Dump all the properties of a key?
How do I dump all the properties of a key? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
Sorry, I sent the last mail only to Hubert. I was saying that Squeeze does not have in any of its repositories the versions that support IDEA: Max version of GnuPG is 1.4.12 http://packages.debian.org/search?keywords=gnupgsearchon=namesexact=1suite=allsection=all Max version of libgcrypt is 1.5.1 http://packages.debian.org/search?keywords=libgcrypt11searchon=namesexact=1suite=allsection=all So in other words, I can have IDEA support in Debian Squeeze only when I compile myself either the extension for GPG 1 or libgcrypt for GPG 2. Compiling and shipping IDEA means that I have to provide the sources of my software, correct? On Tue, Mar 26, 2013 at 7:40 AM, Jan Chaloupecky chal...@gmail.com wrote: I see gnupg 1.4.12-7 in Wheezy but not 1.4.13 http://packages.debian.org/wheezy/gnupg -- Jan On Monday, March 25, 2013 at 11:14 PM, Hubert Kario wrote: On Monday 25 of March 2013 21:05:02 Jan Chaloupecky wrote: On Monday, March 25, 2013 at 8:36 PM, Werner Koch wrote: On Mon, 25 Mar 2013 16:00, chal...@gmail.com (mailto:chal...@gmail.comchal...@gmail.com) said: I have to use GnuPG 1.4.10 and a self compiled idea.c from here You better use 1.4.13. I have to stick to the version provided by Debian Squeeze and it's 1.4.10. I haven't found any back port repositories. that's usually a sign that the package from testing, or in this case, wheezy, will work fine. Regards, -- Hubert Kario QBS - Quality Business Software 02-656 Warszawa, ul. Ksawerów 30/85 tel. +48 (22) 646-61-51, 646-74-24 www.qbs.com.pl -- Jan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On 03/25/13 20:05, Jan Chaloupecky wrote: On Monday, March 25, 2013 at 8:36 PM, Werner Koch wrote: On Mon, 25 Mar 2013 16:00, chal...@gmail.com so the question is .. can I ship the idea shared object with my software? The idea.c contains the following comments. So if I understand it You need to provide the full source code and including that file. ok so idea is GPL. Not quite. Werner's implementation of IDEA (as included in GnuPG) is copyrighted but released under the terms of the GPL, and therefore, if you take his source code directly and copy it (or any part of it) into your code, then you are restricted by the terms of the GPL. The algorithm itself cannot be copyrighted, but can be patented (and was). The patent covered /any/ implementation (whoever coded it). However, the patent(s) have now expired, so now anyone is free to code their own version of the algorithm under any license they like, provided they write their own version of the code, rather than just copying someone else's. Disclaimer: IANAL, you should get your own proper legal advice from a real lawyer, etc. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On 03/26/13 10:30, Jan Chaloupecky wrote: Sorry, I sent the last mail only to Hubert. I was saying that Squeeze does not have in any of its repositories the versions that support IDEA: Max version of GnuPG is 1.4.12 http://packages.debian.org/search?keywords=gnupgsearchon=namesexact=1suite=allsection=all Max version of libgcrypt is 1.5.1 http://packages.debian.org/search?keywords=libgcrypt11searchon=namesexact=1suite=allsection=all So in other words, I can have IDEA support in Debian Squeeze only when I compile myself either the extension for GPG 1 or libgcrypt for GPG 2. Compiling and shipping IDEA means that I have to provide the sources of my software, correct? Not necessarily. If you write your own implementation of IDEA, you can release it under any license you like. If you include libgcrypt in your software, then it depends on how you use it. libgcrypt appears to be licensed under either GPL or LGPL[1], so if you dynamically link against a separately-compiled libgcrypt library, then you don't have to release your source because you can use libgcrypt under the LGPL. You can ship your own software and an LGPL-licensed library together (e.g. in a tarfile), provided that the LGPL-licensed stuff is easily separable from the proprietary stuff (i.e. in an independant library which contains *only* LGPL code). You do still have to include in your shipment information to state that it includes libgcrypt licensed under the LGPL, and provide facilities for your customers to get access to the libgcrypt source code. If you make any changes to the libgcrypt code to use for your application, then you must make the source code for those changes available. If you statically link libgcrypt into your software (i.e. compile it in to the binary), then it is no longer easily separable from the proprietary code, so you must release the source code to your software, and furthermore, you cannot prevent anyone copying, modifying and distributing your software and/or source code. Again, IANAL, get your own professional legal advice, etc... [1] http://directory.fsf.org/wiki/Libgcrypt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Dump all the properties of a key?
