Questions from a newbie
Hi All

I need to travel a lot and send emails/proposals on the go. Mostly I just carry my docs on a pendrive, rarely also carrying a laptop. So even though I have known PGP for quite a long time and I tried my hand at it, also at thawte, I never took it seriously since PGP needs to be installed and all.

Now I found GnuPG and liked it - it's small and can be carried on the pendrive easily. I have a few questions:

1. While creating the key, I noticed RSA is sign only. Does it mean an RSA key cannot be used to encrypt? Why so - even RSA is now in public domain I believe. PGP (the free version) also allows RSA keys. The algorithm used instead by GnuPG is 'DSA and Elgamal' which I haven't heard of and don't know if they are equally secure. Are these compatible with PGP?

2. What happens if I lose the pendrive? They would not know the password but they would have the secret key. Does it make it easier for them to hack the messages I have already received, and possibly the encrypted files I have stored on the same pendrive?

3. Is there a wipe function or a wipe software also available from Gnu similar to the one offered by PGP? I need one that can be run from a pendrive without installation.

Regards
Hardeep Singh

Give your resume visibility. Get a home for it. Resume Central. http://RC.Hardeep.name
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
sshd authentication problem with gpg-agent and OpenPGP card
Hi all!

I recently found a problem when using OpenPGP cards with gpg-agent in combination with ssh/sshd. Technical details follow:

--- snip ---
gpg-agent --version
gpg-agent (GnuPG) 2.0.0
--- snip ---
rpm -qf `which ssh-add`
openssh-3.9p1-12.10
--- snip ---
ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
--- snip ---
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
--- snip ---

OK. Connecting to the remote via:

ssh -i ~/.ssh/id_dsa remote_host

works perfectly (no card involved) but:

ssh - remote_host

tries to use the card and results in:

--- snip ---
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
--- snip ---

and the log on the remote machine explains this abrupt connection loss:

--- snip ---
Dec 5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative numbers not supported
Dec 5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative numbers not supported
--- snip ---

The last snippet shows what's going on in gpg-agent:

--- snip ---
[client at fd 4 connected]
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 gestartet
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) started
4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon established (reusing)
[client at fd 5 connected]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - GETATTR $AUTHKEYID
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - S $AUTHKEYID OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - GETATTR SERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - S SERIALNO my_serial_info
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - READKEY OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - [ xx xx...(all bytes skipped) ]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - GETATTR $DISPSERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - S $DISPSERIALNO the_displayable_serialno
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) ready
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - RESTART
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: - OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 beendet
--- snip ---

So gpg-agent in conjunction with this ssh version might deliver invalid data to the waiting ssh daemon. I found nothing particular on the mentioned bignum package in sshd though... :-(

Anybody knows what's going on with OpenPGP card authentication? Werner? :-)

Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512
Re: Questions from a newbie
Hardeep Singh wrote:
> 1. While creating the key, I noticed RSA is sign only. Does it mean an RSA key cannot be used to encrypt?

No. I use a set of RSA keys to encrypt and sign data. All that it means is you need to create your set of encryption keys in a separate step from creating your signing keys. When creating DSA/Elg keys, both the signing and encryption keys are created at the same time. RSA keys are created differently. Don't really know why it's that way, but that's the way it is.

> The algorithm used instead by GnuPG is 'DSA and Elgamal' which I haven't heard of and don't know if they are equally secure.

The term 'Elgamal' has an unfortunate multitude of meanings. It refers to the Egyptian-American researcher Taher el Gamal, whose name has been Americanized as Elgamal. He did a lot of fundamental research into an entire family of cryptographic algorithms, which have since been called the Elgamal family. Elgamal is also used to describe a particular algorithm within the Elgamal family.

The Digital Signature Algorithm, DSA, is part of the Elgamal family. So when you see DSA and Elgamal, please don't think of them as two different algorithms; think of them as two very closely related algorithms.

Anyway. You were wondering if the Elgamals are equally secure to RSA. The short answer is the Elgamals are believed to be comparable to RSA. Or maybe we should say RSA is believed comparable to the Elgamals. Either way, they can be used with confidence.

> Are these compatible with PGP?

PGP 5.0 or better, yes.

> 2. What happens if I lose the pendrive? They would not know the password but they would have the secret key.

