Re: key length for smart card key generation
On 2013-03-01 02:08, Josef Schneider wrote:
> On Thu, Feb 28, 2013 at 10:34 PM, Peter Lebbing <pe...@digitalbrains.com> wrote:
>> On 27/02/13 22:58, Anonymous wrote:
>>> So I should be able to import the key...but not use it unless it is 3072 bits or less?
>>
>> If we're all talking about RSA here, I think so.
>
> Using a 4096 bit RSA key _should_ work if you compile the current source from the git repository and then _should_ work with 2.0.20 once that is out!

I've imported a 4096bit RSA key, and can use it without any problem on 2.0.18.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Public Keys not showing up in Choose Recipients
I have used OpenPGP a few times before and it worked just fine. I just began to use it again and have run into an issue.

I wish to encrypt text written on IOS Notepad. So I copy and paste someone's public key into a notepad file, and then Import into my GPG Keychain Access. It then loads the public key along with an email and all that information.

I type some text in Notepad, I then highlight, right-click, Services, OpenPGP: Encrypt Selection. This opens a box "Choose Recipients", and only a couple of the public keys I have in my PGP Keychain Access show up, namely ones I had loaded on months ago (which showed up immediately back then). I have tried nearly a half dozen public keys and they all fail to show up in this Choose Recipients box, preventing me from encrypting my text.

Essentially, my problem is that new public keys will not show up outside of my keychain.

I have tried:
- Multiple different public keys
- Reinstalling GPG Keychain Access
- Updating GPG Keychain Access

IMPORTANT: Something I noticed. In the GPG Keychain Access directory of my public keys, there is a drop down arrow next to the public keys I have saved; this seems to reveal more about the keys. The ones that DO show up in the Choose Recipients box, under the Type column, have both types uid and sub. While the public keys that DO NOT show up are missing the sub.

I am new to this and it is almost a foreign language of encryption jargon, please help me out!! Thank you!
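An added check, not from the thread above (GPG Keychain Access is a front end over gpg): GnuPG will only encrypt to a certificate that contains an encryption-capable key, and a listing that shows `uid` rows but no `sub` row usually means the certificate has only a sign/certify-capable primary key, which gpg cannot use as a recipient. The script below walks a constructed `gpg --list-keys --with-colons` listing (field layout as documented in GnuPG's doc/DETAILS; the key IDs, fingerprints and user IDs are made up) and reports, for each certificate, whether there is a usable encryption key and, if not, why.

```python
# Constructed sample of `gpg --list-keys --with-colons` output (key IDs, user
# IDs and fingerprints are made up). Field 1 is the record type, field 2 the
# validity, field 5 the key ID, field 10 the user ID and field 12 the key's
# capabilities: e = encrypt, s = sign, c = certify, a = authenticate; upper-case
# letters on the pub line summarise what the whole certificate can still do.
SAMPLE_COLONS = """\
pub:u:2048:1:0123456789ABCDEF:1357000000:::u:::scESC::::::::
uid:u::::1357000000::0000000000000000000000000000000000000000::Alice Example (constructed) <alice@example.org>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1357000000::::::e::::::::
pub:u:2048:1:1111111111111111:1357000000:::u:::scSC::::::::
uid:u::::1357000000::1111111111111111111111111111111111111111::Bob Example (constructed, no encryption subkey) <bob@example.org>::::::::::0:
pub:u:2048:1:2222222222222222:1357000000:::u:::scSC::::::::
uid:u::::1357000000::2222222222222222222222222222222222222222::Carol Example (constructed, expired encryption subkey) <carol@example.org>::::::::::0:
sub:e:2048:1:3333333333333333:1357000000:1360000000:::::e::::::::
"""

# Validity codes that make a key unusable regardless of its capabilities:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE_VALIDITY = {"i", "d", "r", "e"}


def parse_colon_listing(text):
    """Group pub/sub/uid records into one dict per certificate."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "uids": [], "parts": [("pub", f[1], f[11])]})
        elif f[0] == "sub" and keys:
            keys[-1]["parts"].append(("sub", f[1], f[11]))
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def encryption_status(key):
    """(usable, reason): usable only if some key or subkey carries the lower-case
    'e' capability and has a validity that does not rule it out."""
    reasons = []
    for part_type, validity, caps in key["parts"]:
        if "e" not in caps:
            continue
        if validity in UNUSABLE_VALIDITY:
            reasons.append(f"{part_type} is encryption-capable but has validity '{validity}'")
            continue
        return True, f"usable encryption-capable {part_type}"
    return False, "; ".join(reasons) or "no encryption-capable key or subkey"


def recipient_report(text):
    """Map key ID -> (usable, reason) for every certificate in the listing."""
    return {k["keyid"]: encryption_status(k) for k in parse_colon_listing(text)}


if __name__ == "__main__":
    for key in parse_colon_listing(SAMPLE_COLONS):
        usable, reason = encryption_status(key)
        state = "offered" if usable else "NOT offered"
        print(f"{key['keyid']} {key['uids'][0]}: {state} ({reason})")
```

Run it against real output by piping `gpg --list-keys --with-colons` into `recipient_report`; a certificate reported as "no encryption-capable key or subkey" is the case the poster describes, and the fix is on the key owner's side (they need to add an encryption subkey and redistribute the key), not in the keychain application.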
Re: [Sks-devel] pool.sks-keyservers.net issues
Short version: bad interaction of GnuPG, cURL and Apache. Can probably be worked around in Apache config, can definitely be worked around in GnuPG code, should aim to get both done.

On 2013-02-28 at 10:01 -0800, Doug Barton wrote:
> 2001:470:1f09:5e7::2 worked
> 2001:470:1f0a:5d7::2 failed
>
> In any case thanks for clarifying the cause of the error ... it's just hard to debug without putting those options in first obviously, and with those options the output is very noisy.

417 is not load-related, Kristian's goofed.

417 _only_ happens when the client sends "Expect: 100-continue", in an HTTP/1.1 request, and a reverse proxy (or forward-proxy) knows that the backend is HTTP/1.0 only. GnuPG will use such a header with a _POST_ request, ie when _sending_ keys; that expectation is a POST optimisation, and it's coming from cURL.

In this case, the failing server is keys.wuschelpuschel.org, which is running GnuKS behind Apache. Since SKS/GnuKS only support HTTP/1.0, Apache has been correctly configured, per standards. nginx doesn't support returning 417, so this is only seen with Apache-fronted keyservers.

I see nothing in RFC2616 which explains how 1.1 clients speaking to 1.1 proxies with 1.0 origin servers should handle this. Presumably, they should retry.

Can someone running SKS/GnuKS behind Apache please use:

  gpg -v --keyserver-options verbose,debug --keyserver THEIRS --send-key WHATEVER

and confirm that they see this (as I do, reliably and reproducibly) and then try:

  <IfModule mod_headers.c>
    RequestHeader unset Expect early
  </IfModule>

I suspect that just ripping the header out of the request and pretending it's not there will let things work.

GnuPG developers: with GnuPG 2.0.19, in keyserver/gpgkeys_hkp.c main(), around line 783, I added an empty Expect: header to force cURL to not send that header, and it worked. I could then send a key to keys.wuschelpuschel.org.

---8<--- cut here ---8<---
  headers=curl_slist_append(headers,"Pragma: no-cache");
  if(headers)
    headers=curl_slist_append(headers,"Cache-Control: no-cache");
  /* Added this next bit: */
  if(headers)
    headers=curl_slist_append(headers,"Expect:");
---8<--- cut here ---8<---

So: I know GnuPG can work around it, that will take a while to work around. If we can get someone using Apache to confirm that the above fix works for them, we can push people to include it.

Kristian: I suggest that a pool check might try an HTTP/1.1 POST with an Expect: header and exclude from the main pools any server where this fails.

(Similarly, need to figure out what to do about nginx/FreeBSD/KQUEUE for GnuPG curl-shim ... harder to deterministically detect. For myself, I might suck it up and rebuild without KQUEUE support.)

Regards,
-Phil
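An added example, not Phil's code and not part of GnuPG or SKS: the exchange he describes, and the pool check he suggests, reproduced offline. The client does what libcurl does for a POST (sends the headers with `Expect: 100-continue`, then waits for an interim response before sending the body) and, on 417, retries with the header suppressed; the simulated frontend stands in for Apache proxying to an HTTP/1.0-only keyserver. The HKP submit path `/pks/add` and the form body are assumptions for the example, not taken from the thread.

```python
import socket
import threading

# Constructed stand-in for the form body `gpg --send-key` POSTs to a keyserver
# (the HKP submit path /pks/add is assumed here; this is not a real key).
SAMPLE_BODY = b"keytext=-----BEGIN+PGP+PUBLIC+KEY+BLOCK-----%0A...%0A-----END+PGP+PUBLIC+KEY+BLOCK-----%0A"


def _read_status(sock):
    """Read one status line plus headers from `sock`; return the status code."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    if not data.startswith(b"HTTP/"):
        raise ConnectionError("no HTTP status line received")
    return int(data.split(b" ", 2)[1])


def post_key(host, port, body, send_expect):
    """HTTP/1.1 POST of `body` to /pks/add. With send_expect=True the request
    carries the 'Expect: 100-continue' header libcurl adds to POSTs and the body
    goes out only after an interim '100 Continue'; any other interim answer
    (417 from a frontend whose backend is HTTP/1.0-only) is returned as-is."""
    lines = [
        "POST /pks/add HTTP/1.1",
        f"Host: {host}:{port}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if send_expect:
        lines.append("Expect: 100-continue")
    head = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(head)
        if send_expect:
            status = _read_status(s)
            if status != 100:
                return status
        s.sendall(body)
        return _read_status(s)


def send_key_with_fallback(host, port, body):
    """Client-side workaround from the thread: try libcurl's default first; on
    417 retry with the Expect header suppressed. Returns (first, final)."""
    first = post_key(host, port, body, send_expect=True)
    if first != 417:
        return first, first
    return first, post_key(host, port, body, send_expect=False)


def pool_check(host, port):
    """The pool check suggested in the thread: a server that answers 417 to an
    Expect: 100-continue POST fails and would be left out of the main pools."""
    return post_key(host, port, SAMPLE_BODY, send_expect=True) != 417


def _handle(conn, http10_backend):
    """One request on the simulated frontend. With http10_backend=True it acts
    like Apache in front of an HTTP/1.0-only SKS/GnuKS: a request expecting
    100-continue gets 417 before any body is read. Otherwise it sends
    100 Continue when asked, reads the body and answers 200."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            return
        data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("expect", "").lower() == "100-continue":
        if http10_backend:
            conn.sendall(b"HTTP/1.1 417 Expectation Failed\r\n"
                         b"Content-Length: 0\r\nConnection: close\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
    length = int(headers.get("content-length", "0"))
    while len(body) < length:
        chunk = conn.recv(4096)
        if not chunk:
            break
        body += chunk
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def start_simulated_frontend(http10_backend, n_requests):
    """Serve `n_requests` connections on 127.0.0.1 in a background thread and
    return the port. Constructed for this example; not a real keyserver."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        for _ in range(n_requests):
            conn, _addr = srv.accept()
            with conn:
                _handle(conn, http10_backend)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_simulated_frontend(http10_backend=True, n_requests=3)
    print("pool check passes:", pool_check("127.0.0.1", port))
    print("send with fallback:", send_key_with_fallback("127.0.0.1", port, SAMPLE_BODY))
```

Pointing `pool_check` at a real keyserver host and port turns it into the probe Phil proposes; note that the body is never sent when the frontend answers 417, which is exactly why the Apache `RequestHeader unset Expect early` workaround (dropping the header before the proxy decides) and the GnuPG side fix (never sending it) both resolve the same failure.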
Re: key length for smart card key generation
On Fri, 01 Mar 2013 09:20:10 +0100
Niels Laukens <ni...@dest-unreach.be> wrote:
> On 2013-03-01 02:08, Josef Schneider wrote:
>> On Thu, Feb 28, 2013 at 10:34 PM, Peter Lebbing <pe...@digitalbrains.com> wrote:
>>> On 27/02/13 22:58, Anonymous wrote:
>>>> So I should be able to import the key...but not use it unless it is 3072 bits or less?
>>>
>>> If we're all talking about RSA here, I think so.
>>
>> Using a 4096 bit RSA key _should_ work if you compile the current source from the git repository and then _should_ work with 2.0.20 once that is out!
>
> I've imported a 4096bit RSA key, and can use it without any problem on 2.0.18.

That's an excellent thing! I was hoping to find a smart-card that could work with 4096-bit RSA keys in order to use it as a small poor man's CA HSM (better than storing it in a soft key).

Now to see if there's any way of using the OpenPGP card through PKCS#11 :)

--
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.
Re: [Sks-devel] pool.sks-keyservers.net issues
On 03/01/2013 09:04 AM, Phil Pennock wrote:
> ..
> 417 is not load-related, Kristian's goofed.
>
> 417 _only_ happens when the client sends "Expect: 100-continue", in an HTTP/1.1 request, and a reverse proxy (or forward-proxy) knows that the backend is HTTP/1.0 only.

You are of course correct, not sure what I was thinking of, thanks for following up :)

> ...
> Kristian: I suggest that a pool check might try an HTTP/1.1 POST with an Expect: header and exclude from the main pools any server where this fails.

This is a good idea. I'll add it to my TODO list.

--
Kristian Fiskerstrand
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nil satis nisi optimum
Nothing but the best is good enough
Re: Questions about OpenPGP best practices
On 03/01/2013 12:07 AM, Doug Barton wrote:
> On 02/28/2013 09:33 AM, Kristian Fiskerstrand wrote:
> | for a service that specifically targets the OpenPGP community, I
> | consider using the OpenPGP WoT more appropriate than any CA
> | Corporation.
>
> Kristian, I certainly understand that perspective, however I see a couple of problems with it. First, there is a bootstrapping problem. People new to PGP almost certainly do not possess the skills to verify the signature file for the cert, even if they had an appropriate web of trust to rely on (which obviously they would not).
>
> Second, not using a cert signed by a recognized CA presents 2 problems, it increases the perception that the PGP community is a closed circle, such that if you don't already have the skills, we don't want to talk to you. For those new users that click through it adds further damage to their security habits, since we try to teach people NOT to do that, even though most people do it anyway.

Arguably the website doesn't provide information that strictly has to be protected by an HTTPS scheme. So to some extent this is avoided by such users using the HTTP website in the first place, and not necessarily contributing as many difficulties for bootstrapping new users. Another point is obviously that new users don't necessarily visit the website at all, but it is more for people with more special interests.

> In the previous era where free and/or low-cost SSL certs were not available I would have had a lot more sympathy with your position. However nowadays there are a non-zero number of good choices, including https://www.startssl.com/ which offers free certs, and has a good reputation in the community. I personally use them for my sites, although I have no other affiliation other than happy 'customer.'

Ironically enough I have a stronger affiliation than that, myself, as I still have an active reseller agreement :)

> I hope you'll reconsider your decision.

I certainly continuously consider constructive feedback on the setup, so will give it some more thought. The main issue I see is that when I experimented with this a while ago the two schemes were incompatible, i.e. I couldn't get monkeysphere to work with a CA signed X.509 certificate. For this to work I'll have to completely switch to the root CA approach, which I don't particularly trust, so I'd prefer to have a way to continue using the OpenPGP WoT.

--
Kristian Fiskerstrand
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nil satis nisi optimum
Nothing but the best is good enough
Re: Questions about OpenPGP best practices
On 03/01/2013 06:06 PM, Kristian Fiskerstrand wrote:
> On 03/01/2013 12:07 AM, Doug Barton wrote:
> ..
>> I hope you'll reconsider your decision.
>
> I certainly continuously consider constructive feedback on the setup, so will give it some more thought. The main issue I see is that when I experimented with this a while ago the two schemes were incompatible, i.e. I couldn't get monkeysphere to work with a CA signed X.509 certificate. For this to work I'll have to completely switch to the root CA approach, which I don't particularly trust, so I'd prefer to have a way to continue using the OpenPGP WoT.

Seems that was just me goofing again (thankfully it is weekend now!). Hopefully it works for both CA and OpenPGP WoT now!

--
Kristian Fiskerstrand
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
In politics stupidity is not a handicap. (Napoleon Bonaparte)
Re: Questions about OpenPGP best practices
On 25-02-2013 19:54, Peter Loshin wrote:
> ...
> 2. On keeping an encrypted backup of my secret key material, what method is recommended for doing that? (Presumably something like gpg --export-secret-keys | gpg --output secretkeymatter.gpg --symmetric?)

You can use the Paperkey utility to print your secret key (still protected by its passphrase). Paperkey removes the public key information from the secret key and prints it in a way that makes it very easy to OCR it or manually type it in case you need the backup. You will need your public key to restore the private key, but if you uploaded it to key servers, it is very likely you won't have trouble finding a copy of it.

Best Regards
PGP for zLinux [full info]
Hello,

I have sent an email earlier requesting information about the best PGP version to install in a zLinux server. Please find the full information of the OS below:

  Kernel 2.6.16.60-0.97.1-default running on an 18-processor s390x (under z/VM 6.2.0)

Many thanks in advance!

Thanks and Regards,
Gustavo Calado De Araujo
Delivery Competence - Application Developer - Datastage
Mobile: 55-41- 91840398 | Tie-Line: 732-4862
E-mail: gcal...@br.ibm.com
Av. Marechal Deodoro #717 10t Curitiba, PR 80020-320 Brazil

From: Gustavo Calado De Araujo/Brazil/Contr/IBM
To: gnupg-annou...@gnupg.org,
Cc: gnupg-users@gnupg.org
Date: 01/03/2013 12:52
Subject: PGP for zLinux

Hi,

I am currently using zLinux version 2.6.16.60-0.97.1-default
Which PGP version would you recommend for my OS?

Many thanks in advance.

Thanks and Regards,
Gustavo Calado De Araujo
Delivery Competence - Application Developer - Datastage
Mobile: 55-41- 91840398 | Tie-Line: 732-4862
E-mail: gcal...@br.ibm.com
Av. Marechal Deodoro #717 10t Curitiba, PR 80020-320 Brazil
PGP for zLinux
Hi,

I am currently using zLinux version 2.6.16.60.
Which PGP version would you recommend for my OS?

Many thanks in advance.

Thanks and Regards,
Gustavo Calado De Araujo
Delivery Competence - Application Developer - Datastage
Mobile: 55-41- 91840398 | Tie-Line: 732-4862
E-mail: gcal...@br.ibm.com
Av. Marechal Deodoro #717 10t Curitiba, PR 80020-320 Brazil
PGP for zLinux
Hi,

I am currently using zLinux version 2.6.16.60-0.97.1-default
Which PGP version would you recommend for my OS?

Many thanks in advance.

Thanks and Regards,
Gustavo Calado De Araujo
Delivery Competence - Application Developer - Datastage
Mobile: 55-41- 91840398 | Tie-Line: 732-4862
E-mail: gcal...@br.ibm.com
Av. Marechal Deodoro #717 10t Curitiba, PR 80020-320 Brazil
Re: PGP for zLinux [full info]
On Fri, 1 Mar 2013 17:04, gcal...@br.ibm.com said:
> I have sent an email earlier requesting information about the best PGP version to install in a zLinux server.

[This is the GnuPG mailing list and not a PGP list].

I don't know whether Symantec provides a version of PGP for this system. However, the standard GnuPG 1.4.x will build just fine on any Unix based system.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: PGP for zLinux
On 3/1/13 10:43 AM, gcal...@br.ibm.com wrote:
> Hi,
>
> I am currently using zLinux version 2.6.16.60.
> Which PGP version would you recommend for my OS?
>
> Many thanks in advance.

Most linux distributions include gnupg by default. I don't know if this is the case with zLinux. Try this from the command line to see if it's installed:

  gpg --version

--
Grant
http://rubygems-openpgp-ca.org - Sign Your Gems.
gpg: Signature made date time tamper resistant?
Hello,

is the gpg output "gpg: Signature made <date> <time>" tamper resistant? Or in other words, is the date and time taken from the signer's machine clock and signed with the signer's private key?

Cheers!
adrelanos
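An added example, not part of the thread, that shows where the timestamp behind "Signature made" lives in the signature itself. In an OpenPGP version 4 signature (RFC 4880, section 5.2.3) the creation time is a subpacket of the hashed subpacket area, and that area is fed into the hash that the signer's private key signs, so the value cannot be changed afterwards without invalidating the signature; the value is still whatever the signer's clock said at signing time. The parser below walks a constructed signature packet (the key ID, hash prefix and MPI are dummies, so it is not a verifiable signature) and reports which subpackets are in the hashed area; it handles only single-octet lengths, which is enough for this packet.

```python
import struct
from datetime import datetime, timezone

# Subpacket types from RFC 4880, section 5.2.3.1
SIG_CREATION_TIME = 2
ISSUER_KEY_ID = 16


def _parse_subpackets(area):
    """Parse a subpacket area into {type: body}. Only the one-octet length
    form (lengths below 192) is handled, which covers the subpackets used here."""
    out = {}
    pos = 0
    while pos < len(area):
        length = area[pos]  # covers the type octet plus the body
        if length >= 192:
            raise ValueError("multi-octet subpacket lengths are not handled in this example")
        sub_type = area[pos + 1] & 0x7F  # high bit is the 'critical' flag
        out[sub_type] = bytes(area[pos + 2:pos + 1 + length])
        pos += 1 + length
    return out


def parse_v4_signature(packet):
    """Parse a new-format OpenPGP signature packet (tag 2, version 4) and keep
    the hashed and unhashed subpacket areas apart. Everything from the version
    octet through the end of the hashed area is covered by the signature hash;
    the unhashed area, the hash prefix and the MPIs are not."""
    tag_octet = packet[0]
    if tag_octet & 0xC0 != 0xC0 or tag_octet & 0x3F != 2:
        raise ValueError("not a new-format signature packet")
    body_len = packet[1]
    if body_len >= 192:
        raise ValueError("multi-octet packet lengths are not handled in this example")
    body = packet[2:2 + body_len]
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    sig = {
        "sig_type": body[1],
        "pubkey_alg": body[2],
        "hash_alg": body[3],
        "hashed": _parse_subpackets(body[6:pos]),
        "unhashed": _parse_subpackets(body[pos + 2:pos + 2 + unhashed_len]),
        "covered_by_hash": bytes(body[:pos]),
    }
    pos += 2 + unhashed_len
    sig["hash_left16"] = bytes(body[pos:pos + 2])
    return sig


def creation_timestamp(sig):
    """Seconds since the epoch from the hashed creation-time subpacket, or None."""
    raw = sig["hashed"].get(SIG_CREATION_TIME)
    return struct.unpack(">I", raw)[0] if raw else None


def creation_time_is_hashed(sig):
    """True when the creation time sits in the hashed area, i.e. it cannot be
    altered without invalidating the signature (the value itself still comes
    from the signer's clock)."""
    return SIG_CREATION_TIME in sig["hashed"]


def build_sample_packet():
    """Constructed, structurally valid v4 signature packet for the parser above.
    The key ID, hash prefix and MPI are dummies; it is not a verifiable signature."""
    ts = int(datetime(2013, 3, 1, tzinfo=timezone.utc).timestamp())
    hashed = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", ts)
    unhashed = bytes([9, ISSUER_KEY_ID]) + bytes.fromhex("0123456789ABCDEF")
    body = (bytes([4, 0x00, 1, 8])  # v4, binary-document signature, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + bytes.fromhex("ABCD")  # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + bytes.fromhex("FFFF"))  # dummy 16-bit MPI
    return bytes([0xC2, len(body)]) + body


if __name__ == "__main__":
    sig = parse_v4_signature(build_sample_packet())
    when = datetime.fromtimestamp(creation_timestamp(sig), tz=timezone.utc)
    print("Signature made", when.isoformat(), "hashed:", creation_time_is_hashed(sig))
```

The practical consequence for a verifier is that the date is trustworthy only to the extent the signer's clock was, and the issuer key ID, which this constructed packet places in the unhashed area as many implementations do, is not protected by the signature at all; `gpg --list-packets` on a real signature shows the same split between "hashed subpkt" and "subpkt" entries.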