Re: OpenLDAP schema to store OpenPGP keys?
Excerpts from 's message of Mon Feb 20 10:56:32 +0100 2006: Walter Haidinger schrieb am Samstag, dem 18. Feber 2006: Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for use with GnuPG). [...] However, I was unable to find any schema definiton... http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip Like Walter, I'd like to add OpenPGP keys to an LDAP server, but can't locate the schema used / understood by GnuPG. The file mentioned above has since gone. Where did the schema come from originally? If the license is GPL compatible, would it be possibly to include it as part of the GnuPG documentation? Sascha -- http://sascha.silbe.org/ http://www.infra-silbe.de/ signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Crontab running gpg script can’t find secret key
Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key: sananselmo backupscripts.d # gpg --list-secret-keys /root/.gnupg/secring.gpg sec 2048R/AC1E8E28 2011-01-11 uid Griff McClellan (Broadmark Asset Management) ssb 2048R/81E9591C 2011-01-11 Here is my script: gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt –sign /usr/share/tararchive/file.tar.bz2 When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get: gpg: no default secret key: No secret key Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome. -- View this message in context: http://old.nabble.com/Crontab-running-gpg-script-can%E2%80%99t-find-secret-key-tp30831486p30831486.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Crontab running gpg script can’t find secret key
griffmcc wrote: Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key: sananselmo backupscripts.d # gpg --list-secret-keys /root/.gnupg/secring.gpg sec 2048R/AC1E8E28 2011-01-11 uid Griff McClellan (Broadmark Asset Management) ssb 2048R/81E9591C 2011-01-11 Here is my script: gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt –sign /usr/share/tararchive/file.tar.bz2 When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get: gpg: no default secret key: No secret key Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome. Which user ID is the cron script running under? Is that user the same one that owns the key? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, 03 Feb 2011, Sascha Silbe wrote: Excerpts from 's message of Mon Feb 20 10:56:32 +0100 2006: Walter Haidinger schrieb am Samstag, dem 18. Feber 2006: Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for use with GnuPG). [...] However, I was unable to find any schema definiton... http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip Like Walter, I'd like to add OpenPGP keys to an LDAP server, but can't locate the schema used / understood by GnuPG. The file mentioned above has since gone. Where did the schema come from originally? If the license is GPL compatible, would it be possibly to include it as part of the GnuPG documentation? It came from PGP Corporation in 2003, licensed BSD style. I've dug through my old mail and restored the file at http://www.palfrader.org/pgp/PGPKeyserverSchema.zip Cheers, -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Add/remove recipient without re-encrypting
Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file? From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption). Assuming I own the private key of one the original recipient, could GnuPG decrypt the session key and add/remove new recipients to the existing file? Thanks Alphazo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Add/remove recipient without re-encrypting
On 2/3/11 9:38 AM, Alphazo wrote: Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file? Technically, yes, although you would need to write the tool yourself. Assuming I own the private key of one the original recipient, could GnuPG decrypt the session key and add/remove new recipients to the existing file? GnuPG does not have this functionality. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Add/remove recipient without re-encrypting
Am Donnerstag 03 Februar 2011 15:38:12 schrieb Alphazo: Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file? Not an answer but a proposal: I have read this question several times on this list. I know that this is possible today but complicated (and AFAIK not part of the gpg documentation). I prefer an easy solution within gpg. Thus I suggest the feature that recipient packets can be stored in a seperate file. Thus only a small file has to be changed (extended or partially erased). A solution with better compatibility would be: The session key of the content file is the encrypted content of the recipients file. Thus implementations with a feature like --override-session-key can still access the content file (with some manual assistance) if they don't support such an extension file. That could look like this: gpg --encrypt --recipient --recipient 1112 file.txt would change to gpg --encrypt --recipient --ext-rec-file --recipient 1112 \ file.txt with all recipients given after --ext-rec-file (or --ext-rec-file=filename) being written to the extension file. If this is not implemented and we stick to you would need to write the tool yourself then it might be helpful to add the option to write some dummy recipients (just to have enough space in the file which can be overwritten). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Add/remove recipient without re-encrypting
Hello, On Thu, Feb 03, 2011 at 03:38:12PM +0100, Alphazo wrote: Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file? From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption). Assuming I own the private key of one the original recipient, could GnuPG decrypt the session key and add/remove new recipients to the existing file? For what it's worth, I tried to write such a tool for my own, and annouced it on this list; see http://www.mail-archive.com/gnupg-users@gnupg.org/msg13495.html for the announcement. If you are interrested, I think it would be possible to resurrect this project. Cheers, -- Nicolas Boullis ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GPG Decrypt Messages
Hi, Can some please help me how to avoid these messages whenever the gpg files is decrypted. Here are the messages gpg: Signature made Wed Feb 02 14:26:25 2011 PST using DSA key ID BD6608B2 gpg: Good signature from umesh (GPG encryptionl) a...@xxx.com It is printing in logs everytime. Please advice what should i use to avoid them. Here is the command i am using: gpg -q -d abc.gpg Thanks, Umesh ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Is commerical PGP.com compatible with Gnupg ???