No, they would not. The secret key is stored in an encrypted format. The passphrase is needed to decrypt the secret key so that GnuPG can then use it. The cipher used to encrypt the secret key is of comparable strength to the cipher used to encrypt a PGP message.

This means that as long as your passphrase is strong, you could publish your secret key in the _New York Times_ and still be confident that nobody would be able to read your email.

> 3. Is there a wipe function or a wipe software also available from Gnu similar to the one offered by PGP? I need one that can be run from a pendrive without installation.

For this one, we need to know what operating system you're using.
Re: Questions from a newbie
Hardeep Singh wrote:
> 1. While creating the key, I noticed RSA is sign only. Does it mean an RSA key cannot be used to encrypt? Why so - even RSA is now in public domain I believe. PGP (the free version) also allows RSA keys.

No, it does not mean that you *can't* use RSA to encrypt. You would generate an RSA signing only key, then generate an RSA encryption subkey using the gpg --edit-key command. This way, you can have (for example) a 1024 bit RSA signing key with a 4096 bit RSA encryption key if you wish.

Hardeep Singh wrote:
> The algorithm used instead by GnuPG is 'DSA and Elgamal' which I haven't heard of and don't know if they are equally secure. Are these compatible with PGP?

They are simply the default key types with GnuPG. The DSA key is the signing key and it can only be 1024 bits. The Elgamal key is an encryption key, and it is the size that you specify. Both DSA / Elgamal and RSA are compatible with PGP 5 and above.

Hardeep Singh wrote:
> 2. What happens if I lose the pendrive? They would not know the password but they would have the secret key. Does it make it easier for them to hack the messages I have already received, and possibly the encrypted files I have stored on the same pendrive?

Put quite simply, yes. If they have a copy of your private key, hackers only need to find your passphrase to compromise all of your previously secured communications. Using a dictionary attack on the key, they are far more likely to break the security of your emails and files. If you do ever lose your pendrive with secret keys on it, I would recommend that you revoke the keys you lost and create a new key pair.

Hardeep Singh wrote:
> 3. Is there a wipe function or a wipe software also available from Gnu similar to the one offered by PGP? I need one that can be run from a pendrive without installation.

There are several free, open source wiping programs available, but these are not entirely useful when you are using a flash memory pen drive. In order to prolong the life of flash memory, all data is written to a random sector on the drive and this is controlled by a low-level controller over which the operating system of the host PC has no control. Therefore to absolutely securely remove data from a flash drive, you would need to delete the file then run a free-space wipe of the memory.

You may be interested in Mobility Email (available at http://www.mobilityemail.net) - this is an open source mail client based on Mozilla code, and has built-in OpenPGP email encryption support. It is designed to run from a removable drive, so the disk letter does not matter and you can therefore use it on multiple computer terminals.

It also supports profile locking and secure wiping of the disk if you choose to enable it. This encrypts your mail profile using AES symmetrical encryption (with a user-specified passphrase), deletes the unencrypted profile from your disk, then performs a free-space wipe of the memory, ensuring excellent security even if you lose the flash disk. This is quite a time-consuming process though, and may not be necessary for every-day use - this is why we included the option so that the users decide what level of security to use.

I would highly recommend that you try it and form your own opinions - it's free, open source software and is compatible with Windows and Linux running WINE.

Hope this helps,
Adam

-- 
e-ignite: http://www.e-ignite.co.uk
OpenPGP Key: 0x4B45F6F5 http://www.e-ignite.co.uk/pubkey.asc
Re: adding passphrases to gpg-agent
Werner Koch wrote:
> For example, you don't need to use ssh-add every time after starting the agent. You do it only once and gpg-agent will store the entire key on disk and not just in memory as ssh-agent does.

Is it possible to control/disable this behavior? I prefer to keep my ssh keys only on a USB disk, and not have them copied to any machine on which I happen to load them.

-Alex Mauer hawke
Re: adding passphrases to gpg-agent
On Tue, 5 Dec 2006 17:11, [EMAIL PROTECTED] said:
> Is it possible to control/disable this behavior? I prefer to keep my ssh keys only on a USB disk, and not have them copied to any machine on which I happen to load them.

Make ~/.gnupg/private-keys-v1.d/ a symlink to your USB disk.

