date:20110203

On 2/3/11 9:38 AM, Alphazo wrote:
 Is it possible to add or remove a recipient to an already encrypted file
 and thus without re-encrypting the whole file?

Technically, yes, although you would need to write the tool yourself.

 Assuming I own the private key of one the original recipient, could
 GnuPG decrypt the session key and add/remove new recipients to
 the existing file?

GnuPG does not have this functionality.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Add/remove recipient without re-encrypting

2011-02-03 Thread Hauke Laging

Am Donnerstag 03 Februar 2011 15:38:12 schrieb Alphazo:
 Is it possible to add or remove a recipient to an already encrypted file
  and thus without re-encrypting the whole file?

Not an answer but a proposal:

I have read this question several times on this list. I know that this is 
possible today but complicated (and AFAIK not part of the gpg documentation). 
I prefer an easy solution within gpg. Thus I suggest the feature that 
recipient packets can be stored in a seperate file. Thus only a small file has 
to be changed (extended or partially erased).

A solution with better compatibility would be: The session key of the content 
file is the encrypted content of the recipients file. Thus implementations 
with a feature like --override-session-key can still access the content file 
(with some manual assistance) if they don't support such an extension file.

That could look like this:

gpg --encrypt --recipient  --recipient 1112 file.txt

would change to

gpg --encrypt --recipient  --ext-rec-file  --recipient 1112 \
file.txt

with all recipients given after --ext-rec-file (or --ext-rec-file=filename) 
being written to the extension file.


If this is not implemented and we stick to you would need to write the tool 
yourself then it might be helpful to add the option to write some dummy 
recipients (just to have enough space in the file which can be overwritten).


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Add/remove recipient without re-encrypting

2011-02-03 Thread Nicolas Boullis

Hello,

On Thu, Feb 03, 2011 at 03:38:12PM +0100, Alphazo wrote:
 Is it possible to add or remove a recipient to an already encrypted file and
 thus without re-encrypting the whole file?
 
 From what I understand GnuPG encrypts the payload (my binary file) with a
 symmetric session key. Then it stores each recipient key ID (optional) as
 well as an encrypted version of the session key using the public key of the
 recipient (asymmetric encryption).
 Assuming I own the private key of one the original recipient, could GnuPG
 decrypt the session key and add/remove new recipients to the existing file?

For what it's worth, I tried to write such a tool for my own, and 
annouced it on this list; see 
http://www.mail-archive.com/gnupg-users@gnupg.org/msg13495.html
for the announcement.

If you are interrested, I think it would be possible to resurrect this 
project.


Cheers,

-- 
Nicolas Boullis

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GPG Decrypt Messages

2011-02-03 Thread hare krishna

Hi,

Can some please help me how to avoid these messages whenever the gpg files
is decrypted. Here are the messages

gpg: Signature made Wed Feb 02 14:26:25 2011 PST using DSA key ID BD6608B2
gpg: Good signature from umesh (GPG encryptionl) a...@xxx.com

It is printing in logs everytime. Please advice what should i use to avoid
them.
Here is the command i am using:
gpg -q -d abc.gpg


Thanks,
Umesh
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Is commerical PGP.com compatible with Gnupg ???

2011-02-03 Thread Keith Theman


Hello,

Is the pgp from pgp.com compatible with gnupg ??

Is gnupg FIPS 140-2 compliant?

Dave
  ___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is commerical PGP.com compatible with Gnupg ???

On 2/3/11 12:34 PM, Keith Theman wrote:
 Is the pgp from pgp.com compatible with gnupg ??

Generally, yes.  PGP holds a patent on the Additional Decryption Key
functionality (which GnuPG developers have said will not be implemented
in GnuPG, even if it weren't patented), though, so that's an example of
one of the minor incompatibilities between the two.

 Is gnupg FIPS 140-2 compliant?

I am unaware of any certified laboratory which has declared GnuPG
conformant to any FIPS.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: learning which symmetric cipher via --status-fd when --decrypting

2011-02-03 Thread Werner Koch

On Thu,  3 Feb 2011 08:28, d...@fifthhorseman.net said:

 is there a way for a program that parses --status-fd to get this

Not yet.

 information, or does the program need to parse --logger-fd as well to

better don't do that; the messages may change.  What about this new
feature:

DECRYPTION_INFO mdc_method sym_algo
Print information about the symmetric encryption algorithm and
the MDC method.  This will be emitted even if the decryption
fails.