Hello, Is the pgp from pgp.com compatible with gnupg ?? Is gnupg FIPS 140-2 compliant? Dave ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is commerical PGP.com compatible with Gnupg ???
On 2/3/11 12:34 PM, Keith Theman wrote: Is the pgp from pgp.com compatible with gnupg ?? Generally, yes. PGP holds a patent on the Additional Decryption Key functionality (which GnuPG developers have said will not be implemented in GnuPG, even if it weren't patented), though, so that's an example of one of the minor incompatibilities between the two. Is gnupg FIPS 140-2 compliant? I am unaware of any certified laboratory which has declared GnuPG conformant to any FIPS. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: learning which symmetric cipher via --status-fd when --decrypting
On Thu, 3 Feb 2011 08:28, d...@fifthhorseman.net said: is there a way for a program that parses --status-fd to get this Not yet. information, or does the program need to parse --logger-fd as well to better don't do that; the messages may change. What about this new feature: DECRYPTION_INFO mdc_method sym_algo Print information about the symmetric encryption algorithm and the MDC method. This will be emitted even if the decryption fails. $ ~/b/gnupg/g10/gpg2 --status-fd 2 enc+sig.asc [GNUPG:] ENC_TO 4F9915352D91F921 18 0 gpg: encrypted with 256-bit ECDH key, ID 2D91F921, created 2011-02-03 Joe Random Hacker (test key with passphrase x) j...@setq.org [GNUPG:] BEGIN_DECRYPTION [GNUPG:] DECRYPTION_INFO 2 7 [GNUPG:] PLAINTEXT 62 1296751201 [GNUPG:] PLAINTEXT_LENGTH 139 The difference between the right word and the almost right word is the difference between lightning and the lightning bug. -- Mark Twain gpg: Signature made Thu Feb 3 17:40:01 2011 CET using ECDSA key ID 6AE8EAC3 [GNUPG:] SIG_ID Fh+ZrREGtHN97DZR1dRxaRCohdo 2011-02-03 1296751201 [GNUPG:] GOODSIG 9A7AE1B86AE8EAC3 Joe Random Hacker (test key with... gpg: Good signature from Joe Random Hacker (test key with passphrase... [GNUPG:] VALIDSIG 1C5AD3334C35780012F7D6979A7AE1B86AE8EAC3 2011-02-03 ... [GNUPG:] TRUST_FULLY [GNUPG:] DECRYPTION_OKAY [GNUPG:] GOODMDC [GNUPG:] END_DECRYPTION Commit 5667e33. There is no support in GPGME yet, but I added some framework to support it. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: learning which symmetric cipher via --status-fd when --decrypting
On 02/03/2011 03:01 PM, Werner Koch wrote: On Thu, 3 Feb 2011 08:28, d...@fifthhorseman.net said: is there a way for a program that parses --status-fd to get this Not yet. information, or does the program need to parse --logger-fd as well to better don't do that; the messages may change. What about this new feature: DECRYPTION_INFO mdc_method sym_algo Print information about the symmetric encryption algorithm and the MDC method. This will be emitted even if the decryption fails. This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well? --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
moving user ID Comments to --expert mode
Hi folks-- I'd like to propose that GnuPG only prompt the user for a Comment for their User ID under --expert mode. Here's why: * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address. * new users see the prompt and think they need to enter something there, without understanding why or what to put there. This leads to people either making a witticism (e.g. No Comment), repeating their actual name, redundantly describing their e-mail address (e.g. gmail address), or saying something like this is cool software, which then becomes part of their User ID and goes on the keyservers, associated with them permanently. When keysigning, if i get asked to certify a key with a comment like this, i don't know what to say. What am i certifying if i say that this key really belongs to Joe Schmoe (no comment) j...@example.org ? Joe Schmoe j...@example.org i can understand and certify, but the intervening comment doesn't seem sensible or verifiable. There are indeed some possibly legitimate uses of comments, but many of them would be better handled with notations attached to subkeys or notations attached to particular user IDs. What do other people think? If moving the Comment: prompt to --expert seems to radical, a more conservative proposal would be to change the prompt from: Comment: to: Comment (leave blank unless you are sure you need this and know what you are doing): or: Comment (most people should leave this blank): The example User ID prompt should also be changed (in english) from You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: Heinrich Heine (Der Dichter) heinri...@duesseldorf.de to: Your new key needs a User ID that identifies you; Usually, this takes the form of your real name followed by your e-mail address: Heinrich Heine heinri...@duesseldorf.de Regards, --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote: * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address. Whenever people talk about what most users need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what real users need tends to not correlate very tightly with what real users say they need. If moving the Comment: prompt to --expert seems to radical, a more conservative proposal would be to change the prompt from: Comment: to: Comment (leave blank unless you are sure you need this and know what you are doing): or: Comment (most people should leave this blank): Terse is beautiful. I think something like Comment (optional): ... would suffice, and would be a modest improvement on the current prompt. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: learning which symmetric cipher via --status-fd when --decrypting