Salam-Shalom,
Werner
Problem building 2.0.1
Hi all,

I am having a problem with configure. It doesn't recognise that I have these libraries already installed (which I do, and all the latest versions). I'm using OSX 10.4.8...

-
configure:
***
*** You need libgpg-error to build this program.
** This library is for example available at
*** ftp://ftp.gnupg.org/gcrypt/libgpg-error
*** (at least version 1.4 is required.)
***
configure:
***
*** You need libassuan with Pth support to build this program.
*** This library is for example available at
*** ftp://ftp.gnupg.org/gcrypt/libassuan/
*** (at least version 0.9.3 (API 1) is required).
***
configure:
***
*** You need libksba to build this program.
*** This library is for example available at
*** ftp://ftp.gnupg.org/gcrypt/libksba/
*** (at least version 1.0.0 using API 1 is required).
***
configure: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***
encrypt the sent folder
Hi,

How can I make sure that all the emails in my Sent folder are encrypted and can't be read without my private key? In other words, I want my email in my Sent folder to be encrypted even though the email sent on the wire is plain text.

Encrypt to self option only works if I send an encrypted mail. I couldn't get it to work all the time. Here is my gpg.conf:

    comment no-mangle-dos-filenames keyserver-options auto-key-retrieve verbose include-revoked include-subkeys expert default-recipient-self encrypt-to 0x34697591 default-key 0x34697591

Email client is Thunderbird/Enigmail. Mails are stored on IMAP server if it makes any difference.

Thank you.

-- 
Eray
Re: encrypt the sent folder
Eray Aslan wrote:
> How can I make sure that all the emails in my Sent folder are encrypted and can't be read without my private key? In other words, I want my email in my Sent folder to be encrypted even though the email sent on the wire is plain text.

This is not a task for GnuPG. This is a task for an encrypted file system.

On OS X, look into using encrypted home directories (System Preferences--Security). On Windows, I've found TrueCrypt to be a pretty good solution. On Linux, look into cryptoloop.

> Email client is Thunderbird/Enigmail. Mails are stored on IMAP server if it makes any difference.

It does. You need your IMAP server to run the encrypted file system.
Re: encrypt the sent folder
On Tue, December 5, 2006 9:03 pm, Robert J. Hansen wrote:
> Eray Aslan wrote:
>> How can I make sure that all the emails in my Sent folder are encrypted and can't be read without my private key? In other words, I want my email in my Sent folder to be encrypted even though the email sent on the wire is plain text.
>
> This is not a task for GnuPG. This is a task for an encrypted file system.
>
> On OS X, look into using encrypted home directories (System Preferences--Security). On Windows, I've found TrueCrypt to be a pretty good solution. On Linux, look into cryptoloop.

Surely there must be a better way. These all require admin access to the IMAP server. The software already does what I want some of the time (when I send the recipient encrypted email). I just want it to do it all the time.

-- 
Eray
Re: encrypt the sent folder
On 05/12/06 20:03, Robert J. Hansen wrote:
>> How can I make sure that all the emails in my Sent folder are encrypted and can't be read without my private key? In other words, I want my email in my Sent folder to be encrypted even though the email sent on the wire is plain text.
>
> This is not a task for GnuPG. This is a task for an encrypted file system.

Or, better, for an encryption plugin for his MUA.

> On OS X, look into using encrypted home directories (System Preferences--Security). On Windows, I've found TrueCrypt to be a pretty good solution. On Linux, look into cryptoloop.
>
>> Email client is Thunderbird/Enigmail. Mails are stored on IMAP server if it makes any difference.
>
> It does. You need your IMAP server to run the encrypted file system.

This is suitable only if he owns the server or IMAP storage is kept in a directory on which he has rw permissions (e.g.: ~/home/Maildir).

-- 
Q.E.D.
War is Peace
Freedom is Slavery
Ignorance is Strength
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!
Re: Problem building 2.0.1
On Tue, 5 Dec 2006 18:45, [EMAIL PROTECTED] said:
> I am having a problem with configure. It doesn't recognise that I have these libraries already installed (which I do, and all the latest versions). I'm using OSX 10.4.8...

You need to make sure that the correct libraries are found. For example, if you installed them to /usr/local/ you need to make sure that /usr/local/bin comes early in the path, so that an old version already installed does not get in the way.