  $ ~/b/gnupg/g10/gpg2 --status-fd 2 enc+sig.asc
  [GNUPG:] ENC_TO 4F9915352D91F921 18 0
  gpg: encrypted with 256-bit ECDH key, ID 2D91F921, created 2011-02-03
Joe Random Hacker (test key with passphrase x) j...@setq.org
  [GNUPG:] BEGIN_DECRYPTION
  [GNUPG:] DECRYPTION_INFO 2 7
  [GNUPG:] PLAINTEXT 62 1296751201 
  [GNUPG:] PLAINTEXT_LENGTH 139
  The difference between the right word and the almost right word is the
  difference between lightning and the lightning bug.
  -- Mark Twain
  gpg: Signature made Thu Feb  3 17:40:01 2011 CET using ECDSA key ID 6AE8EAC3
  [GNUPG:] SIG_ID Fh+ZrREGtHN97DZR1dRxaRCohdo 2011-02-03 1296751201
  [GNUPG:] GOODSIG 9A7AE1B86AE8EAC3 Joe Random Hacker (test key with...
  gpg: Good signature from Joe Random Hacker (test key with passphrase...
  [GNUPG:] VALIDSIG 1C5AD3334C35780012F7D6979A7AE1B86AE8EAC3 2011-02-03 ...
  [GNUPG:] TRUST_FULLY
  [GNUPG:] DECRYPTION_OKAY
  [GNUPG:] GOODMDC
  [GNUPG:] END_DECRYPTION

Commit 5667e33.  There is no support in GPGME yet, but I added some
framework to support it.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: learning which symmetric cipher via --status-fd when --decrypting

On 02/03/2011 03:01 PM, Werner Koch wrote:
 On Thu,  3 Feb 2011 08:28, d...@fifthhorseman.net said:
 
 is there a way for a program that parses --status-fd to get this
 
 Not yet.
 
 information, or does the program need to parse --logger-fd as well to
 
 better don't do that; the messages may change.  What about this new
 feature:
 
 DECRYPTION_INFO mdc_method sym_algo
 Print information about the symmetric encryption algorithm and
 the MDC method.  This will be emitted even if the decryption
 fails.

This looks great.  Thanks, Werner!  Can we expect this in the 1.x and
2.0.x branches as well?

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

moving user ID Comments to --expert mode

Hi folks--

I'd like to propose that GnuPG only prompt the user for a Comment for
their User ID under --expert mode.

Here's why:

 * most people just need a simple identity-driven OpenPGP certificate,
one that matches their name and e-mail address.

 * new users see the prompt and think they need to enter something
there, without understanding why or what to put there.  This leads to
people either making a witticism (e.g. No Comment), repeating their
actual name, redundantly describing their e-mail address (e.g. gmail
address), or saying something like this is cool software, which then
becomes part of their User ID and goes on the keyservers, associated
with them permanently.

When keysigning, if i get asked to certify a key with a comment like
this, i don't know what to say.  What am i certifying if i say that this
key really belongs to Joe Schmoe (no comment) j...@example.org ? Joe
Schmoe j...@example.org i can understand and certify, but the
intervening comment doesn't seem sensible or verifiable.

There are indeed some possibly legitimate uses of comments, but many of
them would be better handled with notations attached to subkeys or
notations attached to particular user IDs.


What do other people think?


If moving the Comment: prompt to --expert seems to radical, a more
conservative proposal would be to change the prompt from:

 Comment:

to:

 Comment (leave blank unless you are sure you need this and know what
you are doing):

or:

 Comment (most people should leave this blank):


The example User ID prompt should also be changed (in english) from


 You need a user ID to identify your key; the software constructs the user ID
 from the Real Name, Comment and Email Address in this form:
 Heinrich Heine (Der Dichter) heinri...@duesseldorf.de

to:

 Your new key needs a User ID that identifies you; Usually, this takes
 the form of your real name followed by your e-mail address:
 Heinrich Heine heinri...@duesseldorf.de



Regards,

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
  * most people just need a simple identity-driven OpenPGP certificate,
 one that matches their name and e-mail address.

Whenever people talk about what most users need, I have to ask to see
the user survey that's showing this.  History has shown that technically
sophisticated users' ideas of what real users need tends to not
correlate very tightly with what real users say they need.

 If moving the Comment: prompt to --expert seems to radical, a more
 conservative proposal would be to change the prompt from:
 
  Comment:
 
 to:
 
  Comment (leave blank unless you are sure you need this and know what
 you are doing):
 
 or:
 
  Comment (most people should leave this blank):

Terse is beautiful.  I think something like

Comment (optional):

... would suffice, and would be a modest improvement on the current prompt.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: learning which symmetric cipher via --status-fd when --decrypting

2011-02-03 Thread Werner Koch

On Thu,  3 Feb 2011 21:13, d...@fifthhorseman.net said:

 This looks great.  Thanks, Werner!  Can we expect this in the 1.x and
 2.0.x branches as well?

Hmmm.  If you really want that please out it into the tracker; there is
a topic keyword backport.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Crontab running gpg script can’t find secret key

2011-02-03 Thread griffmcc

The user running the cron job is root and the owner of the key is root.

I know this because I added

whoami whoami.txt

to the script and the contents of the file were root.