On Thu, 3 Feb 2011 21:13, d...@fifthhorseman.net said: This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well? Hmmm. If you really want that please out it into the tracker; there is a topic keyword backport. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Crontab running gpg script can’t find secret key
The user running the cron job is root and the owner of the key is root. I know this because I added whoami whoami.txt to the script and the contents of the file were root. David SMITH-4 wrote: griffmcc wrote: Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key: sananselmo backupscripts.d # gpg --list-secret-keys /root/.gnupg/secring.gpg sec 2048R/AC1E8E28 2011-01-11 uid Griff McClellan (Broadmark Asset Management) ssb 2048R/81E9591C 2011-01-11 Here is my script: gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt –sign /usr/share/tararchive/file.tar.bz2 When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get: gpg: no default secret key: No secret key Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome. Which user ID is the cron script running under? Is that user the same one that owns the key? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- View this message in context: http://old.nabble.com/Crontab-running-gpg-script-can%E2%80%99t-find-secret-key-tp30831486p30838341.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Solution: Crontab running gpg script can’t find secret key
Here's what works for me: echo 'password' | gpg -vvv --homedir /root/.gnupg --batch --passphrase-fd 0 --output /usr/share/file.gpg --encrypt --sign /usr/share/file.tar.bz2 -- View this message in context: http://old.nabble.com/Crontab-running-gpg-script-can%E2%80%99t-find-secret-key-tp30831486p30839184.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: learning which symmetric cipher via --status-fd when --decrypting
On 02/03/2011 04:19 PM, Werner Koch wrote: On Thu, 3 Feb 2011 21:13, d...@fifthhorseman.net said: This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well? Hmmm. If you really want that please out it into the tracker; there is a topic keyword backport. reported, thanks: https://bugs.g10code.com/gnupg/issue1316 Regards, --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 04:07 PM, Robert J. Hansen wrote: On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote: * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address. Whenever people talk about what most users need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what real users need tends to not correlate very tightly with what real users say they need. my user survey is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt. If anyone thinks that removing this prompt would be a Bad Thing, I would love to have a clearer explanation of the Comment prompt that i could refer to when i try to de-baffle people in the future. Looking through my keyring, i see many more useless comments (clutter) than i see comments that might possibly be useful. Of the comments in user IDs in my keyring that might possibly be useful, most of them would be better communicated in some other way than as assertions of their personal identity. I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself what does it mean for me to certify these comments? Terse is beautiful. Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that? I think something like Comment (optional): ... would suffice, and would be a modest improvement on the current prompt. Yes, that would be an improvement over the current situation. i suspect it will cause a non-negligible proportion of users to use the string optional as their comment, but you can't win 'em all :( --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote: my user survey is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt. I'm in a similar position to you, except this is my twentieth year of helping people with PGP. (I started way back in 1991, when PGP first came out and was distributed friend-to-friend on floppy disks... five and a quarter floppy disks.) I have never seen anyone be baffled by the 'Comment:' prompt. Some people have asked, What should I type here?, and I usually explain, nothing, just hit return, and they do. Those who ask what the Comment field means generally understand it very quickly. The problem with using anecdotal evidence as opposed to surveys is there's all different kinds of cognitive biases that go on inside the mind of the person relating the anecdote. With surveys, you can go back to the original documents and say, User #4 said this: what do we think about this user's remarks? Ultimately, I think arguing from anecdote that we need to change the comment prompt is unpersuasive. If anyone thinks that removing this prompt would be a Bad Thing, I would love to have a clearer explanation of the Comment prompt that i could refer to when i try to de-baffle people in the future. Just like a user ID allows you to tell people your email address and your real name, it also lets you put a note in there in case there's anything else you really want people to know. You can skip this: just hit 'return.' I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself what does it mean for me to certify these comments? Zero. Comments don't get certified. All my signature means is I have met this person face to face, have seen two forms of government identification, have confirmed a fingerprint and exchanged an email at that address. There's nothing in my signature policy that addresses comments, nothing at all. Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that? Without a good basis, yes, I do. If you change this prompt you will also break a ton of scripts that expect this prompt. Not only that, but since key generation is a rare occurrence the breakage may occur months or years after the change is made. This isn't something to be done lightly. Yes, that would be an improvement over the current situation. i suspect it will cause a non-negligible proportion of users to use the string optional as their comment, but you can't win 'em all :( You can't prevent people from being gratuitously foolish idiots. Some people think they're tremendously clever by doing things like this, and they'll continue to do it no matter how you change the user interface. It is unwise to Fisher-Price the interface in the hopes of preventing fools from being clever. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 17:10:58 -0500, Robert J. Hansen r...@sixdemonbag.org wrote: On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote: my user survey is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt. I'm in a similar position to you, except this is my twentieth year of helping people with PGP. (I started way back in 1991, when PGP first came out and was distributed friend-to-friend on floppy disks... five and a quarter floppy disks.) I have never seen anyone be baffled by the 'Comment:' prompt. Some people have asked, What should I type here?, and I usually explain, nothing, just hit return, and they do. Those who ask what the Comment field means generally understand it very quickly. I have to agree with Daniel that I have in fact honestly never spoken to anyone who was *not* confused by that field. I can't ever remember seeing a comment field used in any way that made sense to me. I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself what does it mean for me to certify these comments? Zero. Comments don't get certified. All my signature means is I have met this person face to face, have seen two forms of government identification, have confirmed a fingerprint and exchanged an email at that address. There's nothing in my signature policy that addresses comments, nothing at all. I'm not sure I understand this comment. Certifications are over user IDs. The comments are in the user IDs. By certifying the full user ID you are also certifying the comment. Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that? Without a good basis, yes, I do. If you change this prompt you will also break a ton of scripts that expect this prompt. Not only that, but since key generation is a rare occurrence the breakage may occur months or years after the change is made. This isn't something to be done lightly. I think this is why his original suggestion was to move it instead to --expert. Moving it to --expert makes a lot of sense to me. jamie. pgptusULBZJoU.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
I like the idea of adding the (Optional) to the prompt because I'm a big fan of optional fields being marked as such. This is an simple and elegant fix to an issue. And I'd hesitate to move it to expert since we have been (ab)using the comment field for our keys, then again this is being used by sysadmins who should know what they are doing, so moving it to expert mode shouldn't be too bad... but what should be is not the same as what is. On Thu, Feb 3, 2011 at 4:07 PM, Robert J. Hansen r...@sixdemonbag.org wrote: On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote: * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address. Whenever people talk about what most users need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what real users need tends to not correlate very tightly with what real users say they need. If moving the Comment: prompt to --expert seems to radical, a more conservative proposal would be to change the prompt from: Comment: to: Comment (leave blank unless you are sure you need this and know what you are doing): or: Comment (most people should leave this blank): Terse is beautiful. I think something like Comment (optional): ... would suffice, and would be a modest improvement on the current prompt. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Solution: Crontab running gpg script can’t find secret key
