Re: How to establish a company web-of-trust
* Neal Dudley [EMAIL PROTECTED] wrote:
>> Karl Voit wrote:
>> Our communication partners have to check the signature of our employees' keys and it's up to our partners that they check from time to time whether there was a change in the relationship between our employees and our company key - I guess this is the most difficult part.
>
> NO - education on using GPG will be the hardest part.

I was afraid of this sentence :-)

> If your partners understand using GPG, you're more than half way there.

I can not assume on this. I am in the automotive business and most of the employees here were studying Mechanical Engineering. So IT-knowledge is not their primary goal and most of them do not want to learn IT although I try my best to enlighten something ... :-)

> Given that knowledge changes things a bit. Why not generate all the keys *for* your employees - AND immediately generate revocation certificates. If someone leaves, simply send the revocation certificate to those that conversed with that employee (and submit it to your keyserver).

I thought of that too. I have to admit that I do not want to generate the keys by myself because I am lazy and we do have four bureau buildings that make physical meetings more difficult and sending keys over the Exchange server is not quite ... good :-) So I tried to generate a system where I can get the keys from the keyservers and check them (correct key-id, added revoker, ...) before signing.

>> But we do not want to use S/MIME for several reasons and our communication partners already are using OpenPGP-messages. So this decision is already done by facts not by arguing. Although I share your point of view.
>
> If I wasn't a proponent of GPG, would I be on this list? ;) I'm impressed with the maturity of this mailing list. Most lists would have exploded into a religious war. Really says something of the caliber of the people on this list.

Sorry, this is my first thread on this list :-) But usually flaming stops after some years working in the real-world-IT-business. I am even working on Windows the whole day (in the company)! =:-| (made an attempt for a flamewar? *ggg*)

> Absolutely.
>
>> I (as the person responsible for company security) have to check every key that I am signing with the company key. I have to explain the important issues of key management to my employees (non-IT people for the most part). I do this by giving exact instructions with screenshots of every step - WinPT is helping here because it is mouse-oriented :-) ... I know that there might be some pitfalls concerning employees that sign everything or make other mistakes that can have an influence on our web-of-trust. But the alternative is worse: plain text - oh sorry ... HTML-Emails without encrypting or signing at all. And this has to be considered as the default method in companies these days :-(
>
> There are some options here. You could use the expert mode in GPG when generating their signing keys to remove the ability to certify with the signing keys to restrict users a bit more. Then they could sign documents, but not keys (if I understand that correctly). Or perhaps signing and encryption subkeys would be appropriate? That would simplify things - one primary signing key to protect.

Wow, I did not know that! I'll have a look at these options but I guess I stick to the revoker-method (also because every day there are more employees that need to use GnuPG right now and I am under stress making all these decisions).

>> 100-250 employees will be the target. But not all of them need GPG.
>
> Only some of them need GPG? Ought to make your life a little easier. ;)

Make my life *possible*! :-)

> Sure.
>
>> But I guess that scripts are not user-friendly enough for my employees :-(
>
> Depending on what you are using with/for the MUA to implement the signing and encryption,

gpg4win: collection of Windows-tools like gnupg, WinPT (key-mgt), GpGee (Windows-Explorer extension), ... So I am using WinPT and the corresponding Outlook-plugin.

> you could use rules to simplify this for the users.

I try to do this by giving very detailed instructions with a lot of screenshots on our local intranet webserver.

-- 
Karl Voit

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Change limits on pubkey lengths?
Since RFC4880 is now including symmetric ciphers with 256 bit key lengths like TWOFISH and CAMELLIA, is it time to change the limits in gnupg for pubkey sizes? According to some sources (RSA for example) the equivalent asymmetric key size would be 15360 bits compared to a symmetric cipher using 256-bit key length. Is it really so bad to set the default to something between 2048 and 4096 and the upper limit to 16K? We know that if the session key is compromised it means one message has been exposed. If the pubkey is factored then all messages encrypted under that key pair are exposed. I know from old posts Werner has been opposed to increasing these limits but am wondering now if he reconsiders based on new ciphers in 4880 and recent events in factoring pubkeys. Sorry if this has already been discussed in the openpgp ietf or elsewhere. I didn't find any hits. Thanks to the gpg dev and user community.
GnuPG with PHP / install
Been searching the web for the last 3 hours inconclusively and hope someone here can advise how to do it: Trying to access GnuPG on a new server with Centos5 and cPanel and PHP5. GnuPG is available in the server's root directory /root/.gnupg which is not accessible with PHP from domain/accounts on the server. I need access to gpg with PHP through accounts on my server such as: /home/first_account/.gnupg /home/other_account/.gnupg Through cPanel I can also install (have) public keys for each domain/account, but cannot access gpg in the server's root directory. Any advice will be greatly appreciated, PM.
scdaemon troubles
hi, i'm using an openpgp smartcard with gpg for signing, decryption and ssh authentication. after a clean boot everything works fine... but after a suspend to disk under linux using the hibernate script and the kernel suspend option(s) i have a strange problem. ok... at first it does not work... then i kill the scdaemon: now i get the pinentry prompt but afterwards an error message "agent admitted failure to sign with the key" (when i do authentication). now i kill scdaemon again: now everything works as it should... having to kill the daemon twice is a bit strange... so my question is, does anybody have a clue what's going on or should i do some debugging myself? tia, yours albert
length of every public key and private key?
I am very new to PGP. I know there are pubring.pgp and secring.pgp which contain public keys and private keys. I just want to know the structure of the pubring.pgp and secring.pgp and the length of every public key and private key. _ You can now chat on MSN from your mobile phone too, come and try it! http://mobile.msn.com.cn/
Re: Change limits on pubkey lengths?
On Wed, Mar 12, 2008 at 06:08:22PM +, Anonymous wrote:
> Since RFC4880 is now including symmetric ciphers with 256 bit key lengths like TWOFISH and CAMELLIA, is it time to change the limits in gnupg for pubkey sizes? According to some sources (RSA for example) the equivalent asymmetric key size would be 15360 bits compared to a symmetric cipher using 256-bit key length. Is it really so bad to set the default to something between 2048 and 4096 and the upper limit to 16K?

Camellia is not in RFC4880. It is currently being discussed for its own RFC, though. The only 256-bit ciphers in 4880 are Twofish and AES256, and the default for RSA is already 2048. We'll accept up to 4096 (and of course accept virtually anything generated elsewhere), but when you get much past that, things get problematic: RSA 16k is unbelievably slow, and difficult to work with. It's just too big. A better answer is EC cryptography in OpenPGP, which gives you more security for each bit of space. As it happens, EC is also being discussed for its own RFC at the moment.

David
Re: scdaemon troubles
On Mon, 17 Mar 2008 17:18, [EMAIL PROTECTED] said:
> so my question is, does anybody have a clue what's going on or should i do some debugging myself?

Sometimes it just happens that the scdaemon doesn't correctly notice the removal of a card. That needs to be debugged. With hibernation this should be pretty clear: scdaemon believes that the card is present and active but because the card has been powered down, it is not active after the resume. What about killing scdaemon from the resume script or better with the suspend script?

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
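A sleep hook in the spirit of Werner's suggestion, added here as an example and not taken from the thread or from GnuPG itself: it stops scdaemon before the machine suspends, so the daemon cannot carry a stale "card present and active" state across the resume. It assumes a pm-utils style hook that the power manager calls with the action name as its first argument, and that either gpgconf (GnuPG 2.1 or later) or pkill is available; the hook path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Meant for a pm-utils style hook
# (e.g. /etc/pm/sleep.d/10-scdaemon, an assumed path) which the power
# manager invokes as "hook suspend|hibernate|resume|thaw".

# Stop scdaemon before the card is powered down. gpg-agent restarts it on
# demand, so after resume the daemon re-detects the card from scratch
# instead of believing a powered-off card is still active.
kill_scdaemon() {
  if command -v gpgconf >/dev/null 2>&1; then
    # gpgconf --kill exists in GnuPG 2.1 and later.
    gpgconf --kill scdaemon 2>/dev/null || true
  else
    # Fallback for older installations: terminate by process name.
    pkill -x scdaemon 2>/dev/null || true
  fi
}

# Dispatch on the hook action. Returns 0 for every known action and
# 1 for an unknown one so the power manager can report a broken hook.
scdaemon_sleep_hook() {
  case "$1" in
    suspend|hibernate) kill_scdaemon ;;
    resume|thaw) : ;;   # nothing to do: scdaemon is started on first use
    *) echo "scdaemon hook: unknown action '$1'" >&2; return 1 ;;
  esac
}

# Only dispatch when executed with an argument (not when sourced for tests).
if [ $# -gt 0 ]; then
  scdaemon_sleep_hook "$1"
fi
```

Killing on suspend rather than on resume is the safer order: on resume the daemon may already have answered a request with its stale state before the hook runs.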
Re: GnuPG with PHP / install
PeterM wrote:
> I need access to gpg with PHP through accounts on my server such as: /home/first_account/.gnupg /home/other_account/.gnupg Through cPanel I can also install (have) public keys for each domain/account, but cannot access gpg in the server's root directory. Any advice will be greatly appreciated,

You want to use either the GNUPGHOME environment variable or --homedir command line option to tell gpg where to look for its files.

-- 
Todd
OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only consistent feature in all of your dissatisfying relationships is you. -- Demotivators (www.despair.com)
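As an added example that is not from the thread: a small shell wrapper around the --homedir option Todd mentions, pointing gpg at an account's own keyring instead of /root/.gnupg. The /home/<account>/.gnupg layout is the one from the question; the permission check and the restriction on account names are this example's own additions, and it assumes the user running it (for instance the web server's PHP process) may read the account's directory.

```shell
#!/bin/sh
# Added example, not from the thread. Run gpg against a per-account keyring
# (/home/<account>/.gnupg, the layout from the question) instead of the
# root user's /root/.gnupg.

# Check that a GnuPG home directory exists and is private to its owner.
# gpg itself warns about "unsafe permissions" on group/world accessible
# homedirs, and a keyring reachable from a web server is exactly where
# that matters. Returns 0 when OK, 1 when missing, 2 when mode is not 700.
check_gnupg_home() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "no GnuPG home directory: $dir" >&2
    return 1
  fi
  # GNU stat (Linux) first, BSD stat as fallback.
  mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
  if [ "$mode" != "700" ]; then
    echo "unsafe permissions $mode on $dir (expected 700)" >&2
    return 2
  fi
  return 0
}

# Compute the GnuPG home for an account. The name is limited to a safe
# character set and may not start with a dot, so a name taken from a web
# request cannot become "../../root" and reach another keyring.
account_gnupg_home() {
  case "$1" in
    ''|*[!a-zA-Z0-9_.-]*|.*) return 1 ;;
  esac
  echo "/home/$1/.gnupg"
}

# Run gpg for one account, e.g. `gpg_as_account first_account --list-keys`.
# Both GNUPGHOME and --homedir are set: the option is what gpg honours, and
# the variable keeps helper programs (gpg-agent) on the same directory.
gpg_as_account() {
  account="$1"; shift
  dir=$(account_gnupg_home "$account") || { echo "bad account name: $account" >&2; return 1; }
  check_gnupg_home "$dir" || return $?
  GNUPGHOME="$dir" gpg --batch --no-tty --homedir "$dir" "$@"
}
```

The same two settings work from PHP: export GNUPGHOME into the environment of the gpg subprocess, or pass --homedir on its command line, and keep each account's directory at mode 700.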
Re: length of every public key and private key?
On Mar 12, 2008, at 11:35 AM, 徐信来 wrote:
> I am very new to PGP. I know there are pubring.pgp and secring.pgp which contain public keys and private keys. I just want to know the structure of the pubring.pgp and secring.pgp and the length of every public key and private key.

http://tools.ietf.org/html/rfc4880

David
OpenPGP card stopped working
Sven, I think I just bumped into your problem. I've been testing Hardy, and haven't had any problems with the OpenPGP card until now. I have to investigate further, but preliminary results indicate a udev or related problem. In Gutsy, the device is created in /dev, in Hardy it is not. Hardy is still alpha, so I expect breakage. Additionally, I'm using the amd64 version, not i386. This is more a problem for the Ubuntu devs I think than for Werner and gang. So if you are using Hardy, then that may explain your problem. Doesn't seem to be a problem with Gutsy though, just rechecked. Best regards, Harvey