David SMITH-4 wrote:

griffmcc wrote:
Although I can encrypt a file using a script, when crontab runs the same
script, it returns the error message “no default secret key: No secret
key”. I have one secret key:

sananselmo backupscripts.d # gpg --list-secret-keys
/root/.gnupg/secring.gpg

sec 2048R/AC1E8E28 2011-01-11
uid Griff McClellan (Broadmark Asset Management)
ssb 2048R/81E9591C 2011-01-11

Here is my script:

gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt –sign
/usr/share/tararchive/file.tar.bz2

When I run it I am prompted for a password, even though I have the batch
flag. However the file.gpg encrypted file is created. When I run the
same script as root using crontab, I get:

gpg: no default secret key: No secret key

Does anyone have any suggestions about how to fix this problem? I tried
setting the default-flag in gpg.conf but that didn’t change the outcome.

Which user ID is the cron script running under? Is that user the same
one that owns the key?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
View this message in context:
http://old.nabble.com/Crontab-running-gpg-script-can%E2%80%99t-find-secret-key-tp30831486p30838341.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Solution: Crontab running gpg script can’t find secret key

2011-02-03 Thread griffmcc


Here's what works for me:


echo 'password' | gpg -vvv --homedir /root/.gnupg --batch --passphrase-fd 0
--output /usr/share/file.gpg --encrypt --sign /usr/share/file.tar.bz2


-- 
View this message in context: 
http://old.nabble.com/Crontab-running-gpg-script-can%E2%80%99t-find-secret-key-tp30831486p30839184.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: learning which symmetric cipher via --status-fd when --decrypting

On 02/03/2011 04:19 PM, Werner Koch wrote:
 On Thu,  3 Feb 2011 21:13, d...@fifthhorseman.net said:
 
 This looks great.  Thanks, Werner!  Can we expect this in the 1.x and
 2.0.x branches as well?
 
 Hmmm.  If you really want that please out it into the tracker; there is
 a topic keyword backport.

reported, thanks:

https://bugs.g10code.com/gnupg/issue1316

Regards,

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 02/03/2011 04:07 PM, Robert J. Hansen wrote:
 On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
  * most people just need a simple identity-driven OpenPGP certificate,
 one that matches their name and e-mail address.
 
 Whenever people talk about what most users need, I have to ask to see
 the user survey that's showing this.  History has shown that technically
 sophisticated users' ideas of what real users need tends to not
 correlate very tightly with what real users say they need.

my user survey is from several years of trying to personally help
dozens of people of all skill levels learn how to use OpenPGP for secure
messaging.  Regardless of the intelligence or technical savvy of the
people i've personally helped get more comfortable with OpenPGP, i
believe all of them have been baffled by the Comment: prompt.

If anyone thinks that removing this prompt would be a Bad Thing, I would
love to have a clearer explanation of the Comment prompt that i could
refer to when i try to de-baffle people in the future.

Looking through my keyring, i see many more useless comments (clutter)
than i see comments that might possibly be useful.

Of the comments in user IDs in my keyring that might possibly be useful,
most of them would be better communicated in some other way than as
assertions of their personal identity.

I invite you to look through the User IDs in your own keyring, from the
perspective of a potential certifier, and ask yourself what does it
mean for me to certify these comments?

 Terse is beautiful.  

Omitting the baffling prompt entirely would be the most terse, which is
what i propose.  Do you object to that?

 I think something like
 
 Comment (optional):
 
 ... would suffice, and would be a modest improvement on the current prompt.

Yes, that would be an improvement over the current situation.  i suspect
it will cause a non-negligible proportion of users to use the string
optional as their comment, but you can't win 'em all :(

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote:
 my user survey is from several years of trying to personally help
 dozens of people of all skill levels learn how to use OpenPGP for secure
 messaging.  Regardless of the intelligence or technical savvy of the
 people i've personally helped get more comfortable with OpenPGP, i
 believe all of them have been baffled by the Comment: prompt.

I'm in a similar position to you, except this is my twentieth year of
helping people with PGP.  (I started way back in 1991, when PGP first
came out and was distributed friend-to-friend on floppy disks... five
and a quarter floppy disks.)

I have never seen anyone be baffled by the 'Comment:' prompt.  Some
people have asked, What should I type here?, and I usually explain,
nothing, just hit return, and they do.  Those who ask what the
Comment field means generally understand it very quickly.

The problem with using anecdotal evidence as opposed to surveys is
there's all different kinds of cognitive biases that go on inside the
mind of the person relating the anecdote.  With surveys, you can go back
to the original documents and say, User #4 said this: what do we think
about this user's remarks?

Ultimately, I think arguing from anecdote that we need to change the
comment prompt is unpersuasive.

 If anyone thinks that removing this prompt would be a Bad Thing, I would
 love to have a clearer explanation of the Comment prompt that i could
 refer to when i try to de-baffle people in the future.