On Thursday 03 February 2011, griffmcc wrote: Here's what works for me: echo 'password' | gpg -vvv --homedir /root/.gnupg --batch --passphrase-fd 0 --output /usr/share/file.gpg --encrypt --sign /usr/share/file.tar.bz2 I suggest setting the passphrase of the key to an empty passphrase. Using a non-empty passphrase and then putting this secret passphrase in the crontab totally defeats the purpose of the passphrase. Moreover, the passphrase will be available to anybody who knows ps. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 16:30:00 -0500 Daniel Kahn Gillmor d...@fifthhorseman.net articulated: On 02/03/2011 04:07 PM, Robert J. Hansen wrote: On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote: * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address. Whenever people talk about what most users need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what real users need tends to not correlate very tightly with what real users say they need. my user survey is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt. Statistically speaking, a few dozen users is not very meaningful. Furthermore, did you have a test group to compare these results against? In addition, did any one who claimed to be knowledgeable with the concepts of PGP ask you for assistance? Probably not which causes your statistical analyses to be in error. It reminds me of the famous Coke a Cola debacle in the 80's. Their analysis was so flawed that they eventually fired everyone involved in the fiasco, not to mention the fact that they lost millions of dollars. In any case, statistics can be made to represent anything you want them to. If 5% of a group suffers from constipation does that mean the remaining 95% enjoys it? -- Jerry ✌ gnupg.u...@seibercom.net _ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. Q: What is the difference between Texas and yogurt? A: Yogurt has culture. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 05:22 PM, Jameson Rollins wrote: On Thu, 03 Feb 2011 17:10:58 -0500, Robert J. Hansen r...@sixdemonbag.org wrote: Zero. Comments don't get certified. All my signature means is I have met this person face to face, have seen two forms of government identification, have confirmed a fingerprint and exchanged an email at that address. There's nothing in my signature policy that addresses comments, nothing at all. I'm not sure I understand this comment. Certifications are over user IDs. The comments are in the user IDs. By certifying the full user ID you are also certifying the comment. Just to clarify this point: If i meet Robert in person, show him my gov't IDs, my fingerprint, and we exchange e-mails, Robert would probably be fine certifying this User ID: Daniel Kahn Gillmor d...@fifthhorseman.net But i suspect he would not want to certify this User ID: Daniel Kahn Gillmor (I am really Robert Hansen) d...@fifthhorseman.net And he would be right to do avoid certifying it. --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 5:47 PM, Daniel Kahn Gillmor wrote: By certifying the full user ID you are also certifying the comment. This is not how either OpenPGP or GnuPG work. Certifiers get to define what their certifications mean. Bang, period, end of sentence. There are *no* certification semantics in OpenPGP: there is only a rich and comprehensive set of syntactic primitives. It's true that, say, a persona-level signature is different syntactically than an I-have-done-extensive-checking signature: but OpenPGP quite wisely says *nothing* about the level of checking which goes into each signature level. If you see a certification and you assume you know what the certifier intends, then you are living in sin. Ask the certifier what for their policy: that's the only way to know. Some people will make certifications willy-nilly (well, I've traded emails with the guy a few times...). Some will make certifications only very carefully. Some will make totally unreasonable certifications because they don't know any better, and some will not make reasonable certifications because they have an abundance of paranoia. Unless you ask the certifier, *you do not, and cannot, know*. By certifying the full user ID, I am making a statement that is derived from my own local certification policy. That's all. Nothing else. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
Am Donnerstag 03 Februar 2011 23:22:38 schrieb Jameson Rollins: I think this is why his original suggestion was to move it instead to --expert. Moving it to --expert makes a lot of sense to me. Perhaps it makes sense to extend the output of --gen-key by a hint like Additional features are enabled by the option --expert. Have a look at the documentation. This is independent of this discussion, though. It took me several years to notice this option... ;-) Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 15:16, Hauke Laging wrote: Am Donnerstag 03 Februar 2011 23:22:38 schrieb Jameson Rollins: I think this is why his original suggestion was to move it instead to --expert. Moving it to --expert makes a lot of sense to me. Perhaps it makes sense to extend the output of --gen-key by a hint like Additional features are enabled by the option --expert. Have a look at the documentation. This is independent of this discussion, though. It took me several years to notice this option... ;-) That's part of the test. Congratulations on your passing grade. :) -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 14:22, Jameson Rollins wrote: I have to agree with Daniel that I have in fact honestly never spoken to anyone who was*not* confused by that field. I can't ever remember seeing a comment field used in any way that made sense to me. I'm as pedantic as the next geeky dev, but I agree with this, and