Re: Printing Keys and using OCR.
On Wed, May 16, 2007 at 10:24:51PM -0500, Ryan Malayter wrote:
> On 5/16/07, Peter Todd [EMAIL PROTECTED] wrote:
> > Then only that passphrase needs to be securely stored and the secret key can be stored with standard backup procedures.
>
> I believe the originally posted question centered around long-term key storage, for which magnetic and optical media are inadequate. Popular media would require continual maintenance, such as burning to new discs every 5-10 years, or upgrading the tape format to LTO-1600 in 2013. Whether or not the private key is protected by a strong pass phrase doesn't really matter; how to store and recover a key from paper is the challenge.

Yes, but my point is that a private key is used in association with data. So we can simply store the encrypted private key along with the data it is supposed to be used with and store on paper nothing but a relatively short (compared to the whole private key) passphrase.

Having the private key stored better than the data it is to be used with is pointless. If the data is gone, generally the key isn't very useful either. Of course this is assuming the symmetric encryption is sufficiently secure...

Also note that a key used for *signing* rather than encryption poses problems, but even then if you have enough faith in the symmetrical encryption, and why not, then I see nothing wrong with distributing the private key alongside the data it is signing.

-- 
http://petertodd.ca

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
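The practical problem raised in this thread, recovering an armored key from a printout by OCR, comes down to finding and fixing the characters the scanner got wrong. The following is an added example, not code from GnuPG or from any of the posters: it prints each armor line with a line number and a CRC-32, and on restore uses those checksums to locate bad lines and to try the usual OCR confusions (0/O, 1/l/I, 5/S, 8/B) until a line checks out. SAMPLE_ARMOR is a constructed placeholder, not a real key, and the CONFUSABLE table is an assumption about which mistakes OCR engines make.

```python
"""Paper backup of an ASCII-armored OpenPGP key with a CRC-32 beside every
line, so that OCR errors on restore can be localised and, for the usual
character confusions, repaired automatically.

Added example for this thread, not code from GnuPG or from any poster.
SAMPLE_ARMOR is a constructed placeholder, not a real key; CONFUSABLE is
an assumption about typical OCR mistakes.
"""
import binascii
import itertools
import re

# Characters OCR engines commonly swap.  Radix-64 armor uses all of them.
CONFUSABLE = {
    "0": "O", "O": "0",
    "1": "lI", "l": "1I", "I": "1l",
    "5": "S", "S": "5",
    "8": "B", "B": "8",
}

# Constructed stand-in for `gpg --armor --export-secret-keys` output.
SAMPLE_ARMOR = """\
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.7 (GNU/Linux)

lQHhBEZMYZABBADl0IOSB8Vb0ZsZVt1bI1SQ5a0l8OBv8x1LzUOnYGlx0Sh6ksF0
o5Ml1IOlBbSS8n0R5pXuhDo1eJaNT1KXoHJvUFIyqfOqt9SYtrbY9yLe8TUjjMsU
=Qm0E
-----END PGP PRIVATE KEY BLOCK-----
"""


def line_crc(text):
    """CRC-32 of one line as eight hex digits."""
    return "%08x" % (binascii.crc32(text.encode("ascii")) & 0xFFFFFFFF)


def format_for_print(armor):
    """Number every armor line and append its CRC; this is what gets printed.
    Header and footer lines are kept so the restore is a plain concatenation."""
    lines = armor.strip("\n").split("\n")
    width = len(str(len(lines)))
    return ["%0*d %s %s" % (width, n, line, line_crc(line))
            for n, line in enumerate(lines, 1)]


def parse_printed(printed):
    """Split OCR output back into (number, text, crc) triples."""
    triples = []
    for raw in printed:
        m = re.match(r"^\s*(\d+)\s+(.*?)\s+([0-9a-fA-F]{8})\s*$", raw)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        triples.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return triples


def repair_line(text, crc, max_swaps=2):
    """Return `text` if its CRC matches; otherwise try every combination of
    up to `max_swaps` confusable-character substitutions and return the
    first that matches.  None means the line must be re-scanned or fixed by
    hand.  A false match needs a 1-in-2^32 CRC collision per candidate."""
    if line_crc(text) == crc:
        return text
    positions = [i for i, ch in enumerate(text) if ch in CONFUSABLE]
    for k in range(1, max_swaps + 1):
        for idxs in itertools.combinations(positions, k):
            for repl in itertools.product(*(CONFUSABLE[text[i]] for i in idxs)):
                chars = list(text)
                for i, c in zip(idxs, repl):
                    chars[i] = c
                cand = "".join(chars)
                if line_crc(cand) == crc:
                    return cand
    return None


def restore(printed):
    """Rebuild the armor from OCR output.  Returns (armor, bad_line_numbers);
    unrepairable lines are kept as scanned so they can be corrected by hand
    before the result is fed to `gpg --import`."""
    armor_lines, bad = [], []
    for n, text, crc in sorted(parse_printed(printed)):
        fixed = repair_line(text, crc)
        if fixed is None:
            bad.append(n)
            fixed = text
        armor_lines.append(fixed)
    return "\n".join(armor_lines) + "\n", bad


if __name__ == "__main__":
    for line in format_for_print(SAMPLE_ARMOR):
        print(line)
```

The per-line checksum is what makes the brute-force repair tractable: a single CRC over the whole key would tell you the scan is wrong but not where, while a checksum per 64-character line narrows the search to a few hundred candidates. Lines that still fail after repair are reported by number so they can be retyped from the printout before running `gpg --import` on the result.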
Re: [Confusion] distinction between the 2 versions 1.4.6 & 2.0.3
shirish wrote:
> Please lemme know how to proceed further. We can also take this off-list if you feel to be more appropriate. I don't know how the list would look at this.

This is the gnupg-users mailing list and we are discussing the basics of how to use gnupg so I think this is appropriate for the list.

shirish wrote:
> I have substituted my keyid with the general keyid. Don't know if it's safe to give out my keyid or not?
> ...
> 065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.3 (GNU/Linux)
> Comment: http://firegpg.tuxfamily.org
>
> iD8DBQFGS9kHlQ1T+3KaixcRAuLBAKCNg5XnShCZyrB7XqGvGKRqzQg6UgCeNl62
> g4YUxHsw5GcyYhDVYPgnTyc=
> =LbiK
> -----END PGP SIGNATURE-----

So you've got FireGPG working with GnuPG v2.0.3 under Linux?

There's no need to keep your key ID secret; your key ID is embedded at the end of the fingerprint above that you've made public, so you can't keep it secret now anyway. Also, your public key has already been uploaded to a keyserver, so it's public now too. That's good.

It looks like on the FireGPG forum you posted that you are using a nightly build. Nightly builds are generally not for beginners and frequently have many bugs. You're apparently still learning the basics of command line switches, so you should definitely be using only a release version.

If it says your secret key is not available, check that your keys are available with the following command:

gpg --list-secret-keys

I think it should list your key with the ID 729A8B17. If it doesn't, then what error does it give? Are you doing this on Windows or Ubuntu? Did you say you were trying to copy your private key from Linux to Windows? I don't know where you should put your secring.gpg file in Windows. Try searching your hard drive for trustdb.gpg or pubring.gpg or gpg.conf. You should probably put your secring.gpg file in the same folder as the trustdb.gpg file. Or look in the documentation for where the files are supposed to go.

If for some reason there is already a secring.gpg file on your Windows box that's different than the one on your Linux box, then don't overwrite it, just rename it to something like secring.gpg.win before putting the secring.gpg file from your Linux box into the folder on your Windows box.
Re: GnuPG for a small company -- Questions before I start
On Wed, May 16, 2007 at 08:08:02PM +0800, Jim Berland wrote:
> Hello everybody,
> I am going to try to set up GPG for our small company (about 15 people) and would like to ask you guys for some help. Following I will write down my thoughts on this, that I had so far. Comments would be highly appreciated since I do not want to start this before I don't feel confident and have a complete plan.

First, you should elaborate what is the purpose of the exercise. The business goal. There is no point in deploying crypto policy in an organization just for the sake of it, because people will see this as an unnecessary and pointless exercise.

> To have an internal Web-of-Trust there should be a main key (for the company itself) signing the employee's keys and collecting their signatures.

When I did similar things the setup was as follows:

* there is one well-guarded organization key (org key)
* every person involved has a key signed by the org key
* people keys have designated-revoker set to org key
* all OpenPGP software installations have:
  ** mandatory encrypt-to org key
  ** ultimate trust for the org key

If you don't want people to sign keys, issue them encryption-only keypairs.

But this is quite a generic setup and we could help you more if we knew what you're trying to accomplish.

Alex

-- 
JID: [EMAIL PROTECTED] PGP: 0x46399138
Paying attention to details is what doctors, lawyers, programmers and watchmakers are for. -- Czerski
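The last two bullets of the setup above are per-workstation gpg.conf settings, and on fifteen machines they are the ones that drift. The following is an added example, not code from the poster or from GnuPG: a small checker that parses a gpg.conf and reports when the org key is not covered by `encrypt-to` and `trusted-key`, including the two quiet ways that check can fail (a `no-encrypt-to` line elsewhere in the file, and a `trusted-key` given as a short ID, which the gpg(1) description of that option says must be a full 8-byte key ID). ORG_KEY and both sample configs are constructed placeholders.

```python
"""Lint a workstation gpg.conf against the company-key policy sketched
above: every installation must `encrypt-to` the org key and must hold it
at ultimate trust via `trusted-key`.

Added example for this thread, not code from the poster or from GnuPG.
ORG_KEY and the two sample configs are constructed placeholders.  The
16-hex-digit rule for trusted-key follows the gpg(1) text for that option
("must be given as a full 8 byte key ID").
"""
import re

ORG_KEY = "0x0123456789ABCDEF"  # constructed placeholder for the org key

# Constructed: a config that looks compliant at a glance but is not.
WEAK_CONF = """\
# workstation gpg.conf (constructed sample)
keyserver hkp://keys.example.invalid
encrypt-to 0x0123456789ABCDEF
trusted-key 0x89ABCDEF          # short ID; gpg will not accept it here
no-encrypt-to                   # disables the company copy above
"""

# Constructed: the corrected form.
GOOD_CONF = """\
keyserver hkp://keys.example.invalid
encrypt-to 0x0123456789ABCDEF
trusted-key 0x0123456789ABCDEF
"""


def normalise_keyid(keyid):
    """Drop a 0x prefix and fingerprint spacing; compare in upper case."""
    return re.sub(r"^0X", "", keyid.replace(" ", "").upper())


def key_matches(given, wanted):
    """gpg accepts short ID, long ID or fingerprint; all share their suffix."""
    a, b = normalise_keyid(given), normalise_keyid(wanted)
    n = min(len(a), len(b))
    return n >= 8 and a[-n:] == b[-n:]


def parse_conf(text):
    """Return (lineno, option, argument) for each effective line.
    gpg.conf holds one long option per line, without the leading dashes;
    '#' starts a comment."""
    items = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        arg = parts[1].strip() if len(parts) > 1 else ""
        items.append((lineno, parts[0], arg))
    return items


def check_gpg_conf(text, org_key=ORG_KEY):
    """Return a list of findings; an empty list means the config complies."""
    findings = []
    have_encrypt_to = False
    have_trust = False
    no_encrypt_to = False
    for lineno, opt, arg in parse_conf(text):
        if opt == "encrypt-to" and key_matches(arg, org_key):
            have_encrypt_to = True
        elif opt == "no-encrypt-to":
            # Disables every encrypt-to key, wherever it appears in the file.
            no_encrypt_to = True
            findings.append("line %d: no-encrypt-to disables the mandatory "
                            "encrypt-to" % lineno)
        elif opt == "trusted-key":
            if len(normalise_keyid(arg)) < 16:
                findings.append("line %d: trusted-key needs the full "
                                "16-hex-digit key ID" % lineno)
            elif key_matches(arg, org_key):
                have_trust = True
    if no_encrypt_to or not have_encrypt_to:
        findings.append("missing: encrypt-to %s" % org_key)
    if not have_trust:
        findings.append("missing: trusted-key %s" % org_key)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, check_gpg_conf(conf) or "OK")
```

Run against a copy of each workstation's gpg.conf, an empty result means the two mandatory settings are in place; anything else is a line number to fix. The designated-revoker and org-key signature from the earlier bullets live in the keyring rather than the config file and are not checked here.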
Re: Printing Keys and using OCR.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

David Shaw wrote:
> Most of the storage media in use today do not have particularly good long-term (measured in years to decades) retention of data. If and when the CD-R and/or tape cassette and/or hard drive the secret key is stored on becomes unusable, the paper copy can be used to restore the secret key. If you have the passphrase but the secret key that it encrypted was on that bad CD-R, you have nothing.

Aren't optical discs supposed to last for many decades if stored properly and almost never used?

- --
Windows NT 5.1.2600 | Thunderbird 2.0.0.0 | Enigmail 0.95.0 | GPG 1.4.7
Key ID: 0x60A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRkxhkPiOA0Bgp4/LAQNk3QgA5OVwjwAKGcm6hFf1uc2F+YTOJn6L+xDt
uy45TxnA9TJkgGi44jqUdpOP9EbjHpTAvKi0P0pXQ5+LF6AY+8EPA4BhwrYb+fuc
7XLLpxonw7ANxsOSBE8yNOCD9G/K5uwQc4Ot+sbj18hgd7qW6wJdcAQWw+JYu4jL
nD5Y3svWNevSOoYKEIbrl93F55H/IyD3AfQY/M7KPf+A9fBVlEOTUtVMI8Qtewif
igKVK5UnobnBGSsIqMVDLD0VVUN2NkYMEiWnVJju1Jxt7sLwD8TsTo6+sIM9Pmda
88MEtOMkTYV0Doxlz4u/8F8pAvdk1VcKhXEJ0SjRbehWo/nPGQLBlA==
=4ZkO
-----END PGP SIGNATURE-----
Re: Printing Keys and using OCR.
On 5/17/07, Andrew Berg [EMAIL PROTECTED] wrote:
> Aren't optical discs supposed to last for many decades if stored properly and almost never used?

Theory and practice are often far apart. The price of CD media has dropped so low that quality is often an issue. CDfreaks has many articles about this topic.

Also, who is to say that a CD or DVD drive will even be available decades from now to read the discs? Could you read 8" floppy media on any equipment you have or can buy today? Could you find a paper tape machine to read data archived in the 1950s?

Anything but printed characters on paper will likely require some form of archive maintenance over a decade timeframe.

-- 
RPM
Re: Secure text editor?
On 5/17/07, Alessandro Vesely [EMAIL PROTECTED] wrote:
> Not quite. That may happen as an undocumented side effect on some (or all) OS versions, and is not what the function is meant to do. The function keeps the page in memory. The OS is still free to back it up whenever it thinks it is convenient to do so.

The documentation clearly states: "These pages are guaranteed not to be written to the pagefile while they are locked."

Assuming the documentation is accurate, VirtualLock() should be safe for security applications.

-- 
RPM
Re: Printing Keys and using OCR.
On Thu, May 17, 2007 at 09:07:13AM -0500, Andrew Berg wrote:
> David Shaw wrote:
> > Most of the storage media in use today do not have particularly good long-term (measured in years to decades) retention of data. If and when the CD-R and/or tape cassette and/or hard drive the secret key is stored on becomes unusable, the paper copy can be used to restore the secret key. If you have the passphrase but the secret key that it encrypted was on that bad CD-R, you have nothing.
>
> Aren't optical discs supposed to last for many decades if stored properly and almost never used?

They're certainly advertised to (I've seen some pretty incredible claims of 100 years or more), but in practice it doesn't really work out that way. The manufacturing of the media, the burn quality, the burner quality, the storage, etc, all have an impact on how long an optical disc will last. Some tests show that you're lucky to get 10 years.

For paper to last 100 years is not even vaguely impressive. Paper regularly lasts many hundreds of years even under less than optimal conditions.

Another bonus with paper is that ink on paper is readable by humans. Not all backup methods will be readable 50 years later: even if you have the backup, you can't easily buy a drive to read it. I doubt this will happen anytime soon with CD-R as there are just so many of them out there, but the storage industry is littered with old now-dead ways of storing data.

I doubt I'll still be alive in 100 years - my key storage requirements fall somewhere in between optical disc longevity and paper longevity. I use paper because knowing that the paper will outlive me, I don't have to worry about reburning a disc every few years.

David
Spurious warning when using pgp compatibility modes?
Hi all,

With sig-keyserver-url $URL in gpg.conf:

$ gpg --pgp7 --detach-sign test
You need a passphrase to unlock the secret key for [...]
gpg: can't put a preferred keyserver URL into v3 signatures

Now, I know that I can't do that but I don't want to be told about it every time I sign something when I've explicitly enabled --pgp7. Would it be unreasonable to ignore preferred keyserver urls when pgp[67] are used? I've been using the attached patch (minus the pgp2 part which I just added) for a while to do just this and I haven't noticed any problems. (There may be cleaner ways to do this, but this was what I got working without knowing the code too well. :)

If it's not appropriate to patch this out, is there a good way to silence this without losing other info? The --quiet option doesn't do it.

-- 
Todd OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Hang in there, retirement is only thirty years away!

Index: g10/gpg.c === --- g10/gpg.c (revision 4504) +++ g10/gpg.c (working copy) @@ -2998,6 +2998,8 @@ xfree(s2k_digest_string); s2k_digest_string = xstrdup(md5); opt.compress_algo = COMPRESS_ALGO_ZIP; + free_strlist(opt.sig_keyserver_url); + opt.sig_keyserver_url=NULL; } } else if(PGP6) @@ -3005,12 +3007,16 @@ opt.escape_from=1; opt.force_v3_sigs=1; opt.ask_sig_expire=0; + free_strlist(opt.sig_keyserver_url); + opt.sig_keyserver_url=NULL; } else if(PGP7) { opt.escape_from=1; opt.force_v3_sigs=1; opt.ask_sig_expire=0; + free_strlist(opt.sig_keyserver_url); + opt.sig_keyserver_url=NULL; } else if(PGP8) {
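Review bot: the two lines added to the PGP2 branch in the first hunk (`+ free_strlist(opt.sig_keyserver_url);` / `+ opt.sig_keyserver_url=NULL;`) are then pasted unchanged into two more branches in the second hunk, which is the kind of duplication that gets out of sync the next time a compatibility mode is added or removed. A single copy after the if/else chain, guarded by `if(PGP2 || PGP6 || PGP7)`, keeps the intent in one place and makes the PGP8 branch's omission a visible decision rather than something to check by eye.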
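Review bot: after the second hunk the PGP6 and PGP7 branches are line-for-line identical (escape_from, force_v3_sigs, ask_sig_expire and the two new lines), so they could collapse into one `else if(PGP6 || PGP7)` block; more importantly, the change discards a setting the user put in gpg.conf with no diagnostic and no documentation update. At minimum the --pgp6/--pgp7 (and --pgp2) entries in the manual should say that sig-keyserver-url is ignored in these modes, and emitting a one-time log_info() at this point would be friendlier than freeing the list silently.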
Re: Printing Keys and using OCR.
> David Shaw wrote:
> > Most of the storage media in use today do not have particularly good long-term (measured in years to decades) retention of data. If and when the CD-R and/or tape cassette and/or hard drive the secret key is stored on becomes unusable, the paper copy can be used to restore the secret key. If you have the passphrase but the secret key that it encrypted was on that bad CD-R, you have nothing.
>
> Aren't optical discs supposed to last for many decades if stored properly and almost never used?

Stamped aluminum disks will last a very long time. However, burnable disks might last around five years or so depending on quality.
Re: Printing Keys and using OCR.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ryan Malayter wrote:
> > Aren't optical discs supposed to last for many decades if stored properly and almost never used?
>
> Theory and practice are often far apart. The price of CD media has dropped so low that quality is often an issue. CDfreaks has many articles about this topic.

I'll check that out.

> Also, who is to say that a CD or DVD drive will even be available decades from now to read the discs? Could you read 8" floppy media on any equipment you have or can buy today? Could you find a paper tape machine to read data archived in the 1950s? Anything but printed characters on paper will likely require some form of archive maintenance over a decade timeframe.

The last 3 generations of optical discs (CD - DVD - HD-DVD/Blu-Ray) have been the same size. The latest generation players support the first generation. Floppies, for example, have changed in size, and each generation didn't care about supporting the previous. Even as optical discs continue to see improved formats, previous generations will be supported. I don't see DVD or even CD support disappearing for a very, very long time. Besides, it's not like one's hardware will spontaneously upgrade from out of nowhere.

I do agree, though, that an electronic storage medium won't beat paper in the long run. A piece of paper (in a locked box | out in the open) is as secure as an unencrypted disc (in that same box | out in the open). And encrypting a disc isn't worth the hassle, except in certain circumstances.

- --
Windows NT 5.1.2600 | Thunderbird 2.0.0.0 | Enigmail 0.95.0 | GPG 1.4.7
Key ID: 0x60A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRkyaZPiOA0Bgp4/LAQNRrQgAipnZkYQ8WBQLZNm94/KiyvNGt1QDhInm
ZfAFAtuYf8Pt2ml0wMNbPI5EvQTXJ8BOtaCVbxHTZKF5PUU7RE0C40n0shtah2Gk
oDRXUHqSp/UZ+StWE7W3TcVaQgEZrXZ/bCPTDbR7wKy0jmyUGNQmbUlxcKTIY5Uv
N0Li6fb1pIvw802iRRmJZMLmLIFKf6YbwoB0vQbK0ze6uAgGWV7OGEajQnpbUuXx
yLzXisq4DbvwfJr3B/6cSyJFJf4i2bPauloQ7M2ELIRYU75ZzpvuBCwO9pJOuoxW
eplVZNykOrgfYJicv9lkwgCU8atKeWcsfP4205bUaMbfX96oIF8o+w==
=W5ua
-----END PGP SIGNATURE-----
Re: Printing Keys and using OCR.
> For paper to last 100 years is not even vaguely impressive. Paper regularly lasts many hundreds of years even under less than optimal conditions.

As an example, the modern paper ballot is about 2,200 years old. The reason why we know this is we keep finding them. They practically litter archaeological digs around Rome.

That said, for paper to last so long it needs to be archival-quality paper. High fiber content, low acid, very enduring inks. But it's certainly possible to get 2,000+ years out of paper for under $1 per sheet.
Re: [Confusion] distinction between the 2 versions 1.4.6 & 2.0.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,
Lemme start at the clean slate with what has happened till now. For exercises, understanding usage will be using the stable 2.0.3 release version in Ubuntu until I'm clear on all the aspects.

gpg --armor --sign --encrypt -u 0x729A8B17 -r 0x729A8B17 myloveletter.txt
You need a passphrase to unlock the secret key for

It works also with

gpg --a --s --e --u 0x729A8B17 -r 0x729A8B17 myloveletter.txt

which resulted in a myloveletter.txt.asc file, yippy! I was also able to decrypt it:

You need a passphrase to unlock the secret key for
user: "shirish some phrase here [EMAIL PROTECTED]"
2048-bit ELG-E key, ID some id key here, created 2007-05-05 (main key ID 729A8B17)

gpg: encrypted with 2048-bit ELG-E key, ID some id key here, created 2007-05-05
      "shirish some phrase here [EMAIL PROTECTED]"
gpg: Signature made Friday 18 May 2007 12:29:23 AM IST using DSA key ID 729A8B17
gpg: Good signature from "shirish some phrase here [EMAIL PROTECTED]"

OK, the only thing I have changed in the decryption is the ID key for the ELG-E key as well as "some phrase here" instead of the actual phrase given. All in all things seem good till this point. Now tomorrow will be trying with gpg2, one thing though :- Mr. Werner Koch had usefully provided the difference between 1.4.6 & 2.0.3
http://lists.gnupg.org/pipermail/gnupg-users/2007-May/031099.html

Now in that 1.4.6 had been shown as using ELG-E while 2.0.3 as using ELG (I guess that's the final); hopefully it shouldn't spring surprises. I am sorry if I come out as paranoid but till I don't understand how things work, I feel it's best to be conservative.

- --
Shirish Agarwal
This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/
065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFGTKrhlQ1T+3KaixcRAsASAJ9wnHc0Tng7kZabyL+FRZeCpd378QCdHpJk
SW/fIoqfaWrWcAPrg3NZvl8=
=3Bdr
-----END PGP SIGNATURE-----