Just like a user ID allows you to tell people your email address and
your real name, it also lets you put a note in there in case there's
anything else you really want people to know.  You can skip this: just
hit 'return.'

 I invite you to look through the User IDs in your own keyring, from the
 perspective of a potential certifier, and ask yourself what does it
 mean for me to certify these comments?

Zero.  Comments don't get certified.  All my signature means is I have
met this person face to face, have seen two forms of government
identification, have confirmed a fingerprint and exchanged an email at
that address.  There's nothing in my signature policy that addresses
comments, nothing at all.

 Omitting the baffling prompt entirely would be the most terse, which is
 what i propose.  Do you object to that?

Without a good basis, yes, I do.  If you change this prompt you will
also break a ton of scripts that expect this prompt.  Not only that, but
since key generation is a rare occurrence the breakage may occur months
or years after the change is made.  This isn't something to be done lightly.

 Yes, that would be an improvement over the current situation.  i suspect
 it will cause a non-negligible proportion of users to use the string
 optional as their comment, but you can't win 'em all :(

You can't prevent people from being gratuitously foolish idiots.  Some
people think they're tremendously clever by doing things like this, and
they'll continue to do it no matter how you change the user interface.
It is unwise to Fisher-Price the interface in the hopes of preventing
fools from being clever.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Jameson Rollins

On Thu, 03 Feb 2011 17:10:58 -0500, Robert J. Hansen r...@sixdemonbag.org 
wrote:
 On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote:
  my user survey is from several years of trying to personally help
  dozens of people of all skill levels learn how to use OpenPGP for secure
  messaging.  Regardless of the intelligence or technical savvy of the
  people i've personally helped get more comfortable with OpenPGP, i
  believe all of them have been baffled by the Comment: prompt.
 
 I'm in a similar position to you, except this is my twentieth year of
 helping people with PGP.  (I started way back in 1991, when PGP first
 came out and was distributed friend-to-friend on floppy disks... five
 and a quarter floppy disks.)
 
 I have never seen anyone be baffled by the 'Comment:' prompt.  Some
 people have asked, What should I type here?, and I usually explain,
 nothing, just hit return, and they do.  Those who ask what the
 Comment field means generally understand it very quickly.

I have to agree with Daniel that I have in fact honestly never spoken to
anyone who was *not* confused by that field.  I can't ever remember
seeing a comment field used in any way that made sense to me.

  I invite you to look through the User IDs in your own keyring, from the
  perspective of a potential certifier, and ask yourself what does it
  mean for me to certify these comments?
 
 Zero.  Comments don't get certified.  All my signature means is I have
 met this person face to face, have seen two forms of government
 identification, have confirmed a fingerprint and exchanged an email at
 that address.  There's nothing in my signature policy that addresses
 comments, nothing at all.

I'm not sure I understand this comment.  Certifications are over user
IDs.  The comments are in the user IDs.  By certifying the full user ID
you are also certifying the comment.

  Omitting the baffling prompt entirely would be the most terse, which is
  what i propose.  Do you object to that?
 
 Without a good basis, yes, I do.  If you change this prompt you will
 also break a ton of scripts that expect this prompt.  Not only that, but
 since key generation is a rare occurrence the breakage may occur months
 or years after the change is made.  This isn't something to be done lightly.

I think this is why his original suggestion was to move it instead to
--expert.  Moving it to --expert makes a lot of sense to me.

jamie.


pgptusULBZJoU.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Dirk Walter

I like the idea of adding the (Optional) to the prompt because I'm a
big fan of optional fields being marked as such. This is an simple and
elegant fix to an issue.

And I'd hesitate to move it to expert since we have been (ab)using the
comment field for our keys, then again this is being used by sysadmins
who should know what they are doing, so moving it to expert mode
shouldn't be too bad... but what should be is not the same as what is.

On Thu, Feb 3, 2011 at 4:07 PM, Robert J. Hansen r...@sixdemonbag.org wrote:
 On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
  * most people just need a simple identity-driven OpenPGP certificate,
 one that matches their name and e-mail address.

 Whenever people talk about what most users need, I have to ask to see
 the user survey that's showing this.  History has shown that technically
 sophisticated users' ideas of what real users need tends to not
 correlate very tightly with what real users say they need.

 If moving the Comment: prompt to --expert seems to radical, a more
 conservative proposal would be to change the prompt from:

  Comment:

 to:

  Comment (leave blank unless you are sure you need this and know what
 you are doing):

 or:

  Comment (most people should leave this blank):

 Terse is beautiful.  I think something like

 Comment (optional):

 ... would suffice, and would be a modest improvement on the current prompt.