You find more information about the checks done in config.log.

Salam-Shalom,
Werner
Re: encrypt the sent folder
Eray Aslan wrote:
> Surely there must be a better way. These all require admin access to the IMAP server. The software already does what I want some of the time (when I send the recipient encrypted email). I just want it to do it all the time.

There isn't. If you want a program that does this, you're going to need to write it yourself. It seems like it could be done in just a couple of hours of Perl. But once you do that, you're going to need to hack on Enigmail/Thunderbird in order to support text searches through encrypted data, then you're going to need to... etc., etc. It's a nontrivial amount of work.

Also remember that OpenPGP is a wire protocol. The protocol is not meant for mass storage. Sure, you can use GnuPG to encrypt files, but once you start dealing with large numbers of them you're generally going to be better off using a system that's purpose-built for the task. Like, say, an encrypted filesystem.
Re: encrypt the sent folder
On Tue, Dec 05, 2006 at 02:30:22PM -0600, Robert J. Hansen wrote:
> Also remember that OpenPGP is a wire protocol. The protocol is not meant for mass storage. Sure, you can use GnuPG to encrypt files, but once you start dealing with large numbers of them you're generally going to be better off using a system that's purpose-built for the task. Like, say, an encrypted filesystem.

I must disagree with this. OpenPGP is not solely a wire protocol. There are even parts of the specification that were added mainly for the benefit of mass storage. It's being used in storage in a number of places today.

The nice thing about using OpenPGP as an archival primitive is that each encrypted file is its own file and decrypting one does not impact any others. This works well in the context of email, where each mail is its own object.

David
Re: encrypt the sent folder
David Shaw wrote:
> I must disagree with this. OpenPGP is not solely a wire protocol.

I probably should have said 'primarily'. It wasn't my intent to give the impression it was exclusively a wire protocol.

> The nice thing about using OpenPGP as an archival primitive is that each encrypted file is its own file and decrypting one does not impact any others. This works well in the context of email, where each mail is its own object.

In other ways it doesn't work very well, since each email is encrypted separately, requiring complex bignum math for each decryption. Searching through large numbers of emails could potentially be very problematic. Compare this to an encrypted filesystem, which is typically much more performance-friendly.
Re: encrypt the sent folder
On Tue, Dec 05, 2006 at 02:52:56PM -0600, Robert J. Hansen wrote:
> David Shaw wrote:
>> I must disagree with this. OpenPGP is not solely a wire protocol.
>
> I probably should have said 'primarily'. It wasn't my intent to give the impression it was exclusively a wire protocol.
>
>> The nice thing about using OpenPGP as an archival primitive is that each encrypted file is its own file and decrypting one does not impact any others. This works well in the context of email, where each mail is its own object.
>
> In other ways it doesn't work very well, since each email is encrypted separately, requiring complex bignum math for each decryption. Searching through large numbers of emails could potentially be very problematic. Compare this to an encrypted filesystem, which is typically much more performance-friendly.

Absolutely. It all depends on what the goal is. Given a compromise, many distinct files can limit the damage done to a subset (or one) of the encrypted files. A compromise of an encrypted filesystem generally compromises the whole filesystem containing all the files. On the other side, as you say, an encrypted filesystem will probably outperform multiple encrypted files.

Given the original request (to store encrypted mails on a remote IMAP server), OpenPGP seems like an obvious answer as it works even when the remote IMAP server isn't under the control of the user (which is often the case).

OpenPGP (and encrypted filesystems) are two good solutions to two slightly different and overlapping problems.

David
Christmas is upon us again.
Whether you're secular or religious, atheist or devout, I think we can all agree that the time of the year known as Christmas will soon be upon us. This is historically a time for personal reflection and charitable giving. We reflect on how fortunate we are, and we give in order to show our thanks and appreciation for that which we have received.

This year, I'm grateful that we have a Free Software implementation of the OpenPGP protocol. I'm also grateful that the development process is fairly open and I'm grateful that, by and large, the people in the community are friendly.

This year, I'm giving $10 to the Free Software Foundation (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of telling the developers thanks.

If you feel like joining me in this, well... feel free to say thanks on-list, or to write off a note to the developers. Likewise, I hope you'll give a small donation to the charity of your choice in the name of the GNU Privacy Guard.