On 03/25/2013 06:30 PM, Jack Bates wrote: How do I dump all the properties of a key? it's not clear to me what you're looking for, but here are a few options that might provide you with useful information: gpg --export-options export-minimal --export $KEYID | pgpdump gpg --export-options export-minimal --export $KEYID | gpg --list-packets if you are interested in the list of other people's certifications (or old self-certifications) you could omit the --export-options export-minimal arguments. If you're looking for some piece of information in particular, asking in more detail can make it easier for other people to help you get the answer you're looking for. hth, --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg for anonymous users - Alternative to the web of trust?
As a brief introduction, I am adrelanos, the strictly pseudonymous (anonymous) maintainer of Whonix, an Open Source Anonymous Operating System. [1] I gpg-sign binary releases and source code (git tags) in order to authenticate Whonix to users, and prevent adversaries from distributing altered versions in my name. Given that I can't meet with other Linux or Tor developers who could verify my identity and sign my key, how can I establish a web of trust for potential Whonix users to rely on? More generally, how can strictly pseudonymous people establish webs of trust? In an attempt to bootstrap my public key from the Web, it's available on keyservers, in Whonix source code and binary releases, and on my homepage and project page. [3] By mirroring my key to many http, https and/or .onion sites, it becomes harder and harder to impersonate me. However, that hasn't worked out very well, because search engines apparently don't index keys, and so there is no way to verify my list of public key mirrors. How can I establish a pseudonym that no one can easily fake while remaining anonymous? [1] http://whonix.sf.net/ [2] https://sourceforge.net/p/whonix/wiki/Trust/ [3] https://sourceforge.net/p/whonix/wiki/OpenPGP/#bootstrapping-openpgp-keys-from-the-web ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On Tue, 26 Mar 2013 01:38, j...@berklix.com said: So to wikipedia, after Japan I appended expired 2011-05-16 I could edit in an href'd citation to wikipedia, if URL known ? I don't know; the dates are by Ulrich Müller ulm at gentoo.org Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Dump all the properties of a key?
Am Mo 25.03.2013, 15:30:23 schrieb Jack Bates: How do I dump all the properties of a key? gpg --list-options show-policy-urls,show-notations,show-sig-expire,\ show-keyserver-urls,show-uid-validity,show-unusable-uids,\ show-unusable-subkeys --with-colons --list-sigs $KEYID gpg --list-options show-policy-urls,show-notations,show-sig-expire,\ show-keyserver-urls,show-uid-validity,show-unusable-uids,\ show-unusable-subkeys --list-sigs $KEYID -- ☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) http://www.openpgp-schulungen.de/ signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Availability From: Werner Koch w...@gnupg.org Werner Koch wrote: On Tue, 26 Mar 2013 01:38, j...@berklix.com said: So to wikipedia, after Japan I appended expired 2011-05-16 I could edit in an href'd citation to wikipedia, if URL known ? I don't know; the dates are by Ulrich Müller ulm at gentoo.org OK I added Ulrich M to cc He can add URL to wikipedia of expiry date of Japan IDEA paent if he wants, or I will if he mails it me. A dead patent is a good patent ;-) Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Reply below not above, like a play script. Indent old text with . Send plain text. No quoted-printable, HTML, base64, multipart/alternative. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for anonymous users - Alternative to the web of trust?
Its pretty much impossible to distinguish a nation-state's covert agency personnel who are masquerading as someone else from the real someone else. In the UK we have recently had examples of undercover agents infiltrating animal rights groups or similar as activists, forming deep emotional relationships with female members, moving in with them, having children with them, and then years later, after the group has been smashed, disappearing from the scene. One such lady victim saw the picture of a policeman years later (I think in a newspaper) and recognised him as the father of her child, which is when the scam was blown open. So in short, these agencies do not find it difficult to do anything that they need or want to do regards David On 26/03/2013 17:36, Johnicholas Hines wrote: The question is how to distinguish yourself from a nation-state's covert agency purporting to be an individual interested in anonymity; you need to do something that the agency would find difficult to do. Getting your name and key into difficult-to-corrupt archives will start a timer - eventually you can point to the archives as evidence that you are not a newcomer. Even an agency would find it difficult to change history. Spending money or effort forces a covert agency to also spend money or effort to replicate your behavior. For example, if you sent someone a bitcoin, they would have to spend some dollars to establish themselves as comparably credible. Unfortunately, they have deep pockets. Effort might be preferable to money, since leaves more ways that a covert agency might make a mistake, behaving in some characteristic way (e.g. some sort of automatic authorship attribution software might become available that revealed them to be a team rather than an individual). Steady effort at releasing patches over a decade might be moderately credible. Johnicholas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users