 ___
 Gnupg-users mailing list
 Gnupg-users@gnupg.org
 http://lists.gnupg.org/mailman/listinfo/gnupg-users


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Solution: Crontab running gpg script can’t find secret key

2011-02-03 Thread Ingo Klöcker

On Thursday 03 February 2011, griffmcc wrote:
 Here's what works for me:
 
 
 echo 'password' | gpg -vvv --homedir /root/.gnupg --batch
 --passphrase-fd 0 --output /usr/share/file.gpg --encrypt --sign
 /usr/share/file.tar.bz2

I suggest setting the passphrase of the key to an empty passphrase. 
Using a non-empty passphrase and then putting this secret passphrase 
in the crontab totally defeats the purpose of the passphrase. Moreover, 
the passphrase will be available to anybody who knows ps.


Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Jerry

On Thu, 03 Feb 2011 16:30:00 -0500
Daniel Kahn Gillmor d...@fifthhorseman.net articulated:

 On 02/03/2011 04:07 PM, Robert J. Hansen wrote:
  On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
   * most people just need a simple identity-driven OpenPGP
  certificate, one that matches their name and e-mail address.
  
  Whenever people talk about what most users need, I have to ask to
  see the user survey that's showing this.  History has shown that
  technically sophisticated users' ideas of what real users need
  tends to not correlate very tightly with what real users say they
  need.
 
 my user survey is from several years of trying to personally help
 dozens of people of all skill levels learn how to use OpenPGP for
 secure messaging.  Regardless of the intelligence or technical savvy
 of the people i've personally helped get more comfortable with
 OpenPGP, i believe all of them have been baffled by the Comment:
 prompt.

Statistically speaking, a few dozen users is not very meaningful.
Furthermore, did you have a test group to compare these results
against? In addition, did any one who claimed to be knowledgeable with
the concepts of PGP ask you for assistance? Probably not which causes
your statistical analyses to be in error. It reminds me of the famous
Coke a Cola debacle in the 80's. Their analysis was so flawed that
they eventually fired everyone involved in the fiasco, not to mention
the fact that they lost millions of dollars.

In any case, statistics can be made to represent anything you
want them to. If 5% of a group suffers from constipation does that mean
the remaining 95% enjoys it?

-- 
Jerry ✌
gnupg.u...@seibercom.net
_
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

Q:  What is the difference between Texas and yogurt?
A:  Yogurt has culture.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 02/03/2011 05:22 PM, Jameson Rollins wrote:
 On Thu, 03 Feb 2011 17:10:58 -0500, Robert J. Hansen r...@sixdemonbag.org 
 wrote:
 Zero.  Comments don't get certified.  All my signature means is I have
 met this person face to face, have seen two forms of government
 identification, have confirmed a fingerprint and exchanged an email at
 that address.  There's nothing in my signature policy that addresses
 comments, nothing at all.
 
 I'm not sure I understand this comment.  Certifications are over user
 IDs.  The comments are in the user IDs.  By certifying the full user ID
 you are also certifying the comment.

Just to clarify this point:

If i meet Robert in person, show him my gov't IDs, my fingerprint, and
we exchange e-mails, Robert would probably be fine certifying this User ID:

 Daniel Kahn Gillmor d...@fifthhorseman.net

But i suspect he would not want to certify this User ID:

 Daniel Kahn Gillmor (I am really Robert Hansen) d...@fifthhorseman.net

And he would be right to do avoid certifying it.

--dkg



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 5:47 PM, Daniel Kahn Gillmor wrote:
 By certifying the full user ID you are also certifying the comment.

This is not how either OpenPGP or GnuPG work.

Certifiers get to define what their certifications mean.  Bang, period,
end of sentence.  There are *no* certification semantics in OpenPGP:
there is only a rich and comprehensive set of syntactic primitives.
It's true that, say, a persona-level signature is different
syntactically than an I-have-done-extensive-checking signature: but
OpenPGP quite wisely says *nothing* about the level of checking which
goes into each signature level.

If you see a certification and you assume you know what the certifier
intends, then you are living in sin.  Ask the certifier what for their
policy: that's the only way to know.  Some people will make
certifications willy-nilly (well, I've traded emails with the guy a few
times...).  Some will make certifications only very carefully.  Some
will make totally unreasonable certifications because they don't know
any better, and some will not make reasonable certifications because
they have an abundance of paranoia.  Unless you ask the certifier, *you
do not, and cannot, know*.

By certifying the full user ID, I am making a statement that is derived
from my own local certification policy.  That's all.  Nothing else.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Hauke Laging

Am Donnerstag 03 Februar 2011 23:22:38 schrieb Jameson Rollins:

 I think this is why his original suggestion was to move it instead to
 --expert.  Moving it to --expert makes a lot of sense to me.

Perhaps it makes sense to extend the output of --gen-key by a hint like 
Additional features are enabled by the option --expert. Have a look at the 
documentation.

This is independent of this discussion, though. It took me several years to 
notice this option... ;-)


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode


On 02/03/2011 15:16, Hauke Laging wrote:

Am Donnerstag 03 Februar 2011 23:22:38 schrieb Jameson Rollins:


I think this is why his original suggestion was to move it instead to
--expert.  Moving it to --expert makes a lot of sense to me.