Merry Christmas to everyone. May we have peace on Earth and goodwill to all humanity.
Re: encrypt the sent folder
Eray Aslan wrote:
> Surely there must be a better way. These all require admin access to the IMAP server. The software already does what I want some of the time (when I send the recipient encrypted email). I just want it to do it all the time.

This doesn't seem like an entirely unreasonable feature request to make of Enigmail. Perhaps you'd want to check in with the Enigmail folks to see if they would consider adding such a feature? It has some potential to be useful but it might be icky to implement.

Obviously, if you send a message unencrypted but store it encrypted, you won't really have an accurate record of your sent mail. The headers and MIME parts will be different. Some people prefer that what's in their sent mailbox be exactly equal to what was sent. (Pedants. :)

I am curious though, what particular threats are you concerned about? That might help shape what options would be best to take. If you don't trust the IMAP server admins, then you should store your mail somewhere you do trust.

If you are worried about someone cracking the server and getting at your sent messages then encryption on the server may be sufficient, but would involve either changes to your mail client or some other sort of access to your mailbox on the server.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Oh, I feel so deliciously white trash! Mommy, I want a mullet!
-- Stewie Griffin
Re: Problem building 2.0.1
Walter, thank you for this tip. I'm such an idiot: /usr/local/bin was not in my path -- DOH! :(

However, now I'm getting the following error during make:

/usr/bin/ld: Undefined symbols:
_gpg_error_from_syserror
collect2: ld returned 1 exit status
make[2]: *** [kbxutil] Error 1
make[2]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1/kbx'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1'
make: *** [all] Error 2

On 12/5/06 3:10 PM, Werner Koch [EMAIL PROTECTED] wrote:
> On Tue, 5 Dec 2006 18:45, [EMAIL PROTECTED] said:
>> I am having a problem with configure. It doesn't recognise that I have these libraries already installed (which I do, and all the latest versions). I'm using OSX 10.4.8...
>
> You need to make sure that the correct libraries are found. For example, if you installed them to /usr/local/ you need to make sure that /usr/local/bin comes early in the path, so that an old version already installed does not get in the way.
>
> You find more information about the checks done in config.log.
>
> Salam-Shalom,
> Werner
Re: Christmas is upon us again.
It's a great idea. A more direct link is: https://www.fsf.org/associate/support_freedom/donate

Randy

--- Robert J. Hansen [EMAIL PROTECTED] wrote:
> Whether you're secular or religious, atheist or devout, I think we can all agree that the time of the year known as Christmas will soon be upon us. This is historically a time for personal reflection and charitable giving. We reflect on how fortunate we are, and we give in order to show our thanks and appreciation for that which we have received.
>
> This year, I'm grateful that we have a Free Software implementation of the OpenPGP protocol. I'm also grateful that the development process is fairly open and I'm grateful that, by and large, the people in the community are friendly.
>
> This year, I'm giving $10 to the Free Software Foundation (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of telling the developers thanks.
>
> If you feel like joining me in this, well... feel free to say thanks on-list, or to write off a note to the developers. Likewise, I hope you'll give a small donation to the charity of your choice in the name of the GNU Privacy Guard.
>
> Merry Christmas to everyone. May we have peace on Earth and goodwill to all humanity.
Re: Problem building 2.0.1
Werner Koch wrote the following on 12/5/06 3:10 PM:
> On Tue, 5 Dec 2006 18:45, [EMAIL PROTECTED] said:
>> I am having a problem with configure. It doesn't recognise that I have these libraries already installed (which I do, and all the latest versions). I'm using OSX 10.4.8...
>
> You need to make sure that the correct libraries are found. For example, if you installed them to /usr/local/ you need to make sure that /usr/local/bin comes early in the path, so that an old version already installed does not get in the way.
>
> You find more information about the checks done in config.log.
>
> Salam-Shalom,
> Werner

Hi Werner,

Running Mac PPC, OS 10.4.8 (Darwin 8.8.0)

