----------------------------------------------------------------------------
sec#  4096R/A6213A0EC2D5F16F 2014-09-15
uid                  Test Key (with stupid password) < test02.testco at tradeboox.net>
ssb   2048R/94A665734DBA1287 2014-09-15

Am I doing something wrong?

Thanks.

Sam

On 16 September 2014 17:54, Peter Lebbing wrote:

> On 16/09/14 14:08, Sam M wrote:
> > Now, when I
> > import the three subkeys into the same (non-default) keyring, only one
> > is showing up in the key listing or when I try and edit the keys.
>
> Could you define "show up", i.e., could you give an example of you
> trying a command and the output it generates?
>
> HTH,
>
> Peter
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at
>

From dkg at fifthhorseman.net Tue Sep 16 15:58:17 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 16 Sep 2014 09:58:17 -0400
Subject: encrypting to expired certificates
In-Reply-To: <541814B5.1090003@digitalbrains.com>
References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com>
Message-ID: <541841F9.1050107@fifthhorseman.net>

On 09/16/2014 06:45 AM, Peter Lebbing wrote:
> On 16/09/14 02:12, Robert J. Hansen wrote:
>> If you can find half a dozen *real users* who are being *really
>> impacted* by this, I'd love to hear about them.
>
> I wanted to encrypt a document to myself on an offline system[1].
> However, that copy of my own key was expired, and it wouldn't do it. I
> was in a bit of a hurry, trying to get things done. Now, I had to get a
> USB drive, start another computer, export my updated key, and import it
> on the offline system. If I had --expert followed by yes to an "Are you
> sure?" prompt, I would have done that and updated the copy when I had
> more time.

I've been in a situation where i'm sitting with a friend, talking about a project we're hoping to work on together, and i wanted to send them confidential information about the project to read later. I know they have an OpenPGP cert, so i fire up an e-mail, only to discover that their cert is expired (they don't use it often, and hadn't noticed). I point it out to them, they blush and say "yeah, that's on my laptop, which is fine, but it's at home. I'll update the expiration date when i get home". Now i have to wait for that to happen, for them to publish the update, for it to propagate on the keyserver network, for me to fetch it, and then finally i can send the mail.

A dangerous flaw? no. But it's one of the thousand papercuts that make it more difficult to use the system than it needs to be.

That's three real-world use cases now.
And i've got another one (this one from last week, actually):

A friend asked me for an introduction to another friend about an employment issue. Both have OpenPGP keys. One of them was expired. I contacted the friend with the expired key via other (admittedly insecure) means and had a chat about the expired key, which they promised to put on their stack of things to do, but they couldn't get to right away (i don't know the details about why they couldn't drop everything else they were doing and update their expiration, but hey, people have things they need to work on, and for many people, just looking up how to extend the expiration date is a major context switch from their regular work).

But the introduction seemed like it was time-sensitive, and needed to go out, so i went ahead and made the introduction in the clear, since i couldn't encrypt the message to both parties. If i could have encrypted to the expired key, i would happily have done that. Instead, I sent the message in the clear.

Of course, i had some other options: i could have mailed an encrypted message to the requester with the other contact's info, and then mailed a cleartext introduction to the one with the expired key; that would have reduced some of the cleartext traffic, at the cost of a more complicated e-mail setup (and broken threading on the eventual replies between the two of them). I could have waited until whatever was blocking the expiration date got cleared up, and then made the introduction. I could have nagged hard to encourage them to update their expiration date. I could have done a little "training" about how to do it so that they were sufficiently annoyed at the interruption in their work that they just copy/pasted the commands i told them to run without thinking about it just to get me to stop.

Maybe some of these choices would have been better than what i ended up doing. But again, a thousand papercuts.
So that's four real-world use cases where the ability to override would have meant easier or more confidential communication.

--dkg

From nicholas.cole at gmail.com Tue Sep 16 16:04:08 2014
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Tue, 16 Sep 2014 15:04:08 +0100
Subject: encrypting to expired certificates
In-Reply-To: <541841F9.1050107@fifthhorseman.net>
References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net>
Message-ID:

Can anyone explain to me why one would want to continue using a key and yet not simply change the expiry date? I really find all of the examples being given to be incredibly contrived. It takes no time at all these days to change the date and distribute the new key. As I've said, if the tools to do this kind of thing easily do not exist, they need to be created.

From rjh at sixdemonbag.org Tue Sep 16 16:16:29 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 16 Sep 2014 10:16:29 -0400
Subject: encrypting to expired certificates
In-Reply-To: <54180D50.4050808@digitalbrains.com>
References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com>
Message-ID: <5418463D.2090602@sixdemonbag.org>

> Sure! A week might be a bit much, but if it were 3 or 4 days I'd
> agree.

Yes, and this is reasonable. My example was against what I saw as Hauke's overly broad "expiration dates don't mean anything except what you project onto them." No, expiration dates *do* mean something, and you've agreed with me here. :)

> A bloody shame to throw it away. You really throw out perfectly good
> food?

As a farm kid, the answer is a resounding "yes, and you should be thanking me."

We raise cattle on my family farm (as well as soybeans, corn, and the like). We've never had a case of Mad Cow, but my family has decided what we'll do if we get such a steer: we'll take the financial hit involved in putting the entire herd down. Sure, 99% of the cattle would be healthy... but we're not willing to take that risk with the food supply. And I think you should be thanking your food providers that we are willing to throw out perfectly good food, simply because we cannot *prove* that it is perfectly good food.

American, European and Australian food supplies are the safest in the world precisely because we throw away so much good food. Can we prove that the food is safe? No? Then we get rid of it.

There's a subtlety there that I think you're missing. Just because something is good doesn't necessarily mean you can prove that it's good... but knowing you *can't* prove that it's good is still enough to tell you what to do.

> But the argument that if someone /knows/ the expired key is actually
> good, he or she should be free to override it, makes a lot of sense
> to me.
It doesn't to me. You're only looking at half the risk-versus-reward equation -- more accurately, you're only looking at the reward half.

Reward: "A small number of users who currently have to jump through hoops to use expired certificates will be able to do so more easily."

Risk: "A large number of users may wind up, through accident, error, or misadventure, disabling expiration checks on certificates."

If you truly need to do this, then I'm just fine with making you jump through hoops if it means not providing casual users with a pistol that's conveniently pre-loaded and pre-aimed at their head.

> Also, I see a tendency to replace:
>
> This key is valid until X
>
> with:
>
> This key is invalid after X
>
> Those are not equivalent.

Correct, but this is sort of quibbling. The most accurate would be, "There is no assurance this certificate is valid, since we are past X in time. Therefore, I will treat it as invalid until the certificate owner makes a new assurance." While I agree that "I will treat this certificate as invalid" is a different thing from "this certificate is invalid," in practice there's not much difference.

> I disagree. It says that something is true up to a certain point, it
> doesn't say it's false afterwards.

True but irrelevant.

I have a smoke detector that uses alien technology to tell me if my house is on fire. My Zarbnulaxian smoke detector (which I picked up at a Zarbnulaxian Best Buy the last time they kidnapped me; next time I'm on Zarbnulax I'm going to grab one of their quantum computers!) doesn't detect smoke -- it determines the truth or falsity of statements, subject to a certain low .01% error rate. It will sometimes certify a true statement as being false, but it will never certify a false statement as being true.

I started off by programming it to test the truth of the statement, "My apartment is on fire." As long as it tells me "The statement 'my apartment is on fire' is false", then I can be confident my house isn't on fire.
Unfortunately, one night my apartment caught fire. That made the statement true, and my smoke detector sometimes certifies true statements as false... so it continued to tell me, "The statement 'my apartment is on fire' is false." I barely got out with my life (and my Zarbnulaxian technology).

So in my new apartment, I set up my Zarbnulaxian smoke detector to test the truth of the statement, "My apartment is not on fire." This statement is usually true, and that means sometimes it tells me (incorrectly), "The statement 'my apartment is not on fire' is false." These false alarms are really annoying, but I also know my Zarbnulaxian smoke detector will *never* fail to detect a fire. After all, if the statement 'my apartment is not on fire' is false, the Zarbnulaxian smoke detector is incapable of erroneously reporting it as true.

The same logic applies to certificates. You think that "the expiration date means the certificate is valid to a given point, not that it is invalid after." Which is true, but misses the point. The point is that the absence of a certification is, itself, enough reason to avoid using a certificate.

> I need to use my own nose and common sense to see if it's still
> okay.

So would you be fine with a restaurant serving you expired milk, if the proprietor says "oh, hey, I used my nose and common sense, and it's okay"?

When you are the only one bearing the consequences of your decisions, a lot more can be justified than when you are asking *other people* to bear the consequences of your decisions. And when you send email encrypted to an expired certificate, you are asking *your recipient* to put the confidentiality of your communication with them entirely in the hands of your judgment about whether their "I no longer certify this for use" statement should be respected.

From dkg at fifthhorseman.net Tue Sep 16 16:26:31 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 16 Sep 2014 10:26:31 -0400
Subject: encrypting to expired certificates
In-Reply-To:
References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net>
Message-ID: <54184897.1010603@fifthhorseman.net>

On 09/16/2014 10:04 AM, Nicholas Cole wrote:
> Can anyone explain to me why one would want to continue using a key
> and yet not simply change the expiry date? I really find all of the
> examples being given to be incredibly contrived.

"incredibly contrived" suggests that the people who are reporting the scenarios have made them up. I did not make up either example, and i doubt that Peter or Hauke did either. They simply happened, and we experienced them and are reporting them. Do you really think any of us made them up?

> It takes no time at
> all these days to change the date and distribute the new key.

Yes, it is trivial to update the expiration and publish it if (a) you know how, and (b) you don't have an offline master key. In fact, for updating the primary key, it is just:

  gpg --edit-key $PGPID expire
  gpg --send-key $PGPID

But sometimes, it is the encryption-capable subkey that is the thing that expired. in that case, it's a little bit more complex:

  gpg --edit-key $PGPID
  gpg> key 1
  gpg> expire
  gpg> save
  gpg --send-key $PGPID

of course, it might be "key 2" or something else if you have more than one subkey.

i've definitely seen people update their primary key's expiration date and fail to update the expiration date of their subkey, so they have a valid cert, but it still can't be used for encryption. So they have to go back and do the second step later, after a poke from someone more knowledgeable about OpenPGP who figures out why no one can encrypt messages to them.
Is it getting complicated enough yet for you to believe these real-world reports?

The cost is not just the time to do it, it's the time to:

 0) understand what needs to be done
 1) figure out the interface to do it

This is non-trivial, for most people: the context switch alone from "regular work" to "thinking about key management" is expensive and distracting. And it is also scary -- people who understand a little about key management have probably heard that if you screw it up, you can screw up pretty big, in unrecoverable ways. So there are both cognitive and emotional barriers to overcome, in addition to the time it takes.

> As I've
> said, if the tools to do this kind of thing easily do not exist, they
> need to be created.

Do you know of any tools that do this easily for users who don't already think about key management daily? I don't, unfortunately. And even if they exist, some people might not have access to them.

I'm all for building those friendly key-management tools, i would love to see them. But we need to also let people use the tools we have in light of real-world scenarios.

--dkg

From rjh at sixdemonbag.org Tue Sep 16 16:31:23 2014
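The case Daniel Kahn Gillmor describes above, a certificate whose primary key expiration was extended while the encryption subkey's was not, can be found mechanically in GnuPG's `--with-colons` key listing. The following is an added example, not part of the original thread or of GnuPG; the function names, key IDs and sample listing are constructed, and it assumes the expiry field (field 7) is given in epoch seconds.

```shell
#!/bin/sh
# Classify each certificate in a `gpg --with-colons --list-keys` listing:
#   ok                          usable primary and at least one usable
#                               encryption-capable key
#   no-usable-encryption-key    primary is fine, but every key with the
#                               "e" capability is expired or revoked
#   primary-expired-or-revoked  the primary key itself is unusable
#
# Fields used (colon format): 1 record type, 2 validity, 5 key ID,
# 7 expiration date, 12 capabilities. The reference time is an argument,
# so the same check answers "what will have lapsed by date X".
audit_encryption_expiry() {
    awk -F: -v now="$1" '
    # A key is unusable if flagged invalid/disabled/revoked/expired,
    # or if its expiry timestamp is not after the reference time.
    function unusable(validity, ts) {
        return (validity ~ /^[idre]$/) || (ts != "" && ts + 0 <= now + 0)
    }
    function emit() {
        if (keyid == "") return
        if (primary_bad)       status = "primary-expired-or-revoked"
        else if (!can_encrypt) status = "no-usable-encryption-key"
        else                   status = "ok"
        print keyid, status
    }
    $1 == "pub" {
        emit()
        keyid = $5
        primary_bad = unusable($2, $7)
        # lowercase "e" in field 12 = the primary itself can encrypt
        can_encrypt = (!primary_bad && $12 ~ /e/)
    }
    $1 == "sub" {
        if (!primary_bad && $12 ~ /e/ && !unusable($2, $7)) can_encrypt = 1
    }
    END { emit() }
    '
}

# Constructed sample listing (not real keys):
#   A: primary expiry extended, encryption subkey left expired
#   B: primary key itself expired
#   C: one revoked encryption subkey, one still valid
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1410739200:1600000000::-:::scSC:
uid:-::::1410739200::::Constructed Key A:
sub:-:2048:1:AAAAAAAAAAAAAAA1:1410739200:1420000000:::::e:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1410739200:1450000000::-:::scSC:
uid:-::::1410739200::::Constructed Key B:
sub:-:2048:1:BBBBBBBBBBBBBBB1:1410739200:1600000000:::::e:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1410739200:::-:::scSC:
uid:-::::1410739200::::Constructed Key C:
sub:r:2048:1:CCCCCCCCCCCCCCC1:1410739200::::::e:
sub:-:2048:1:CCCCCCCCCCCCCCC2:1410739200:1600000000:::::e:
EOF
}

# Demo against a fixed reference time; on a real keyring one would run
#   gpg --with-colons --list-keys | audit_encryption_expiry "$(date +%s)"
sample_listing | audit_encryption_expiry 1500000000
```

Passing a reference time some weeks in the future turns the same function into an early warning for keys about to lapse.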
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 16 Sep 2014 10:31:23 -0400
Subject: encrypting to expired certificates
In-Reply-To: <541814B5.1090003@digitalbrains.com>
References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com>
Message-ID: <541849BB.3080600@sixdemonbag.org>

> I wanted to encrypt a document to myself on an offline system[1].
> However, that copy of my own key was expired, and it wouldn't do it. I
> was in a bit of a hurry, trying to get things done. Now, I had to get a
> USB drive, start another computer, export my updated key, and import it
> on the offline system. If I had --expert followed by yes to an "Are you
> sure?" prompt, I would have done that and updated the copy when I had
> more time.

And how much impact did this really have on you? What was to prevent you from using symmetric encryption? It's not as if you don't have a secure communication channel with yourself over which a symmetric key can be negotiated.

I've had the exact same situation before. My solution was to use symmetric encryption using a strong passphrase -- a few lines of "The God Forsakes Antony" by Cavafy, if memory serves.[1]

> Together with Hauke and his correspondent with the offline main key, you
> now already have two actual cases, taken from real situations that
> actually happened. At this rate, we'll be done this week.

We have one person who has had minimal impact and for whom an easy workaround exists, and we have Hauke's case.

I'm not asking to see six real users who are really impacted for no reason, Peter. I'm asking because this dramatically cuts down on bikeshedding and lets us prioritize things. If encryption with Elgamal keys suddenly breaks, okay, thousands of users are affected in a critical way for which no easy mitigation exists: that's something that should be fixed immediately.
But the lack of a flag to allow people to ignore the expiration date? I'm not seeing a large number of users who are facing serious impacts because of this. > I was slightly baffled by this comment as Hauke actually gave an example > that happened in real life. That is a lot more than I usually see when > people argue for or against a feature. And I am overwhelmingly against those feature requests, too. > You can't argue that these aren't real users. You can't argue it's not a > real impact. Sure I can. You weren't really impacted by it. You had easy mitigations available to you. [1] A particularly beautiful poem by the Greek poet Constantin Cavafy, inspired by the legend of Mark Antony realizing he was destined to lose the city of Alexandria when he saw Bacchus and his entourage depart the city. It's not particularly germane to this discussion, but -- well. It is beautiful, and what the hell: beauty ought be shared. :) If unexpectedly, in middle night, an unseen company be heard to pass, with music and with voices exquisite -- turn not away and uselessly lament your fortune that is giving in, your work that came to nothing, the projects of your life that proved illusory from first to last. As one prepared long since, as fits the brave, bid now farewell to the departing city, farewell to the Alexandria you love. And above all, do not deceive yourself: say not that your impression was a dream, that, it may be, your hearing played you false: to futile hopes like these never descend. As one prepared long since, as fits the brave, as most fits you who gained so great a city, approach the open window steadily, and with emotion, but without the plaints and supplications of the timorous, listen -- knowing it to be your last delight -- listen to the Elysian sounds, the exquisite instruments of the mystic company; and bid farewell to the city you are losing, farewell to the Alexandria you love. From dkg at fifthhorseman.net Tue Sep 16 16:31:36 2014 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 16 Sep 2014 10:31:36 -0400 Subject: Automated Revocation Key Generation In-Reply-To: References: Message-ID: <541849C8.5030302@fifthhorseman.net> On 09/16/2014 08:28 AM, Sam M wrote: > > This works, but can I automatically provide GPG with a passphrase which it > asks for at the end? You probably want to look into the --batch and --passphrase-fd or --passphrase or --passphrase-file options. Regards, --dkg From wk at gnupg.org Tue Sep 16 16:29:10 2014 
From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 16:29:10 +0200 Subject: encrypting to expired certificates In-Reply-To: <54175FE7.6080306@dougbarton.us> (Doug Barton's message of "Mon, 15 Sep 2014 14:53:43 -0700") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54173C92.2000709@dougbarton.us> <87fvfslgnl.fsf@vigenere.g10code.de> <54175FE7.6080306@dougbarton.us> Message-ID: <87r3zbk5ah.fsf@vigenere.g10code.de> On Mon, 15 Sep 2014 23:53, dougb at dougbarton.us said: >> Actually the semantics of an expired (sub)key may come from the 1999 or >> so idea of adding features to mitigate the effect of the UK RIP act (or >> whatever it is called now). > > Wow, blast from the past. :) It's not clear to me how you're tying > those 2 things together though. Ben Laurie wrote an I-D to add forward secrecy to OpenPGP. It is possible that I did some changes to the subkey expiry mechanism as a first step to implement that (I can't remember and would need to spend time reading ChangeLogs and mails). The idea was to have a rolling subkey, a fresh one each month, you keep the subkeys for the last two months online, and delete older subkeys. Then if the --show-session-key stuff won't be accepted by the bobby asking for the key for a certain message, you could claim that you have only keys for the last two months (or weeks) and that the software deletes all older stuff. Never fully implemented, though. > Frankly I wish the option had never been added to the spec, but > (thankfully) I'm not in charge. :) I like the expiration date because it somehow helps against forgotten passphrases (although it is questionable, that those who know about expiration dates will forget passphrases) and lost secret keys. But it is indeed an advanced topic. A feature request could be to remove the expiration time prompt when not in expert mode. 
OTOH, only experts use the command line and yes, the GUIs may do without the expiration time. I will consider this for GPA. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Sep 16 16:41:23 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 16:41:23 +0200 Subject: encrypting to expired certificates In-Reply-To: <54181676.5050908@dkyb.de> (Martin Behrendt's message of "Tue, 16 Sep 2014 12:52:38 +0200") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> Message-ID: <87mw9zk4q4.fsf@vigenere.g10code.de> On Tue, 16 Sep 2014 12:52, martin-gnupg-users at dkyb.de said: > In Germany on food products you will find the word "Expiration Date" > which literally means: "Don't eat me after that date." But there is a Actually you find "mindestens haltbar bis DATE" which literally means "at least stable/durable until DATE". It is the guarantee promise from the vendor. Which would actually support Hauke. To put this discussion to an end, he may simply do a jump to the left and put the option --faked-system-time ISODATESTRING on his command line. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From nicholas.cole at gmail.com Tue Sep 16 17:01:27 2014 
From: nicholas.cole at gmail.com (Nicholas Cole) Date: Tue, 16 Sep 2014 16:01:27 +0100 Subject: encrypting to expired certificates In-Reply-To: <20140916142128.GF22155@straylight.m.ringlet.net> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> <20140916142128.GF22155@straylight.m.ringlet.net> Message-ID: On Tuesday, 16 September 2014, Peter Pentchev wrote: > On Tue, Sep 16, 2014 at 03:04:08PM +0100, Nicholas Cole wrote: > > Can anyone explain to me why one would want to continue using a key > > and yet not simply change the expiry date? I really find all of the > > examples being given to be incredibly contrived. > > Uhm, are you sure that you really mean to say "incredibly contrived" as > in "you guys must have tried your imagination really hard to come up > with these examples, none of which will happen in the real world", or do > you really mean "highly unlikely except in isolated use cases"? Because > what people are showing you are real use cases, ones that have happened > with real people in the real world. "Unlikely" and "isolated", yes, but > I wouldn't use "contrived" in this case. > I apologise for my poor choice of language. From emunch at utmi.in Tue Sep 16 17:06:03 2014 
From: emunch at utmi.in (Sam M) Date: Tue, 16 Sep 2014 20:36:03 +0530 Subject: Automated Revocation Key Generation In-Reply-To: <541849C8.5030302@fifthhorseman.net> References: <541849C8.5030302@fifthhorseman.net> Message-ID: --batch cannot be used when generating revocation keys, and --password-file and --password-fd are only usable with --batch. On 16 September 2014 20:01, Daniel Kahn Gillmor wrote: > On 09/16/2014 08:28 AM, Sam M wrote: > > > > This works, but can I automatically provide GPG with a passphrase which > it > > asks for at the end? > > You probably want to look into the --batch and --passphrase-fd or > --passphrase or --passphrase-file options. > > Regards, > > --dkg > > From roam at ringlet.net Tue Sep 16 17:04:41 2014 
From: roam at ringlet.net (Peter Pentchev) Date: Tue, 16 Sep 2014 18:04:41 +0300 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> <20140916142128.GF22155@straylight.m.ringlet.net> Message-ID: <20140916150441.GG22155@straylight.m.ringlet.net> On Tue, Sep 16, 2014 at 04:01:27PM +0100, Nicholas Cole wrote: > On Tuesday, 16 September 2014, Peter Pentchev wrote: > > > On Tue, Sep 16, 2014 at 03:04:08PM +0100, Nicholas Cole wrote: > > > Can anyone explain to me why one would want to continue using a key > > > and yet not simply change the expiry date? I really find all of the > > > examples being given to be incredibly contrived. > > > > Uhm, are you sure that you really mean to say "incredibly contrived" as > > in "you guys must have tried your imagination really hard to come up > > with these examples, none of which will happen in the real world", or do > > you really mean "highly unlikely except in isolated use cases"? Because > > what people are showing you are real use cases, ones that have happened > > with real people in the real world. "Unlikely" and "isolated", yes, but > > I wouldn't use "contrived" in this case. > > > > I apologise for my poor choice of language. Uh, and come to think of it, I'm truly sorry if the above sounded a bit harsh. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 From roam at ringlet.net Tue Sep 16 16:21:28 2014 
From: roam at ringlet.net (Peter Pentchev) Date: Tue, 16 Sep 2014 17:21:28 +0300 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> Message-ID: <20140916142128.GF22155@straylight.m.ringlet.net> On Tue, Sep 16, 2014 at 03:04:08PM +0100, Nicholas Cole wrote: > Can anyone explain to me why one would want to continue using a key > and yet not simply change the expiry date? I really find all of the > examples being given to be incredibly contrived. Uhm, are you sure that you really mean to say "incredibly contrived" as in "you guys must have tried your imagination really hard to come up with these examples, none of which will happen in the real world", or do you really mean "highly unlikely except in isolated use cases"? Because what people are showing you are real use cases, ones that have happened with real people in the real world. "Unlikely" and "isolated", yes, but I wouldn't use "contrived" in this case. > It takes no time at > all these days to change the date and distribute the new key. As I've > said, if the tools to do this kind of thing easily do not exist, they > need to be created. The tools exist. The issue - in most of the cases here - is that sometimes people don't use all their PGP keys all the time and sometimes it may happen that a key will be unused for months and the owner will honestly not notice that (the system that the key resides on may not even have been powered up for months). G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 From martin-gnupg-users at dkyb.de Tue Sep 16 17:44:10 2014 
From: martin-gnupg-users at dkyb.de (Martin Behrendt) Date: Tue, 16 Sep 2014 17:44:10 +0200 Subject: encrypting to expired certificates In-Reply-To: <87mw9zk4q4.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> Message-ID: <54185ACA.9030102@dkyb.de> On 16.09.2014 at 16:41, Werner Koch wrote: > On Tue, 16 Sep 2014 12:52, martin-gnupg-users at dkyb.de said: > >> In Germany on food products you will find the word "Expiration Date" >> which literally means: "Don't eat me after that date." But there is a > > Actually you find "mindestens haltbar bis DATE" which literally means > "at least stable/durable until DATE". It is the guarantee promise from > the vendor. Which would actually support Hauke. > > To put this discussion to an end, he may simply do a jump to the left > and put the option --faked-system-time ISODATESTRING on his command > line. > Oops, yeah, you are right, my bad. But that doesn't change my point, that "expiration date" is something else than "best before" or "best used until". So if an enforced "expiration date" does not make sense, I would prefer to rename it to any of the other options and then allow sending encrypted messages to these keys. Until then your solution should work, too. :) From dougb at dougbarton.us Tue Sep 16 17:59:58 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 08:59:58 -0700 Subject: encrypting to expired certificates In-Reply-To: <541841F9.1050107@fifthhorseman.net> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> Message-ID: <54185E7E.1050501@dougbarton.us> On 9/16/14 6:58 AM, Daniel Kahn Gillmor wrote: > I've been in a situation where i'm sitting with a friend, talking about > a project we're hoping to work on together, and i wanted to send them > confidential information about the project to read later. I know they > have an OpenPGP cert, so i fire up an e-mail, only to discover that > their cert is expired (they don't use it often, and hadn't noticed). > > I point it out to them, they blush and say "yeah, that's on my laptop, > which is fine, but it's at home. I'll update the expiration date when i > get home". I agree with Robert that symmetric encryption is your best bet, given that you're sitting right there. Meanwhile, all of the real world cases listed so far involve people who have mismanaged their keys by not updating their expiration date. I'm not sure that adding features to make that situation less painful is the right direction to move. I do like Werner's idea of moving the expiration date to the expert menu. That would give us less instances of users twisting a knob just because it's there. Doug From mailinglisten at hauke-laging.de Tue Sep 16 18:06:29 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 16 Sep 2014 18:06:29 +0200 Subject: Multiple Subkeys for different Uses In-Reply-To: References: <54182C00.3030100@digitalbrains.com> Message-ID: <10692839.eX5UhdYicT@inno> On Tue 16.09.2014, 18:38:42, Sam M wrote: > For each of the subkeys of interest, I did the following ("a" being > the looping variable) - > --export-secret-subkeys > This gives me 3 files that I want in a separate keyring (listed below > with MD5) - > > a5fcd3e138a869d03a2b398e180ab729 > A6213A0EC2D5F16F.94A665734DBA1287.private.subkeys > 08d137bbdcc956a64cc3a6af8d3ce827 > A6213A0EC2D5F16F.2DBE6F0BEDA58669.private.subkeys > c7d6d5a023a09a51e89924ce0f9f0f3d > A6213A0EC2D5F16F.CAD36405FD140940.private.subkeys > > > I then import these subkeys - And that's the point: For some (strange...) reason it is impossible in 1.4.x and 2.0.x to import secret key parts if there are already secret key parts. You can combine those files to a single file though and import them at once. You need binary files (without --armor) and the command gpgsplit for that. Then you just combine the needed parts with cat to a new file and import that. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From peter at digitalbrains.com Tue Sep 16 18:12:12 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 18:12:12 +0200 Subject: Multiple Subkeys for different Uses In-Reply-To: References: <54182C00.3030100@digitalbrains.com> Message-ID: <5418615C.6060504@digitalbrains.com> On 16/09/14 15:08, Sam M wrote: > Am I doing something wrong? Not really. But GnuPG currently can't update a secret key; so it listens the first time you tell it to import, which gets you one subkey. All subsequent times, it doesn't change what it already has. It would work if you did this with just the public key (I think). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From sam.mxracer at gmail.com Tue Sep 16 18:12:22 2014 
From: sam.mxracer at gmail.com (Sam Gleske) Date: Tue, 16 Sep 2014 12:12:22 -0400 Subject: encrypting to expired certificates In-Reply-To: <54182B60.2000304@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <54182B60.2000304@digitalbrains.com> Message-ID: This is a resent because I accidentally mailed Peter Lebbing directly without the mailing list. Allow me to lay to rest all the confusion in this thread. On Tue, Sep 16, 2014 at 6:45 AM, Peter Lebbing wrote: > I wanted to encrypt a document to myself on an offline system[1]. > However, that copy of my own key was expired, and it wouldn't do it. I > was in a bit of a hurry, trying to get things done. Now, I had to get a > USB drive, start another computer, export my updated key, and import it > on the offline system. If I had --expert followed by yes to an "Are you > sure?" prompt, I would have done that and updated the copy when I had > more time. > Not really sure where you're going with this. It has already been *established* that if you're the key owner you can adjust the expiration date of the key. I think there's a lot of confusion around the intention of a floating expiration here. Expiring keys have the following function: Expiring local copies of public keys on other peoples' computers to force them to get a public key update from the owner. That is to say that if I have Peter Lebbing's public key and it has expired that means I must reach out to Peter Lebbing for the latest copy of the public key of the exact same fingerprint. Expiration in this context does not mean the key is forever invalid. It means that *my copy* is invalid until I get a more recent update from Peter Lebbing. That just means Peter Lebbing would have changed the expiration date of his public key and extended it. 
So when I get his new expiration date that is the time in which I must reach out to him next for another public key update of the same fingerprint. This protects both the key owner and correspondent in a couple ways. 1) If I have an expired key and I check to see what the latest key is of Peter Lebbing, he may have revoked it. In this case it forced me to go out and check and see that it was revoked so I *must* not use this key again. He can give me his new key with proper WoT validation. 2) If Peter Lebbing as a key owner loses his key and my local public key of Peter Lebbing expires then the next time I reach out to Peter Lebbing for the latest key copy he can tell me he, in fact, lost the key and give me a new one with proper WoT validation. To bring this full circle: the expiration date's purpose is to force users of any public key to periodically check with the key owner that the public key is still valid. RESOLUTION So if a key is expired I *must* not encrypt with it. I *should* instead reach out to the key owner and ask for their latest public key of the same fingerprint which would have a new adjusted expiration date. This ensures I'm not encrypting to a compromised key, a revoked key, or a key in which the owner lost the private key. If you're the owner of a key that has an expired date, you *should* extend it to allow further use of the key by your contacts. If you decide you don't want to use the key any longer then you *should* revoke the key. If you accidentally lose your key then no worries, because eventually it will expire and nobody could encrypt to it even if they wanted to. Hope this helps, SAM -- GPG FINGERPRINT 4096 KEY 8D8B F0E2 42D8 A068 572E BF3C E8F7 3234 7257 E65F https://keybase.io/samrocketman From vedaal at nym.hush.com Tue Sep 16 18:15:12 2014 
From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 16 Sep 2014 12:15:12 -0400 Subject: encrypting to expired certificates In-Reply-To: <87mw9zk4q4.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> Message-ID: <20140916161512.3F402601F0@smtp.hushmail.com> On 9/16/2014 at 10:51 AM, "Werner Koch" wrote: >To put this discussion to an end, he may simply do a jump to the >left >and put the option --faked-system-time ISODATESTRING on his command >line. ===== Does this work on GnuPG 1.4.x ? GnuPG (1.4.16) gives me the following error: gpg: Invalid option "--faked-system-time" vedaal From wk at gnupg.org Tue Sep 16 18:22:25 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 18:22:25 +0200 Subject: encrypting to expired certificates In-Reply-To: <54185ACA.9030102@dkyb.de> (Martin Behrendt's message of "Tue, 16 Sep 2014 17:44:10 +0200") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <54185ACA.9030102@dkyb.de> Message-ID: <87vbonh6wu.fsf@vigenere.g10code.de> On Tue, 16 Sep 2014 17:44, martin-gnupg-users at dkyb.de said: > until". So if an enforced "expiration date" does not make sense, I would > prefer to rename it to any of the other options and than allow sending I doubt that it makes sense to add an extra option for a rare corner use case. There are more often no keys at all than expired keys. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Sep 16 18:26:32 2014 
From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 18:26:32 +0200 Subject: encrypting to expired certificates In-Reply-To: <54184897.1010603@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 16 Sep 2014 10:26:31 -0400") References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> <54184897.1010603@fifthhorseman.net> Message-ID: <87d2avh6pz.fsf@vigenere.g10code.de> On Tue, 16 Sep 2014 16:26, dkg at fifthhorseman.net said: > i've definitely seen people update their primary key's expiration date > and fail to update the expiration date of their subkey, so they have a > valid cert, but it still can't be used for encryption. So they have to There needs to be a warning in this case. Can you please file a bug? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mailinglisten at hauke-laging.de Tue Sep 16 18:37:38 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 16 Sep 2014 18:37:38 +0200 Subject: Automated Revocation Key Generation In-Reply-To: References: <541849C8.5030302@fifthhorseman.net> Message-ID: <2079158.8HZXrWDnbC@inno> On Tue 16.09.2014, 20:36:03, Sam M wrote: > --batch cannot be used when generating revocation keys, and > --password-file and --password-fd are only usable with --batch. You can use the "echo ... | gpg ... --command-fd" part you know from my script in order to delete the passphrase (and add it afterwards). Without a passphrase there should not be a problem even without --batch. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From emunch at utmi.in Tue Sep 16 18:47:12 2014 
From: emunch at utmi.in (Sam M) Date: Tue, 16 Sep 2014 22:17:12 +0530 Subject: Automated Revocation Key Generation In-Reply-To: <2079158.8HZXrWDnbC@inno> References: <541849C8.5030302@fifthhorseman.net> <2079158.8HZXrWDnbC@inno> Message-ID: Huh? I'm sorry, but that went WAY above my head. :) OK let me try generating keys w/o passphrase and see if it works. Thanks. On 16 September 2014 22:07, Hauke Laging wrote: > On Tue 16.09.2014, 20:36:03, Sam M wrote: > > --batch cannot be used when generating revocation keys, and > > --password-file and --password-fd are only usable with --batch. > > You can use the "echo ... | gpg ... --command-fd" part you know from my > script in order to delete the passphrase (and add it afterwards). > Without a passphrase there should not be a problem even without --batch. > > > Hauke > -- > Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ > http://userbase.kde.org/Concepts/OpenPGP_Help_Spread > OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 > From peter at digitalbrains.com Tue Sep 16 18:53:53 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 18:53:53 +0200 Subject: encrypting to expired certificates In-Reply-To: <541849BB.3080600@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> Message-ID: <54186B21.4050501@digitalbrains.com> On 16/09/14 16:31, Robert J. Hansen wrote: > And how much impact did this really have on you? What was to prevent > you from using symmetric encryption? It's not as if you don't have a > secure communication channel with yourself over which a symmetric key > can be negotiated. Because I was archiving the file for later use and I had no desire to come up with a good passphrase and try to remember it for I don't know how long. > You can't argue that these aren't real users. You can't argue it's not a >> real impact. > > Sure I can. You weren't really impacted by it. You had easy > mitigations available to you. Ouch, that's really selective quoting you're doing. In one day you object to people misunderstanding what you say and twist the words of another. The very next sentence handles exactly this: how large the impact is. In that context, I was clearly referring to "real" as in "existing" not as in "significant", and you know it. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dougb at dougbarton.us Tue Sep 16 19:06:47 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 10:06:47 -0700 Subject: encrypting to expired certificates In-Reply-To: <87d2avh6pz.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> <54184897.1010603@fifthhorseman.net> <87d2avh6pz.fsf@vigenere.g10code.de> Message-ID: <54186E27.5060307@dougbarton.us> On 9/16/14 9:26 AM, Werner Koch wrote: > On Tue, 16 Sep 2014 16:26, dkg at fifthhorseman.net said: > >> i've definitely seen people update their primary key's expiration date >> and fail to update the expiration date of their subkey, so they have a >> valid cert, but it still can't be used for encryption. So they have to > > There needs to be warning in this case. Can you please file a bug? FWIW, I recently experienced that myself. The combination of knobs needed to select both the primary and the encryption sub key for updating the expiration was not intuitive, and I was quite surprised to see that when I updated the expiration date the first time that the subkey was not also updated. In fact I would not have known that at all if I hadn't done 'list-keys' after I edited the key just to be sure. Doug (It's only paranoia if they're not actually out to get you) :) From peter at digitalbrains.com Tue Sep 16 19:16:07 2014 
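The state described in the messages above (primary key's expiration extended, encryption subkey left expired, so the certificate is valid but cannot be encrypted to) can be detected from GnuPG's colon listing. The following is an added example, not code from any poster or from GnuPG: the sample listing, key IDs and status names are constructed, and it assumes the listing was produced with `--with-colons --fixed-list-mode` so that field 7 holds epoch seconds. It also reports certificates whose primary key itself has lapsed.

```python
"""Audit a GnuPG colon listing for certificates nobody can encrypt to."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like `gpg --with-colons --fixed-list-mode --list-keys`
# output. Key IDs, user IDs and dates are invented for this example.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAA1:1356998400:1451606400::-:::scSC:
uid:-::::1356998400::0000::Alice Example <alice@example.org>:
sub:e:4096:1:AAAAAAAAAAAAAAA2:1356998400:1404172800:::::e:
pub:-:2048:1:BBBBBBBBBBBBBBB1:1356998400:::-:::scESC:
uid:-::::1356998400::0000::Bob Example <bob@example.org>:
sub:e:2048:1:BBBBBBBBBBBBBBB2:1356998400:1388534400:::::e:
sub:-:2048:1:BBBBBBBBBBBBBBB3:1388534400::::::e:
pub:e:2048:1:CCCCCCCCCCCCCCC1:1262304000:1388534400::-:::sc:
uid:e::::1262304000::0000::Carol Example <carol@example.org>:
sub:e:2048:1:CCCCCCCCCCCCCCC2:1262304000:1388534400:::::e:
"""


@dataclass
class Key:
    keyid: str               # field 5
    validity: str            # field 2: gpg's verdict at the time of the listing
    expires: Optional[int]   # field 7: epoch seconds, None if the key never expires
    caps: str                # field 12: capability letters

    def usable_at(self, now: int) -> bool:
        # Revoked, disabled and invalid keys stay unusable whatever the date.
        if self.validity in ("r", "d", "i"):
            return False
        # Expiry is recomputed from the timestamp so any point in time can be
        # checked, not only the moment the listing was produced.
        return self.expires is None or self.expires > now


@dataclass
class Cert:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)


def parse_listing(text: str) -> List[Cert]:
    """Group pub/sub records into certificates; other record types are skipped."""
    certs: List[Cert] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if f[6] and not f[6].isdigit():
            raise ValueError("expiry is not epoch seconds; use --fixed-list-mode")
        key = Key(f[4], f[1], int(f[6]) if f[6] else None, f[11])
        if f[0] == "pub":
            certs.append(Cert(primary=key))
        elif certs:
            certs[-1].subkeys.append(key)
    return certs


def classify(cert: Cert, now: int) -> str:
    if not cert.primary.usable_at(now):
        return "primary-unusable"
    # Lowercase 'e' marks a key that can itself encrypt. The uppercase letters
    # on a pub record summarise the whole certificate and are ignored here.
    candidates = [k for k in [cert.primary] + cert.subkeys if "e" in k.caps]
    if not candidates:
        return "no-encryption-key"
    if any(k.usable_at(now) for k in candidates):
        return "ok"
    # Valid primary, but every encryption-capable key has lapsed.
    return "encryption-unusable"


def audit(text: str, now: int) -> Dict[str, str]:
    """Map each primary key ID to its status at time `now` (epoch seconds)."""
    return {c.primary.keyid: classify(c, now) for c in parse_listing(text)}


if __name__ == "__main__":
    import time
    for keyid, status in audit(SAMPLE_LISTING, int(time.time())).items():
        print(keyid, status)
```

A rolled-over subkey (the constructed Bob certificate) counts as fine as long as one encryption subkey is still current.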
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 19:16:07 +0200 Subject: encrypting to expired certificates In-Reply-To: <5418463D.2090602@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <5418463D.2090602@sixdemonbag.org> Message-ID: <54187057.4080008@digitalbrains.com> On 16/09/14 16:16, Robert J. Hansen wrote: > As a farm kid, the answer is a resounding "yes, and you should be > thanking me." > American, European and Australian food supplies are the safest in > the world precisely because we throw away so much good food. Can we > prove that the food is safe? No? Then we get rid of it. Utter nonsense. I'm not advocating putting an expiry date on something beyond what you can reasonably "guarantee" (in practice, milk sometimes curdles before the expiration date, even though I sure didn't leave it out of the fridge. Or fruit rots). I'm advocating that you judge what you put in your mouth based on your own common sense. This may be a cultural thing; I think they might care less about waste of scarce resources in the US, but to me it is offensive to suggest you should throw out perfectly good food or food with a few minor spots that you can cut out. I certainly wasn't raised that way. It's illegal to sell or even give out food that is past its expiry date. Once it's in my fridge, I will decide whether I will eat it or not. And that you appeal to authority and say I should take food health and safety advice from you because you were raised on a farm... well... let's just say it's a bit silly. Let's keep it at that. By the way, if stuff regularly exceeds the expiration date in your home, you should buy smaller portions, not throw out more. That's advice from someone who isn't exactly a city boy but a farm boy neither. 
But back on topic: It was claimed that an expiry date should be seen as a hard deadline. It was claimed that this was in the very word itself, as can be seen in food and drinks expiry dates. I strongly state that this is a very poor basis to conclude that on, because an expiry date on food is certainly not commonly and largely viewed as a hard deadline for consumption. Maybe in some cultures, but I don't see a list of cultures used during drafting the RFC among the references. > There's a subtlety there that I think you're missing. Just because > something is good doesn't necessarily mean you can prove that it's > good... but knowing you *can't* prove that it's good is still enough > to tell you what to do. I missed no such thing. I think you're missing what a supermarket is allowed to sell or give away and what I'm allowed to eat. > Risk: "A large number of users may wind up, through accident, > error, or misadventure, disabling expiration checks on > certificates." Yes, because GnuPG surely knows better that even if it warns the user with some capitals and asterisks and requires them to type 'yes', that still, the user is probably too dumb to be reasonable about this. I thought you yawned over this feature. It looks more like a growl. > Correct, but this is sort of quibbling. Opposing because of the addition of a really minor risk of misconfiguration (who said anything about it being a persistent option?), that's quibbling. > "There is no assurance this certificate is valid, since we are past X > in time. Therefore, I will treat it as invalid until the certificate > owner makes a new assurance." It's not treated as invalid. You can trivially override the validity check on the command line. It's treated as effectively temporarily revoked. > While I agree that "I will treat this certificate as invalid" is a > different thing from "this certificate is invalid," in practice > there's not much difference. You are arguing with yourself. 
You bring up a difference, and then refute it. I never talked about "treating" and "being". > The point is that the absence of a certification is, itself, enough > reason to avoid using a certificate. > So would you be fine with a restaurant serving you expired milk, if > the proprietor says "oh, hey, I used my nose and common sense, and > it's okay"? Here we go again. The restaurant is selling me something. I'm glad there are laws for this. However, if my neighbour handed me the drink with the same words when I come over for coffee (er, milk), then yes, I would drink it. And I never even made the point of handing it to anyone else, I made the point of using your own judgement to determine what you put in your own mouth. Let me be quite frank now. I can't quite imagine you don't see the difference yourself. I think you're purposely ignoring it for the sake of argument. > When you are the only one bearing the consequences of your decisions, > a lot more can be justified than when you are asking *other people* > to bear the consequences of your decisions. Hey, what do you know. You remembered! When it's part of your side of the argument. I honestly wrote the previous paragraph before I read this one. I started replying when you again advocated food waste and I got offended, and went from there. > And when you send email encrypted to an expired certificate, you are > asking *your recipient* to put the confidentiality of your > communication with them entirely in the hands of your judgment about > whether their "I no longer certify this for use" statement should be > respected. You are always and invariably at the mercy of what your correspondent chooses to send you. This is not somehow magically prevented by denying users to encrypt to an expired key. There is no sliding scale, there are no floodgates opened, you are just as much at the mercy of your correspondents as before. This is bikeshedding. Peter. 
-- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Tue Sep 16 19:18:06 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 19:18:06 +0200 Subject: encrypting to expired certificates In-Reply-To: <87mw9zk4q4.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> Message-ID: <541870CE.6080108@digitalbrains.com> On 16/09/14 16:41, Werner Koch wrote: > To put this discussion to an end, he may simply do a jump to the left > and put the option --faked-system-time ISODATESTRING on his command > line. Regardless of whether you personally support or oppose the possibility to override the expiry date, as it's your decision, I do want to point out that this creates an issue with encrypt-and-sign. Although a little footnote saying "hey dude, since your key expired in April, I had to sign in April" could be added. I do wonder how many people would understand that footnote, though. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dougb at dougbarton.us Tue Sep 16 19:31:00 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 10:31:00 -0700 Subject: encrypting to expired certificates In-Reply-To: <541870CE.6080108@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <541870CE.6080108@digitalbrains.com> Message-ID: <541873D4.8030606@dougbarton.us> On 9/16/14 10:18 AM, Peter Lebbing wrote: > On 16/09/14 16:41, Werner Koch wrote: >> To put this discussion to an end, he may simply do a jump to the left >> and put the option --faked-system-time ISODATESTRING on his command >> line. > > Regardless of whether you personally support or oppose the possibility > to override the expiry date, as it's your decision, I do want to point > out that this creates an issue with encrypt-and-sign. Although a little > footnote saying "hey dude, since your key expired in April, I had to > sign in April" could be added. I do wonder how many people would > understand that footnote, though. .... which further highlights that adding options to make life easier for people who don't understand what key expiry means, or how to manage it properly, is probably not a good idea. :) Doug From wk at gnupg.org Tue Sep 16 19:56:01 2014 
From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 19:56:01 +0200 Subject: Multiple Subkeys for different Uses In-Reply-To: <10692839.eX5UhdYicT@inno> (Hauke Laging's message of "Tue, 16 Sep 2014 18:06:29 +0200") References: <54182C00.3030100@digitalbrains.com> <10692839.eX5UhdYicT@inno> Message-ID: <878uljh2ku.fsf@vigenere.g10code.de> On Tue, 16 Sep 2014 18:06, mailinglisten at hauke-laging.de said: > And that's the point: For some (strange...) reason it is impossible in > 1.4.x and 2.0.x to import secret key parts if there are already secret It is not strange but a well known problem for which there will be no solution for 2.0. The workaround is obvious. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Tue Sep 16 20:32:28 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 20:32:28 +0200 Subject: encrypting to expired certificates In-Reply-To: <5418463D.2090602@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <5418463D.2090602@sixdemonbag.org> Message-ID: <5418823C.9080107@digitalbrains.com> On 16/09/14 16:16, Robert J. Hansen wrote: >> A bloody shame to throw it away. You really throw out perfectly good food? > > As a farm kid, the answer is a resounding "yes, and you should be thanking > me." I'm sorry I keep going on, but I have got to get this off my chest. You are urging me to do something in direct defiance of how I was raised and my personal beliefs, and even urging me to thank you for that! That really is bloody facetious. You've really got nerve, man. Peter. PS: > And when you send email encrypted to an expired certificate, you are asking > *your recipient* to put the confidentiality of your communication with them > entirely in the hands of your judgment about whether their "I no longer > certify this for use" statement should be respected. I only see the statement "I certify this key until X". That is certainly what I did when I thought really well about how I wanted it to be and put an expiry date on my key. I never made the statement "I no longer certify this". -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Tue Sep 16 20:41:09 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 16 Sep 2014 14:41:09 -0400 Subject: encrypting to expired certificates In-Reply-To: <54186B21.4050501@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> <54186B21.4050501@digitalbrains.com> Message-ID: <54188445.1010703@sixdemonbag.org> > Ouch, that's really selective quoting you're doing. No, I'm using the same verbiage I did before. Quoting myself: ===== "Hauke, this entire argument is what I meant when I talked about gilding the lily repeatedly. If you can find half a dozen *real users* who are being *really impacted* by this, I'd love to hear about them." ===== A "real user" is not a user that technically exists but has only ever used GnuPG once and is unlikely to do so again; a real user is one who has a significant need for GnuPG and uses it to address these needs. "Really impacted" doesn't mean an impact barely greater than epsilon; it means significant impact. My usage is consistent. If you've chosen to reinterpret my words as "existence" rather than "significance," that's on you; you've dropped my threshold from significance to "it's okay if the user and the impact are completely insignificant, just so long as they exist," which is clearly not what I meant at all. From peter at digitalbrains.com Tue Sep 16 20:51:28 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 20:51:28 +0200 Subject: encrypting to expired certificates In-Reply-To: <54188445.1010703@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> <54186B21.4050501@digitalbrains.com> <54188445.1010703@sixdemonbag.org> Message-ID: <541886B0.6030309@digitalbrains.com> On 16/09/14 20:41, Robert J. Hansen wrote: >> Ouch, that's really selective quoting you're doing. > > No, I'm using the same verbiage I did before. Quoting myself: No no no no, let me put that in context for you. >>> If you can find half a dozen *real users* who are >>> being *really impacted* by this, I'd love to hear about them. But so >>> far, all the discussion is so hypothetical that it's hard for me to take >>> it seriously. >> [...] >> You can't argue that these aren't real users. You can't argue it's not a >> real impact. You can only argue that the impact isn't that big. But that >> is a long shot from "so hypothetical it's hard to take seriously". I >> don't understand where that came from. > Sure I can. You weren't really impacted by it. You had easy > mitigations available to you. I was exactly asserting that you can only argue about the extent of the impact, not that there exists an impact. But you snipped that so it became: >> You can't argue that these aren't real users. You can't argue it's not a >> real impact. > > Sure I can. You weren't really impacted by it. You had easy > mitigations available to you. Which suddenly makes it look like I made a false statement, when in fact I was simply stating that something that has an arguably small impact is a long shot from something that is "so hypothetical it's hard to take seriously". Thereby discrediting my view by association to a false statement. 
I really hate it when you don't argue based on merits but seemingly just to sway people to your point. I always wonder if maybe your point isn't strong enough by itself. There, I've said it. Deal with it. In fact, thank me for it. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From mailinglisten at hauke-laging.de Tue Sep 16 20:53:53 2014 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 16 Sep 2014 20:53:53 +0200 Subject: encrypting to expired certificates In-Reply-To: <541873D4.8030606@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> Message-ID: <3505303.7miehALuke@inno> Am Di 16.09.2014, 10:31:00 schrieb Doug Barton: > .... which further highlights that adding options to make life easier > for people who don't understand what key expiry means, or how to > manage it properly, is probably not a good idea. :) What I want would make life easier mostly for the contacts of those who don't manage their keys well. Furthermore it seems proven to me now that even the elite of the OpenPGP users "don't understand what key expiry means". Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From dougb at dougbarton.us Tue Sep 16 21:03:20 2014
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 12:03:20 -0700 Subject: encrypting to expired certificates In-Reply-To: <3505303.7miehALuke@inno> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> Message-ID: <54188978.1070602@dougbarton.us> On 9/16/14 11:53 AM, Hauke Laging wrote: > Am Di 16.09.2014, 10:31:00 schrieb Doug Barton: > >> .... which further highlights that adding options to make life >> easier for people who don't understand what key expiry means, or >> how to manage it properly, is probably not a good idea. :) > > What I want would make life easier mostly for the contacts of those > who don't manage their keys well. Yes, I think we all understand that. My vote is that what you want to do is a bad idea. > Furthermore it seems proven to me now that even the elite of the > OpenPGP users "don't understand what key expiry means". I admire your determination to believe that you are the one who is right, and that everyone else is wrong. :) Doug From rjh at sixdemonbag.org Tue Sep 16 21:11:14 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 16 Sep 2014 15:11:14 -0400 Subject: encrypting to expired certificates In-Reply-To: <3505303.7miehALuke@inno> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> Message-ID: <54188B52.9050805@sixdemonbag.org> > Furthermore it seems proven to me now that even the elite of the OpenPGP > users "don't understand what key expiry means". Or, perhaps, many people are seeing that you do not understand the meaning of, "don't use this key past this date." You look into the abyss, the abyss looks into you, and all that. In deference to Peter's hot-button issue of food expiration, I'll use a couple of other examples: * A police officer pulls me over for speeding. I give him my driver's license. "Sir," he tells me, "this expired last month." Yes, officer, but it's okay, I've actually got a current driver's license at home -- just because *that particular* expiration date has passed by doesn't mean my driving privileges have expired. Result: I still get a ticket for driving with an expired license. * My paycheck is stamped, "Expires after 90 days." On day 91 I take it to the bank to get it cashed. The bank refuses. "But there's plenty of money in my company's account," I tell them, "and my company agrees that I'm owed this money. Nothing bad will happen if you cash this check. Look, I've brought an HR representative with me: he will attest that you can cash this check." Result: the bank refuses and I have to convince my company to draft me a new, non-expired check. * My hunting license expires on a certain day. The day after the deer season ends, a game warden spots me over a freshly-killed deer. "Look," I tell the warden, "there are still plenty of deer and it's not as if there's any harm done." Result: I get a citation for poaching. * I take a prescription to the pharmacist's. 
"Sorry," the pharmacist says, "this says 'expires after 30 days'. I can't fill your meds." But I'm still sick and I still need them. Result: I get sent back to the doctor to get a new, non-expired prescription. ... I have to confess, I don't understand how people can reach these highly tenuous meanings of "expire" which don't actually mean "expire". From nicholas.cole at gmail.com Tue Sep 16 21:12:06 2014 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Tue, 16 Sep 2014 20:12:06 +0100 Subject: encrypting to expired certificates In-Reply-To: <54188978.1070602@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> Message-ID: I'll admit that I hadn't actually realised how hard it is to make GnuPG change the expiry dates of subkeys at the same time as changing the expiry date of the main key. What is the approved way to do this? N. From rjh at sixdemonbag.org Tue Sep 16 21:15:04 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 16 Sep 2014 15:15:04 -0400 Subject: encrypting to expired certificates In-Reply-To: <541886B0.6030309@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> <54186B21.4050501@digitalbrains.com> <54188445.1010703@sixdemonbag.org> <541886B0.6030309@digitalbrains.com> Message-ID: <54188C38.1020400@sixdemonbag.org> >>> You can't argue that these aren't real users. You can't argue >>> it's not a real impact. You can only argue that the impact isn't >>> that big. But that is a long shot from "so hypothetical it's hard >>> to take seriously". I don't understand where that came from. >> >> Sure I can. You weren't really impacted by it. You had easy >> mitigations available to you. > > I was exactly asserting that you can only argue about the extent of > the impact, not that there exists an impact. Telling me that "[I] can't argue that it's not a real impact", when the meaning of "real" that I've been using has been significance, and I clearly *can* argue that it's not a real/significant impact, is an invitation for me to do just that. Your examples are not real impacts. > Which suddenly makes it look like I made a false statement, when in > fact I was simply stating that something that has an arguably small > impact is a long shot from something that is "so hypothetical it's > hard to take seriously". Not really. This 'problem' is so hypothetical it's hard to take seriously. I'm still waiting to see one single real user who has had real impact from this, and that means the problem is still hypothetical. > There, I've said it. Deal with it. In fact, thank me for it. [shrug] As soon as I let the opinions of other people I've never met start weighing heavily on my self-esteem, I'll let you know. 
Until then, I really don't care. From dkg at fifthhorseman.net Tue Sep 16 21:24:40 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 16 Sep 2014 15:24:40 -0400 Subject: encrypting to expired certificates In-Reply-To: <87d2avh6pz.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541841F9.1050107@fifthhorseman.net> <54184897.1010603@fifthhorseman.net> <87d2avh6pz.fsf@vigenere.g10code.de> Message-ID: <54188E78.8080403@fifthhorseman.net> On 09/16/2014 12:26 PM, Werner Koch wrote: > On Tue, 16 Sep 2014 16:26, dkg at fifthhorseman.net said: > >> i've definitely seen people update their primary key's expiration date >> and fail to update the expiration date of their subkey, so they have a >> valid cert, but it still can't be used for encryption. So they have to > > There needs to be warning in this case. Can you please file a bug? Sure, here you go: https://bugs.g10code.com/gnupg/issue1715 Thanks, --dkg From vedaal at nym.hush.com Tue Sep 16 21:30:53 2014
From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 16 Sep 2014 15:30:53 -0400 Subject: encrypting to expired certificates In-Reply-To: <3505303.7miehALuke@inno> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> Message-ID: <20140916193053.426BC601EC@smtp.hushmail.com> On 9/16/2014 at 2:56 PM, "Hauke Laging" wrote: >What I want would make life easier mostly for the contacts of >those who >don't manage their keys well. ===== Which is especially reasonable, since it seems that the option of '--faked-system-time' (which used to work on earlier versions of GnuPG 2.x), but doesn't work on current versions of 2.x, and never worked on 1.x, now make it especially cumbersome to encrypt to an expired key, (by requiring changing the system clock and changing it back again). As the '--faked-system-time' option is interesting, maybe re-implementing it in both 2.x and 1.x might be an easy workaround in those cases where a user has forgotten to update an expired key. With regard to the resulting sign and encrypt problem, a simple workaround would be to clearsign first, and then encrypt the clearsigned message with the '--faked-system-time' option. vedaal From peter at digitalbrains.com Tue Sep 16 21:30:51 2014
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 16 Sep 2014 21:30:51 +0200 Subject: (Really OT!) encrypting to expired certificates In-Reply-To: <54188C38.1020400@sixdemonbag.org> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> <54186B21.4050501@digitalbrains.com> <54188445.1010703@sixdemonbag.org> <541886B0.6030309@digitalbrains.com> <54188C38.1020400@sixdemonbag.org> Message-ID: <54188FEB.9000506@digitalbrains.com> On 16/09/14 21:15, Robert J. Hansen wrote: > [shrug] As soon as I let the opinions of other people I've never met > start weighing heavily on my self-esteem, I'll let you know. Until > then, I really don't care. However, I can't help but feel angry by your dismissal of my beliefs and misrepresentation of my words. It's a flaw, I know that. But even if you are of stone, maybe you should remember that it's actual people you are conversing with who have emotions and might feel strongly about things. And really, really dislike being made out to have said things they didn't. Twist your words whicheveryway you want (is that one word?), but from context, it was completely obvious I never attacked your "real impact" statement, but attacked your "so hypothetical statement"; the former was simply a mode of expression that is not at all uncommon and certainly not something to be lambasted for. I can't believe I'm still replying. Another flaw, I know. I should be the bigger man here. But I'm past the point where I still can. So I diminish myself to the level you are currently conversing at. I really hope I can find the strength to simply ignore your next dismissal of my heartfelt words and funnily meant comments like "hot-button issue". You, sir, really like to take the piss. 
Again, remember, real human being here, one who is currently having a bit of a problem with repeating "This guy is not one of my friends, what do you care" to himself. Peter. PS: Wow, really throwing myself wide open here emotionally. An asshole would probably abuse that. Ah well, I don't think you would go /that/ low. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Tue Sep 16 21:54:56 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Sep 2014 21:54:56 +0200 Subject: encrypting to expired certificates In-Reply-To: <20140916193053.426BC601EC@smtp.hushmail.com> (vedaal@nym.hush.com's message of "Tue, 16 Sep 2014 15:30:53 -0400") References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> <20140916193053.426BC601EC@smtp.hushmail.com> Message-ID: <87ppeve3xr.fsf@vigenere.g10code.de> On Tue, 16 Sep 2014 21:30, vedaal at nym.hush.com said: > As the '--faked-system-time' option is interesting, maybe > re-implementing it in both 2.x and 1.x might be an easy workaround in > those cases where a user has forgotten to update an expired key. No. --faked-system-time is actually a debugging option and helpful for regression tests. It might be easier to use than other faketime tools. > With regard to the resulting sign and encrypt problem, a simple > workaround would be to clearsign first, and then encrypt the > clearsigned message with the '--faked-system-time' option. A much, much easier solution is to patch out the check and go ahead. After all the source code is always there. IIRC, g10/getkey.c, function merge_keys_and_subkeys. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From rjh at sixdemonbag.org Tue Sep 16 22:36:26 2014
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 16 Sep 2014 16:36:26 -0400 Subject: (Really OT!) encrypting to expired certificates In-Reply-To: <54188FEB.9000506@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <541751AA.4060708@fifthhorseman.net> <541761E6.2080401@dougbarton.us> <2632435.VKDKWAKhLU@inno> <54178083.4030102@sixdemonbag.org> <541814B5.1090003@digitalbrains.com> <541849BB.3080600@sixdemonbag.org> <54186B21.4050501@digitalbrains.com> <54188445.1010703@sixdemonbag.org> <541886B0.6030309@digitalbrains.com> <54188C38.1020400@sixdemonbag.org> <54188FEB.9000506@digitalbrains.com> Message-ID: <54189F4A.1020104@sixdemonbag.org> > However, I can't help but feel angry by your dismissal of my beliefs I did not dismiss your beliefs, nor did I mock them. When I said "in deference to Peter's hot-button issue of food expiration," there was no pejoration or sarcasm attached to that. I said precisely, exactly, what I meant: in order to avoid tromping on something that is a sensitive subject for you, I elected to use other examples. You may wish to rethink whether that amounts to a dismissal of your beliefs or consideration of them. > But even if you are of stone, maybe you should remember that it's > actual people you are conversing with who have emotions and might > feel strongly about things. We are not our ideas. Our ideas are separate things from us, and one can be a virtuous and commendable soul even if one's notions are nonsense. A Young-Earth Creationist who volunteers to feed the hungry is still showing great personal virtue. Their idea may be flamingly wrong, but only a heartless fool would think that fact should somehow diminish their worth or value. We live in a society that encourages us to wear labels. Atheist. Agnostic. Buddhist. European. American. Black. White. Arab. There's nothing wrong with those labels, really -- but there's something wrong with letting ourselves *be defined by* our labels.
And in the end, the ideas you hold are just another label. Don't let your labels define you. Especially don't let them define your self-worth. You are more, and richer, than that. We all are. Not just everyone on this mailing list, but every human being throughout the world. (Even the ones currently kidnapped on Zarbnulax.) I'm sending this to the entire list because it's something I'd like to tell the entire list. None of us are our ideas. It is normal and natural for ideas to come into violent collision. If your idea prevails, congratulations, but that doesn't make you a better human being. If your idea doesn't, I wouldn't lose any sleep over it: no one worth knowing would think that having an incorrect idea was any kind of reflection on you as a person. You certainly don't have to agree with any of this. They're just ideas, after all... From dougb at dougbarton.us Wed Sep 17 00:03:29 2014 
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 15:03:29 -0700 Subject: encrypting to expired certificates In-Reply-To: References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> Message-ID: <5418B3B1.4010106@dougbarton.us> On 9/16/14 12:12 PM, Nicholas Cole wrote: > I'll admit that I hadn't actually realised how hard it is to make > GnuPG change the expiry dates of subkeys at the same time as changing > the expiry date of the main key. What is the approved way to do this? It wasn't *that* hard, just not what I expected. :) When you get into the edit-key menu you can do 'uid *' (or specifically select the uids you want to update, if not all). Then update the expiry. Then also do 'key *' (or specifically select the subkeys you want to update). Then you can update the expiry for the subkey(s). The thing that I found unexpected is that even if you do both 'uid *' and 'key *' you can still only update the expiry for one or the other, apparently whichever one of those you executed last. hth, Doug From mailinglisten at hauke-laging.de Wed Sep 17 00:38:47 2014 
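The case Daniel Kahn Gillmor reports earlier in the thread (primary key expiry extended, encryption subkey left expired) is also what Doug Barton's separate 'key *' step guards against, and it can be checked mechanically from `gpg --with-colons --list-keys` output. The following is an added example, not part of the original messages and not GnuPG code; the key IDs, dates and user IDs in the sample listing are constructed, and it assumes the colon-listing layout with epoch-second timestamps.

```python
"""Flag certificates whose primary key is valid but whose encryption
(sub)keys have all expired. Sample listing below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# 0-based positions of the colon-separated fields used here:
# record type, validity, key ID, expiration date, key capabilities.
F_TYPE, F_VALIDITY, F_KEYID, F_EXPIRES, F_CAPS = 0, 1, 4, 6, 11


def ts(year: int, month: int, day: int) -> int:
    """UTC midnight of the given date as seconds since the epoch."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


@dataclass
class Key:
    keyid: str
    expires: Optional[int]  # None means the key has no expiry date
    caps: str               # lowercase letters are this key's own capabilities
    revoked: bool

    def usable_at(self, now: int) -> bool:
        return not self.revoked and (self.expires is None or now < self.expires)


@dataclass
class Cert:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)


def parse_colon_listing(text: str) -> List[Cert]:
    """Group pub/sub records into certificates; other records are ignored."""
    certs: List[Cert] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[F_TYPE] not in ("pub", "sub") or len(f) <= F_CAPS:
            continue
        key = Key(
            keyid=f[F_KEYID],
            expires=int(f[F_EXPIRES]) if f[F_EXPIRES] else None,
            caps=f[F_CAPS],
            revoked=(f[F_VALIDITY] == "r"),
        )
        if f[F_TYPE] == "pub":
            certs.append(Cert(primary=key))
        elif certs:  # a sub record belongs to the preceding pub record
            certs[-1].subkeys.append(key)
    return certs


def encryption_status(cert: Cert, now: int) -> str:
    if not cert.primary.usable_at(now):
        return "primary-unusable"
    enc = [k for k in [cert.primary] + cert.subkeys if "e" in k.caps]
    if not enc:
        return "no-encryption-key"
    if any(k.usable_at(now) for k in enc):
        return "ok"
    # Valid certificate, but nothing left to encrypt to.
    return "encryption-subkey-expired"


def audit(listing: str, now: int) -> Dict[str, str]:
    """Map each primary key ID to its encryption status at time `now`."""
    return {c.primary.keyid: encryption_status(c, now)
            for c in parse_colon_listing(listing)}


# Constructed sample: four certificates, evaluated on 2014-09-16.
NOW = ts(2014, 9, 16)
SAMPLE = "\n".join([
    # Primary extended to 2016, encryption subkey expired in April 2014.
    f"pub:-:4096:1:AAAAAAAAAAAAAA01:{ts(2012,1,1)}:{ts(2016,1,1)}::-:::scSC:",
    "uid:-::::1325376000::0000::Alice Example <alice@example.org>:",
    f"sub:e:4096:1:AAAAAAAAAAAAAA02:{ts(2012,1,1)}:{ts(2014,4,1)}:::::e:",
    # One old expired encryption subkey, one current one.
    f"pub:-:4096:1:BBBBBBBBBBBBBB01:{ts(2011,1,1)}:{ts(2015,1,1)}::-:::scESC:",
    f"sub:e:2048:1:BBBBBBBBBBBBBB02:{ts(2011,1,1)}:{ts(2013,1,1)}:::::e:",
    f"sub:-:4096:1:BBBBBBBBBBBBBB03:{ts(2013,1,1)}:{ts(2015,1,1)}:::::e:",
    # Primary itself expired; subkey dates do not matter.
    f"pub:e:4096:1:CCCCCCCCCCCCCC01:{ts(2012,1,1)}:{ts(2014,6,1)}::-:::sc:",
    f"sub:-:4096:1:CCCCCCCCCCCCCC02:{ts(2012,1,1)}:{ts(2016,1,1)}:::::e:",
    # Sign-only certificate without expiry and without encryption key.
    f"pub:-:4096:1:DDDDDDDDDDDDDD01:{ts(2012,1,1)}:::-:::scSC:",
])

if __name__ == "__main__":
    for keyid, status in audit(SAMPLE, NOW).items():
        print(keyid, status)
```
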
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 17 Sep 2014 00:38:47 +0200 Subject: encrypting to expired certificates In-Reply-To: <54188978.1070602@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> Message-ID: <9048603.zXDj5R2aFC@inno> Am Di 16.09.2014, 12:03:20 schrieb Doug Barton: > On 9/16/14 11:53 AM, Hauke Laging wrote: > > Am Di 16.09.2014, 10:31:00 schrieb Doug Barton: > >> .... which further highlights that adding options to make life > >> easier for people who don't understand what key expiry means, or > >> how to manage it properly, is probably not a good idea. :) > > > > What I want would make life easier mostly for the contacts of those > > who don't manage their keys well. > > Yes, I think we all understand that. I wonder why you made the above statement then. > > Furthermore it seems proven to me now that even the elite of the > > OpenPGP users "don't understand what key expiry means". > > I admire your determination to believe that you are the one who is > right, and that everyone else is wrong. :) I'm sorry if that is your impression. My impression is that we have seen that both opinions about the suitable interpretation are backed by several people. I.e. there is no consensus. And the majority of those who have commented supports my suggestion. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From dougb at dougbarton.us Wed Sep 17 01:31:07 2014
From: dougb at dougbarton.us (Doug Barton) Date: Tue, 16 Sep 2014 16:31:07 -0700 Subject: encrypting to expired certificates In-Reply-To: <9048603.zXDj5R2aFC@inno> References: <3797526.FaRLMEmID1@inno> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <9048603.zXDj5R2aFC@inno> Message-ID: <5418C83B.30407@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 9/16/14 3:38 PM, Hauke Laging wrote: | Am Di 16.09.2014, 12:03:20 schrieb Doug Barton: |> On 9/16/14 11:53 AM, Hauke Laging wrote: |>> Am Di 16.09.2014, 10:31:00 schrieb Doug Barton: |>>> .... which further highlights that adding options to make |>>> life easier for people who don't understand what key expiry |>>> means, or how to manage it properly, is probably not a good |>>> idea. :) |>> |>> What I want would make life easier mostly for the contacts of |>> those who don't manage their keys well. |> |> Yes, I think we all understand that. | | I wonder why you made the above statement then. Sorry I wasn't clear. I meant that what you want is clear to everyone. The fact that it's a bad idea seems to remain unclear to you. |>> Furthermore it seems proven to me now that even the elite of |>> the OpenPGP users "don't understand what key expiry means". |> |> I admire your determination to believe that you are the one who |> is right, and that everyone else is wrong. :) | | I'm sorry if that is your impression. My impression is that we have | seen that both opinions about the suitable interpretation are | backed by several people. I.e. there is no concensus. And the | majority of those who have commented supports my suggestion. Even if your last statement were correct (and I don't think it is), you should be careful drawing conclusions from it. 
The danger is that people with unusual views (such as that "expired" doesn't mean "expired") are more likely to comment than the proverbial "silent majority" who, if they gave any thought to the topic at all, concluded long ago that, "Of course 'expired' means 'expired,'" and moved on with their lives. Doug From wk at gnupg.org Wed Sep 17 03:16:29 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 17 Sep 2014 03:16:29 +0200 Subject: encrypting to expired certificates In-Reply-To: <9048603.zXDj5R2aFC@inno> (Hauke Laging's message of "Wed, 17 Sep 2014 00:38:47 +0200") References: <3797526.FaRLMEmID1@inno> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <9048603.zXDj5R2aFC@inno> Message-ID: <87a95zdp1u.fsf@vigenere.g10code.de> On Wed, 17 Sep 2014 00:38, mailinglisten at hauke-laging.de said: > several people. I.e. there is no consensus. And the majority of those > who have commented supports my suggestion. ... and the 2400 other subscribers are having a bag of popcorn while watching the discussion. scnr, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From 2014-667rhzu3dc-lists-groups at riseup.net Wed Sep 17 03:42:31 2014 
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 17 Sep 2014 02:42:31 +0100 Subject: encrypting to expired certificates In-Reply-To: <54187057.4080008@digitalbrains.com> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <5418463D.2090602@sixdemonbag.org> <54187057.4080008@digitalbrains.com> Message-ID: <376118763.20140917024231@my_localhost> Hi On Tuesday 16 September 2014 at 6:16:07 PM, in , Peter Lebbing wrote: > By the way, if stuff regularly exceeds the expiration > date in your home, you should buy smaller portions, not > throw out more. Depends on pricing. Where I live, it is often cheaper to buy too much and waste some. Milk is currently about 0.50 for a pint, 0.90 for two pints, 1.00 for four pints. So we typically buy it in four-pint bottles and throw out about a third of the bottle when it goes off, which is up to about three days either way from the stated use-by date. -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Two wrongs don't make a right. But three lefts do. From 2014-667rhzu3dc-lists-groups at riseup.net Wed Sep 17 03:57:48 2014 
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 17 Sep 2014 02:57:48 +0100 Subject: encrypting to expired certificates In-Reply-To: <20140916161512.3F402601F0@smtp.hushmail.com> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <20140916161512.3F402601F0@smtp.hushmail.com> Message-ID: <94120420.20140917025748@my_localhost> Hi On Tuesday 16 September 2014 at 5:15:12 PM, in , vedaal at nym.hush.com wrote: > Does this work on GnuPG 1.4.x ? > GnuPG (1.4.16) gives me the following error: > gpg: Invalid option "--faked-system-time" 1.4.18 and 2.0.26 (on Windows) both give me that error. -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Dogs look up to us. Cats look down on us. Pigs treat us as equals. From wk at gnupg.org Wed Sep 17 10:24:38 2014 
From: wk at gnupg.org (Werner Koch) Date: Wed, 17 Sep 2014 10:24:38 +0200 Subject: encrypting to expired certificates In-Reply-To: <94120420.20140917025748@my_localhost> (MFPA's message of "Wed, 17 Sep 2014 02:57:48 +0100") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <20140916161512.3F402601F0@smtp.hushmail.com> <94120420.20140917025748@my_localhost> Message-ID: <871traejsp.fsf@vigenere.g10code.de> On Wed, 17 Sep 2014 03:57, 2014-667rhzu3dc-lists-groups at riseup.net said: >> gpg: Invalid option "--faked-system-time" > > > 1.4.18 and 2.0.26 (on Windows) both give me that error. Might be - I have not used 2.0 for years. GPGSM has this option, though. Users with very advanced requests are expected to use a very advanced version (2.1-beta) .-) Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Wed Sep 17 11:21:30 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 17 Sep 2014 11:21:30 +0200 Subject: encrypting to expired certificates In-Reply-To: <87a95zdp1u.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <9048603.zXDj5R2aFC@inno> <87a95zdp1u.fsf@vigenere.g10code.de> Message-ID: <5419529A.8050000@digitalbrains.com> On 17/09/14 03:16, Werner Koch wrote: > ... and the 2400 other subscribers are having a bag of popcorn while > watching the discussion. > > scnr, Had to look that one up. I suppose "Sorry could not resist"[1]. I don't mind. The bit best watched with a bag of popcorn wasn't very much about GnuPG though. All I really wanted was an apology for 'a resounding "[...] you should be thanking me."' and an apology for misrepresenting my words by very selectively quoting. Too bad that seemed out of reach. Peter. [1] Although "Signal to Coherent Noise Ratio" seems rather appropriate in the discussion as well. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Wed Sep 17 11:23:38 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 17 Sep 2014 11:23:38 +0200 Subject: Multiple Subkeys for different Uses In-Reply-To: References: <54182C00.3030100@digitalbrains.com> Message-ID: <5419531A.1080704@digitalbrains.com> On 16/09/14 15:08, Sam M wrote: > I'll try, with the example. I would like to point out that Sam really made it perfectly clear what his problem was, in a way that's really helpful to people wanting to help him. It was so clear cut, that I immediately homed in on the problem and forgot to actually point out how clear cut it was. People, if you experience a problem with GnuPG command line and wish people to help you, this is a great example of how to phrase the question. People often encounter the pitfall of interpreting what they see, and reporting that interpretation. But it is much better to report what the tool actually says, because it gives those vital hints to people helping. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Wed Sep 17 14:42:02 2014 
From: wk at gnupg.org (Werner Koch) Date: Wed, 17 Sep 2014 14:42:02 +0200 Subject: encrypting to expired certificates In-Reply-To: <5419529A.8050000@digitalbrains.com> (Peter Lebbing's message of "Wed, 17 Sep 2014 11:21:30 +0200") References: <3797526.FaRLMEmID1@inno> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <9048603.zXDj5R2aFC@inno> <87a95zdp1u.fsf@vigenere.g10code.de> <5419529A.8050000@digitalbrains.com> Message-ID: <87d2auctb9.fsf@vigenere.g10code.de> On Wed, 17 Sep 2014 11:21, peter at digitalbrains.com said: > Had to look that one up. I suppose "Sorry could not resist"[1]. I don't mind. I was not aware that some of the old usenet terms are out of fashion today. > [1] Although "Signal to Coherent Noise Ratio" seems rather appropriate in the > discussion as well. Indeed Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From vedaal at nym.hush.com Wed Sep 17 19:31:40 2014 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Wed, 17 Sep 2014 13:31:40 -0400 Subject: encrypting to expired certificates In-Reply-To: <871traejsp.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <20140916161512.3F402601F0@smtp.hushmail.com> <94120420.20140917025748@my_localhost> <871traejsp.fsf@vigenere.g10code.de> Message-ID: <20140917173140.60D11C00F7@smtp.hushmail.com> On 9/17/2014 at 4:25 AM, "Werner Koch" wrote: > Users with very advanced requests are expected to use a >very advanced version (2.1-beta) .-) ===== Seems to need a 'very advanced' downloading too ;-) Could not find 2.1-beta on the GnuPG download page. Where is it available? TIA, vedaal From wk at gnupg.org Wed Sep 17 21:35:36 2014 
From: wk at gnupg.org (Werner Koch) Date: Wed, 17 Sep 2014 21:35:36 +0200 Subject: encrypting to expired certificates In-Reply-To: <20140917173140.60D11C00F7@smtp.hushmail.com> (vedaal@nym.hush.com's message of "Wed, 17 Sep 2014 13:31:40 -0400") References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <20140916161512.3F402601F0@smtp.hushmail.com> <94120420.20140917025748@my_localhost> <871traejsp.fsf@vigenere.g10code.de> <20140917173140.60D11C00F7@smtp.hushmail.com> Message-ID: <87oaueavlj.fsf@vigenere.g10code.de> On Wed, 17 Sep 2014 19:31, vedaal at nym.hush.com said: > Seems to need a 'very advanced' downloading too ;-) $ lftp ftp.gnupg.org lftp ftp.gnupg.org:~> cd gcrypt cd ok, cwd=/gcrypt lftp ftp.gnupg.org:/gcrypt> cd gnupg cd ok, cwd=/gcrypt/gnupg lftp ftp.gnupg.org:/gcrypt/gnupg> cd unstable cd ok, cwd=/gcrypt/gnupg/unstable lftp ftp.gnupg.org:/gcrypt/gnupg/unstable> ls total 0 -rw-r--r-- 1 1000 1000 265 Oct 26 2010 README -rw-r--r-- 1 1000 1000 2934302 Jun 5 17:08 gnupg-2.1.0-beta442.tar.bz2 -rw-r--r-- 1 1000 1000 286 Jun 5 17:08 gnupg-2.1.0-beta442.tar.bz2.sig -rw-r--r-- 1 1000 1000 3078612 Jul 3 11:55 gnupg-2.1.0-beta751.tar.bz2 -rw-r--r-- 1 1000 1000 287 Jul 3 11:55 gnupg-2.1.0-beta751.tar.bz2.sig -rw-r--r-- 1 1000 1000 3095003 Aug 14 17:33 gnupg-2.1.0-beta783.tar.bz2 -rw-r--r-- 1 1000 1000 287 Aug 14 17:33 gnupg-2.1.0-beta783.tar.bz2.sig -rw-r--r-- 1 1000 1000 2529923 Oct 26 2010 gnupg-2.1.0beta1.tar.bz2 -rw-r--r-- 1 1000 1000 158 Oct 26 2010 gnupg-2.1.0beta1.tar.bz2.sig -rw-r--r-- 1 1000 701 2527999 Mar 8 2011 gnupg-2.1.0beta2.tar.bz2 -rw-r--r-- 1 1000 701 287 Mar 8 2011 gnupg-2.1.0beta2.tar.bz2.sig -rw-r--r-- 1 1000 1000 2594988 Dec 20 2011 gnupg-2.1.0beta3.tar.bz2 -rw-r--r-- 1 1000 1000 287 Dec 20 2011 gnupg-2.1.0beta3.tar.bz2.sig -- Die Gedanken sind 
frei. Ausnahmen regelt ein Bundesgesetz. From 2014-667rhzu3dc-lists-groups at riseup.net Wed Sep 17 21:54:22 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 17 Sep 2014 20:54:22 +0100 Subject: encrypting to expired certificates In-Reply-To: <5418B3B1.4010106@dougbarton.us> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <5418B3B1.4010106@dougbarton.us> Message-ID: <1795387263.20140917205422@my_localhost> Hi On Tuesday 16 September 2014 at 11:03:29 PM, in , Doug Barton wrote: > When you get into the edit-key menu you can do 'uid *' > (or specifically select the uids you want to update, if > not all). Then update the expiry. Do key UIDs have an expiry date? I never noticed that. -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net To know what we know, and know what we do not know, is wisdom. From mailinglisten at hauke-laging.de Wed Sep 17 22:32:12 2014 
From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 17 Sep 2014 22:32:12 +0200 Subject: encrypting to expired certificates In-Reply-To: <1795387263.20140917205422@my_localhost> References: <3797526.FaRLMEmID1@inno> <5418B3B1.4010106@dougbarton.us> <1795387263.20140917205422@my_localhost> Message-ID: <64140051.cPyQekJ2zT@inno> On Wed 17.09.2014, 20:54:22, MFPA wrote: > Do key UIDs have an expiry date? I never noticed that. The mainkey expiration date is implemented via the UID expiration date. This is because you need a signature and the mainkey itself doesn't have one. The mainkey expires if all UIDs have expired. Thus usually all UIDs have the same expiration date. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 From MichaelQuigley at TheWay.Org Wed Sep 17 22:46:38 2014 
From: MichaelQuigley at TheWay.Org (MichaelQuigley at TheWay.Org) Date: Wed, 17 Sep 2014 16:46:38 -0400 Subject: encrypting to expired certificates In-Reply-To: References: Message-ID: "Gnupg-users" wrote on 09/16/2014 09:55:18 PM: > ----- Message from Werner Koch on Wed, 17 Sep 2014 > 03:16:29 +0200 ----- > > > ... and the 2400 other subscribers are having a bag of popcorn while > watching the discussion. > That's me--although I've had to settle for pretzels and chips as I haven't had time to make popcorn. The discussion has been most entertaining and enlightening. Both sides have valid points. I believe no software will ever do everything everyone wants. (I know mine doesn't.) I, too, get passionate about my thoughts at times. Then I simply try to remind myself it's software and generally not a life-and-death matter. (Although I understand problems with encryption could be far more harmful to some folks than me.) From dshaw at jabberwocky.com Wed Sep 17 22:49:31 2014 
From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 17 Sep 2014 16:49:31 -0400 Subject: encrypting to expired certificates In-Reply-To: <1795387263.20140917205422@my_localhost> References: <3797526.FaRLMEmID1@inno> <541870CE.6080108@digitalbrains.com> <541873D4.8030606@dougbarton.us> <3505303.7miehALuke@inno> <54188978.1070602@dougbarton.us> <5418B3B1.4010106@dougbarton.us> <1795387263.20140917205422@my_localhost> Message-ID: On Sep 17, 2014, at 3:54 PM, MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi > > > On Tuesday 16 September 2014 at 11:03:29 PM, in > , Doug Barton wrote: > > > >> When you get into the edit-key menu you can do 'uid *' >> (or specifically select the uids you want to update, if >> not all). Then update the expiry. > > Do key UIDs have an expiry date? I never noticed that. Both keys and UIDs can have expiration dates in OpenPGP. Though both date fields live on the UID self-sig, they're not the same thing and aren't necessarily set to the same value. GnuPG, like most OpenPGP clients, only really implements key expiration, though it should properly honor a UID expiration if someone generates it elsewhere. David From peter at digitalbrains.com Thu Sep 18 10:53:53 2014 
From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 18 Sep 2014 10:53:53 +0200 Subject: (OT) encrypting to expired certificates In-Reply-To: References: Message-ID: <541A9DA1.5090106@digitalbrains.com> On 17/09/14 22:46, MichaelQuigley at TheWay.Org wrote: > The discussion has been most entertaining and enlightening. And to think I blew a gasket because I grossly misinterpreted this sentence: > As a farm kid, the answer is a resounding "yes, and you should be > thanking me." Which I interpreted as that /I/ should throw out food that's past its expiration date. And that I should thank Robert for showing me the error of my ways, which is the part that got me fuming. And was a completely wrong interpretation! Well, people, you are welcome for the entertainment! I hope I actually made a few good points as well :). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From sudhir at sudhirkhanger.com Thu Sep 18 11:32:47 2014 From: sudhir at sudhirkhanger.com (Sudhir Khanger) Date: Thu, 18 Sep 2014 15:02:47 +0530 Subject: Keeping .gnupg folder in cloud Message-ID: What are your views on keeping .gnupg folder in cloud? I am working on a threefold backup system - a local external drive, a local nas server and a third-party cloud service like S3/CrashPlan. Backup will be fully encrypted client side. My plan is to avoid complexity by backing up everything in home folder which would include .gnupg folder by default. My threat level is non-existent. I use encryption and GPG as a matter of good internet and security practices and not because of necessity. What do you guys think? -- Regards, Sudhir Khanger. sudhirkhanger.com https://github.com/donniezazen From pete at heypete.com Thu Sep 18 12:35:13 2014 
From: pete at heypete.com (Pete Stephenson) Date: Thu, 18 Sep 2014 12:35:13 +0200 Subject: Keeping .gnupg folder in cloud In-Reply-To: References: Message-ID: <541AB561.5040305@heypete.com> On 9/18/2014 11:32 AM, Sudhir Khanger wrote: > What are your views on keeping .gnupg folder in cloud? I am working on > a threefold backup system - a local external drive, a local nas server > and a third-party cloud service like S3/CrashPlan. Backup will be > fully encrypted client side. My plan is to avoid complexity by backing > up everything in home folder which would include .gnupg folder by > default. My threat level is non-existent. I use encryption and GPG as > a matter of good internet and security practices and not because of > necessity. What do you guys think? In general, I'd recommend against it, but in your specific situation I don't really see a problem. Some people have gone so far as to publicly publish (is that redundant?) their encrypted private keys[1] to the internet. Assuming that the crypto is sound and the passphrase protecting the key is strong, and your system has not been compromised (e.g. there's no keylogger), there's very little to worry about. Still, probably not a good idea. Cheers! -Pete [1] From rjh at sixdemonbag.org Thu Sep 18 16:00:10 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Sep 2014 10:00:10 -0400 Subject: (OT) encrypting to expired certificates In-Reply-To: <541A9DA1.5090106@digitalbrains.com> References: <541A9DA1.5090106@digitalbrains.com> Message-ID: <541AE56A.9010407@sixdemonbag.org> > And to think I blew a gasket because I grossly misinterpreted this sentence: To clarify: I think that the body politic should thank producers of food for being willing to throw away food (and thus, profit) in the interests of preserving the safety of the public's food supply. That's all. The reason why I find the metaphor appropriate for GnuPG is because it highlights the different responsibilities producers have versus consumers. A producer is expected to provide product (food, encrypted communications, whatever) that exceeds the standard of the consumer. Similarly, the use case of "I forgot to add a new expiration date on my own key" is different from the use case of "my correspondent forgot to add a new expiration date on his key". These two use cases revolve around policy, not mechanism. In the former, whether you want to hack up the system time to get around the expiration issue is wholly your lookout -- whatever policy one decides, I neither get to judge it nor comment on it. In the latter, I get to say, "I cannot imagine a world where this makes sense. The certificate has expired; don't use it." Again, producers are -- must be -- held to a higher standard than consumers. Peter, I hope this makes my feelings on the matter clear. It was not my intent to tell you how to run your refrigerator, or that you are somehow doing it incorrectly. From rjh at sixdemonbag.org Thu Sep 18 16:04:13 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Sep 2014 10:04:13 -0400 Subject: Keeping .gnupg folder in cloud In-Reply-To: References: Message-ID: <541AE65D.30904@sixdemonbag.org> > What are your views on keeping .gnupg folder in cloud? Potentially foolish, but not for the reason you might expect. I've often said I'm willing to publish my keyrings in the _New York Times_. I'm not being facetious. My passphrase is 128 random bits from /dev/urandom -- a bear to memorize, but it means if my private key gets published in the newspaper I have nothing to fear (except, perhaps, someone deciding to torture me to get my passphrase: an event that I find unlikely). But the .gnupg folder contains a few sensitive files, such as random_seed. If you publish your random seed, it's theoretically possible for someone to determine the internal state of your random number generator, and at that point you've got a serious risk to the confidentiality and integrity of your communications. If I recall correctly, not all platforms use random_seed. The basic lesson remains the same, though. There are files in .gnupg which probably should not be stored in the cloud. :) From wk at gnupg.org Thu Sep 18 17:13:58 2014 
From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Sep 2014 17:13:58 +0200 Subject: Keeping .gnupg folder in cloud In-Reply-To: <541AE65D.30904@sixdemonbag.org> (Robert J. Hansen's message of "Thu, 18 Sep 2014 10:04:13 -0400") References: <541AE65D.30904@sixdemonbag.org> Message-ID: <87vbol6jwp.fsf@vigenere.g10code.de> On Thu, 18 Sep 2014 16:04, rjh at sixdemonbag.org said: > But the .gnupg folder contains a few sensitive files, such as > random_seed. If you publish your random seed, it's theoretically > possible for someone to determine the internal state of your random In the case of session keys, this is true. For generating public keys, I doubt that this will help: We update the internal 4800 bit RNG state with 2400 fresh random bits before the key is generated. But right, there are other files which should not be published. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From flapflap at riseup.net Thu Sep 18 17:37:29 2014 From: flapflap at riseup.net (flapflap) Date: Thu, 18 Sep 2014 15:37:29 +0000 Subject: Keeping .gnupg folder in cloud In-Reply-To: <541AE65D.30904@sixdemonbag.org> References: <541AE65D.30904@sixdemonbag.org> Message-ID: <541AFC39.20900@riseup.net> Robert J. Hansen: >> What are your views on keeping .gnupg folder in cloud? > > Potentially foolish, but not for the reason you might expect. couldn't it also be that the owner/admin of the cloud makes changes to the keyring? Like adding/removing keys. Dependent on the trust model (like trust-always) this could be a very bad idea... Or it could result in a DOS as the evil admin deleted the secret parts of some key pairs.. ~flapflap From rjh at sixdemonbag.org Thu Sep 18 18:04:37 2014 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Sep 2014 12:04:37 -0400 Subject: Keeping .gnupg folder in cloud In-Reply-To: <541AFC39.20900@riseup.net> References: <541AE65D.30904@sixdemonbag.org> <541AFC39.20900@riseup.net> Message-ID: <541B0295.8050006@sixdemonbag.org> > couldn't it also be that the owner/admin of the cloud makes changes to > the keyring? Like adding/removing keys. Dependent on the trust model > (like trust-always) this could be a very bad idea... Or it could result > in a DOS as the evil admin deleted the secret parts of some key pairs.. The biggest risk is the gpg.conf file, actually. If the admin silently adds another "encrypt-to" and you don't notice it, then you're totally hosed. Like I have said -- there are a lot of files in .gnupg that probably should not be hosted in the cloud. From peter at digitalbrains.com Thu Sep 18 18:23:23 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 18 Sep 2014 18:23:23 +0200 Subject: Keeping .gnupg folder in cloud In-Reply-To: <541B0295.8050006@sixdemonbag.org> References: <541AE65D.30904@sixdemonbag.org> <541AFC39.20900@riseup.net> <541B0295.8050006@sixdemonbag.org> Message-ID: <541B06FB.1070407@digitalbrains.com> On 18/09/14 18:04, Robert J. Hansen wrote: > The biggest risk is the gpg.conf file, actually. If the admin > silently adds another "encrypt-to" and you don't notice it, then > you're totally hosed. The OP said: > Backup will be fully encrypted client side. So I think random_seed and all the other files are actually safe... I might be missing something, though. This all depending on the actual encryption. It would be wise to add a signature too, to prevent willful corruption of the data. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From vedaal at nym.hush.com Thu Sep 18 18:25:22 2014 
From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 18 Sep 2014 12:25:22 -0400 Subject: Keeping .gnupg folder in cloud In-Reply-To: <871traejsp.fsf@vigenere.g10code.de> References: <3797526.FaRLMEmID1@inno> <006B3AE6-4371-4C9D-A018-3AB2BB9AB5B7@jabberwocky.com> <5740197.zZZLHD6fs4@inno> <54174454.6060705@sixdemonbag.org> <54180D50.4050808@digitalbrains.com> <54181676.5050908@dkyb.de> <87mw9zk4q4.fsf@vigenere.g10code.de> <20140916161512.3F402601F0@smtp.hushmail.com> <94120420.20140917025748@my_localhost> <871traejsp.fsf@vigenere.g10code.de> Message-ID: <20140918162522.8488920395@smtp.hushmail.com> On Thu Sep 18 17:13:58 CEST 2014 "Werner Koch" wrote: > But right, there are other files which should not be published. Is it possible to have .gnupg on a smart card ? vedaal From rjh at sixdemonbag.org Thu Sep 18 18:36:41 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Sep 2014 12:36:41 -0400 Subject: Keeping .gnupg folder in cloud In-Reply-To: <541B06FB.1070407@digitalbrains.com> References: <541AE65D.30904@sixdemonbag.org> <541AFC39.20900@riseup.net> <541B0295.8050006@sixdemonbag.org> <541B06FB.1070407@digitalbrains.com> Message-ID: <541B0A19.7040009@sixdemonbag.org> >> Backup will be fully encrypted client side. > > So I think random_seed and all the other files are actually safe... Oh, good point. I missed that. My apologies to the original poster! From wk at gnupg.org Thu Sep 18 18:41:21 2014 
From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Sep 2014 18:41:21 +0200 Subject: New beta Message-ID: <87r3z87ufi.fsf@vigenere.g10code.de> Hi, I just uploaded a new beta: ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta834.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta834.tar.bz2.sig Noteworthy changes in version 2.1.0-beta834 (2014-09-18) -------------------------------------------------------- * gpg: Improved passphrase caching. * gpg: Switched to algorithm number 22 for EdDSA. * gpg: Removed CAST5 from the default preferences. * gpg: Order SHA-1 last in the hash preferences. * gpg: Changed default cipher for --symmetric to AES-128. * gpg: Fixed export of ECC keys and import of EdDSA keys. * dirmngr: Fixed the KS_FETCH command. * speedo: Downloads related packages and works for non-Windows. To quickly build all required software without installing it, the Speedo method may be used: make -f build-aux/speedo.mk native This method downloads all required libraries and does a native build of GnuPG to PLAY/inst/. GNU make is required and you need to set LD_LIBRARY_PATH to $(pwd)/PLAY/inst/lib. If you have all required tools and some extra source packages in ../tarballs, you may also build a Windows installer: make -f build-aux/speedo.mk w32-installer Here is the list of those extra packages atk-1.32.0.tar.bz2 cairo-1.12.16.tar.xz cairo-1.12.16.tar.xz.sha1.asc gdk-pixbuf-2.26.5.tar.xz gettext-0.18.2.1.tar.gz glib-2.34.3.tar.xz gtk+-2.24.17.tar.xz libffi-3.0.13.tar.gz libiconv-1.14.tar.gz libpng-1.4.12.tar.bz2 pango-1.29.4.tar.bz2 pixman-0.32.4.tar.gz pixman-0.32.4.tar.gz.sha1.asc pkg-config-0.23.tar.gz Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From sudhir at sudhirkhanger.com Thu Sep 18 19:31:03 2014 
From: sudhir at sudhirkhanger.com (Sudhir Khanger) Date: Thu, 18 Sep 2014 23:01:03 +0530 Subject: Keeping .gnupg folder in cloud Message-ID: On Thu, Sep 18, 2014 at 7:34 PM, Robert J. Hansen wrote: > Potentially foolish Looks like there is consensus in not uploading .gnupg folder in cloud. From what I gather it should be fine to keep local backups just to prevent any data loss. -- Regards, Sudhir Khanger. sudhirkhanger.com https://github.com/donniezazen PS:- Gmail has a weird setup. It would not allow me to reply back to the mailing list email. Reply replies to person whose email you clicked reply from and reply all goes to everybody's email on the thread and not the list. From dkg at fifthhorseman.net Thu Sep 18 22:36:53 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 18 Sep 2014 16:36:53 -0400 Subject: gmail list replies [Re: Keeping .gnupg folder in cloud] In-Reply-To: References: Message-ID: <541B4265.2090303@fifthhorseman.net> On 09/18/2014 01:31 PM, Sudhir Khanger wrote: > PS:- Gmail has a weird setup. It would not allow me to reply back to > the mailing list email. Reply replies to person whose email you > clicked reply from and reply all goes to everybody's email on the > thread and not the list. You put this part of your message below your .sig, so many people might not have seen it. I don't use gmail, but perhaps one of the other people who use gmail on this list can give you pointers on how to interact with mailing lists like this one through their web interface. --dkg From pete at heypete.com Thu Sep 18 23:10:05 2014 
From: pete at heypete.com (Pete Stephenson) Date: Thu, 18 Sep 2014 23:10:05 +0200 Subject: gmail list replies [Re: Keeping .gnupg folder in cloud] In-Reply-To: <541B4265.2090303@fifthhorseman.net> References: <541B4265.2090303@fifthhorseman.net> Message-ID: On Thu, Sep 18, 2014 at 10:36 PM, Daniel Kahn Gillmor wrote: > On 09/18/2014 01:31 PM, Sudhir Khanger wrote: >> PS:- Gmail has a weird setup. It would not allow me to reply back to >> the mailing list email. Reply replies to person whose email you >> clicked reply from and reply all goes to everybody's email on the >> thread and not the list. > > You put this part of your message below your .sig, so many people might > not have seen it. > > I don't use gmail, but perhaps one of the other people who use gmail on > this list can give you pointers on how to interact with mailing lists > like this one through their web interface. I use Google Apps (in essence, Gmail for one's domain). "Reply" composes a response to the sender (but not the list). "Reply All" composes a response to the sender and CCs the list. I have not observed the behavior that Sudhir reports. Perhaps things behave differently between Gmail and Google Apps? There's some other minor differences, but for everything else the compose/reply options have always seemed to be quite similar. Cheers! -Pete -- Pete Stephenson From sudhir at sudhirkhanger.com Thu Sep 18 23:17:58 2014 
From: sudhir at sudhirkhanger.com (Sudhir Khanger)
Date: Fri, 19 Sep 2014 02:47:58 +0530
Subject: gmail list replies [Re: Keeping .gnupg folder in cloud]
In-Reply-To:
References: <541B4265.2090303@fifthhorseman.net>
Message-ID:

On Fri, Sep 19, 2014 at 2:40 AM, Pete Stephenson wrote:
> On Thu, Sep 18, 2014 at 10:36 PM, Daniel Kahn Gillmor
> wrote:
>> On 09/18/2014 01:31 PM, Sudhir Khanger wrote:
>>> PS:- Gmail has a weird setup. It would not allow me to reply back to
>>> the mailing list email. Reply replies to person whose email you
>>> clicked reply from and reply all goes to everybody's email on the
>>> thread and not the list.
>>
>> You put this part of your message below your .sig, so many people might
>> not have seen it.
>>
>> I don't use gmail, but perhaps one of the other people who use gmail on
>> this list can give you pointers on how to interact with mailing lists
>> like this one through their web interface.
>
> I use Google Apps (in essence, Gmail for one's domain). "Reply"
> composes a response to the sender (but not the list). "Reply All"
> composes a response to the sender and CCs the list.
>
> I have not observed the behavior that Sudhir reports. Perhaps things
> behave differently between Gmail and Google Apps? There's some other
> minor differences, but for everything else the compose/reply options
> have always seemed to be quite similar.
>
> Cheers!
> -Pete
>
> --
> Pete Stephenson

You are right; looking more closely, Reply All does send to each person in the thread and CC to the mailing list.

--
Regards,
Sudhir Khanger.
sudhirkhanger.com
https://github.com/donniezazen

From 2014-667rhzu3dc-lists-groups at riseup.net Fri Sep 19 19:52:46 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Fri, 19 Sep 2014 18:52:46 +0100
Subject: New beta
In-Reply-To: <87r3z87ufi.fsf@vigenere.g10code.de>
References: <87r3z87ufi.fsf@vigenere.g10code.de>
Message-ID: <679849602.20140919185246@my_localhost>

Hi

On Thursday 18 September 2014 at 5:41:21 PM, in , Werner Koch wrote:

> If you have all required tools and some extra source
> packages in ../tarballs, you may also build a Windows
> installer:
> make -f build-aux/speedo.mk w32-installer

Does this have to be done under Linux, or can it be done under Windows with the aid of something like MinGW or CodeBlocks?

--
Best regards
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

Gypsy Dwarf Escapes Prison: Small Medium at large

From rjh at sixdemonbag.org Fri Sep 19 20:14:44 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 19 Sep 2014 14:14:44 -0400
Subject: New beta
In-Reply-To: <679849602.20140919185246@my_localhost>
References: <87r3z87ufi.fsf@vigenere.g10code.de> <679849602.20140919185246@my_localhost>
Message-ID: <541C7294.3030500@sixdemonbag.org>

> Does this have to be done under Linux, or can it be done under
> Windows with the aid of something like MinGW or CodeBlocks?

Unfortunately, this is not something I'd recommend for anyone except a handful of MinGW experts. It's technically possible, but daunting.

The approved way of building Win32 executables of GnuPG is to cross-compile from Linux.

From vedaal at nym.hush.com Fri Sep 19 21:46:04 2014
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 19 Sep 2014 15:46:04 -0400
Subject: New beta
In-Reply-To: <541C7294.3030500@sixdemonbag.org>
References: <87r3z87ufi.fsf@vigenere.g10code.de> <679849602.20140919185246@my_localhost> <541C7294.3030500@sixdemonbag.org>
Message-ID: <20140919194604.817A660C30@smtp.hushmail.com>

On 9/19/2014 at 2:18 PM, "Robert J. Hansen" wrote:
>
>> Does this have to be done under Linux, or can it be done under
>> Windows with the aid of something like MinGW or CodeBlocks?
>
>Unfortunately, this is not something I'd recommend for anyone except a
>handful of MinGW experts. It's technically possible, but daunting.
>
>The approved way of building Win32 executables of GnuPG is to
>cross-compile from Linux.

=====

Can gnupg-2.1.0-beta834 be compiled on Cygwin ?

I tried downloading it from the ftp link WK gave, and when trying to configure on Cygwin, got the following errors:

configure:
*** You need libgpg-error to build this program
*** You need libassuan to build this program
*** You need libska to build this program
*** It is now required to build with support for the
*** New Portable Threads Library (nPth). Please install
*** this library first.
configure: error:
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.

Ok, Downloaded all the above libraries from the links provided, started with the first one mentioned, libgpg-error, and got as far as,

config.status: creating po/Makefile

libgpg-error-1.16 prepared for make

Revision: 8f3187f (36657)
Platform: i686-pc-cygwin

Then after trying 'make', got the following:

$ make
make all-recursive
make[1]: Entering directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16'
Making all in m4
make[2]: Entering directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16/m4'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16/m4'
Making all in src
make[2]: Entering directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16/src'
gawk -f ./mkerrnos.awk ./errnos.in >code-to-errno.h
gawk -f ./mkerrcodes1.awk ./errnos.in >_mkerrcodes.h
gcc -E _mkerrcodes.h | grep GPG_ERR_ | \
  gawk -f ./mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
gcc -I. -I. -o mkerrcodes ./mkerrcodes.c
./mkerrcodes | gawk -f ./mkerrcodes2.awk >code-from-errno.h
gawk -f ./mkstrtable.awk -v textidx=2 -v nogettext=1 \
  ./err-sources.h.in >err-sources-sym.h
gawk -f ./mkstrtable.awk -v textidx=2 -v nogettext=1 \
  ./err-codes.h.in >err-codes-sym.h
gawk -f ./mkstrtable.awk -v textidx=2 -v nogettext=1 \
  -v prefix=GPG_ERR_ -v namespace=errnos_ \
  ./errnos.in >errnos-sym.h
gcc -g -O0 -I. -I. -o mkheader ./mkheader.c
gcc -g -O2 -Wall -Wpointer-arith gen-posix-lock-obj.c -o gen-posix-lock-obj
gen-posix-lock-obj.c:40:3: error: #error sizeof pthread_mutex_t is not known.
gen-posix-lock-obj.c: In function ‘main’:
gen-posix-lock-obj.c:69:21: error: ‘SIZEOF_PTHREAD_MUTEX_T’ undeclared (first use in this function)
gen-posix-lock-obj.c:69:21: note: each undeclared identifier is reported only once for each function it appears in
gen-posix-lock-obj.c:99:11: error: ‘HOST_TRIPLET_STRING’ undeclared (first use in this function)
: recipe for target `gen-posix-lock-obj' failed
make[2]: *** [gen-posix-lock-obj] Error 1
make[2]: Leaving directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16/src'
Makefile:402: recipe for target `all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/cygdrive/c/gnupg-2.1.0-beta834/libgpg-error-1.16/libgpg-error-1.16'
Makefile:333: recipe for target `all' failed
make: *** [all] Error 2

So, can it be done on Cygwin, using other steps/commands first?

(btw, have not had any problems compiling, making, and installing gnupg 1.4.x on Cygwin).

TIA,

vedaal

From wk at gnupg.org Fri Sep 19 22:01:08 2014
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Sep 2014 22:01:08 +0200
Subject: New beta
In-Reply-To: <541C7294.3030500@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 19 Sep 2014 14:14:44 -0400")
References: <87r3z87ufi.fsf@vigenere.g10code.de> <679849602.20140919185246@my_localhost> <541C7294.3030500@sixdemonbag.org>
Message-ID: <87y4tfxtvf.fsf@vigenere.g10code.de>

On Fri, 19 Sep 2014 20:14, rjh at sixdemonbag.org said:

> The approved way of building Win32 executables of GnuPG is to
> cross-compile from Linux.

and best on Debian Wheezy or Jessie. I plan to eventually add some checks into the Makefile to suggest what to install.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From rjh at sixdemonbag.org Fri Sep 19 22:15:15 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 19 Sep 2014 16:15:15 -0400
Subject: New beta
In-Reply-To: <87y4tfxtvf.fsf@vigenere.g10code.de>
References: <87r3z87ufi.fsf@vigenere.g10code.de> <679849602.20140919185246@my_localhost> <541C7294.3030500@sixdemonbag.org> <87y4tfxtvf.fsf@vigenere.g10code.de>
Message-ID: <541C8ED3.9020803@sixdemonbag.org>

> and best on Debian Wheezy or Jessie. I plan to eventually add some
> checks into the Makefile to suggest what to install.

It would be nice if it could also be checked with Fedora. CentOS/RHEL is really big in the business world, and I know a couple of shops that would like to be able to cross-compile their Windows GnuPG builds from their CentOS/RHEL boxen.

However, I'm unaware of anyone who's calling this a blocker, so it's a pretty low priority. (See, folks? I apply the six-real-users-with-real-problems test even to my own requests. ;) )

From mac3iii at gmail.com Sat Sep 20 02:13:27 2014
From: mac3iii at gmail.com (Murphy)
Date: Fri, 19 Sep 2014 20:13:27 -0400
Subject: New beta
In-Reply-To: <20140919194604.817A660C30@smtp.hushmail.com>
References: <20140919194604.817A660C30@smtp.hushmail.com>
Message-ID: <541CC6A7.9040802@gmail.com>

In response to vedaal's question - installation of gnupg v2.1 is significantly different from v1.x and even v2.0. For my Ubuntu machine here is a brief summary of the steps, in order

1. Install latest libraries: npth, libgpg-error, libgcrypt, libksba, libassuan
2. Execute the following command: sudo ln -sf /dev/null /etc/xdg/autostart/gnome-keyring-gpg.desktop
3. sudo apt-get install libdb-dev, libdb++-dev, libbz2-dev
4. Install Openldap-2.4.39 using ./configure, make depend, make, sudo make install
5. sudo apt-get install gtk+-2.0
6. Install pinentry, gnupg-2.1

Of course your mileage may vary, machine blow up and hard drive autowipe. But it works for me and it is definitely worth it to play with all the new elliptical curve modes:

me at me:~$ gpg2 --expert --gen-key
gpg (GnuPG) 2.1.0-beta834; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 9
Please select which elliptic curve you want:
   (2) NIST P-256
   (3) NIST P-384
   (4) NIST P-521
   (5) Brainpool P-256
   (6) Brainpool P-384
   (7) Brainpool P-512
Your selection?

From wk at gnupg.org Sat Sep 20 12:53:25 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 20 Sep 2014 12:53:25 +0200
Subject: New beta
In-Reply-To: <541C8ED3.9020803@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 19 Sep 2014 16:15:15 -0400")
References: <87r3z87ufi.fsf@vigenere.g10code.de> <679849602.20140919185246@my_localhost> <541C7294.3030500@sixdemonbag.org> <87y4tfxtvf.fsf@vigenere.g10code.de> <541C8ED3.9020803@sixdemonbag.org>
Message-ID: <87d2aqy34q.fsf@vigenere.g10code.de>

On Fri, 19 Sep 2014 22:15, rjh at sixdemonbag.org said:

> It would be nice if it could also be checked with Fedora. CentOS/RHEL

My idea was to check that the required software is available and not to check for a certain distribution. One major problem has always been that the mingw toolchain often has regressions which lead to subtle errors at runtime and sometimes even the build breaks. This is why I suggest Debian as the OS I use for development.

> However, I'm unaware of anyone who's calling this a blocker, so it's a
> pretty low priority. (See, folks? I apply the

Note that low given that Debconf's BoF mentioned that they need to build gpg also for Windows - Fedora should have similar requirements. GnuPG-1, though.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 20 12:57:04 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 20 Sep 2014 11:57:04 +0100
Subject: New beta
In-Reply-To: <541CC6A7.9040802@gmail.com>
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com>
Message-ID: <1258946889.20140920115704@my_localhost>

Hi

On Saturday 20 September 2014 at 1:13:27 AM, in , Murphy wrote:

> Of course your mileage may vary, machine blow up and
> hard drive autowipe. But it works for me and it is
> definitely worth it to play with all the new elliptical
> curve modes:

If you add an ECC subkey to an RSA or DSA mainkey, does GnuPG 1.4.x or 2.0.x ignore it and revert to the next newest subkey? Or does compatibility require the RSA or ElGamal subkey to be newer than the ECC subkey?

--
Best regards
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

Dollar sign - An S that's been double crossed

From philip.jackson at nordnet.fr Sat Sep 20 15:05:31 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Sat, 20 Sep 2014 15:05:31 +0200
Subject: New beta
In-Reply-To: <541CC6A7.9040802@gmail.com>
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com>
Message-ID: <541D7B9B.9040702@nordnet.fr>

On 20/09/14 02:13, Murphy wrote:
> For my Ubuntu
> machine here is a brief summary of the steps, in order
>
> 1. Install latest libraries: npth, libgpg-error, libgcrypt, libksba,
> libassuan
> 2. Execute the following command: sudo ln -sf /dev/null
> /etc/xdg/autostart/gnome-keyring-gpg.desktop
> 3. sudo apt-get install libdb-dev, libdb++-dev, libbz2-dev
> 4. Install Openldap-2.4.39 using ./configure, make depend, make, sudo
> make install
> 5. sudo apt-get install gtk+-2.0
> 6. Install pinentry, gnupg-2.1

What, please, is the reason for the step no. 2 in the above list ?

Philip

From mac3iii at gmail.com Sat Sep 20 16:23:42 2014
From: mac3iii at gmail.com (Murphy)
Date: Sat, 20 Sep 2014 10:23:42 -0400
Subject: New beta
Message-ID: <541D8DEE.4060901@gmail.com>

On 20/09/14 10:20, Murphy wrote:
> What, please, is the reason for the step no. 2 in the above list ?

This is a command to prevent gnome from hijacking pinentry. Without it or something like it error messages are generated during execution of the gpg2 command. I forget who suggested it but I remember that Werner endorsed it.

From wk at gnupg.org Sat Sep 20 17:06:22 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 20 Sep 2014 17:06:22 +0200
Subject: New beta
In-Reply-To: <1258946889.20140920115704@my_localhost> (MFPA's message of "Sat, 20 Sep 2014 11:57:04 +0100")
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost>
Message-ID: <877g0ywcup.fsf@vigenere.g10code.de>

On Sat, 20 Sep 2014 12:57, 2014-667rhzu3dc-lists-groups at riseup.net said:

> If you add an ECC subkey to an RSA or DSA mainkey, does GnuPG 1.4.x or
> 2.0.x ignore it and revert to the next newest subkey? Or does

It should do so; if not it is a bug which needs to be fixed soon. But given that 1.4 is not able to parse ECC keys the selection process can't consider an ECC key in the first place.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From mac3iii at gmail.com Sun Sep 21 03:47:18 2014
From: mac3iii at gmail.com (Murphy)
Date: Sat, 20 Sep 2014 21:47:18 -0400
Subject: New beta
In-Reply-To: <541D8DEE.4060901@gmail.com>
References: <541D8DEE.4060901@gmail.com>
Message-ID: <541E2E26.9050901@gmail.com>

I am definitely having fun with Speedo. After playing around with it in a virtual box Ubuntu environment I can see the advantage. It immediately downloads and installs the required libraries as advertised and builds an executable gpg2 in PLAY/inst/. Unfortunately for me I cannot then get it to perform its duty. I execute the suggested command

  LD_LIBRARY_PATH=$(pwd)/PLAY/inst/lib

typed exactly as written above, and then nothing happens. gpg2 continues to execute as the previously installed version. Any ideas?

Ok, onward to the w32-installer. Immediately I am stumped by the simple requirement to put the source packages in ../tarballs. I admit, I am relatively new to Linux but can somebody give me a hint as to what is meant by ../? A simple command to create the required directory would be very helpful. Something I can copy and paste to make it happen.

I am committed to making the w32-installer. It will happen. Thanks!

From peter at digitalbrains.com Sun Sep 21 11:59:46 2014
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 21 Sep 2014 11:59:46 +0200
Subject: New beta
In-Reply-To: <877g0ywcup.fsf@vigenere.g10code.de>
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <877g0ywcup.fsf@vigenere.g10code.de>
Message-ID: <541EA192.4080104@digitalbrains.com>

On 20/09/14 17:06, Werner Koch wrote:
> But given that 1.4 is not able to parse ECC keys the selection process can't
> consider an ECC key in the first place.

What is the net effect when GnuPG 1.4 encounters, for example, such a key:

  RSA pubkey with Certify and Sign capabilities
  RSA subkey with Encrypt capability, created 2014-04-01
  ECC subkey with Encrypt capability, created 2014-09-21

Everything is non-expired. If I were to try to encrypt to it, would 1.4 pick the RSA subkey because it is valid and understandable to it, or would it fail to encrypt to this key because it can't parse ECC keys?

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From philip.jackson at nordnet.fr Sun Sep 21 18:03:34 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Sun, 21 Sep 2014 18:03:34 +0200
Subject: New beta
In-Reply-To: <541D8DEE.4060901@gmail.com>
References: <541D8DEE.4060901@gmail.com>
Message-ID: <541EF6D6.8080504@nordnet.fr>

On 20/09/14 16:23, Murphy wrote:
>> What, please, is the reason for the step no. 2 in the above list ?
> This is a command to prevent gnome from hijacking pinentry. Without
> it or something like it error messages are generated during execution
> of the gpg2 command. I forget who suggested it but I remember that
> Werner endorsed it.

What are the symptoms of gnome hijacking pinentry ?

I'm using UbuntuStudio1404 - Enigmail (w.thunderbird) is working with gpg2. When I need to enter a passphrase for enigmail, it goes into the pinentry-gtk2 dialog box ok.

The system monitor shows me that gnome-keyring-daemon process is running (but I don't think I'm actually doing anything with gnome keyrings) but it doesn't seem to interfere with encrypting/decrypting or signing emails or using gpg2 to verify signatures from the cli.

Philip

From mac3iii at gmail.com Sun Sep 21 21:57:39 2014
From: mac3iii at gmail.com (Murphy)
Date: Sun, 21 Sep 2014 15:57:39 -0400
Subject: New beta
In-Reply-To: <541EF6D6.8080504@nordnet.fr>
References: <541EF6D6.8080504@nordnet.fr>
Message-ID: <541F2DB3.5090503@gmail.com>

> What are the symptoms of gnome hijacking pinentry ?

Philip, if you are encrypting/decrypting or signing emails with gpg2 and having no problems with error messages then you don't need to put in the command of step no. 2. The symptoms of a hijacking are that when gpg2 tries to put up a pinentry box gnome keyring hijacks the process and puts up its own box. Recent versions of gnupg-2.0.x will then display an error message in the terminal and bad things happen. Either you only get one attempt at changing passphrases or the whole process crashes. The process may succeed or not, it is unpredictable.

If you wish to witness it first hand I recommend using virtualbox. Set up a fresh install of Ubuntu inside virtualbox (really easy and fun) and then install Gnupg-2.1.0 without the command in step 2. Then try to generate a key, if you can. The virtualbox environment is perfect for experimenting with new beta versions and playing with ECC keys and subkeys, without disturbing your regular production environment.

Murphy

From wk at gnupg.org Mon Sep 22 08:52:03 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 22 Sep 2014 08:52:03 +0200
Subject: New beta
In-Reply-To: <541EA192.4080104@digitalbrains.com> (Peter Lebbing's message of "Sun, 21 Sep 2014 11:59:46 +0200")
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <877g0ywcup.fsf@vigenere.g10code.de> <541EA192.4080104@digitalbrains.com>
Message-ID: <87ha00uoz0.fsf@vigenere.g10code.de>

On Sun, 21 Sep 2014 11:59, peter at digitalbrains.com said:

> What is the net effect when GnuPG 1.4 encounters, for example, such a key:
>
> RSA pubkey with Certify and Sign capabilities
> RSA subkey with Encrypt capability, created 2014-04-01
> ECC subkey with Encrypt capability, created 2014-09-21
>
> Everything is non-expired. If I were to try to encrypt to it, would 1.4 pick the
> RSA subkey because it is valid and understandable to it, or would it fail to
> encrypt to this key because it can't parse ECC keys?

I did some tests:

  $ gpg1 -k 9613A41C
  pub 1024R/9613A41C 2014-09-22
  uid RSA+RSA key created by gpg1 (test)
  sub 1024R/0CA0BC98 2014-09-22
  sub 0e/A519E3EC 2014-09-22

  $ ../g10/gpg2 -k 9613A41C
  pub rsa1024/9613A41C 2014-09-22
  uid [ultimate] RSA+RSA key created by gpg1 (test)
  sub rsa1024/0CA0BC98 2014-09-22
  sub nistp256/A519E3EC 2014-09-22 nistp256

You can't see it in this output but the ECC key has been created a minute or so after the standard key (with gpg2 of course). The initial keyring was created by "gpg1 --export >pubring.gpg" and then gpg1 was used to create a new standard key. I redacted some diagnostics.

  $ fortune | ../g10/gpg2 -evar 9613A41C >x
  gpg: using subkey A519E3EC instead of primary key 9613A41C
  gpg: using PGP trust model
  gpg: This key belongs to us
  gpg: reading from '[stdin]'
  gpg: writing to stdout
  gpg: ECDH/AES256 encrypted for: "A519E3EC RSA+RSA key created by gpg1 (test)"

  $ ../g10/gpg2 x
  gpg: using subkey 0CA0BC98 instead of primary key 9613A41C
  gpg: using PGP trust model
  gpg: This key belongs to us
  gpg: reading from `[stdin]'
  gpg: writing to stdout
  gpg: RSA/AES256 encrypted for: "0CA0BC98 RSA+RSA key created by gpg1 (test)"

The RSA key was used.

  $ gpg1
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <877g0ywcup.fsf@vigenere.g10code.de> <541EA192.4080104@digitalbrains.com> <87ha00uoz0.fsf@vigenere.g10code.de>
Message-ID: <541FE59D.30606@digitalbrains.com>

Thank you for this clear example! Luckily, it behaves as you would hope, picking the valid subkey it can use and ignoring the one it can't.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From wk at gnupg.org Mon Sep 22 12:34:48 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 22 Sep 2014 12:34:48 +0200
Subject: New beta
In-Reply-To: <541E2E26.9050901@gmail.com> (Murphy's message of "Sat, 20 Sep 2014 21:47:18 -0400")
References: <541D8DEE.4060901@gmail.com> <541E2E26.9050901@gmail.com>
Message-ID: <87d2aouenr.fsf@vigenere.g10code.de>

On Sun, 21 Sep 2014 03:47, mac3iii at gmail.com said:

> for me I cannot then get it to perform its duty. I execute the
> suggested command
> LD_LIBRARY_PATH=$(pwd)/PLAY/inst/lib
> typed exactly as written above, and then nothing happens. gpg2
> continues to execute as the previously installed version. Any ideas?

Well the above is not a command but the way to set variables in the shell. Programs won't pick these variables up unless you do either

  NAME=VALUE PROGRAM

or for setting it for the entire session you need to mark the variable:

  NAME=VALUE
  export NAME

after that all programs can access this variable. Now to run the actual binary you have to type the name of the program:

  PLAY/inst/bin/gpg2

assuming you are in the top build directory or you add it to your PATH

  PATH="$(pwd)/PLAY/inst/bin:$PATH"

(An "export" command for PATH has already been done by the shell)

> admit, I am relatively new to Linux but can somebody give me a hint as
> to what is meant by ../? A simple command to create the required

The parent directory. I suggest that you read up a bit on Unix shell use because all build instructions are written under the assumption that this is known. Yes, I know that this is the gnupg-users mailing list and we should not assume that all subscribers are Unix gurus. However, in the past that seems to have been the case.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From robertc at broadcom.com Mon Sep 22 21:12:30 2014
From: robertc at broadcom.com (Bob (Robert) Cavanaugh)
Date: Mon, 22 Sep 2014 19:12:30 +0000
Subject: New beta
In-Reply-To: <87d2aouenr.fsf@vigenere.g10code.de>
References: <541D8DEE.4060901@gmail.com> <541E2E26.9050901@gmail.com> <87d2aouenr.fsf@vigenere.g10code.de>
Message-ID: <8F0B09FC6339FA439524099BFCABC11F2D35C78D@IRVEXCHMB11.corp.ad.broadcom.com>

Hi Werner,

This might be off topic, but the thread mentions Fedora. Can you please tell me how easy it would be to produce a GPG2 stable RPM for Fedora? Currently they only supply GPG1 as an option from Yum. I would really like to get them to produce a GPG-2 version.

Thanks,

Bob Cavanaugh
Broadcom Corporation
16340 West Bernardo Drive
San Diego CA 92127
Work: 858-521-5562
Fax: 858-385-8810
Cell: 858-361-2068

-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Werner Koch
Sent: Monday, September 22, 2014 3:35 AM
To: Murphy
Cc: gnupg-users at gnupg.org
Subject: Re: New beta

On Sun, 21 Sep 2014 03:47, mac3iii at gmail.com said:

> for me I cannot then get it to perform its duty. I execute the
> suggested command
> LD_LIBRARY_PATH=$(pwd)/PLAY/inst/lib
> typed exactly as written above, and then nothing happens. gpg2
> continues to execute as the previously installed version. Any ideas?

Well the above is not a command but the way to set variables in the shell. Programs won't pick these variables up unless you do either

  NAME=VALUE PROGRAM

or for setting it for the entire session you need to mark the variable:

  NAME=VALUE
  export NAME

after that all programs can access this variable. Now to run the actual binary you have to type the name of the program:

  PLAY/inst/bin/gpg2

assuming you are in the top build directory or you add it to your PATH

  PATH="$(pwd)/PLAY/inst/bin:$PATH"

(An "export" command for PATH has already been done by the shell)

> admit, I am relatively new to Linux but can somebody give me a hint as
> to what is meant by ../? A simple command to create the required

The parent directory. I suggest that you read up a bit on Unix shell use because all build instructions are written under the assumption that this is known. Yes, I know that this is the gnupg-users mailing list and we should not assume that all subscribers are Unix gurus. However, in the past that seems to have been the case.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From christoph at grothesque.org Mon Sep 22 17:09:49 2014
From: christoph at grothesque.org (Christoph Groth)
Date: Mon, 22 Sep 2014 17:09:49 +0200
Subject: gpgsm: trust a specific sender but not CA
Message-ID: <87fvfjk7ya.fsf@grothesque.org>

Hi,

Is it possible with gpgsm to trust a specific sender while not trusting the CA? I tried putting the key's fingerprint into trustlist.txt, but this doesn't seem to work for individual keys.

Christoph

From wk at gnupg.org Tue Sep 23 09:22:35 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Sep 2014 09:22:35 +0200
Subject: New beta
In-Reply-To: <8F0B09FC6339FA439524099BFCABC11F2D35C78D@IRVEXCHMB11.corp.ad.broadcom.com> (Bob Cavanaugh's message of "Mon, 22 Sep 2014 19:12:30 +0000")
References: <541D8DEE.4060901@gmail.com> <541E2E26.9050901@gmail.com> <87d2aouenr.fsf@vigenere.g10code.de> <8F0B09FC6339FA439524099BFCABC11F2D35C78D@IRVEXCHMB11.corp.ad.broadcom.com>
Message-ID: <87bnq6ssw4.fsf@vigenere.g10code.de>

On Mon, 22 Sep 2014 21:12, robertc at broadcom.com said:

> This might be off topic, but the thread mentions Fedora. Can you
> please tell me how easy it would be to produce a GPG2 stable RPM for
> Fedora? Currently they only supply GPG1 as an option from Yum. I would
> really like to get them to produce a GPG-2 version.

Fedora has a gnupg2 package. If you want to try out the new 2.1 beta, you may use the Speedo system. I am pretty sure that it will work on Fedora and any other Unix system with gmake and some basic tools installed. What may not work is building a Windows version of GnuPG on Fedora.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From philip.jackson at nordnet.fr Tue Sep 23 13:24:22 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Tue, 23 Sep 2014 13:24:22 +0200
Subject: smartcards : bad link on howto page
Message-ID: <54215866.4090802@nordnet.fr>

I've finally received my smartcard from Kernel-concepts and I have a USB reader SCT3512 from SCM.

I am trying to follow the howto on this page :
https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
and I've reached step 2.3.1 CCID

The file gnupg-ccid.rules downloaded ok from the link provided but the next link for the second file, gnupg-ccid is a link for the page I'm already on :
https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
it just takes me to the top of the page.

This file is however available on the same link as the first file.

Looks like something to correct ?

-Philip

From philip.jackson at nordnet.fr Tue Sep 23 14:37:41 2014
From: philip.jackson at nordnet.fr (Philip Jackson) Date: Tue, 23 Sep 2014 14:37:41 +0200 Subject: help with installing a smartcard Message-ID: <54216995.2000703@nordnet.fr> I'm using UbuntuStudio1404. Working from : https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html I completed the steps in 2.3.1 using the section "With udev (preferred installation)". I took it that the following stuff under the heading "With hotplug (deprecated in modern systems)" was a deprecated alternative. Was this the correct assumption ? In any case, when I ran the test in 3.1, clearly the system cannot see the card - I get the following : gpg --card-status gpg: selecting openpgp failed: ec=6.108 gpg: OpenPGP card not available: general error Looking into the directory /etc/udev/rules.d/, I found a README with the following - "The files in this directory are read by udev(7) and used when events are performed by the kernel. The udev daemon watches this directory with inotify so that changes to these files are automatically picked up, for this reason they must be files and not symlinks to another location as in the case in Debian." so I tried replacing the link created during section 2.3.1 of the howto webpage with a file. But the result is the same. Have I misinterpreted the steps in 2.3.1 ? -Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pmlopes at gmail.com Tue Sep 23 14:49:32 2014 
From: pmlopes at gmail.com (Paulo Lopes)
Date: Tue, 23 Sep 2014 14:49:32 +0200
Subject: help with installing a smartcard
In-Reply-To: <54216995.2000703@nordnet.fr>
References: <54216995.2000703@nordnet.fr>
Message-ID:

Hi Philip,

If ubuntu studio 14.04 is like ubuntu 14.04 this is what i did and works for me, btw this works for me on both ubuntu and gnomeubuntu 14.04 it might stop working with 14.10 since the init system is switching from upstart to systemd:

    # Install the card
    sudo apt-get install gnupg2 gnupg-agent pcscd pcsc-tools libccid scdaemon libpam-poldi gpgsm
    sudo addgroup --system pcscd
    sudo usermod -a -G pcscd paulo

    # gnome keyring messes up the system
    # modify: /usr/share/upstart/sessions/gpg-agent.conf
    ...
        eval "$(gpg-agent --daemon --enable-ssh-support --sh)" >/dev/null
        initctl set-env --global GPG_AGENT_INFO=$GPG_AGENT_INFO
        initctl set-env --global SSH_AGENT_PID=$SSH_AGENT_PID
        initctl set-env --global SSH_AUTH_SOCK=$SSH_AUTH_SOCK
    end script

    post-stop script
        GPG_AGENT_PID=$(echo $GPG_AGENT_INFO | cut -d : -f2)
        kill $GPG_AGENT_PID 2>/dev/null || true
        initctl unset-env --global GPG_AGENT_INFO
        initctl unset-env --global SSH_AGENT_PID
        initctl unset-env --global SSH_AUTH_SOCK
    end script

Edit the file: ```/etc/X11/Xsession.options``` and disable ```ssh-agent```.

## Enable gpg agent

    echo "gpg-agent" >> ~/.gnupg/gpg.conf

## Enable ssh agent

    sudo nano /etc/X11/Xsession.d/90gpg-agent

add the parameter `--enable-ssh-support` should read:

    STARTUP="$GPGAGENT --daemon --enable-ssh-support --sh --write-env-file=$PID_FILE $STARTUP"

## Disable the gnome keyring daemon for ssh and gpg

    cd /etc/xdg/autostart
    mv gnome-keyring-gpg.desktop gnome-keyring-gpg.nostart
    mv gnome-keyring-ssh.desktop gnome-keyring-ssh.nostart

On Tue, Sep 23, 2014 at 2:37 PM, Philip Jackson wrote:

> I'm using UbuntuStudio1404.
> > Working from : > > https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html > > I completed the steps in 2.3.1 using the section "With udev (preferred > installation)". > > I took it that the following stuff under the heading "With hotplug > (deprecated > in modern systems)" was a deprecated alternative. Was this the correct > assumption ? > > In any case, when I ran the test in 3.1, clearly the system cannot see the > card > - I get the following : > > gpg --card-status > gpg: selecting openpgp failed: ec=6.108 > gpg: OpenPGP card not available: general error > > > Looking into the directory /etc/udev/rules.d/, I found a README with the > following - > > "The files in this directory are read by udev(7) and used when events > are performed by the kernel. The udev daemon watches this directory > with inotify so that changes to these files are automatically picked > up, for this reason they must be files and not symlinks to another > location as in the case in Debian." > > so I tried replacing the link created during section 2.3.1 of the howto > webpage > with a file. But the result is the same. > > Have I misinterpreted the steps in 2.3.1 ? > > -Philip > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- Paulo Lopes www.jetdrone.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From pmlopes at gmail.com Tue Sep 23 16:14:23 2014 
From: pmlopes at gmail.com (Paulo Lopes)
Date: Tue, 23 Sep 2014 16:14:23 +0200
Subject: help: state machine is DEAD. Reset the card first.
Message-ID:

Hi everyone,

For a while i've been using a gnupg card with success and today I tried to also use it for openid authentication, so i followed the scute documentation and got it to work, until i decided to import the certificate X509 to the card...

so i got my pem file and did what was on many websites:

    gpg2 --edit-card > admin > writecert 3 < file.crt

Now ever since that moment i get this on my syslog:

    Sep 23 14:34:03 WLT000113 pcscd: openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
    Sep 23 14:34:03 WLT000113 pcscd: ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
    Sep 23 14:34:03 WLT000113 pcscd: winscard.c:1612:SCardTransmit() Card not transacted: 0x80100016

(many many times)

Also now my authentication crashes all the time and scute under firefox too...

I've tried to reset the card with, and after a lot of retries i got it reset.

So my question is, can i have my 3 keys + 1 cert in the card? how can i import the cert? is there other PKCS11 alternative to scute that uses the card or must i use gpgsm to add the cert to my keyring in the disk and leave it there?

Best regards,
Paulo

--
Paulo Lopes
www.jetdrone.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pmlopes at gmail.com Tue Sep 23 17:31:31 2014
From: pmlopes at gmail.com (Paulo Lopes)
Date: Tue, 23 Sep 2014 17:31:31 +0200
Subject: help: state machine is DEAD. Reset the card first.
In-Reply-To: <54218E90.10900@incenp.org>
References: <54218E90.10900@incenp.org>
Message-ID:

so with the reset card i converted the X509 to der format and imported it, gpg2 did not report any error but my syslog states:

    [ 4792.299961] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 6 ep 4 with no TDs queued?

lots and lots of times....

Then i thought, it is saved so lets read it...

    readcert 3 > out.der

and i get:

    gpg/card> readcert 3 > out.der
    gpg: error reading certificate from card: Not found

BTW i am using ubuntu 14.04 64bit if that means anything...

    gpg (GnuPG) 2.0.22
    libgcrypt 1.5.3

On Tue, Sep 23, 2014 at 5:15 PM, Damien Goutte-Gattat < dgouttegattat at incenp.org> wrote:

> Hi,
>
> On 09/23/2014 04:14 PM, Paulo Lopes wrote:
> > so i got my pem file and did what was on many websites:
> >
> > gpg2 --edit-card > admin > writecert 3 < file.crt
>
> You must first encode the PEM certificate in DER format:
>
> $ openssl x509 -inform PEM -in file.crt -outform DER -out file.der
>
> Then you can import the DER-encoded certificate onto the card.
>
>
> Damien
>
>

--
Paulo Lopes
www.jetdrone.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From wk at gnupg.org Tue Sep 23 17:41:59 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Sep 2014 17:41:59 +0200
Subject: help: state machine is DEAD. Reset the card first.
In-Reply-To: (Paulo Lopes's message of "Tue, 23 Sep 2014 16:14:23 +0200")
References:
Message-ID: <878ulaqr7c.fsf@vigenere.g10code.de>

On Tue, 23 Sep 2014 16:14, pmlopes at gmail.com said:

> Sep 23 14:34:03 WLT000113 pcscd: openct/proto-t1.c:170:t1_transceive() T=1
> state machine is DEAD. Reset the card first.
> Sep 23 14:34:03 WLT000113 pcscd: ifdwrapper.c:527:IFDTransmit() Card not
> transacted: 612

"card not transacted" used to be a catch-all error of pcsclite. Please try the internal driver of scdaemon: Stop pcscd and that driver will be used. If that still does not work check the permissions of the USB device (you need write access) and add

--8<---------------cut here---------------start------------->8---
debug 2048
debug-ccid-driver
log-file /foo/bar/scd.log
--8<---------------cut here---------------end--------------->8---

to ~/.gnupg/scdaemon.conf. Kill scdaemon ("gpgconf --kill scdaemon" or "pkill scdaemon")

> So my question is, can i have my 3 keys + 1 cert in the card? how can i

Yes. Please use a recent version of GnuPG because a bug concerning the reading of long certificates was recently fixed.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From dgouttegattat at incenp.org Tue Sep 23 17:15:28 2014
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 23 Sep 2014 17:15:28 +0200
Subject: help: state machine is DEAD. Reset the card first.
In-Reply-To:
References:
Message-ID: <54218E90.10900@incenp.org>

Hi,

On 09/23/2014 04:14 PM, Paulo Lopes wrote:
> so i got my pem file and did what was on many websites:
>
> gpg2 --edit-card > admin > writecert 3 < file.crt

You must first encode the PEM certificate in DER format:

    $ openssl x509 -inform PEM -in file.crt -outform DER -out file.der

Then you can import the DER-encoded certificate onto the card.

Damien

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:

From lechten at wi.uni-muenster.de Tue Sep 23 17:29:10 2014
From: lechten at wi.uni-muenster.de (Jens Lechtenboerger)
Date: Tue, 23 Sep 2014 17:29:10 +0200
Subject: New beta
References: <87r3z87ufi.fsf__36890.081401407$1411058903$gmane$org@vigenere.g10code.de>
Message-ID: <874mvyfj95.fsf@pcwi7557.uni-muenster.de>

On 2014-09-18, Werner Koch wrote:

> To quickly build all required software without installing it, the
> Speedo method may be used:
>
> make -f build-aux/speedo.mk native

I get this:

--8<---------------cut here---------------start------------->8---
autogen.sh: cross compiler kit not installed
autogen.sh: Stop.
autogen.sh: cross compiler kit not installed
autogen.sh: Stop.
make -f /home/lechten/local/gnupg-2.1.0-beta834/build-aux/speedo.mk UPD_SWDB=1 TARGETOS=native WHAT=release WITH_GUI=0 all
download of swdb.lst failed.
make[1]: Betrete Verzeichnis '/home/lechten/local/gnupg-2.1.0-beta834'
/home/lechten/local/gnupg-2.1.0-beta834/build-aux/speedo.mk:203: *** Error getting GnuPG software version database. Schluss.
make[1]: Verlasse Verzeichnis '/home/lechten/local/gnupg-2.1.0-beta834'
make: *** [native] Fehler 2
--8<---------------cut here---------------end--------------->8---

Wget fails in getswdb.sh. A manual call shows two things: First, the certificate's Common Name "gnupg.org" does not match the contacted host "www.gnupg.org". Second, it complains about a self-signed certificate (the issuer is unknown here). Wget's output recommends the option "--no-check-certificate".

Also, compilation of libksba-1.3.1 fails. The following error occurs once for every entry of the struct oidtranstbl.

--8<---------------cut here---------------start------------->8---
oidtranstbl.h error: missing terminating " character
--8<---------------cut here---------------end--------------->8---

Somehow, the trailing Carriage Returns (0x0d) at the end of the oids in oidtranstbl.h confuse the compiler (gcc 4.4.3). If I remove them, compilation succeeds.

Best wishes
Jens

From robertc at broadcom.com Tue Sep 23 19:08:32 2014
From: robertc at broadcom.com (Bob (Robert) Cavanaugh) Date: Tue, 23 Sep 2014 17:08:32 +0000 Subject: New beta In-Reply-To: <87bnq6ssw4.fsf@vigenere.g10code.de> References: <541D8DEE.4060901@gmail.com> <541E2E26.9050901@gmail.com> <87d2aouenr.fsf@vigenere.g10code.de> <8F0B09FC6339FA439524099BFCABC11F2D35C78D@IRVEXCHMB11.corp.ad.broadcom.com> <87bnq6ssw4.fsf@vigenere.g10code.de> Message-ID: <8F0B09FC6339FA439524099BFCABC11F2D35CCC5@IRVEXCHMB11.corp.ad.broadcom.com> Hi Werner, OK, thanks. I was using the wrong yum search string "gpg" not "gnupg". It showed up and I installed it. Looking forward to setting up the beta. Danke! Thanks, Bob Cavanaugh Broadcom Corporation 16340 West Bernardo Drive San Diego CA 92127 Work: 858-521-5562 Fax: 858-385-8810 Cell: 858-361-2068 -----Original Message----- From: Werner Koch [mailto:wk at gnupg.org] Sent: Tuesday, September 23, 2014 12:23 AM To: Bob (Robert) Cavanaugh Cc: Murphy; gnupg-users at gnupg.org Subject: Re: New beta On Mon, 22 Sep 2014 21:12, robertc at broadcom.com said: > This might be off topic, but the thread mentions Fedora. Can you > please tell me how easy it would be to produce a GPG2 stable RPM for > Fedora? Currently they only supply GPG1 as an option from Yum. I would > really like to get them to produce a GPG-2 version. Fedora has a gnupg2 package. If you want to try out the new 2.1 beta, you may use the Speedo system. I am pretty sure that it will work on Fedora and any other Unix system with gmake and some basic tools installed. What may not work is building a Windows version of GnuPG on Fedora. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Sep 23 20:46:00 2014 
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Sep 2014 20:46:00 +0200
Subject: help: state machine is DEAD. Reset the card first.
In-Reply-To: (Paulo Lopes's message of "Tue, 23 Sep 2014 17:31:31 +0200")
References: <54218E90.10900@incenp.org>
Message-ID: <87wq8up447.fsf@vigenere.g10code.de>

On Tue, 23 Sep 2014 17:31, pmlopes at gmail.com said:

> gpg (GnuPG) 2.0.22

In case your certificate (DER format) is larger than 1024 bytes, you are affected by this bug:

    Date: Fri Jul 18 18:22:26 2014 +0200

        scd: Allow for certificates > 1024 with PC/SC.

        * scd/pcsc-wrapper.c (handle_transmit): Enlarge buffer to 4096 to
        allow for larger certificates.

That fix went into 2.0.26. The internal ccid-driver is not affected.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From pmlopes at gmail.com Tue Sep 23 20:57:26 2014
From: pmlopes at gmail.com (pmlopes at gmail.com)
Date: Tue, 23 Sep 2014 20:57:26 +0200
Subject: help: state machine is DEAD. Reset the card first.
Message-ID:

I just reset the card, i will load the keys again and see how it goes, btw i am using 2.0.22, is that too old?

My main issue with this is that everything has been working fine until i imported the certificate, now even gpg agent fails to do ssh authentication, which has been working fine for months...

If i reset the card, does it totally wipe it? So if i just copy the 3 keys back it will work as before?

Also and maybe pushing my luck, is there some official ppa for ubuntu 14.04 with the latest gnupg?

Sorry for the noob questions :)

cheers,
paulo

-----Original Message-----
From: Werner Koch Sent: 23/09/2014, 17:41 To: Paulo Lopes Cc: gnupg-users at gnupg.org Subject: Re: help: state machine is DEAD. Reset the card first. On Tue, 23 Sep 2014 16:14, pmlopes at gmail.com said: > Sep 23 14:34:03 WLT000113 pcscd: openct/proto-t1.c:170:t1_transceive() T=1 > state machine is DEAD. Reset the card first. > Sep 23 14:34:03 WLT000113 pcscd: ifdwrapper.c:527:IFDTransmit() Card not > transacted: 612 "card not transacted" used to be a catch-all error of pcsclite. Please try the internal driver of scdaemon: Stop pcscd and that driver will be used. If that still does not work check the permissions of the USB device (you need write access) and add --8<---------------cut here---------------start------------->8--- debug 2048 debug-ccid-driver log-file /foo/bar/scd.log --8<---------------cut here---------------end--------------->8--- to ~/.gnupg/scdaemon.conf. Kill scdaemon ("gpgconf --kill scdaemon" or "pkill scdaemon") > So my question is, can i have my 3 keys + 1 cert in the card? how can i Yes. Please use a recent version of GnuPG because a bug concering the reading of long certificates was recently fixed. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Sep 23 20:59:08 2014 
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Sep 2014 20:59:08 +0200
Subject: New beta
In-Reply-To: <874mvyfj95.fsf@pcwi7557.uni-muenster.de> (Jens Lechtenboerger's message of "Tue, 23 Sep 2014 17:29:10 +0200")
References: <87r3z87ufi.fsf__36890.081401407$1411058903$gmane$org@vigenere.g10code.de> <874mvyfj95.fsf@pcwi7557.uni-muenster.de>
Message-ID: <87lhpap3ib.fsf@vigenere.g10code.de>

On Tue, 23 Sep 2014 17:29, lechten at wi.uni-muenster.de said:

>> make -f build-aux/speedo.mk native
>
> I get this:
> autogen.sh: cross compiler kit not installed

You seem to be building for Windows but I wonder how you did this given that

    TARGETOS=native WHAT=release WITH_GUI=0 all

TARGETOS is not w32.

> Wget fails in getswdb.sh. A manual call shows two things:
> First, the certificate's Common Name "gnupg.org" does not match the
> contacted host "www.gnupg.org".

That is strange. gnupg.org and www.gnupg.org are both certified:

               ID: 0x47DC00C7
              S/N: 20FC49CE90861FC8DDB0D46275236F22
           Issuer: /CN=Gandi Standard SSL CA/O=GANDI SAS/C=FR
          Subject: /CN=gnupg.org/OU=Gandi Standard SSL/OU=Domain Control Validated
              aka: (dns-name gnupg.org)
              aka: (dns-name www.gnupg.org)
         validity: 2014-03-18 00:00:00 through 2016-03-18 23:59:59
         key type: 2048 bit RSA
        key usage: digitalSignature keyEncipherment
    ext key usage: serverAuth (suggested), clientAuth (suggested)
         policies: 1.3.6.1.4.1.6449.1.2.2.26:N:,2.23.140.1.2.1:N:
      fingerprint: 9E:71:3A:82:D8:87:E3:32:35:FB:62:07:59:86:7B:B6:47:DC:00:C7

May that be an old broken version of wget?

> Somehow, the trailing Carriage Returns (0x0d) at the end of the oids
> in oidtranstbl.h confuse the compiler (gcc 4.4.3). If I remove them,

CR in a source file? Are you building on Windows?

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Wed Sep 24 09:09:01 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 24 Sep 2014 09:09:01 +0200
Subject: help: state machine is DEAD. Reset the card first.
In-Reply-To: (pmlopes@gmail.com's message of "Tue, 23 Sep 2014 20:57:26 +0200")
References:
Message-ID: <87a95ppkaa.fsf@vigenere.g10code.de>

On Tue, 23 Sep 2014 20:57, pmlopes at gmail.com said:

> I just reset the card, i will load the keys again and see how it goes, btw i am using 2.0.22, is that too old?

If you want to use pcscd you will likely run into problems with larger certificates. 2.0.22 is indeed a bit old but I can't say that for sure because all distros apply important patches so that your 2.0.22 may not be identical with the upstream 2.0.22.

> My main issue with this is that everything has been working fine until
> i imported the certificate, now even gpg agent fails to do ssh
> authentication, which has been working fine for months...

That is indeed strange.

> If i reset the card, does it totally wipe it? So if i just copy the 3 keys back it will work as before?

Yes. If you created the keys off-card and imported them to the card you can do that again. If the keys have been created on-card (default for sign and ssh key) - they are lost.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From lechten at wi.uni-muenster.de Wed Sep 24 17:56:35 2014
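An added example, not part of the thread and not GnuPG code: a pre-flight check for the file handed to writecert, covering the two conditions raised in the thread above (PEM given where DER is required, and a DER certificate larger than 1024 bytes with PC/SC before the 2.0.26 fix). The function names are assumptions, and the sample input is a constructed DER SEQUENCE, not a real certificate.

```python
import base64
import re
import textwrap

# Threshold from the commit quoted in the thread: before GnuPG 2.0.26 the
# PC/SC wrapper could not handle certificates larger than 1024 bytes.
PCSC_OLD_LIMIT = 1024

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_pem(data: bytes) -> bool:
    """True if the file starts with PEM armour instead of raw DER."""
    return data.lstrip().startswith(b"-----BEGIN")


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the input is PEM-armoured or already DER."""
    if not is_pem(data):
        return data
    match = PEM_BLOCK.search(data.decode("ascii"))
    if match is None:
        raise ValueError("PEM armour present but no CERTIFICATE block")
    body = "".join(match.group(1).split())  # drop line breaks in the base64
    return base64.b64decode(body, validate=True)


def der_outer_length(der: bytes) -> int:
    """Encoded size (header plus content) declared by the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def preflight(data: bytes) -> dict:
    """Report what a card import would be given, before touching the card."""
    der = to_der(data)
    declared = der_outer_length(der)
    if declared != len(der):
        raise ValueError(
            f"DER length mismatch: header says {declared}, data has {len(der)}")
    return {
        "input_was_pem": is_pem(data),          # must be converted to DER first
        "der_size": declared,
        "exceeds_old_pcsc_limit": declared > PCSC_OLD_LIMIT,
    }


def make_sample_der(payload_len: int) -> bytes:
    """CONSTRUCTED sample: SEQUENCE { OCTET STRING of zeros }, not a certificate."""
    if not 256 <= payload_len <= 60000:
        raise ValueError("sample helper only builds two-byte long-form lengths")
    inner = b"\x04\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    return b"\x30\x82" + len(inner).to_bytes(2, "big") + inner


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in CERTIFICATE armour (used only to build sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(textwrap.wrap(b64, 64))
    return (f"-----BEGIN CERTIFICATE-----\n{lines}\n"
            "-----END CERTIFICATE-----\n").encode("ascii")


if __name__ == "__main__":
    for label, blob in (("PEM, large", to_pem(make_sample_der(1200))),
                        ("DER, small", make_sample_der(300))):
        print(label, preflight(blob))
```

A result with input_was_pem set means the file still needs the openssl conversion Damien gives; exceeds_old_pcsc_limit set means the PC/SC path of a GnuPG older than 2.0.26 is the one Werner describes as affected.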
From: lechten at wi.uni-muenster.de (Jens Lechtenboerger)
Date: Wed, 24 Sep 2014 17:56:35 +0200
Subject: New beta
References: <87r3z87ufi.fsf__36890.081401407$1411058903$gmane$org@vigenere.g10code.de> <874mvyfj95.fsf@pcwi7557.uni-muenster.de> <87lhpap3ib.fsf__26026.8913618804$1411498987$gmane$org@vigenere.g10code.de>
Message-ID: <874mvxt3kc.fsf@pcwi7557.uni-muenster.de>

On 2014-09-23, Werner Koch wrote:

> On Tue, 23 Sep 2014 17:29, lechten at wi.uni-muenster.de said:
>
>>> make -f build-aux/speedo.mk native
>>
>> I get this:
>> autogen.sh: cross compiler kit not installed
>
> You seem to be building for Windows but I wonder how you did this given that
>
> TARGETOS=native WHAT=release WITH_GUI=0 all
>
> TARGETOS is not w32.

This is what happens if I extract gnupg-2.1.0-beta834.tar.bz2 and execute that command on Ubuntu 10.04.4 LTS.

>> Wget fails in getswdb.sh. A manual call shows two things:
>> First, the certificate's Common Name "gnupg.org" does not match the
>> contacted host "www.gnupg.org".
>
> That is strange. gnupg.org and www.gnupg.org are both certified:
>
> May that be an old broken version of wget?

GNU Wget 1.12, (C) 2009. If I change the urlbase in getswdb.sh to https://gnupg.org/, that version works, though. (The missing certificate was due to a configuration problem.)

>> Somehow, the trailing Carriage Returns (0x0d) at the end of the oids
>> in oidtranstbl.h confuse the compiler (gcc 4.4.3). If I remove them,
>
> CR in a source file? Are you building on Windows?

No, libksba-1.3.1 on Ubuntu 10.04.4 LTS. The file is created during make by mkoidtbl.awk. In my case, /etc/dumpasn1/dumpasn1.cfg is used as input, which is DOS encoded. Once make has failed:

--8<---------------cut here---------------start------------->8---
$ grep $'\r"' tests/oidtranstbl.h | wc -l
1620
--8<---------------cut here---------------end--------------->8---

Best wishes
Jens

From vvanderwerff at hotmail.com Wed Sep 24 17:24:43 2014
From: vvanderwerff at hotmail.com (Vera van der Werff) Date: Wed, 24 Sep 2014 15:24:43 +0000 Subject: =?utf-8?Q?Import_Certificate_into_Kleopatra/Decrypt_Message?= Message-ID: Dear Sir/Madam, Recently, I have installed GnuPG for Windows 8.1. I have made a public key (personal Open PGP keypair). I have sent the public key to one of my contacts and he had send me his public key. When I try to import his certificate in Kleopatra, the public key cannot be processed. Currently, I have the signature & encrypted file stored in my Documents. Also, I have tried to decrypt a message that he has sent me through the Plugin for Outlook (GpG Ol) - but it gave me the message that the verification cannot be processed. I have followed the guide step-by-step, but I cannot quite figure out what I am doing wrong. Could someone assist me with this? Thanks, Vera van der Werff -------------- next part -------------- An HTML attachment was scrubbed... URL: From david at gbenet.com Wed Sep 24 21:54:03 2014 
From: david at gbenet.com (david at gbenet.com)
Date: Wed, 24 Sep 2014 20:54:03 +0100
Subject: Import Certificate into Kleopatra/Decrypt Message
In-Reply-To:
References:
Message-ID: <5423215B.2040306@gbenet.com>

On 24/09/14 16:24, Vera van der Werff wrote:
> Dear Sir/Madam,
>
> Recently, I have installed GnuPG for Windows 8.1. I have made a public key (personal Open
> PGP keypair). I have sent the public key to one of my contacts and he had send me his public
> key. When I try to import his certificate in Kleopatra, the public key cannot be processed.
> Currently, I have the signature & encrypted file stored in my Documents.
>
> Also, I have tried to decrypt a message that he has sent me through the Plugin for Outlook
> (GpG Ol) - but it gave me the message that the verification cannot be processed.
>
> I have followed the guide step-by-step, but I cannot quite figure out what I am doing wrong.
> Could someone assist me with this?
>
> Thanks,
>
> Vera van der Werff
>
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

Vera,

Can you send us your public key?

Cheers

David

--
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."

https://linuxcounter.net/user/512854.html - http://gbenet.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAAD8C47D.asc
Type: application/pgp-keys
Size: 4295 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL:

From wk at gnupg.org Thu Sep 25 08:41:02 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Sep 2014 08:41:02 +0200
Subject: New beta
In-Reply-To: <874mvxt3kc.fsf@pcwi7557.uni-muenster.de> (Jens Lechtenboerger's message of "Wed, 24 Sep 2014 17:56:35 +0200")
References: <87r3z87ufi.fsf__36890.081401407$1411058903$gmane$org@vigenere.g10code.de> <874mvyfj95.fsf@pcwi7557.uni-muenster.de> <87lhpap3ib.fsf__26026.8913618804$1411498987$gmane$org@vigenere.g10code.de> <874mvxt3kc.fsf@pcwi7557.uni-muenster.de>
Message-ID: <877g0smcch.fsf@vigenere.g10code.de>

On Wed, 24 Sep 2014 17:56, lechten at wi.uni-muenster.de said:

> This is what happens if I extract gnupg-2.1.0-beta834.tar.bz2 and
> execute that command on Ubuntu 10.04.4 LTS.

Hmmm. The first call to gnupg's autogen.sh is

    ./autogen.sh --silent --print-build

can you please run it to see whether you get the cross-compiler missing error and if so run it as

    sh -x ./autogen.sh --silent --print-build

> GNU Wget 1.12, (C) 2009. If I change the urlbase in getswdb.sh to
> https://gnupg.org/, that version works, though.

Mine is 1.13 - maybe there is a problem with SubjectAltName in that version. As a workaround I change the urlbase.

> make by mkoidtbl.awk. In my case, /etc/dumpasn1/dumpasn1.cfg is
> used as input, which is DOS encoded.

Okay, I'll fix it.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From me at psmay.com Fri Sep 26 04:29:45 2014
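An added example, not part of the thread: the certificate Werner lists (CN gnupg.org, dns-names gnupg.org and www.gnupg.org) checked by a matcher that looks only at the Common Name and by one that honours subjectAltName first, the possibility Werner raises for the Wget failure. The function names are assumptions and the code models no particular Wget version.

```python
# Names taken from the certificate listing quoted in the thread.
GNUPG_CERT = {
    "cn": "gnupg.org",
    "dns_names": ["gnupg.org", "www.gnupg.org"],
}


def _labels(name: str) -> list:
    """Lower-cased DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name with a host name, label by label.

    A '*' is accepted only as the complete left-most label, covers exactly
    one label, and must be followed by at least two more labels (a
    conservative choice made for this example).
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cn_only(cert: dict, host: str) -> bool:
    """Verdict of a client that ignores subjectAltName entirely."""
    return dns_name_matches(cert["cn"], host)


def san_first(cert: dict, host: str) -> bool:
    """Verdict when dNSName entries are used and the CN is only a fallback."""
    names = cert.get("dns_names") or []
    if names:
        return any(dns_name_matches(n, host) for n in names)
    return dns_name_matches(cert["cn"], host)


def verdicts(cert: dict, hosts: list) -> dict:
    """Map each host to (cn_only verdict, san_first verdict)."""
    return {h: (cn_only(cert, h), san_first(cert, h)) for h in hosts}


if __name__ == "__main__":
    for host, (cn, san) in verdicts(
            GNUPG_CERT, ["gnupg.org", "www.gnupg.org"]).items():
        print(f"{host:15} CN-only: {cn!s:5}  SAN-aware: {san}")
```

The CN-only column reproduces what Jens reports (www.gnupg.org rejected, gnupg.org accepted after changing the urlbase), while the SAN-aware check accepts both names.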
From: me at psmay.com (Peter S. May)
Date: Thu, 25 Sep 2014 22:29:45 -0400
Subject: Keybase
Message-ID: <20140925222945.79f4e713@philo>

Hiya -

So, I've just redeemed an alpha invite to a new service called Keybase (https://keybase.io) that I haven't seen mentioned yet in gnupg-users. GnuPG is pretty central to it, or at least it can be, and I'm writing mostly to get it on everyone's radar and register a couple of first impressions. I'm also curious what you might have to say about the soundness of the "proofs" used by this scheme, whether the holes I've imagined are real, and whether I've missed anything larger.

What it claims to be
--------------------

From the front:

"Get a public key, safely, starting just with someone's social media username(s). From there, unbounded potential!"

"And have you ever been invited to a key party? Yeah, we neither :-("

The front page appears to describe, in some vagueness, a system of exchanging usernames that is somehow a suitable substitute for actual offline key exchange.

(I find such a claim questionable; however, I haven't taken the time to completely map it out. But let's say some person other than me signs an assertion saying "My name is Eve, public key signature is ABCDEFGH, and @psmay is my Twitter account". Let's say, for the sake of argument, that I don't treat my Twitter password with the same respect with which I treat my passphrase, and the attacker tweets the assertion. Then, let's say someone else tries to look up a public key for @psmay and finds that assertion. Private messages intended for me are now going to my doppelganger. I think this serves to suggest that the assertion itself may tend to be only as strong as a weaker link than the signature itself.)

(I'm also a little more offended than I should be by the key party comment. I ran one once.)
What it actually seems to be
----------------------------

Keybase, from what I've determined so far, is each of

* a set of client idioms for
    * direct exchange and verification of "proofs", i.e. signed assertions
        * authoring a canonicalized JSON assertion that an online asset, either cryptographic in nature (like a bitcoin address) or not so cryptographic (such as a social networking username), belongs to a keyholder
        * signing said assertion
        * posting a signed assertion (or some sort of surrogate signature sufficient to determine that such an assertion has been signed) to demonstrate control of the asset
            * Examples:
                * Control of a Github account is demonstrated by posting a Markdown document containing the assertion and signature as a Gist
                * Control of a Twitter account is demonstrated by posting, as a tweet, a truncated signature and a link to a signed assertion to which that truncated signature is associated.
        * verifying found assertions made by another user against that user's public key
    * discovery and exchange of proofs by way of the central directory implemented by the website
    * generic sign, encrypt, decrypt, verify operations, with asserted usernames as an available substitute for key ids
* a command-line program, `keybase`, that implements the client idioms in terms of GnuPG
* a web application, `http://keybase.io`, that also implements the client idioms
* an online directory (also part of `http://keybase.io`) for discovery and exchange of proofs (which is intended, by design, not to be strictly necessary for authoring, signing, exchanging, or verifying proofs, but merely a convenient place for these things to happen)

Of particular note is that the website itself implements the client protocol, though it is not the only option (there is the command-line client, and crypto operations for the website can also be accomplished through supplied, auditable shell commands involving gpg, perl, and curl).
A user may post a client-encrypted copy of a private key to be stored on the server, after which crypto operations can be executed directly in the browser in JavaScript. (They acknowledge that "Some people have strong feelings about this, for good reason." I'm among them.)

The players
-----------

The co-founders of Keybase are also co-founders of OkCupid. As sketchy as that might sound now, the history of OkCupid reaches farther back to a pre-social-networking social networking site called SparkMatch, a subsite of TheSpark, with roots in the fabled academic communities of Harvard and MIT. Do with that what you will.

Cheers
___
Peter S. May
http://psmay.com/
A0E6 3851 9ABB 112E 7303 DD91 7A2E 91FB 7885 DAFC

From rjh at sixdemonbag.org Fri Sep 26 06:38:47 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 26 Sep 2014 00:38:47 -0400
Subject: Keybase
In-Reply-To: <20140925222945.79f4e713@philo>
References: <20140925222945.79f4e713@philo>
Message-ID: <5424EDD7.9070302@sixdemonbag.org>

On 9/25/2014 10:29 PM, Peter S. May wrote:
> (I'm also a little more offended than I should be by the key party
> comment. I ran one once.)

*cough*

The sender is making a rather blue joke. Normally, we talk about key SIGNING parties. A "key party" is ... rather a lot different, at least in the United States.

http://en.wikipedia.org/wiki/Key_party

The presence of a blue joke in their outreach materials to new users causes me to have serious doubts as to their professionalism.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3744 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rejo at zenger.nl Fri Sep 26 08:58:46 2014
From: rejo at zenger.nl (Rejo Zenger)
Date: Fri, 26 Sep 2014 08:58:46 +0200
Subject: Keybase
In-Reply-To: <20140925222945.79f4e713@philo>
References: <20140925222945.79f4e713@philo>
Message-ID: <20140926065846.GA745@broop-kidron-2.local>

++ 25/09/14 22:29 -0400 - Peter S. May:
>completely map it out. But let's say some person other than me signs an
>assertion saying "My name is Eve, public key signature is ABCDEFGH, and
>@psmay is my Twitter account". Let's say, for the sake of argument, that
>I don't treat my Twitter password with the same respect with which I
>treat my passphrase, and the attacker tweets the assertion. Then, let's
>say someone else tries to look up a public key for @psmay and finds that
>assertion. Private messages intended for me are now going to my
>doppelganger. I think this serves to suggest that the assertion itself

This will not work if the one who is being forged is keeping track of the tweets that are being sent from his or her account. In my case, I would most definitely notice a tweet on my account which wasn't of myself. But then again, I have a fairly strong password on my Twitter-account as well. :)

--
Rejo Zenger
E rejo at zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J rejo at zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 931 bytes
Desc: not available
URL:

From david at gbenet.com Fri Sep 26 11:36:05 2014
From: david at gbenet.com (david at gbenet.com)
Date: Fri, 26 Sep 2014 10:36:05 +0100
Subject: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
Message-ID: <54253385.60201@gbenet.com>

Free Software Foundation

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

/This post can be viewed online at https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability./

A major security vulnerability has been discovered in the free software shell GNU Bash. The most serious issues have already been fixed, and a complete fix is well underway. GNU/Linux distributions are working quickly to release updated packages for their users. All Bash users should upgrade immediately, and audit the list of remote network services running on their systems.

Bash is the GNU Project's shell; it is part of the suite of software that makes up the GNU operating system. The GNU programs plus the kernel Linux form a commonly used complete free software operating system, called GNU/Linux. The bug, which is being referred to as "shellshock," can allow, in some circumstances, attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector, regardless of what kernel they are running. The bug probably affects many GNU/Linux users, along with those using Bash on proprietary operating systems like Apple's OS X and Microsoft Windows. Additional technical details about the issue can be found at CVE-2014-6271 and CVE-2014-7169.

GNU Bash has been widely adopted because it is a free (as in freedom), reliable, and featureful shell. This popularity means the serious bug that was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers' efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

Software freedom is a precondition for secure computing; it guarantees everyone the ability to examine the code to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem. That fix can then be immediately freely distributed to everyone who needs it. Thus, these freedoms are crucial for ethical, secure computing.

Proprietary (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Free software cannot guarantee your security, and in certain situations may appear less secure on specific vectors than some proprietary programs. As was widely agreed in the aftermath of the OpenSSL "Heartbleed" bug, the solution is not to trade one security bug for the very deep insecurity inherently created by proprietary software -- the solution is to put energy and resources into auditing and improving free programs.

Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you can contribute. We are reviewing Bash development, to see if increased funding can help prevent future problems. If you or your organization use Bash and are potentially interested in supporting its development, please contact us.

The patches to fix this issue can be obtained directly at http://ftp.gnu.org/gnu/bash/.

Media Contacts

John Sullivan
Executive Director
Free Software Foundation
+1 (617) 542 5942
campaigns at fsf.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAAD8C47D.asc
Type: application/pgp-keys
Size: 4295 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL:

From dsaklad at gnu.org Fri Sep 26 11:43:38 2014
From: dsaklad at gnu.org (Don Saklad)
Date: Fri, 26 Sep 2014 05:43:38 -0400
Subject: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
In-Reply-To: <54253385.60201@gbenet.com> (david@gbenet.com)
Message-ID: <5iwq8qra2d.fsf@fencepost.gnu.org>

in plain neophyte english what are those .asc 's in that message?

From lechten at wi.uni-muenster.de Fri Sep 26 12:32:07 2014
From: lechten at wi.uni-muenster.de (Jens Lechtenboerger)
Date: Fri, 26 Sep 2014 12:32:07 +0200
Subject: New beta
References: <87r3z87ufi.fsf__36890.081401407$1411058903$gmane$org@vigenere.g10code.de> <874mvyfj95.fsf@pcwi7557.uni-muenster.de> <87lhpap3ib.fsf__26026.8913618804$1411498987$gmane$org@vigenere.g10code.de> <874mvxt3kc.fsf@pcwi7557.uni-muenster.de> <877g0smcch.fsf__42557.6488757089$1411627715$gmane$org@vigenere.g10code.de>
Message-ID: <87bnq2zn88.fsf@pcwi7557.uni-muenster.de>

On 2014-09-25, Werner Koch wrote:

> On Wed, 24 Sep 2014 17:56, lechten at wi.uni-muenster.de said:
>
>> This is what happens if I extract gnupg-2.1.0-beta834.tar.bz2 and
>> execute that command on Ubuntu 10.04.4 LTS.
>
> Hmmm. The first call to gnupg's autogen.sh is
>
> ./autogen.sh --silent --print-build
>
> can you please run it to see whether you get the cross-compiler missing
> error

No, I get this:
i686-pc-linux-gnu

Actually, with the wget workaround compilation starts and continues until the compilation error for oidtranstbl.h. If I fix that file, compilation succeeds. (Apparently, the stop message by autogen.sh is not important in my case.)

Best wishes
Jens

From bortzmeyer at nic.fr Fri Sep 26 11:44:08 2014
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 26 Sep 2014 11:44:08 +0200
Subject: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
In-Reply-To: <54253385.60201@gbenet.com>
References: <54253385.60201@gbenet.com>
Message-ID: <20140926094408.GA22546@nic.fr>

On Fri, Sep 26, 2014 at 10:36:05AM +0100, david at gbenet.com wrote a message of 264 lines which said:

> /This post can be viewed online at
> https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability./

Without the dot of course

https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

From ikrabbe.ask at gmail.com Fri Sep 26 12:30:39 2014
From: ikrabbe.ask at gmail.com (Ingo Krabbe)
Date: Fri, 26 Sep 2014 12:30:39 +0200
Subject: Free Software Foundation statement on the GNU Bash "shellshock"
In-Reply-To: <5iwq8qra2d.fsf@fencepost.gnu.org>
Message-ID: <78938e6f4f4bf9317c5168f972cfcfc1@krabbe.dyndns.org>

> in plain neophyte english what are those .asc 's in that message?

Those are ASCII (therefore the asc) encoded public PGP keys and message signatures, with which this message is signed, so that anyone who has a trusted PGP key of the author can check that he truly signed that message.

>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From peter at digitalbrains.com Fri Sep 26 14:14:46 2014
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 26 Sep 2014 14:14:46 +0200
Subject: Keybase
In-Reply-To: <20140925222945.79f4e713@philo>
References: <20140925222945.79f4e713@philo>
Message-ID: <542558B6.4010901@digitalbrains.com>

> I haven't seen mentioned yet in gnupg-users.

It came up this July, mentioned by Sam Gleske. That's the first I heard of it, and here is my reply in that thread:

http://lists.gnupg.org/pipermail/gnupg-users/2014-July/050351.html

(The following assumes you read that mail first)

I'm worried that the documentation doesn't mention this threat model I mention there. It seems like it should point out that their scheme doesn't help in this threat model. It's important to realise it when assessing the worth of the project for you. If the creators didn't even think of it, that would make me quite sceptical of how thoroughly they have thought all of it through. But perhaps there is a very good reason I didn't see it mentioned anywhere yet.

My 2 eurocents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From philip.jackson at nordnet.fr Fri Sep 26 15:35:53 2014
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Fri, 26 Sep 2014 15:35:53 +0200
Subject: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
In-Reply-To: <5iwq8qra2d.fsf@fencepost.gnu.org>
References: <5iwq8qra2d.fsf@fencepost.gnu.org>
Message-ID: <54256BB9.5040705@nordnet.fr>

On 26/09/14 11:43, Don Saklad wrote:
> in plain neophyte english what are those .asc 's in that message?

the 2 attachments.asc are :

1. the sender's public key
2. the electronic signature of the message signed by the sender

the two permit you to verify that the message is sent by the sender (if you already have and trust his key) and has not been modified en route.

If you don't have his key, you can use the first attachment to import into your keyring. Then whether or not you trust his signature is your decision.

-Philip

From pmlopes at gmail.com Fri Sep 26 21:19:01 2014
From: pmlopes at gmail.com (Paulo Lopes)
Date: Fri, 26 Sep 2014 21:19:01 +0200
Subject: scute for fedora, is it in the reppos?
Message-ID: <1411759141.7419.4.camel@jetdrone>

Hi,

I was thinking to jump the boat, from Ubuntu to some other distro, a bit more free, I was considering one of the two:

* Debian
* Fedora

I am quite comfortable with Debian since I've used it since ~2001 but on my laptop I'd like to have a more recent DE and Debian 8 is still a bit far away...

So Fedora seems to be the best candidate with all GnuPG packages needed for my smartcard, however I don't seem to find anywhere the Scute project. Is it in the repos? or is it part of some other package which I cannot find (since my rpm skills are quite rusty).

Cheers,
Paulo

From tristan.santore at internexusconnect.net Fri Sep 26 21:30:59 2014
From: tristan.santore at internexusconnect.net (Tristan Santore)
Date: Fri, 26 Sep 2014 20:30:59 +0100
Subject: scute for fedora, is it in the reppos?
In-Reply-To: <1411759141.7419.4.camel@jetdrone>
References: <1411759141.7419.4.camel@jetdrone>
Message-ID: <5425BEF3.1000800@internexusconnect.net>

On 26/09/14 20:19, Paulo Lopes wrote:
> Hi,
>
> I was thinking to jump the boat, from Ubuntu to some other distro, a bit
> more free, I was considering one of the two:
>
> * Debian
> * Fedora
>
> I am quite comfortable with Debian since I've used it since ~2001 but on
> my laptop I'd like to have a more recent DE and Debian 8 is still a bit
> far away...
>
> So Fedora seems to be the best candidate with all GnuPG packages needed
> for my smartcard, however I don't seem to find anywhere the Scute
> project. Is it in the repos? or is it part of some other package which
> I cannot find (since my rpm skills are quite rusty).
>
> Cheers,
> Paulo

It is not packaged, but you can unpack a debian binary and abuse that.

Hope that helps.

Regards,

Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at: TSantore at fedoraproject.org

From pmlopes at gmail.com Fri Sep 26 22:01:27 2014
From: pmlopes at gmail.com (Paulo Lopes)
Date: Fri, 26 Sep 2014 22:01:27 +0200
Subject: scute for fedora, is it in the reppos?
In-Reply-To: <5425BEF3.1000800@internexusconnect.net>
References: <1411759141.7419.4.camel@jetdrone> <5425BEF3.1000800@internexusconnect.net>
Message-ID: <1411761687.32581.0.camel@jetdrone>

On Fri, 2014-09-26 at 20:30 +0100, Tristan Santore wrote:
> On 26/09/14 20:19, Paulo Lopes wrote:
> > Hi,
> >
> > I was thinking to jump the boat, from Ubuntu to some other distro, a bit
> > more free, I was considering one of the two:
> >
> > * Debian
> > * Fedora
> >
> > I am quite comfortable with Debian since I've used it since ~2001 but on
> > my laptop I'd like to have a more recent DE and Debian 8 is still a bit
> > far away...
> >
> > So Fedora seems to be the best candidate with all GnuPG packages needed
> > for my smartcard, however I don't seem to find anywhere the Scute
> > project. Is it in the repos? or is it part of some other package which
> > I cannot find (since my rpm skills are quite rusty).
> >
> > Cheers,
> > Paulo
> >
> It is not packaged, but you can unpack a debian binary and abuse that.

Yay!!! alien to rescue :)

Thanks!

>
> Hope that helps.
>
> Regards,
>
> Tristan
>
>

From sudhir at sudhirkhanger.com Sat Sep 27 12:59:49 2014
From: sudhir at sudhirkhanger.com (Sudhir Khanger)
Date: Sat, 27 Sep 2014 16:29:49 +0530
Subject: Kleopatra Ultimate trust CA Cert Signing Authority
Message-ID: <1763498.ZUbousakxz@fedora>

Hello,

I am not sure if this is related to GnuPG but searching for following text takes me to, from what I understand, a GnuPG commit [1].

Kleopatra keeps asking following.

Do you ultimately trust "CN=CA Cert Signing Authority OU=http:\x2fwww.cacert.org O=Root CA EMail=support at cacert.org to correctly certify user certificates?

[1] http://osdir.com/ml/encryption.gpg.cvs/2006-09/msg00036.html

-- 
Regards,
Sudhir Khanger,
www.sudhirkhanger.com,
www.github.com/donniezazen,
5577 8CDB A059 085D 1D60 807F 8C00 45D9 F5EF C394.

From emunch at utmi.in Sat Sep 27 15:18:34 2014
From: emunch at utmi.in (Sam M)
Date: Sat, 27 Sep 2014 18:48:34 +0530
Subject: Symmetric & Encrypt in One
Message-ID:

Hello.

I'd like to encrypt a file with a password as well as multiple public keys. Is this possible? Will this command below work?

echo "$PW" | gpg2 --batch --passphrase-fd 0 --symmetric --encrypt --recipient 432E170D279095 --recipient 07EAE49ADBCBE671 --always-trust --output file.gpg file

Thanks.
Sam

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 27 16:21:26 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 27 Sep 2014 15:21:26 +0100
Subject: New beta
In-Reply-To: <54245AFC.3030007@gmail.com>
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <541D972C.6090408@gmail.com> <1464050595.20140924195018@my_localhost> <54231D92.10102@gmail.com> <1837764322.20140924235211@my_localhost> <542369D5.4080406@gmail.com> <305961494.20140925180648@my_localhost> <54245AFC.3030007@gmail.com>
Message-ID: <1699582783.20140927152126@my_localhost>

Hi

On Thursday 25 September 2014 at 7:12:12 PM, in , Murphy wrote:

> On 09/25/2014 01:06 PM, MFPA wrote:
>> Other than whether GnuPG 1.x locks up on encountering
>> the unrecognised key type when trying to encrypt, or
>> whether it errors out, or just uses the next
>> encryption-capable subkey. I think this can only be
>> tested with the public key.

> Also here are the public keys for Grumpy from both gpg
> and gpg2.1

Thanks. Using GnuPG 1.4.18, I successfully signed with and encrypted to Grumpy's key.

GnuPG output for signing:-

C:\Documents and Settings\Administrator\Desktop\Scribble_Pad>gpg --local-user grumpy --clearsign test.txt
gpg: using character set `utf-8'
gpg: can't handle public key algorithm 19
gpg: no secret subkey for public subkey 0x4EB8453C635A015B - ignoring

You need a passphrase to unlock the secret key for
user: "Grumpy (RSA) "
2048-bit RSA key, ID 0x0C6C60ECF7CD83F4, created 2014-09-24

gpg: writing to `test.txt.asc'
gpg: RSA/SHA512 signature from: "0x0C6C60ECF7CD83F4 Grumpy (RSA) "

The file was signed with the main key after not recognising the secret subkey. Signature verified OK.

GnuPG output for encryption(+signing):-

C:\Documents and Settings\Administrator\Desktop\Scribble_Pad>gpg --local-user grumpy --clearsign test.txt
gpg: using character set `utf-8'
gpg: can't handle public key algorithm 19
gpg: no secret subkey for public subkey 0x4EB8453C635A015B - ignoring

You need a passphrase to unlock the secret key for
user: "Grumpy (RSA) "
2048-bit RSA key, ID 0x0C6C60ECF7CD83F4, created 2014-09-24

File `test.txt.asc' exists. Overwrite? (y/N) y
gpg: writing to `test.txt.asc'
gpg: RSA/SHA512 signature from: "0x0C6C60ECF7CD83F4 Grumpy (RSA) "

File was encrypted to the older, encryption-capable, RSA subkey. Decrypted OK (and the signature was good).

So, it would seem that adding ECC signing subkeys to an RSA key does not completely break compatibility with GnuPG 1.4.18: the 1.4.x user can still encrypt to the non-ecc subkey and can sign with the main key. Obviously ECC signatures could not be checked with 1.4.x.

Presumably, it would still work if the ECC subkey were an encryption-capable subkey. But I have not seen this in action.

And I wonder whether 1.4.x could cope with RSA subkeys on an ECC main key.

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

Learning without thought is naught; thought without learning is dangerous.

From wk at gnupg.org Sat Sep 27 16:31:38 2014
From: wk at gnupg.org (Werner Koch)
Date: Sat, 27 Sep 2014 16:31:38 +0200
Subject: New beta
In-Reply-To: <1699582783.20140927152126@my_localhost> (MFPA's message of "Sat, 27 Sep 2014 15:21:26 +0100")
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <541D972C.6090408@gmail.com> <1464050595.20140924195018@my_localhost> <54231D92.10102@gmail.com> <1837764322.20140924235211@my_localhost> <542369D5.4080406@gmail.com> <305961494.20140925180648@my_localhost> <54245AFC.3030007@gmail.com> <1699582783.20140927152126@my_localhost>
Message-ID: <87k34pi185.fsf@vigenere.g10code.de>

On Sat, 27 Sep 2014 16:21, 2014-667rhzu3dc-lists-groups at riseup.net said:

> And I wonder whether 1.4.x could cope with RSA subkeys on an ECC main
> key.

No, it won't be able to handle such a key. It is not possible to verify the user-id and subkey binding signatures which are done by the primary key.

Salam-Shalom,

Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 27 17:11:09 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 27 Sep 2014 16:11:09 +0100
Subject: Symmetric & Encrypt in One
In-Reply-To:
References:
Message-ID: <67807011.20140927161109@my_localhost>

Hi

On Saturday 27 September 2014 at 2:18:34 PM, in , Sam M wrote:

> Hello.
> I'd like to encrypt a file with a password as well as
> multiple public keys. Is this possible?

Yes.

> Will this
> command below work?
> echo "$PW" | gpg2 --batch --passphrase-fd 0 --symmetric
> --encrypt --recipient 432E170D279095 --recipient
> 07EAE49ADBCBE671 --always-trust --output file.gpg file

It didn't when I tried (substituting gpg for gpg2, using keys that are on my keyring, trying various echo strings). At least, I could not decrypt it using a passphrase of "$PW" or $PW or PW or "PW".

If I just try:-

echo "$PW" | gpg --passphrase-fd 0 --symmetric --output file.gpg file

it symmetrically encrypts but I cannot find a passphrase that works for decryption.

The following works for me, using GnuPG 1.4.18 on Windows XP:-

gpg --symmetric --passphrase string --encrypt --recipient 0xkeyID --output file.gpg file

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

When you're caffeinated, all is right with the world

From mailinglisten at hauke-laging.de Sat Sep 27 18:00:29 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sat, 27 Sep 2014 18:00:29 +0200
Subject: Symmetric & Encrypt in One
In-Reply-To: <67807011.20140927161109@my_localhost>
References: <67807011.20140927161109@my_localhost>
Message-ID: <4089312.dH2CvKo2sl@inno>

On Sat 27.09.2014, 16:11:09 MFPA wrote:

> If I just try:-
>
> echo "$PW" | gpg --passphrase-fd 0 --symmetric --output file.gpg file
>
> it symmetrically encrypts but I cannot find a passphrase that works
> for decryption.

I quote the man page for "--passphrase-fd n":

"[...] Note that this passphrase is only used if the option --batch has also been given. This is different from gpg."

Hauke

-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 27 18:03:38 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 27 Sep 2014 17:03:38 +0100
Subject: New beta
In-Reply-To: <87k34pi185.fsf@vigenere.g10code.de>
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <541D972C.6090408@gmail.com> <1464050595.20140924195018@my_localhost> <54231D92.10102@gmail.com> <1837764322.20140924235211@my_localhost> <542369D5.4080406@gmail.com> <305961494.20140925180648@my_localhost> <54245AFC.3030007@gmail.com> <1699582783.20140927152126@my_localhost> <87k34pi185.fsf@vigenere.g10code.de>
Message-ID: <314184088.20140927170338@my_localhost>

Hi

On Saturday 27 September 2014 at 3:31:38 PM, in , Werner Koch wrote:

> On Sat, 27 Sep 2014 16:21,
> 2014-667rhzu3dc-lists-groups at riseup.net said:

>> And I wonder whether 1.4.x could cope with RSA subkeys
>> on an ECC main key.

> No, it won't be able to handle such a key. It is not
> possible to verify the user-id and subkey binding
> signatures which are done by the primary key.

I already tried to import an ECC key with 1.4.18, to see what would happen. This was an ECC main key with an ECC subkey. It imported the ECC main key, and warned me the user-id was non-selfsigned.

But it would not import the ECC subkey, and the output simply told me "skipped subkey". I suppose this would be because, as you said, the subkey binding signature could not be verified.

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

All generalisations are dangerous, even this one.

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 27 18:51:37 2014
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 27 Sep 2014 17:51:37 +0100
Subject: Symmetric & Encrypt in One
In-Reply-To: <4089312.dH2CvKo2sl@inno>
References: <67807011.20140927161109@my_localhost> <4089312.dH2CvKo2sl@inno>
Message-ID: <646517298.20140927175137@my_localhost>

Hi

On Saturday 27 September 2014 at 5:00:29 PM, in , Hauke Laging wrote:

> On Sat 27.09.2014, 16:11:09 MFPA wrote:
>> If I just try:-
>> echo "$PW" | gpg --passphrase-fd 0 --symmetric
>> --output file.gpg file
>> it symmetrically encrypts but I cannot find a
>> passphrase that works for decryption.

> I quote the man page for "--passphrase-fd n":
> "[...] Note that this passphrase is only used if the
> option --batch has also been given. This is different
> from gpg."

Good spot, although it didn't work for me with or without --batch.

A spot of web searching [0] led me to try "printf pass\npass" instead of "echo pass" because the passphrase needs to be entered twice. The following works for me:-

printf pass\npass | gpg --batch --passphrase-fd 0 -a --symmetric --output file.gpg file

And, Hauke, it worked without the "--batch" as well when I tried. Maybe I just got lucky.

[0] search term: echo to stdin. The fourth result was

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net

We're all shipwrecked on this idea that everything has to be explained.

From matt at monaco.cx Sun Sep 28 04:28:56 2014
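Editorial example for the "Symmetric & Encrypt in One" thread above, not part of any poster's message: a file can be opened by a passphrase or by any recipient key because the message carries one session-key packet per unlock method in front of a single encrypted payload. The Python below reads that packet framing as defined in RFC 4880; the function names are hypothetical and the sample bytes, key IDs and salt are constructed filler.

```python
TAG_PKESK, TAG_SKESK, TAG_SED, TAG_SEIPD = 1, 3, 9, 18
# Octets in an SKESK's S2K specifier by S2K type: 0 simple (type, hash),
# 1 salted (+ 8-octet salt), 3 iterated and salted (+ 1 count octet).
S2K_SPEC_LEN = {0: 2, 1: 10, 3: 11}


def _new_format_length(data, pos):
    """Decode one new-format length field: (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True    # partial body chunk


def read_packets(data):
    """Split binary (not ASCII-armored) OpenPGP data into (tag, body) pairs."""
    packets, pos = [], 0
    try:
        while pos < len(data):
            header = data[pos]
            pos += 1
            if not header & 0x80:
                raise ValueError("offset %d: not a packet header" % (pos - 1))
            if header & 0x40:                    # new-format header
                tag, body, partial = header & 0x3F, b"", True
                while partial:
                    length, pos, partial = _new_format_length(data, pos)
                    body += data[pos:pos + length]
                    pos += length
            else:                                # old-format header
                tag, length_type = (header >> 2) & 0x0F, header & 0x03
                if length_type == 3:             # indeterminate: to end of data
                    length = len(data) - pos
                else:
                    size = 1 << length_type      # 1, 2 or 4 length octets
                    length = int.from_bytes(data[pos:pos + size], "big")
                    pos += size
                body = data[pos:pos + length]
                pos += length
            if pos > len(data):
                raise ValueError("packet with tag %d is truncated" % tag)
            packets.append((tag, body))
    except IndexError:
        raise ValueError("truncated packet header") from None
    return packets


def unlock_methods(data):
    """Return the recipients and passphrase slots in front of the payload."""
    recipients, slots, payload_tag = [], [], None
    for tag, body in read_packets(data):
        if tag == TAG_PKESK and body[:1] == b"\x03":
            # v3 PKESK: version, 8-octet key ID, public-key algorithm, MPIs.
            recipients.append(body[1:9].hex().upper())
        elif tag == TAG_SKESK and body[:1] == b"\x04":
            # v4 SKESK: version, cipher, S2K specifier, optional wrapped key.
            spec_len = S2K_SPEC_LEN.get(body[2]) if len(body) > 2 else None
            if spec_len is None:
                raise ValueError("unsupported or truncated S2K specifier")
            slots.append({
                "cipher": body[1],
                # With no wrapped key, the passphrase-derived key is itself the
                # session key, so no second unlock method could share it.
                "wraps_session_key": len(body) > 2 + spec_len,
            })
        elif tag in (TAG_SED, TAG_SEIPD):
            payload_tag = tag
    return {"recipients": recipients, "passphrase_slots": slots,
            "payload_tag": payload_tag}


def _old_packet(tag, body):
    """Build an old-format packet with a one-octet length (sample data only)."""
    assert tag < 16 and len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed samples: key IDs, salt, MPI and ciphertext bytes are filler.
_MPI = b"\x00\x08\xaa"
_S2K = bytes([3, 8]) + b"\x5a" * 8 + b"\xff"     # iterated and salted, SHA-256
_PAYLOAD = bytes([0xC0 | TAG_SEIPD, 5]) + b"\x01" + b"\x00" * 4
# Packet kinds of a message made with --symmetric --encrypt and two recipients.
COMBINED = (
    _old_packet(TAG_PKESK, b"\x03" + bytes.fromhex("1111111111111111") + b"\x01" + _MPI)
    + _old_packet(TAG_PKESK, b"\x03" + bytes.fromhex("2222222222222222") + b"\x01" + _MPI)
    + _old_packet(TAG_SKESK, bytes([4, 9]) + _S2K + b"\xbb" * 33)
    + _PAYLOAD
)
# Packet kinds of a message made with --symmetric alone.
SYMMETRIC_ONLY = _old_packet(TAG_SKESK, bytes([4, 9]) + _S2K) + _PAYLOAD

if __name__ == "__main__":
    for name, blob in (("combined", COMBINED), ("symmetric only", SYMMETRIC_ONLY)):
        print(name, unlock_methods(blob))
```

On a real file, `gpg --list-packets file.gpg` prints the same packet sequence, which is a quick way to confirm that a passphrase slot was actually written.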
From: matt at monaco.cx (Matthew Monaco)
Date: Sat, 27 Sep 2014 20:28:56 -0600
Subject: agent, ssh-support, loading keys
Message-ID: <54277268.7080803@monaco.cx>

Hello, I use the agent with ssh-support. I have one problematic scenario. When using ansible (basically a parallel ssh client) and my key hasn't been loaded into the agent already, I am asked by pinentry for my password for every connection. Even if I kill ansible, it seems that the agent/pinentry already have the requests queued up so I'm asked anyway.

1) Is this behavior intentional? Why does pinentry continue to ask me to unlock my SSH key after I've done it once? Is the ordering really strict?

2) ssh-add isn't loading my key into the agent. When I use it, pinentry isn't called and a subsequent SSH attempt will invoke pinentry. In the meantime I've simply resorted to $(ssh localhost true) prior to calling ansible in some scripts, but is there a more explicit way?

Thanks!

From wk at gnupg.org Sun Sep 28 09:57:19 2014
From: wk at gnupg.org (Werner Koch)
Date: Sun, 28 Sep 2014 09:57:19 +0200
Subject: New beta
In-Reply-To: <314184088.20140927170338@my_localhost> (MFPA's message of "Sat, 27 Sep 2014 17:03:38 +0100")
References: <20140919194604.817A660C30@smtp.hushmail.com> <541CC6A7.9040802@gmail.com> <1258946889.20140920115704@my_localhost> <541D972C.6090408@gmail.com> <1464050595.20140924195018@my_localhost> <54231D92.10102@gmail.com> <1837764322.20140924235211@my_localhost> <542369D5.4080406@gmail.com> <305961494.20140925180648@my_localhost> <54245AFC.3030007@gmail.com> <1699582783.20140927152126@my_localhost> <87k34pi185.fsf@vigenere.g10code.de> <314184088.20140927170338@my_localhost>
Message-ID: <878ul4i3ds.fsf@vigenere.g10code.de>

On Sat, 27 Sep 2014 18:03, 2014-667rhzu3dc-lists-groups at riseup.net said:

> But it would not import the ECC subkey, and the output simply told me
> "skipped subkey". I suppose this would be because, as you said, the
> subkey binding signature could not be verified.

Correct.

Salam-Shalom,

Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From pmlopes at gmail.com Sun Sep 28 10:04:52 2014
From: pmlopes at gmail.com (Paulo Lopes)
Date: Sun, 28 Sep 2014 10:04:52 +0200
Subject: gnupg + x509 + ssl auth on browser, what are the alternatives to scute?
Message-ID: <1411891492.3757.3.camel@jetdrone>

Hi,

I've used Scute for X509 auth on HTTPS and it worked fine for me on Firefox, however it does not support say Chromium/Chrome since it's specific for FF. On top of that scute is not packaged for Fedora which makes it less easy to setup than a Debian based distro.

What alternatives are out there, if any, and how can I use them with the GnuPG card?

Best regards,
Paulo

From shmick at riseup.net Sun Sep 28 14:32:29 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Sun, 28 Sep 2014 22:32:29 +1000
Subject: 425 Error accepting connection; connection from invalid IP.
In-Reply-To: <5427C076.9070406@riseup.net>
References: <87r3z87ufi.fsf@vigenere.g10code.de> <5427C076.9070406@riseup.net>
Message-ID: <5427FFDD.3090408@riseup.net>

shmick at riseup.net wrote:
> i wanted to try the latest beta but downloading any file using Tor gave
> a http 425 or 400
>
> for example
>
> ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.3.1.tar.bz2
>
> this file is blocked trying the following 2 Tor IP's but the same file
> can be downloaded fine using Jondo
>
> 96.44.189.101
> 92.222.172.41
>
> i doesn't download using the Tor browser bundle nor wget but it works
> using Jondo browser and wget as proxy
>
>
>
>
>
> $ wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2
> --2014-09-28 17:57:09--
> ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2
> Connecting to 127.0.0.1:4001... connected.
> Proxy request sent, awaiting response... 200 Gatewaying
> Length: 2476101 (2.4M) [application/octet-stream]
> Saving to: ‘libgcrypt-1.6.2.tar.bz2’
>
> 10% [===========>
> ] 268,816 9.58KB/s
> eta 3m 37s
>
>
>
>
> $ wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.16.tar.bz2
> --2014-09-28 17:26:03--
> ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.16.tar.bz2
> Connecting to 127.0.0.1:8118... connected.
> Proxy request sent, awaiting response... 400 Invalid request received
> from client
> 2014-09-28 17:26:03 ERROR 400: Invalid request received from client.
>

From shmick at riseup.net Sun Sep 28 10:01:58 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Sun, 28 Sep 2014 18:01:58 +1000
Subject: 425 Error accepting connection; connection from invalid IP.
In-Reply-To: <87r3z87ufi.fsf@vigenere.g10code.de>
References: <87r3z87ufi.fsf@vigenere.g10code.de>
Message-ID: <5427C076.9070406@riseup.net>

i wanted to try the latest beta but downloading any file using Tor gave a http 425 or 400

for example

ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.3.1.tar.bz2

this file is blocked trying the following 2 Tor IP's but the same file can be downloaded fine using Jondo

96.44.189.101
92.222.172.41

it doesn't download using the Tor browser bundle nor wget but it works using Jondo browser and wget as proxy

small screengrab showing error directly downloading from link shows the 425

$ wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2
--2014-09-28 17:57:09-- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.2.tar.bz2
Connecting to 127.0.0.1:4001... connected.
Proxy request sent, awaiting response... 200 Gatewaying
Length: 2476101 (2.4M) [application/octet-stream]
Saving to: ‘libgcrypt-1.6.2.tar.bz2’

10% [===========> ] 268,816 9.58KB/s eta 3m 37s

$ wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.16.tar.bz2
--2014-09-28 17:26:03-- ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.16.tar.bz2
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 400 Invalid request received from client
2014-09-28 17:26:03 ERROR 400: Invalid request received from client.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg.org.1.png
Type: image/png
Size: 63191 bytes
Desc: not available
URL:

From emunch at utmi.in Tue Sep 30 10:31:39 2014
From: emunch at utmi.in (Sam M)
Date: Tue, 30 Sep 2014 14:01:39 +0530
Subject: Keyserver on FreeIPA
Message-ID:

Hello.

Not strictly a GPG question, but posting anyway. I need to test setting up of a private GPG keyserver integrated with a FreeIPA server. Has anyone done this and had success? I'm trying to figure out how to integrate the PGP keyserver schema into the server and am not sure if I'm on the right track. I also need to integrate the GPG public keys with the user data in the server.

Thanks.
Sam