Perhaps it makes sense to extend the output of --gen-key by a hint like
Additional features are enabled by the option --expert. Have a look at the
documentation.

This is independent of this discussion, though. It took me several years to
notice this option... ;-)


That's part of the test. Congratulations on your passing grade. :)


--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode


On 02/03/2011 14:22, Jameson Rollins wrote:

I have to agree with Daniel that I have in fact honestly never spoken to
anyone who was*not*  confused by that field.  I can't ever remember
seeing a comment field used in any way that made sense to me.


I'm as pedantic as the next geeky dev, but I agree with this, and 
believe that arguing from example is perfectly valid in this case.


FWIW I would love to see the comment field moved to expert mode since it 
rather clearly qualifies under the If you don't already know that you 
need this, you don't need this category that --expert is designed to 
protect the casual user from. I think (Optional) would be an Ok 
compromise if that's what the gnupg devs think is right, although 
something closer to (You probably don't want to type anything here, no, 
really, don't do it) would be better. :)



Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread David Shaw

On Feb 3, 2011, at 5:10 PM, Robert J. Hansen wrote:

 I invite you to look through the User IDs in your own keyring, from the
 perspective of a potential certifier, and ask yourself what does it
 mean for me to certify these comments?
 
 Zero.  Comments don't get certified.  All my signature means is I have
 met this person face to face, have seen two forms of government
 identification, have confirmed a fingerprint and exchanged an email at
 that address.  There's nothing in my signature policy that addresses
 comments, nothing at all.

I'm afraid I'm not parsing your point here.  Comments are part of the user ID 
field.  When you make a certification, they are included in the hash.  You 
can't sign part of a user ID.

Are you saying that you don't sign things with comments?  (Comments don't get 
certified).

Or are you arguing the *meaning* of the certification (you may or may not sign 
the user ID, but if you did sign it, the comment part should be considered null 
and void in terms of your particular certification)?

Or something else?

 Omitting the baffling prompt entirely would be the most terse, which is
 what i propose.  Do you object to that?
 
 Without a good basis, yes, I do.  If you change this prompt you will
 also break a ton of scripts that expect this prompt.  Not only that, but
 since key generation is a rare occurrence the breakage may occur months
 or years after the change is made.  This isn't something to be done lightly.

I suppose I don't really have particularly strong feelings about whether 
comment is put under --expert or not, but either way this argument is not a 
good one.  We have made many changes to the keygen prompts over time, and no 
doubt will continue to do so in the future.  The only scriptable interface for 
key generation in GPG is --batch --key-gen, and it is documented as such.

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 6:30 PM, David Shaw wrote:
 Or are you arguing the *meaning* of the certification (you may or may
 not sign the user ID, but if you did sign it, the comment part should
 be considered null and void in terms of your particular
 certification)?

This.  I may agree with the comment, I may disagree with it, but either
way I am not vouching for it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Jameson Rollins

On Thu, 03 Feb 2011 17:54:39 -0500, Robert J. Hansen r...@sixdemonbag.org 
wrote:
  But i suspect he would not want to certify this User ID:
  
   Daniel Kahn Gillmor (I am really Robert Hansen) d...@fifthhorseman.net
 
 Correct.  Because the presence of my signature means something.  The
 *absence* means *nothing at all*, and you're smart enough to know that.

Just out of curiosity, can you explain why you wouldn't sign dkg's
hypothetical user ID?

jamie.


pgpkFAKu20oug.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: learning which symmetric cipher via --status-fd when decrypting

2011-02-03 Thread vedaal

Message: 8
Date: Thu, 03 Feb 2011 02:28:05 -0500
From: Daniel Kahn Gillmor d...@fifthhorseman.net

is there a way to get information about which symmetric cipher was 

used on an encrypted message when decrypting?

There may be other direct ways, but a simple unexpected way, is to 
use the option of --show-session-key.

Upon decryption, GnuPG shows the number of the symmetric algorithm, 
followed by a colon, followed by the session key string
(i.e, '2:' indicates that 3DES is the symmetric cipher used). 

vedaal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 6:09 PM, Jameson Rollins wrote:
 Just out of curiosity, can you explain why you wouldn't sign dkg's
 hypothetical user ID?

Because with a comment like that, my impression would be that he was
aiming to deliberately yank my chain: and why should I put up with that?

To use that as an example, and to simultaneously lose sight of the you
know, I'm kind of being a jerk here, and why should do me a favor by
making a certification if I'm being a jerk to him? factor, is to reduce
humanity to automation.  It implicitly says, you must do this, because
to be otherwise is illogical.