1. First attempt with ./configure:

-
checking for gpg-error-config... /usr/local/bin/gpg-error-config
checking for GPG Error - version = 1.4... yes
checking for libgcrypt-config... /usr/local/bin/libgcrypt-config
checking for LIBGCRYPT - version = 1.2.0... yes
checking LIBGCRYPT API version... okay
checking for libassuan-config... /usr/local/bin/libassuan-config
checking for LIBASSUAN - version = 0.9.3... yes
checking LIBASSUAN API version... okay
checking for libassuan-config... (cached) /usr/local/bin/libassuan-config
checking for LIBASSUAN pth - version = 0.9.3... yes
checking LIBASSUAN pth API version... okay
checking for libassuan-config... (cached) /usr/local/bin/libassuan-config
checking for LIBASSUAN - version = 1.0.1... yes
checking LIBASSUAN API version... okay
checking for ksba-config... /usr/local/bin/ksba-config
checking for KSBA - version = 1.0.0... yes
checking KSBA API version... okay
[.]
config.status: creating po/Makefile

GnuPG v2.0.1 has been configured as follows:

Platform: Darwin (powerpc-apple-darwin8.8.0)
OpenPGP: yes
S/MIME:yes
Agent: yes
Smartcard: yes
Protect tool: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)
PKITS based tests: no
---

But then, with make:

-
/usr/bin/ld: Undefined symbols:
_libiconv
_libiconv_close
_libiconv_open
collect2: ld returned 1 exit status
make[2]: *** [kbxutil] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

2. Second attempt with a fresh copy of the source code and ./configure -- --disable-nls

Same results regarding the presence of the required libraries, and for final configuration. But then, make (same final results):

-
/usr/bin/ld: Undefined symbols:
_libiconv
_libiconv_close
_libiconv_open
collect2: ld returned 1 exit status
make[2]: *** [kbxutil] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
---

3. Trying to compile libiconv 1.11 with ./configure:

config.status: creating Makefile
config.status: creating lib/Makefile
config.status: creating include/localcharset.h
config.status: creating include/localcharset.h.inst
config.status: creating config.h

Then make:

--
libtool: install: `4/Applications/libiconv-1.11/lib/libcharset.la' is not a directory
Try `libtool --help --mode=install' for more information.
make[2]: *** [install-lib] Error 1
make[1]: *** [install-lib] Error 2
make: *** [lib/localcharset.h] Error 2
-

I am still digging in 'man libtool', the whole thing (dynamic, static, etc...) is too arcane *for my limited knowledge*.

If you need more quotes from the outputs I can send them to you directly; I shall post to the list the final outcome (if there is one).

Any ideas or suggestions?

Thanks in advance,
Charly
Re: Problem building 2.0.1
Werner,

My version of libtool is Apple Computer, Inc. version cctools-622.5

Sorry for the omission,
Charly
Re: encrypt the sent folder
Todd Zullinger wrote:
> Eray Aslan wrote:
>> Surely there must be a better way. These all require admin access to the IMAP server. The software already does what I want some of the time (when I send the recipient encrypted email). I just want it to do it all the time.
>
> This doesn't seem like an entirely unreasonable feature request to make of Enigmail. Perhaps you'd want to check in with the Enigmail folks to see if they would consider adding such a feature? It has some potential to be useful but it might be icky to implement.

I thought it was a mis-configuration on my part.

> Obviously, if you send a message unencrypted but store it encrypted, you won't really have an accurate record of your sent mail. The headers and MIME parts will be different. Some people prefer that what's in their sent mailbox be exactly equal to what was sent. (Pedants. :)

Fair enough.

> I am curious though, what particular threats are you concerned about? That might help shape what options would be best to take. If you don't trust the IMAP server admins, then you should store your mail somewhere you do trust.

Nope. I am the admin.

> If you are worried about someone cracking the server and getting at your sent messages then encryption on the server may be sufficient, but would involve either changes to your mail client or some other sort of access to your mailbox on the server.

The servers in question already have encryption at the file system level with cryptsetupLUKS for Linux and truecrypt for windows boxes. But the trouble is these do not provide any defense against attacks through the network. They will happily serve the emails thru the network to the appropriate user when asked. FS encryption is only good at boot time. Once the partition is mounted, you can access the data.

I can give the end users a smartcard or a usb stick. The objective is to provide a solution so that not even the admin can read the emails (say by changing the password and logging in as the user) unless he/she has the secret key.

-- 
Eray