Re: Details of signature verification status-fd lines
On Tue, 22 Sep 2009 17:50, bmea...@ieee.org said:

> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> when the signature was made, right? If that shows up along with

It means that the key has expired by now.

> VALIDSIG, it's ok to trust the signature, correct? What about

That is up to you. Usually you would show a message stating that the key used to create the message meanwhile expired. Whether you take the signature creation date into account and show a different message is up to you. If a signer wants to use an expired key for signing he may as well change the signature creation time.

> REVKEYSIG? If a key is revoked, is there an easy way to know if the
> signature was made prior to revocation, or would it be necessary to
> just compare the stamps on the signature and the revocation?

There is no way because you don't know why the key was revoked. Sure the revocation signature allows to give a reason of revocation and you can take that into account, but if the key was compromised an attacker may also create a revocation with a different reason (e.g. key superseded). You can't tell who did the revocation.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Details of signature verification status-fd lines
On Wed, Sep 23, 2009 at 4:20 AM, Werner Koch w...@gnupg.org wrote:

> On Tue, 22 Sep 2009 17:50, bmea...@ieee.org said:
>
> > Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> > when the signature was made, right? If that shows up along with
>
> It means that the key has expired by now.
>
> > VALIDSIG, it's ok to trust the signature, correct? What about
>
> That is up to you. Usually you would show a message stating that the
> key used to create the message meanwhile expired. Whether you take the
> signature creation date into account and show a different message is
> up to you. If a signer wants to use an expired key for signing he may
> as well change the signature creation time.
>
> > REVKEYSIG? If a key is revoked, is there an easy way to know if the
> > signature was made prior to revocation, or would it be necessary to
> > just compare the stamps on the signature and the revocation?
>
> There is no way because you don't know why the key was revoked. Sure
> the revocation signature allows to give a reason of revocation and you
> can take that into account, but if the key was compromised an attacker
> may also create a revocation with a different reason (e.g. key
> superseded). You can't tell who did the revocation.
>
> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

Great, thanks for the help, Werner. By the way, are there any python or PHP bindings for GPGME?

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Re: Details of signature verification status-fd lines
On Wed, 23 Sep 2009 16:16, bmea...@ieee.org said:

> By the way, are there any python or PHP bindings for GPGME?

Yes, there are several of them and we should really compile a list of them or actually add them to the distribution.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
Re: Details of signature verification status-fd lines
Werner Koch wrote:

> On Wed, 23 Sep 2009 16:16, bmea...@ieee.org said:
>
> > By the way, are there any python or PHP bindings for GPGME?
>
> Yes, there are several of them and we should really compile a list of
> them or actually add them to the distribution.

It would be a huge help if added to the distro, Werner. Compiling a list would be a nice bonus for those who already have GPGME downloaded or installed.

I was working on updating an application in Pascal that used the old GPGME api and knocked it to the backburner when I couldn't find updated Pascal bindings. (It was free work)

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-k...@gingerbear.net?subject=help

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels
Details of signature verification status-fd lines
Just a quick question on the --status-fd output from a --verify operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could VALIDSIG or GOODSIG also show up? In other words, are these just for more information on why a signature failed, or can they qualify the GOOD and VALID outputs?

Thanks
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Re: Details of signature verification status-fd lines
On Tue, Sep 22, 2009 at 11:19 AM, Werner Koch w...@gnupg.org wrote:

> On Tue, 22 Sep 2009 16:26, bmea...@ieee.org said:
>
> > Just a quick question on the --status-fd output from a --verify
> > operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could
> > VALIDSIG or GOODSIG also show up? In other words, are these just for
>
> It depends. EXPKEYSIG for example may come in addition to VALIDSIG.
> VALIDSIG is the modern version of GOODSIG.
>
> Except for the description in doc/DETAILS we don't have a more
> specific description (it is on our task list, though). The best way to
> see what you can expect is to look at the gpgme code.
> gpgme/src/verify.c computes the validity of signatures.
>
> Processing the NEWSIG status line is in general a good idea so that
> you don't mix the status lines given for different signatures.
>
> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

Thanks for the response. So EXPKEYSIG doesn't mean the key was expired when the signature was made, right? If that shows up along with VALIDSIG, it's ok to trust the signature, correct? What about REVKEYSIG? If a key is revoked, is there an easy way to know if the signature was made prior to revocation, or would it be necessary to just compare the stamps on the signature and the revocation?

Thanks,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
Re: Details of signature verification status-fd lines
On Tue, 22 Sep 2009 16:26, bmea...@ieee.org said:

> Just a quick question on the --status-fd output from a --verify
> operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could
> VALIDSIG or GOODSIG also show up? In other words, are these just for

It depends. EXPKEYSIG for example may come in addition to VALIDSIG. VALIDSIG is the modern version of GOODSIG.

Except for the description in doc/DETAILS we don't have a more specific description (it is on our task list, though). The best way to see what you can expect is to look at the gpgme code. gpgme/src/verify.c computes the validity of signatures.

Processing the NEWSIG status line is in general a good idea so that you don't mix the status lines given for different signatures.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
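
The per-signature handling discussed in this thread, as an added example that is not part of the original messages and is not GnuPG or GPGME code: it starts a new group at each NEWSIG so that status lines of different signatures are never mixed, and reports EXPKEYSIG and REVKEYSIG as qualifiers of a VALIDSIG rather than as failures. The names `Sig` and `parse_status`, the verdict labels and the sample output are assumptions made for illustration; the policy behind each label is left to the caller, as stated in the replies above.

```python
from dataclasses import dataclass, field
PREFIX = "[GNUPG:] "
# Keywords that report the outcome of checking one signature.
RESULTS = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}
# Assumed policy labels; the thread leaves the choice of message to the caller.
LABELS = {"GOODSIG": "valid", "EXPKEYSIG": "valid, key has expired by now",
          "REVKEYSIG": "valid, key is revoked", "EXPSIG": "signature expired"}

@dataclass
class Sig:
    results: list = field(default_factory=list)  # result keywords, in order seen
    keyid: str = ""
    fingerprint: str = ""   # from VALIDSIG
    sig_created: str = ""   # from VALIDSIG; set by the signer, not proof of time

    def verdict(self):
        # Fail closed: exactly one result keyword, confirmed by VALIDSIG.
        if len(self.results) != 1 or not self.fingerprint:
            return "reject"
        return LABELS.get(self.results[0], "reject")

def parse_status(text):
    """Group status lines per signature, starting a new group at each NEWSIG."""
    sigs, cur = [], None
    for line in text.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        # Assumption: lines seen before the first NEWSIG are ignored.
        if not parts or (cur is None and parts[0] != "NEWSIG"):
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "NEWSIG":
            sigs.append(cur := Sig())
        elif keyword in RESULTS:
            cur.results.append(keyword)
            cur.keyid = args[0] if args else ""
        elif keyword == "VALIDSIG" and len(args) >= 3:
            cur.fingerprint, cur.sig_created = args[0], args[2]
    return sigs

# Constructed sample output; key IDs, fingerprints and names are made up.
SAMPLE = f"""\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG {'B' * 16} Constructed Two <two@example.org>
[GNUPG:] VALIDSIG {'B' * 40} 2009-09-22 1253634700 0 4 0 1 2 00 {'B' * 40}
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG {'C' * 16} Constructed Three <three@example.org>
[GNUPG:] VALIDSIG {'C' * 40} 2009-09-22 1253634800 0 4 0 1 2 00 {'C' * 40}
[GNUPG:] NEWSIG
[GNUPG:] BADSIG {'D' * 16} Constructed Four <four@example.org>
"""
```

Calling `parse_status(SAMPLE)` returns one `Sig` per NEWSIG; `sig_created` is kept only for display, since a signer can set the creation time freely.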