I demand logic in technical matters.  In social matters, I embrace my
humanity, which is to say my right to be inconsistent.  I heartily
recommend this course of living to everyone.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Matthew James Goins

On Thu, Feb 03, 2011 at 04:07:40PM -0500, Robert J. Hansen wrote:
 Whenever people talk about what most users need, I have to ask to see
 the user survey that's showing this.

I don't think it matters what the real numbers are. We've all seen user
ids with utterly unhelpful comments, and it stands to reason that some
fraction of them were put in place because novice users felt obligated
to include a comment. The first time I used gnupg this is exactly what I
did, as evident in my old keys on the keyservers.

Personally I've never seen a comment that helped me identify the owner
of a key in a meaningful way.

So since it occasionally causes silliness, and rarely or never to my
knowledge helps, I would go so far as to say that use of comments should
be strongly discouraged.

--mjgoins



signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 5:32 PM, Matthew James Goins wrote:
 Personally I've never seen a comment that helped me identify the owner
 of a key in a meaningful way.

The problem with anecdote is everyone's anecdote is different.  As a ham
radio operator (KC0SJE), I have a fair number of keys that have comments
of Amateur radio: KC0SJE.  (A former cert of mine had Amateur Radio
tagged on my kc0sje@my.domain address, for instance.)  And yes, I do
find it helpful to have someone's ham call on their key: when I'm
sending a contact report to someone, it's nice to be able to grep
through my keyring looking for their call sign and get the email address
it should go to.

The user community is huge.  Just because you don't see it doesn't mean
other people don't use it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 8:17 PM, Doug Barton wrote:
 So, you're saying that hams are not smart enough to figure out how to
 use expert mode if they really want this functionality? :)

You're moving the goalposts.  That was responding to someone who denied
the usefulness of comments at all.  If I'm establishing there are
communities who use comments, and these communities often exist under
the radar of list members, then it's disingenuous to say but they can
just use expert mode.

Whether it should be in normal mode or expert mode is a completely
different question from whether there exist a significant number of
users who find the comment field useful.

As long as we're moving things into expert mode, I'd like to see all
non-default options moved into expert mode, including key lengths.  I've
never seen anyone outside of the intelligence community who had a need
for a 4096-bit key: why do we support generating them?  I've seen people
screw up expiration dates more often than I've seen them use expiration
dates as part of a sane, rational security policy: why is this option
part of the default, why isn't setting an expiration date reserved for
expert users?  Etc., etc.

If you open up the well, I think it ought to be in expert mode, there
are a lot of other things that ought to be moved over there first.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode


On 02/03/2011 17:23, Robert J. Hansen wrote:

On 2/3/11 8:17 PM, Doug Barton wrote:

So, you're saying that hams are not smart enough to figure out how to
use expert mode if they really want this functionality? :)


You're moving the goalposts.  That was responding to someone who denied
the usefulness of comments at all.  If I'm establishing there are
communities who use comments, and these communities often exist under
the radar of list members,


I don't disagree with anything above, but


then it's disingenuous to say but they can just use expert mode.


Why? Restating my argument in a more serious fashion:

1. There are very few people who usefully benefit from comments
2. Most novice users who add a comment do so badly
3. Therefore moving the option to expert mode is a win for the community.


Whether it should be in normal mode or expert mode is a completely
different question from whether there exist a significant number of
users who find the comment field useful.


I actually disagree with this as stated, although I will grant you that 
point 2 above is included in the overall issue. :)



As long as we're moving things into expert mode, I'd like to see all
non-default options moved into expert mode, including key lengths.  I've
never seen anyone outside of the intelligence community who had a need
for a 4096-bit key: why do we support generating them?  I've seen people
screw up expiration dates more often than I've seen them use expiration
dates as part of a sane, rational security policy: why is this option
part of the default, why isn't setting an expiration date reserved for
expert users?  Etc., etc.


That all sounds good to me.


Doug (seriously)

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode


On 02/03/2011 17:10, Robert J. Hansen wrote:

On 2/3/11 5:32 PM, Matthew James Goins wrote:

Personally I've never seen a comment that helped me identify the owner
of a key in a meaningful way.


The problem with anecdote is everyone's anecdote is different.  As a ham
radio operator (KC0SJE), I have a fair number of keys that have comments
of Amateur radio: KC0SJE.


So, you're saying that hams are not smart enough to figure out how to 
use expert mode if they really want this functionality? :)



Doug


--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

On 2/3/11 8:36 PM, Doug Barton wrote:
 then it's disingenuous to say but they can just use expert mode.
 
 Why?

Because it does not recognize the validity of a well-answered question.
 When a question is asked and answered, it is good form to recognize the
answer, rather than say ... well, but!  Moving the goalposts, in
addition to being a logical fallacy, tends to persuade people that
you're not really interested in the answer.