believe that arguing from example is perfectly valid in this case. FWIW I would love to see the comment field moved to expert mode since it rather clearly qualifies under the If you don't already know that you need this, you don't need this category that --expert is designed to protect the casual user from. I think (Optional) would be an Ok compromise if that's what the gnupg devs think is right, although something closer to (You probably don't want to type anything here, no, really, don't do it) would be better. :) Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Feb 3, 2011, at 5:10 PM, Robert J. Hansen wrote: I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself what does it mean for me to certify these comments? Zero. Comments don't get certified. All my signature means is I have met this person face to face, have seen two forms of government identification, have confirmed a fingerprint and exchanged an email at that address. There's nothing in my signature policy that addresses comments, nothing at all. I'm afraid I'm not parsing your point here. Comments are part of the user ID field. When you make a certification, they are included in the hash. You can't sign part of a user ID. Are you saying that you don't sign things with comments? (Comments don't get certified). Or are you arguing the *meaning* of the certification (you may or may not sign the user ID, but if you did sign it, the comment part should be considered null and void in terms of your particular certification)? Or something else? Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that? Without a good basis, yes, I do. If you change this prompt you will also break a ton of scripts that expect this prompt. Not only that, but since key generation is a rare occurrence the breakage may occur months or years after the change is made. This isn't something to be done lightly. I suppose I don't really have particularly strong feelings about whether comment is put under --expert or not, but either way this argument is not a good one. We have made many changes to the keygen prompts over time, and no doubt will continue to do so in the future. The only scriptable interface for key generation in GPG is --batch --key-gen, and it is documented as such. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 6:30 PM, David Shaw wrote: Or are you arguing the *meaning* of the certification (you may or may not sign the user ID, but if you did sign it, the comment part should be considered null and void in terms of your particular certification)? This. I may agree with the comment, I may disagree with it, but either way I am not vouching for it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 17:54:39 -0500, Robert J. Hansen r...@sixdemonbag.org wrote: But i suspect he would not want to certify this User ID: Daniel Kahn Gillmor (I am really Robert Hansen) d...@fifthhorseman.net Correct. Because the presence of my signature means something. The *absence* means *nothing at all*, and you're smart enough to know that. Just out of curiosity, can you explain why you wouldn't sign dkg's hypothetical user ID? jamie. pgpkFAKu20oug.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: learning which symmetric cipher via --status-fd when decrypting
Message: 8 Date: Thu, 03 Feb 2011 02:28:05 -0500 From: Daniel Kahn Gillmor d...@fifthhorseman.net is there a way to get information about which symmetric cipher was used on an encrypted message when decrypting? There may be other direct ways, but a simple unexpected way, is to use the option of --show-session-key. Upon decryption, GnuPG shows the number of the symmetric algorithm, followed by a colon, followed by the session key string (i.e, '2:' indicates that 3DES is the symmetric cipher used). vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 6:09 PM, Jameson Rollins wrote: Just out of curiosity, can you explain why you wouldn't sign dkg's hypothetical user ID? Because with a comment like that, my impression would be that he was aiming to deliberately yank my chain: and why should I put up with that? To use that as an example, and to simultaneously lose sight of the you know, I'm kind of being a jerk here, and why should do me a favor by making a certification if I'm being a jerk to him? factor, is to reduce humanity to automation. It implicitly says, you must do this, because to be otherwise is illogical. I demand logic in technical matters. In social matters, I embrace my humanity, which is to say my right to be inconsistent. I heartily recommend this course of living to everyone. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Thu, Feb 03, 2011 at 04:07:40PM -0500, Robert J. Hansen wrote: Whenever people talk about what most users need, I have to ask to see the user survey that's showing this. I don't think it matters what the real numbers are. We've all seen user ids with utterly unhelpful comments, and it stands to reason that some fraction of them were put in place because novice users felt obligated to include a comment. The first time I used gnupg this is exactly what I did, as evident in my old keys on the keyservers. Personally I've never seen a comment that helped me identify the owner of a key in a meaningful way. So since it occasionally causes silliness, and rarely or never to my knowledge helps, I would go so far as to say that use of comments should be strongly discouraged. --mjgoins signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 5:32 PM, Matthew James Goins wrote: Personally I've never seen a comment that helped me identify the owner of a key in a meaningful way. The problem with anecdote is everyone's anecdote is different. As a ham radio operator (KC0SJE), I have a fair number of keys that have comments of Amateur radio: KC0SJE. (A former cert of mine had Amateur Radio tagged on my kc0sje@my.domain address, for instance.) And yes, I do find it helpful to have someone's ham call on their key: when I'm sending a contact report to someone, it's nice to be able to grep through my keyring looking for their call sign and get the email address it should go to. The user community is huge. Just because you don't see it doesn't mean other people don't use it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 8:17 PM, Doug Barton wrote: So, you're saying that hams are not smart enough to figure out how to use expert mode if they really want this functionality? :) You're moving the goalposts. That was responding to someone who denied the usefulness of comments at all. If I'm establishing there are communities who use comments, and these communities often exist under the radar of list members, then it's disingenuous to say but they can just use expert mode. Whether it should be in normal mode or expert mode is a completely different question from whether there exist a significant number of users who find the comment field useful. As long as we're moving things into expert mode, I'd like to see all non-default options moved into expert mode, including key lengths. I've never seen anyone outside of the intelligence community who had a need for a 4096-bit key: why do we support generating them? I've seen people screw up expiration dates more often than I've seen them use expiration dates as part of a sane, rational security policy: why is this option part of the default, why isn't setting an expiration date reserved for expert users? Etc., etc. If you open up the well, I think it ought to be in expert mode, there are a lot of other things that ought to be moved over there first. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:23, Robert J. Hansen wrote: On 2/3/11 8:17 PM, Doug Barton wrote: So, you're saying that hams are not smart enough to figure out how to use expert mode if they really want this functionality? :) You're moving the goalposts. That was responding to someone who denied the usefulness of comments at all. If I'm establishing there are communities who use comments, and these communities often exist under the radar of list members, I don't disagree with anything above, but then it's disingenuous to say but they can just use expert mode. Why? Restating my argument in a more serious fashion: 1. There are very few people who usefully benefit from comments 2. Most novice users who add a comment do so badly 3. Therefore moving the option to expert mode is a win for the community. Whether it should be in normal mode or expert mode is a completely different question from whether there exist a significant number of users who find the comment field useful. I actually disagree with this as stated, although I will grant you that point 2 above is included in the overall issue. :) As long as we're moving things into expert mode, I'd like to see all non-default options moved into expert mode, including key lengths. I've never seen anyone outside of the intelligence community who had a need for a 4096-bit key: why do we support generating them? I've seen people screw up expiration dates more often than I've seen them use expiration dates as part of a sane, rational security policy: why is this option part of the default, why isn't setting an expiration date reserved for expert users? Etc., etc. That all sounds good to me. Doug (seriously) -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:10, Robert J. Hansen wrote: On 2/3/11 5:32 PM, Matthew James Goins wrote: Personally I've never seen a comment that helped me identify the owner of a key in a meaningful way. The problem with anecdote is everyone's anecdote is different. As a ham radio operator (KC0SJE), I have a fair number of keys that have comments of Amateur radio: KC0SJE. So, you're saying that hams are not smart enough to figure out how to use expert mode if they really want this functionality? :) Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/3/11 8:36 PM, Doug Barton wrote: then it's disingenuous to say but they can just use expert mode. Why? Because it does not recognize the validity of a well-answered question. When a question is asked and answered, it is good form to recognize the answer, rather than say ... well, but! Moving the goalposts, in addition to being a logical fallacy, tends to persuade people that you're not really interested in the answer. ... E.g., Lee Harvey Oswald didn't kill Jack Kennedy! The shots weren't fired from the Texas Book Depository. Well, in point of fact, his co-workers saw him going up to the floor where he fired from, and a lifelong hunter co-worker of his was exactly one floor below and heard the gunshots, the shooter working the bolt of the rifle, and the brass ejecting on the