... E.g., Lee Harvey Oswald didn't kill Jack Kennedy!  The shots
weren't fired from the Texas Book Depository.  Well, in point of fact,
his co-workers saw him going up to the floor where he fired from, and a
lifelong hunter co-worker of his was exactly one floor below and heard
the gunshots, the shooter working the bolt of the rifle, and the brass
ejecting on the floor.  But there's no way any human being could fire
those shots that quickly and accurately!  That's the work of a military
sniper, not a deranged gunman!  Oswald couldn't have been the shooter!
 Well, now you're moving the goalposts: but, while we're talking about
it, the Warren Commission was able to find an Army specialist[*] who was
able to not only fire faster than that, but with better accuracy.  But
what about the grassy knoll and the fourth gunshot?! ... Listen, you're
not really interested in having a discussion about this, are you?  For
every claim of yours that gets refuted, you just move the goalposts
somewhere else.  I'm done talking: it doesn't matter what answer I give,
you're going to keep subscribing to these ridiculous and refuted
conspiracy theories.



[*] Non-Americans: 'specialist' is a rank in the United States Army,
just barely above a raw recruit.  Instead of being a specialist
shooter, as you might think from the phrase Army specialist, it
really means, the Warren Commission found a young soldier who was
barely able to tie his own shoes without a sergeant's help, and even
*he* was able to do a better job than Oswald.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Faramir

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

El 03-02-2011 22:17, Doug Barton escribió:
 On 02/03/2011 17:10, Robert J. Hansen wrote:
...
 The problem with anecdote is everyone's anecdote is different.  As a ham
 radio operator (KC0SJE), I have a fair number of keys that have comments
 of Amateur radio: KC0SJE.
 
 So, you're saying that hams are not smart enough to figure out how to
 use expert mode if they really want this functionality? :)

  Guys, it is just a comment field, is it so hard to ignore comments
that are meaningless to you? Maybe they have some meaning to someone else.

  Personally, I'm tired of saying ok, where did they put that thing I
used to use, and that was so easy to find in the previous version?.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJNS4aIAAoJEMV4f6PvczxAb7IH/iNa8WB2hGBokex3HPbmihXc
cEx0hSmeXKgkGbD7lVi7V9CBy6FCdYcTqTQCs3i5SIPCabBbEai/yzbg9Smgf5Nc
ZbhDxb7sFimKAXrzi0+VZO9x4IlpNHZYUWvJya1xr085XKnIrBl0FUMGXqVV7MeM
PRUUlFeKa2MvK3nOLlK9KeMJb3C0t/A0KRwxl7997q7d9INATAz9ZrDd2U5Bync9
aSwx74ZvGvaVnEMUK0E3Y8EwLUIb0CqDUPPtN1Y3mndxBuksGN1BDtDQmHfRjIQl
l53WKG9cq2k4TzxXJ4U/OTPRTPG3pFsNAgDkpBp6Kh2cwW+qvxPLd2sQubhh0s4=
=tS8D
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode

2011-02-03 Thread Werner Koch

On Thu,  3 Feb 2011 21:59, d...@fifthhorseman.net said:

  * new users see the prompt and think they need to enter something
 there, without understanding why or what to put there.  This leads to
 people either making a witticism (e.g. No Comment), repeating their

I have only seen a few of these comments; thus I don't think it is a
real problem.  I use the comment failed mainly to indicate a test key
and I have seen other sensible usages as well.  Many might nor know that
there is a help feature for every input field:

  GnuPG needs to construct a user ID to identify your key.
  
  Real name: d
  Email address: @
  Comment: ?
  Please enter an optional comment.
  The characters ( and ) are not allowed.
  In general there is no need for a comment.
  Comment: 

but many more users are using a GUI for key generation and thus it is up
to the GUI to preset the comment field.  For example GPA uses in
non-advanced mode a wizard dialog for key generation and that one does
not ask for comment.

I don't have any strong feelings about this, however, here is my own
proposal:

  GnuPG needs to construct a user ID to identify your key.
  
  Real name: d
  Email address: @
  You selected this USER-ID:
  d @
  
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? c
  Comment: test key
  You selected this USER-ID:
  d (test key) @
  
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? q

No expert option and no translation changes required, just one more key
stroke to enter a comment.  The drawback is as with the --expert option:
we will receive bug reports like I can't enter a comment anymore ;-).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode


On 02/03/2011 17:52, Robert J. Hansen wrote:

On 2/3/11 8:36 PM, Doug Barton wrote:

  then it's disingenuous to say but they can just use expert mode.


  Why?

Because it does not recognize the validity of a well-answered question.


I recognized it, but I don't think the answer is as central to the 
question of moving comments to expert mode as you do. Daniel's argument 
boils down to almost everyone who uses a comment doesn't need to, and 
most of the ones who do use them poorly. Your counter argument boils 
down to, yeah, but here is a group of people who use comments well. I 
gave a tongue-in-cheek response, but the kernel of it was (IMO) pertinent.



Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: moving user ID Comments to --expert mode