floor. But there's no way any human being could fire those shots that quickly and accurately! That's the work of a military sniper, not a deranged gunman! Oswald couldn't have been the shooter! Well, now you're moving the goalposts: but, while we're talking about it, the Warren Commission was able to find an Army specialist[*] who was able to not only fire faster than that, but with better accuracy. But what about the grassy knoll and the fourth gunshot?! ... Listen, you're not really interested in having a discussion about this, are you? For every claim of yours that gets refuted, you just move the goalposts somewhere else. I'm done talking: it doesn't matter what answer I give, you're going to keep subscribing to these ridiculous and refuted conspiracy theories. [*] Non-Americans: 'specialist' is a rank in the United States Army, just barely above a raw recruit. Instead of being a specialist shooter, as you might think from the phrase Army specialist, it really means, the Warren Commission found a young soldier who was barely able to tie his own shoes without a sergeant's help, and even *he* was able to do a better job than Oswald. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 03-02-2011 22:17, Doug Barton escribió: On 02/03/2011 17:10, Robert J. Hansen wrote: ... The problem with anecdote is everyone's anecdote is different. As a ham radio operator (KC0SJE), I have a fair number of keys that have comments of Amateur radio: KC0SJE. So, you're saying that hams are not smart enough to figure out how to use expert mode if they really want this functionality? :) Guys, it is just a comment field, is it so hard to ignore comments that are meaningless to you? Maybe they have some meaning to someone else. Personally, I'm tired of saying ok, where did they put that thing I used to use, and that was so easy to find in the previous version?. Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJNS4aIAAoJEMV4f6PvczxAb7IH/iNa8WB2hGBokex3HPbmihXc cEx0hSmeXKgkGbD7lVi7V9CBy6FCdYcTqTQCs3i5SIPCabBbEai/yzbg9Smgf5Nc ZbhDxb7sFimKAXrzi0+VZO9x4IlpNHZYUWvJya1xr085XKnIrBl0FUMGXqVV7MeM PRUUlFeKa2MvK3nOLlK9KeMJb3C0t/A0KRwxl7997q7d9INATAz9ZrDd2U5Bync9 aSwx74ZvGvaVnEMUK0E3Y8EwLUIb0CqDUPPtN1Y3mndxBuksGN1BDtDQmHfRjIQl l53WKG9cq2k4TzxXJ4U/OTPRTPG3pFsNAgDkpBp6Kh2cwW+qvxPLd2sQubhh0s4= =tS8D -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On Thu, 3 Feb 2011 21:59, d...@fifthhorseman.net said: * new users see the prompt and think they need to enter something there, without understanding why or what to put there. This leads to people either making a witticism (e.g. No Comment), repeating their I have only seen a few of these comments; thus I don't think it is a real problem. I use the comment failed mainly to indicate a test key and I have seen other sensible usages as well. Many might nor know that there is a help feature for every input field: GnuPG needs to construct a user ID to identify your key. Real name: d Email address: @ Comment: ? Please enter an optional comment. The characters ( and ) are not allowed. In general there is no need for a comment. Comment: but many more users are using a GUI for key generation and thus it is up to the GUI to preset the comment field. For example GPA uses in non-advanced mode a wizard dialog for key generation and that one does not ask for comment. I don't have any strong feelings about this, however, here is my own proposal: GnuPG needs to construct a user ID to identify your key. Real name: d Email address: @ You selected this USER-ID: d @ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? c Comment: test key You selected this USER-ID: d (test key) @ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? q No expert option and no translation changes required, just one more key stroke to enter a comment. The drawback is as with the --expert option: we will receive bug reports like I can't enter a comment anymore ;-). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:52, Robert J. Hansen wrote: On 2/3/11 8:36 PM, Doug Barton wrote: then it's disingenuous to say but they can just use expert mode. Why? Because it does not recognize the validity of a well-answered question. I recognized it, but I don't think the answer is as central to the question of moving comments to expert mode as you do. Daniel's argument boils down to almost everyone who uses a comment doesn't need to, and most of the ones who do use them poorly. Your counter argument boils down to, yeah, but here is a group of people who use comments well. I gave a tongue-in-cheek response, but the kernel of it was (IMO) pertinent. Doug -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 2/4/11 2:16 AM, Doug Barton wrote: I recognized it, but I don't think the answer is as central to the question of moving comments to expert mode as you do. Daniel's argument boils down... I wasn't responding to Daniel. I was responding to Matt Goins, as was shown in my message, who said he had never seen any comment that helped him identify the owner of a key in a meaningful way. To that statement, pointing out the ham radio community's use of comment fields to store license numbers is on point. Moving the goalposts to, but ham operators can still set comment fields with --expert, is not. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users